IETF Logo Mail Archive

[Seat] Re: [Rats] [WIMSE] Re: Re: Re: Re: Follow-up of meeting 122 presentation (Formal proof of insecurity of Intel's RA-TLS and draft-fossati-tls-attestation)

Nathanael Ritz <nathanritz@gmail.com> Fri, 16 January 2026 21:38 UTC

Return-Path: <nathanritz@gmail.com>
X-Original-To: seat@mail2.ietf.org
Delivered-To: seat@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9F7F3A8CC6A4 for <seat@mail2.ietf.org>; Fri, 16 Jan 2026 13:38:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: 0.603
X-Spam-Level:
X-Spam-Status: No, score=0.603 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJqWOD9cyqcz for <seat@mail2.ietf.org>; Fri, 16 Jan 2026 13:38:43 -0800 (PST)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E3B43A8CC697 for <seat@ietf.org>; Fri, 16 Jan 2026 13:38:42 -0800 (PST)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-64d30dc4ed7so4735780a12.0 for <seat@ietf.org>; Fri, 16 Jan 2026 13:38:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1768599522; cv=none; d=google.com; s=arc-20240605; b=X32VzEI+7Nk+nMjBYzFppy63XVTuTpvRCagoilu2NWWEIa2iuroX340C+b+n9humak /FqZNl9izTMWvtfQjttcIvcHAVoCcRY6saQQddY3pZYfMk4T+W01bAtHADbz4CS8w6So nqSjziHKMqgRrmgiEoH+PS23lFaL+2ACeqdca2vIeJkx3VALOCEqK0yuKSeg2wD3XCGy pHqafMk0ppLeLJt0wc3zDJxDaSAxVw28U2IQ3kFxrNPI4AxMuQy0rhp0vRBdo1nKGVJn /8mUz1LogNJJ2gPOn0JjxkgF0cwAIiD+dqq7qsB5buq6iR3QsxXF8us8UavEyxdgqWPG VDhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=FAnWHgqsXhULrolZNqQugX0yiradDv8TDA4YCdMsFUc=; fh=sr4asEZOtJ7aLKdPD84r/mGJ3C2Nwk6gwq2dKEh4pnw=; b=dHrqlUL1R2EjAlIThVLQLMbaMHM8mIGMGm0wTuu86IYhXlCHku4z1B08vaphvM6RWr iLPG9vT/VjRaX+ZLNYH1dxZXArP7i1b6SL7yd+8/3ax9lAejhlSbAIg87wbu3vD/fF21 WL+cQkBVcv2lFXFYNICjJWsEUdHmk4NIOvdtmN01DDfVHuPe/25vzKsw//7bjg4CIiPh ghjklJmeDnnMG/grxJ1Qk6e2FB70w7IBuuzDUDjQwhup1zRL8fvY2fAQqddyeNVFIvFG VvSmE3KzpQxxCRmlgKZsk60WLibZNq78XRi1sVcVSZqgYPUHdCeTBcgDh8lb76R4HQvk c5OA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768599522; x=1769204322; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FAnWHgqsXhULrolZNqQugX0yiradDv8TDA4YCdMsFUc=; b=TqVSdtpWiKKgkHGqxEtTicWcx5SSsZ4yAq/VL9iKVeB+PXI4R8HBA7ZGYNpK74b6nC 9DkoErRUTet+mTWG40c3OwADOOuu+QXANcyNAPk3+DsGjCB7NU3+PqVMkMoCAnmcIqxe 5Q3/8Xadlo4mmRAam4KWfw1JFRxD0rM/imWTIluIYGh1VU7B5eJrp8aTQJGFiARuIyzJ wm5uFE/BAkeHEytLX5b8gV/uSMaKeUpQO+viqee1HyI1bnDKtwPlg9LXyXtiwcTBC5YV BUNkN1AWguUwEj1Y1Rq8JRWpzZOFbL1WSUdBJZob398WeFWeINEyS6M8sx0upoJc6TGU LLsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768599522; x=1769204322; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=FAnWHgqsXhULrolZNqQugX0yiradDv8TDA4YCdMsFUc=; b=fGmKBfkyMaUDWWner+GBKUHYWDiMx5jC6GAsKz/Lo4ShgomtdAGnV8Wo2vYK9pq7wy 3yv6QlzfcwmTcY95sfYGJUjja7uDL4X/zhCJmIyscGHOdLSGduw3gkK/6nscj4tcOAH8 pz3qAXJUMlIWA6+cBtmZ3Lu8mQKIoCSDVxaDEe4FNGd0+m0E1i0LgkVw/0k35wattp7H Ngbq06okQlBa5Nze0GdkWav9XZv+Bcw6Glhb9g4BuwdCip7e+B75FwfXcaGVXVpWS8xP 0hL5WsyaJiUVTf/my+fG3ckXkXQnmP818K0NF7CV6nkxOrL2Dm1i9/S3UXuG79s4sI6f gzSw==
X-Forwarded-Encrypted: i=1; AJvYcCX0MmdAgJvmi8lMOERFutGjvfxgOfIVwA6T6VeuYzYDTeyql8A6Caxg8XJpnNKpO/YPhxP1@ietf.org
X-Gm-Message-State: AOJu0YyXbhHsfMzt4YfZdE5bDr3ZT0J+LswWSc+unQs4Z4bxizA2E8n1 vXU/X9jxTguLqRLudJziXxC4POzebRglSCp6LYpj1CzVKnaDspu6jtNxM9d29U+DmMaY1j+gg3J sYF37txi+Ce7eIMM5DziMwnXpJiszq1Q=
X-Gm-Gg: AY/fxX6UPbxqN9qQpXtBoERr+Rj4Mw0DOLWC/UmeWcXqTzC31uIdcgyXqVAKHHwqszb qGu3zjG5o3yI2Md12sEx5BQSMDto0kqcGss+dH3pLanjWCxDRwxslpDs8MOydAbJKLa81/hekAg L2Az1xAy37/LLunB7I08h7ia3Yb21K/1gIfvGg8h4vsV+yJHBIsgY/4bcZDLUbTl2PYUupBO1P0 ItegD7oAcCRKtB8q33FiUzZ0vAE65cm93ygKH+Wsi27LlfB+jodId8uEFzi2n3D/304hJs=
X-Received: by 2002:a05:6402:50d3:b0:64b:458d:83 with SMTP id 4fb4d7f45d1cf-654524d6e23mr3012790a12.9.1768599521793; Fri, 16 Jan 2026 13:38:41 -0800 (PST)
MIME-Version: 1.0
References: <CAHu=PL2n26wwEtEECb1VqzshJBTJ+chhbcKTNbLeABmM_+eymg@mail.gmail.com> <CBDD5425-01C7-4A2D-97F6-BF66C0E5A0FE@gmail.com> <CAOgPGoAoserfxs4DjMUpexvSfSxnWUzTedd1MPyc74+QTUC1_Q@mail.gmail.com> <cb5ce7ff-6e7c-4891-a1a6-0e5e8d706184@tu-dresden.de> <92BBB51B-5F89-416C-8684-F0A0011D84F0@gmail.com> <4978e51d-600d-4f1c-98c0-c3a2d2d065c7@tu-dresden.de> <ED4E9B70-A682-47AF-8013-5BB0B3A4B98E@gmail.com>
In-Reply-To: <ED4E9B70-A682-47AF-8013-5BB0B3A4B98E@gmail.com>
From: Nathanael Ritz <nathanritz@gmail.com>
Date: Fri, 16 Jan 2026 14:38:29 -0700
X-Gm-Features: AZwV_QiBnm06AX_obly1S0vorYCUyRMsQETZe_yescxTYczMzLntZHwV-tpmuhA
Message-ID: <CAHxYnaMcBNc+oE5f+QTPZBrjp+GQsOz=cdkaMO7Z5nW=NK1hbQ@mail.gmail.com>
To: John Kemp <stable.pseudonym@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003f1bb10648882aab"
X-MailFrom: nathanritz@gmail.com
X-Mailman-Rule-Hits: max-recipients
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-size; news-moderation; no-subject; digests; suspicious-header
Message-ID-Hash: RF2ASLUNMFTWNHMTPROBWDJMAHALMQYB
X-Message-ID-Hash: RF2ASLUNMFTWNHMTPROBWDJMAHALMQYB
X-Mailman-Approved-At: Fri, 16 Jan 2026 15:13:05 -0800
CC: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, Joseph Salowey <joe@salowey.net>, wimse@ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Manu Fontaine <Manu@hushmesh.com>, Henk Birkholz <henk.birkholz@ietf.contact>, Yaron Sheffer <yaronf.ietf@gmail.com>, Justin Richer <jricher@mit.edu>, Pieter Kasselman <pieter@defakto.security>, wimse-chairs@ietf.org, Sorin Dumitru <sorin@returnze.ro>, rats@ietf.org, seat@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Seat] Re: [Rats] [WIMSE] Re: Re: Re: Re: Follow-up of meeting 122 presentation (Formal proof of insecurity of Intel's RA-TLS and draft-fossati-tls-attestation)
List-Id: "Secure Evidence and Attestation Transport (SEAT) WG" <seat.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/seat/hE68a2X-PtwSWcyDJhlfWrDfp_w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/seat>
List-Help: <mailto:seat-request@ietf.org?subject=help>
List-Owner: <mailto:seat-owner@ietf.org>
List-Post: <mailto:seat@ietf.org>
List-Subscribe: <mailto:seat-join@ietf.org>
List-Unsubscribe: <mailto:seat-leave@ietf.org>

I am not sure about WIMSE, and apologies to the WG if it appears that I am
conflating SPIFFE/SPIRE for WIMSE, as that’s not my intention. With that
out of the way, if we use SPIRE as an example of what’s done in industry
right now, their “node attestation” process comes from a SPIRE agent
running a specific plugin that is checked against a policy. Plugin choices
are diverse, to address the specific question about “hardware vs software
‘attestation’”.

For example, a SPIRE agent can “attest” using a Keylime (HW RoT/TPM) plugin
or it can “attest” with a bootstrap bearer-token (join_token), although I
believe using join_tokens are strongly advised against. In any case, if the
“attestation” is accepted, the SPIRE agent on the node is handed a
“verifiable identity” in the form of an SVID (X.509 cert).

There is a separate process where the RBAC policy engine uses “selectors”
to “discover” what kind of privileges the successful node can have, but
that’s checked independently from the initial “node attestation” process.

My opinion to the WG is that I am very much against using “attestation” as
a noun if a node is given some static credential by passing a bearer-token.
As such mechanisms conflate authentication (through possession of an
unbound secret) for authorization, but TOFU is what it is, and that’s the
language used with SPIFFE, regardless of plugin choice, iirc.

The key detail is that the SPIRE plugin system allows both software or
hardware mechanisms for establishing trust and it appears WIMSE aligns with
similar use of language.

- Nathanael

On Fri, Jan 16, 2026 at 2:05 PM John Kemp <stable.pseudonym@gmail.com>
wrote:

> El ene 16, 2026, a las 3:35 p.m., Muhammad Usama Sardar <
> muhammad_usama.sardar@tu-dresden.de> escribió:
>
> Could WIMSE clarify which one of the following is intended in its
> attestation?
>
>    1. Software-based attestation *only*
>    2. Any of software-based attestation or hardware-based attestation
>
> If it is #1, then our attacks are completely irrelevant and I'll close my
> PR.
>
> So a simple question for WIMSE is: is hardware-based attestation in scope
> or not?
>
> At the architecture level we’re operating at (not specific
> implementations) I would say that whether it is hardware-based or
> software-based is not relevant. Either are possible and allowed.
>
> If hardware-based attestation is in scope, attacks are in scope.
>
> As I believe has been previously noted, the attacks you are talking about
> are quite specific — to “attested TLS” - I can’t say whether this is the
> correct document since it’s an expired draft, but there is a security
> considerations section of
> https://www.ietf.org/archive/id/draft-fossati-tls-attestation-09.html#name-security-considerations in
> the attested TLS document that would seem the correct place for a
> discussion of those attacks.
>
> In the WIMSE architecture document (the subject of this discussion) we do
> not refer to attested TLS at all, and it would be an implementation detail
> at the level of this document, so I would suggest it is out-of-scope.
>
> If hardware-based attestation is out of scope, I don't really see why
> definition says WIMSE attestation is broader than RFC9334. In this case,
> maybe simply say it is software-based attestation.
>
> Hardware-based attestation is in-scope, but the specific type, or the
> mechanism by which is used (being different from the seven described RATS
> attestation use-cases), is not relevant for the WIMSE architecture
> document, in my opinion.
>
> Regards, -johnk
>
> On 16.01.26 19:54, John Kemp wrote:
>
> WIMSE folks seem to have settled at some definition. Looking at the
> current definition of attestation of WIMSE in PR [1], I have proposed a
> small edit there.
>
> One nit: Definition says "Attestation in WIMSE is intentionally defined
> quite broadly" but I don't see what exactly is broader than RFC9334.
>
> What that specifically means to me is that the WIMSE definition is broader
> than the defined use-cases specifically mentioned in RFC9334.
>
> Well, I don't think that is quite right. RFC9334 never "defined" any use
> case. Sec. 2 says "Reference Use Cases". We don't limit remote attestation
> to these use cases only. The start of Sec. 2 says explicitly:
>
> This section covers a number of representative and generic use cases for
> remote attestation, independent of specific solutions. The purpose is to
> provide motivation for various aspects of the architecture presented in
> this document. Many other use cases exist; this document does not contain a
> complete list. It only illustrates a set of use cases that collectively
> cover all the functionality required in the architecture.
> -Usama
>
>
>

v2.43.4 | Report a Bug | By Email | System Status