IETF Logo Mail Archive

[Seat] Re: New Version Notification for draft-mihalcea-seat-use-cases-02.txt

Nathanael Ritz <nathanritz@gmail.com> Sun, 10 May 2026 00:17 UTC

Return-Path: <nathanritz@gmail.com>
X-Original-To: seat@mail2.ietf.org
Delivered-To: seat@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 89D0EEBE1093 for <seat@mail2.ietf.org>; Sat, 9 May 2026 17:17:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778372245; bh=T4fiBFERJyOPZoMPuLDwRWh2s2NlRxATOXUgJ8rhqyY=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=oHIxPmV8YL1CTBbJE6vlnyMIFo22IGp6hj8IDKgHqaXjXt4vrbKlF1eI3BecHZivQ 85xmErgHnsriEg/xR48JYm+3kCuve68Ur4UXocSiildUYnxJHdbx7zGV3+wEfZlva6 cuM7rioaM9xXG56+hJI2OkhMqLOuwo+BfVnoQXEI=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlIhP3dGMS29 for <seat@mail2.ietf.org>; Sat, 9 May 2026 17:17:17 -0700 (PDT)
Received: from mail-dl1-x1236.google.com (mail-dl1-x1236.google.com [IPv6:2607:f8b0:4864:20::1236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 68FA5EBE1078 for <seat@ietf.org>; Sat, 9 May 2026 17:17:17 -0700 (PDT)
Received: by mail-dl1-x1236.google.com with SMTP id a92af1059eb24-13246950f3cso3523683c88.1 for <seat@ietf.org>; Sat, 09 May 2026 17:17:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1778372236; cv=none; d=google.com; s=arc-20240605; b=LVjVknlYEP9ooQ0rqWJ/oJaNVZg0cq32iQ2pAdKbI02roMAR51K97zFUsUOEz2kvY3 oolwTMqyDn7aJgm0kPT+0xZpkspClC9bj9MuZzcMGVUDfCl8qZ+H9sC5t7CJruPuHX8+ joLUYXEQRdp942cOLEdOCedeVDTT+Q3jJVY0xTkzFpks/QgV/qK/qFYoGw/nUO2i1uqU Q4C+bVIPW97i2/M/BwzzE6FnGFzU3sisv26z7KCMU+1PxOTix6HCb+3flKG7T2JRNISO /CayKbjPSbxBP9so9ZBHrY8AG1/ISnHcnPwD/kW1J3V+vXGDHtVvbJwFbxpbgLW7ZK8t gizg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=f6yBD0poiTeMxpDBHTXadnZkp4MdpeYWtf5URWIcthw=; fh=OmrzP2sApnh0ZUSp6XjlekZ/4a1lSdMkl432PLm0u2Q=; b=HflfK/d+aqC7pHM7Y6BAUt0gkealbmQ0zDuiwSbu5xlStcADhPVy3+DESlhr6Qrlxs sMINfPmgekPMNWEOMHTQwAlocU75XXnNvQr35d08/Sc/1pUXEcpk0YoIviQzgI1a89z/ E+m7A5WdiN5+SBUBCY/tLjFDvk8FdzlsnU109U++jGE687HdGIZS2PkGu8i/RSFI27nm leCLyA9X+ftzcM1NxWQ7VoV/8GuDn6uxh8gCexhBJlF11QOFCScs1nv6CCio2pMP8RES TfM+DKo/NwvJKO0SmlkSODih034g2ZYI9o52ldjJ7aJ8a3gQYUUOW7g1kP1sDzNjQeSo 3dNg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778372236; x=1778977036; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f6yBD0poiTeMxpDBHTXadnZkp4MdpeYWtf5URWIcthw=; b=WUts2755ndLf7UXOuR17YrApAOmHCkxMCkD/UIjvjgiaJh0eq/Q3SptanhJsKBszWC KKbJZkKGe2fMNGuWnaHgeTD+GPaISwL+bl21ZRn2F/R/h1x9qgkEma+ZgDXKmIPA//lx XSGTUKwi0CE98YmRVRYGjM8O5z1+aWPjTS6c6jpXcan6AIbhUiwtBuBj/wJYKuLtYwIC NRgM2t3ob4OFvAPBhjMPZKCrcla/Zgh5ov96ruxwKXCoCGps/ZOI55/VTOjiSBsg2T4F KyrzfkDViweyrgdzFVPv402UfGwTi2N9Ue3koTTV0XqMINcbdmEuebgKRKWPdOfttYeH fJ1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778372236; x=1778977036; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=f6yBD0poiTeMxpDBHTXadnZkp4MdpeYWtf5URWIcthw=; b=sFdXUNxLqy0tfab8RCgXlXdx4d6me9zBINCwxNXn81aaeyN8trwEGY6mz6N9alZTDM XURElDqggc2f2/kDWoDr5LwKTKUSqGe0rF6TQMGIyBtqasA29InvcnQptbfbfhekI+lD NRiN188rPXkSlqL25Ir61QmPlQzNipRthqNwdY+3r02mYHGiWS/YeDvZX70x78fpo/yo 7D9/lVySS7mdqw7kXIKX+WdU2xEy2qGePEW+YsUtUY7RCEar8oE5HDg84KZyDN9UunzN KgcuN6mq4l70iI+NVziqrXtmMc40e4w9SBBrjxxu3Z24RyvlhMoR5O90c6+NLK3Km+Q2 /xQg==
X-Gm-Message-State: AOJu0Yw5ktEGdng2hydsJsmWOCfJ2FGgtRAw8l8oaZ9YUcrEzfcj/nik aCRGG2r8KLa6raahJCN1X9qeEAjiLGIfvfaHAwI6cfsUUq147X4oCyoSKplcVOwL6KUEJbFAEB2 Da5t0SqaWK2G9e+FRsSjVOipNPmKMdsg=
X-Gm-Gg: Acq92OFNbUwmQVUsB5mqcvai1hdwGVvvr5uv1fcQLXuVkNdyk1BjsCz6Bw8wu58PfQ1 EtXv+w/Lv4pBR4uByE0OgL7sAJkT+g6bBJS77Y3DBaAxJcFTyChp8OcacW2LHPKqPmT+27r0YRw Nw2SDEi+wR9gu0i7xf6/ELdWSM8si7AfcTLFTQt5KY2AATNT4nhLpbrsCxCqS+aAqp92uOEgRdz LaRylcgNnbmw6g1FGdjLpU0AKowFwSJ1FTtfA3IOETT6ZlMTPnghBBCpP/NTZenrffX0hKHxxyj Rn1tczc=
X-Received: by 2002:a05:7022:6629:b0:128:cf5c:5362 with SMTP id a92af1059eb24-132a79ef2c6mr2263923c88.12.1778372236021; Sat, 09 May 2026 17:17:16 -0700 (PDT)
MIME-Version: 1.0
References: <4a03bb9a-542d-49b4-b307-238c2555db1f@tu-dresden.de> <5407A9DD-080F-4E46-979C-DE53BF2E52FE@aiven.io> <ea78e97b-3596-4fc8-87cc-59292499f754@tu-dresden.de> <57cf40db-bdfa-457e-a4dc-913eb0630e20@tu-dresden.de> <CAHxYnaNbiuSsZ2bH+X2u_HHDV60yEWeO3=vkQ5DRizHbnRZZKQ@mail.gmail.com> <48537165-5019-40b7-a8c1-8909fe1c2d66@tu-dresden.de>
In-Reply-To: <48537165-5019-40b7-a8c1-8909fe1c2d66@tu-dresden.de>
From: Nathanael Ritz <nathanritz@gmail.com>
Date: Sat, 09 May 2026 18:17:04 -0600
X-Gm-Features: AVHnY4KcEXLg2APd71eOJbOgGV-XaYdWlqUorRC_FFYgeyBoZd03EVd2a-DMy8g
Message-ID: <CAHxYnaNSZdyV9rEmkg3xQsbtPDG-HQAbc8PtFYg_kANWV_r-Tw@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Content-Type: multipart/alternative; boundary="0000000000006815ee06516b8d16"
Message-ID-Hash: 6SYHBOLYPRU5PSDU34JTTLZAQ4RFGR62
X-Message-ID-Hash: 6SYHBOLYPRU5PSDU34JTTLZAQ4RFGR62
X-MailFrom: nathanritz@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: seat@ietf.org, draft-mihalcea-seat-use-cases@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Seat] Re: New Version Notification for draft-mihalcea-seat-use-cases-02.txt
List-Id: "Secure Evidence and Attestation Transport (SEAT) WG" <seat.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/seat/Gv50FVAF35jFZvtrDFYEZGECZQY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/seat>
List-Help: <mailto:seat-request@ietf.org?subject=help>
List-Owner: <mailto:seat-owner@ietf.org>
List-Post: <mailto:seat@ietf.org>
List-Subscribe: <mailto:seat-join@ietf.org>
List-Unsubscribe: <mailto:seat-leave@ietf.org>

Hello,

On Sat, May 9, 2026 at 3:55 PM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:
> Please review [9] and constructively propose any changes.

I appreciate the repeated invitation to review [9] although you may
appreciate that by calling it a "cute little PR", I took the phrasing to
suggest the urgency required for an immediate closer look was somewhat
constrained. However I will be sure to review it and offer feedback to the
WG when I can.

On Sat, May 9, 2026 at 3:55 PM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:
> Does someone see any “mechanisms for key leakage” in Table 1 in [8]? I
don’t. This seems like misinterpretation of Table 1.
Yup, got my wires crossed a bit with my phrasing. The mechanisms are
discussed in Sec. 4.2.1. Thanks for the correction.

Regarding #43, I want to be clear: PKI binding with Remote Attestation is
well-motivated and the ID-Crisis paper establishes that much clearly.

Binding Evidence to an infrastructure-supplied or hardware-associated
identifier provides strong compound authentication when such an identifier
is available and verifiable. In deployments where those identifiers are
unavailable or unverifiable, alternative identifiers can still be
meaningful. While they do not provide the same semantics as a verifiable
physical machine identifier, they can still provide protection against
single key promise.

That said, if the relevant hardware root of trust is compromised, or if
signing material is extracted by a physical attack, then the identifiers
covered by that compromised material no longer guarantee the physical
hardware association they once did.

So yes, machine/platform identity binding is valuable. But the proposed
Section 3.3 text should not frame the absence of infrastructure-supplied
hardware identity as the cause of the physical attacks cited, and it should
not imply that a Layer 7 protocol property prevents those Layer 1 attacks
themselves.

Cheers,

Nathanael

On Sat, 9 May 2026 at 15:55, Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

> Hi all,
>
> My opinion remains unchanged. With the two proposed PRs, I believe all
> comments in this thread have been addressed modulo some wordsmithing.
>
> If someone disagrees, please *constructively* propose edits directly in
> the PR and if the edits are substantial, please bring to list for
> consideration by authors and WG.
>
>
> 2 key points:
>
>    1. Outside the scope of TDX/SEV-SNP threat model simply means that
>    Intel and AMD don't account for it. That makes attacker's job much easier,
>    i.e., that doesn't stop exploit in the real world.
>    2. The paper under discussion [8] has been presented at several IETF
>    meetings. If someone has missed, please see recordings [10]. If possible,
>    please also consider to read [8] completely before any further follow-up.
>    To respect the mail list procedures, I'll respond only when something new
>    is brought on the table.
>
>
> On 09.05.26 21:35, Nathanael Ritz wrote:
>
> My concern is that the proposed text conflates what a Layer 7 protocol
> could possibly accomplish in the face of a Layer 1 physical attack such as
> those mentioned in the proposed text. If an attacker exfiltrates the
> silicon's root private key, the trust anchor is gone, meaning every piece
> of data it signs, including its own physical identity, can be spoofed in
> software.
>
> Not to put too fine a point on it, my question is simply: key of *which*
> server is exfiltrated? Do we want that exfiltrating key of one server can
> potentially break down any connection anywhere in the world?
>
> Please see Sec. 8.1 of [8] for technical details.
>
> Further, the ID-Crisis threat model (Table 1) explicitly scopes to
> transient execution attacks, side-channel attacks, and implementation
> errors as the mechanisms for key leakage.
>
> Does someone see any "mechanisms for key leakage" in Table 1 in [8]? I
> don't. This seems like misinterpretation of Table 1.
>
> Please note that even the text in Sec. 4.2.1 [8] absolutely does *not*
> exclude anything. It says it *can* happen due to three *main* categories.
>
> More precisely, the disclosed diversion attacks in Sections 8.1 and 8.2
> are Dolev-Yao network-layer attacks that exploit the absence of PKI
> identity binding [8], not physical hardware compromise.
>
> Please see comments above.
>
> I am fine if the suggested changes I proposed to the same PR are moved
> elsewhere (such as to [9]),
>
> Please review [9] and *constructively* propose any changes.
>
> but I do not believe that the use-cases document for a Layer 7 protocol
> should include properties that implies capablities for mitigation against
> Layer 1 physical attacks that hardware vendors themselves place outside
> their threat models [*].
>
> Please understand that the vendors not considering physical attacks is
> exactly the reason why this property is required.
>
> Sincerely,
>
> -Usama
>
> [0]
> https://github.com/tls-attestation/use-cases-and-properties/blob/b50619cb3a6a71f1318c58a899380e038b21ff12/draft-mihalcea-seat-use-cases.md
> [1]
> https://github.com/tls-attestation/use-cases-and-properties/pull/43/commits/b50619cb3a6a71f1318c58a899380e038b21ff12#r3212889712
> [2] https://tee.fail
> [3] https://wiretap.fail
> [4]
> https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2025-10-28-001.html
> [5]
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3040.html
> [6] https://badram.eu
> [7]
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3015.html
> [8]
> https://www.researchgate.net/publication/398839141_Identity_Crisis_in_Confidential_Computing_Formal_Analysis_of_Attested_TLS
> [9] https://github.com/tls-attestation/use-cases-and-properties/pull/44
>
> [10]
> https://github.com/CCC-Attestation/formal-spec-id-crisis#upcoming-and-recent-talks-and-research-visits
> _______________________________________________
> Seat mailing list -- seat@ietf.org
> To unsubscribe send an email to seat-leave@ietf.org
>

v2.43.4 | Report a Bug | By Email | System Status