IETF Logo Mail Archive

[Seat] Re: [Rats] [WIMSE] Re: Re: Re: Re: Follow-up of meeting 122 presentation (Formal proof of insecurity of Intel's RA-TLS and draft-fossati-tls-attestation)

John Kemp <stable.pseudonym@gmail.com> Sat, 17 January 2026 17:57 UTC

Return-Path: <stable.pseudonym@gmail.com>
X-Original-To: wimse@mail2.ietf.org
Delivered-To: wimse@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B9ED9A911A29 for <wimse@mail2.ietf.org>; Sat, 17 Jan 2026 09:57:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: 0.603
X-Spam-Level:
X-Spam-Status: No, score=0.603 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PNbGIqUvRRuk for <wimse@mail2.ietf.org>; Sat, 17 Jan 2026 09:57:20 -0800 (PST)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0582DA911A1D for <wimse@ietf.org>; Sat, 17 Jan 2026 09:57:20 -0800 (PST)
Received: by mail-qv1-xf2e.google.com with SMTP id 6a1803df08f44-8907fb0188fso33015326d6.1 for <wimse@ietf.org>; Sat, 17 Jan 2026 09:57:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768672639; x=1769277439; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=zRVpwwUz8b+q4a4zMimUra+TwF6F7UX9TpzCycC3I8g=; b=T/PBX2AHfKgd81eByBd0OqIO8TDiIQ7frmoAmAZv4ZFwM44V+eLuSIbYnIGzQ2q/t8 8r4r+DRQtccaty6e5Zz04feqxAg4ckUAjv103oGHO1HrRPxXHDgKBLsdx3q9fioM6nai LM1BFfdWEU6X6TGyO1Sawkst63Vbaen414EHG+f5o/zv2peoS9g7Xlpfg1VYNntAngEY 2A+xs9Iyq8stK5BbYh4szDrMjQ0Zll0rP/1Bu5FLehI5CGyVMwg13VL6UTUjogafCwH/ fH6l9msOeoHKEtxrag3xicO+LNOarunfvI8WkJy+YtTiaOxepeXLpA4zVWmDZBlgknI6 fcdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768672639; x=1769277439; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zRVpwwUz8b+q4a4zMimUra+TwF6F7UX9TpzCycC3I8g=; b=iTaowVf9B2ofuq/O7q6DU6SuxjkdaCKyM6Eyctf2qswf6fpLrODY0vCsExGgXfv0r7 A2Oppw/hJPk5Ixj6N5DiyyE/e1StHW/cOGs7KSoeV2yTuL7Pj4xbMeSIsKpVAmx+Ua6M faw3UHCtRwKZnUcFwfK1qbvYqWgPABQFuytZx0HpDiNYBAJHeZDFFGof1pjC5+7VVH+R 7tSPzWSEMgc9Qgw8YbP+WqaYJAhWSkX5AveVjcR0DqXFbxUK1u7YahoKcz22i4/4aSi4 ZYcEuKwJwElVr8I+g6DswDHi3rrOVOjqKbU23wJILg9J0+wBk1dVnlW4eSodqYpyskQc hLnQ==
X-Forwarded-Encrypted: i=1; AJvYcCU4SoYSQZS4sFcB7ppiW8s3T5MVOQTWG6ZwZctPlLSb6QMipWiahObCGF9SuadP5tOYoK/8ug==@ietf.org
X-Gm-Message-State: AOJu0YwBFe/hUio2mvAyXmyap5ejeP4gbQDedHru9q/Wmhyn9lQ51hEt S4YeNuXZpOTScArEwqqYLrY0gKS5Q3pn464S78a0Hto5bWhn+Kk2XAGp
X-Gm-Gg: AY/fxX6sUJhhi4+iLD7rLUHkv5fqbSp1YaUe8Osubih+0z7PU4EJ1CNMXcF3Icool8v cLZ4xsNmJZcHWGKOkN22IDWRjYPcgla5XAjI3SmST6l0okkCxoj9gYgLyq2xcmxkVx1HshXC7vW tor4StLwjshvKWb2qEsrV6NMm0VZOtxZtaaCkJgLVNj63YLoRolTRWzGke/PCON40jrjrELeLgz G1G01I8fqvqG7OyxlSVyCs4hVFcRbr/gjf5oEnu9w1ApfAA8zRcs86JiZyGw8CM2n8W1OYxhoZh i44bHjJePZHRF/agRYEaHeohWBTydKoUJ6ZDB2JPQYBBI8ROSg1Y/Xmr/xX8hSpi9rSGFff3fLg M+ui0pQpLfjNR1MrCXPBnNPrd7f6PZp4pOKUb6WJbIbHlRTx/ssR9r+33DrbrKfnx5qMNirTvWy sbK44NzMEkbDZQs1p3ySQSjL+Vsi3nFBfMRA==
X-Received: by 2002:a05:6214:5191:b0:882:42e6:171a with SMTP id 6a1803df08f44-8942e48897bmr103186166d6.29.1768672639349; Sat, 17 Jan 2026 09:57:19 -0800 (PST)
Received: from smtpclient.apple ([67.246.88.47]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c6a71ab288sm495915585a.6.2026.01.17.09.57.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 17 Jan 2026 09:57:17 -0800 (PST)
From: John Kemp <stable.pseudonym@gmail.com>
Message-Id: <14C120F2-7459-4249-91EA-697518FEB727@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_46BDE641-4343-4CA4-9C8A-9CB2E82C899B"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
Date: Sat, 17 Jan 2026 12:57:05 -0500
In-Reply-To: <CAHxYnaMcBNc+oE5f+QTPZBrjp+GQsOz=cdkaMO7Z5nW=NK1hbQ@mail.gmail.com>
To: Nathanael Ritz <nathanritz@gmail.com>
References: <CAHu=PL2n26wwEtEECb1VqzshJBTJ+chhbcKTNbLeABmM_+eymg@mail.gmail.com> <CBDD5425-01C7-4A2D-97F6-BF66C0E5A0FE@gmail.com> <CAOgPGoAoserfxs4DjMUpexvSfSxnWUzTedd1MPyc74+QTUC1_Q@mail.gmail.com> <cb5ce7ff-6e7c-4891-a1a6-0e5e8d706184@tu-dresden.de> <92BBB51B-5F89-416C-8684-F0A0011D84F0@gmail.com> <4978e51d-600d-4f1c-98c0-c3a2d2d065c7@tu-dresden.de> <ED4E9B70-A682-47AF-8013-5BB0B3A4B98E@gmail.com> <CAHxYnaMcBNc+oE5f+QTPZBrjp+GQsOz=cdkaMO7Z5nW=NK1hbQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3826.700.81.1.4)
X-MailFrom: stable.pseudonym@gmail.com
X-Mailman-Rule-Hits: max-recipients
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-size; news-moderation; no-subject; digests; suspicious-header
Message-ID-Hash: KI2RZNLCSFEUKVEEWVXUMLHSUBBOPS5L
X-Message-ID-Hash: KI2RZNLCSFEUKVEEWVXUMLHSUBBOPS5L
X-Mailman-Approved-At: Sat, 17 Jan 2026 10:56:52 -0800
CC: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, Joseph Salowey <joe@salowey.net>, wimse@ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Manu Fontaine <Manu@hushmesh.com>, Henk Birkholz <henk.birkholz@ietf.contact>, Yaron Sheffer <yaronf.ietf@gmail.com>, Justin Richer <jricher@mit.edu>, Pieter Kasselman <pieter@defakto.security>, wimse-chairs@ietf.org, Sorin Dumitru <sorin@returnze.ro>, rats@ietf.org, seat@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Seat] Re: [Rats] [WIMSE] Re: Re: Re: Re: Follow-up of meeting 122 presentation (Formal proof of insecurity of Intel's RA-TLS and draft-fossati-tls-attestation)
List-Id: "Secure Evidence and Attestation Transport (SEAT) WG" <seat.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/seat/uQviRh69Oj2cOBv3-lDRH82dHfA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/seat>
List-Help: <mailto:seat-request@ietf.org?subject=help>
List-Owner: <mailto:seat-owner@ietf.org>
List-Post: <mailto:seat@ietf.org>
List-Subscribe: <mailto:seat-join@ietf.org>
List-Unsubscribe: <mailto:seat-leave@ietf.org>

Hi Nathanael,

> El ene 16, 2026, a las 4:38 p.m., Nathanael Ritz <nathanritz@gmail.com> escribió:
> 
> I am not sure about WIMSE, and apologies to the WG if it appears that I am conflating SPIFFE/SPIRE for WIMSE, as that’s not my intention. With that out of the way, if we use SPIRE as an example of what’s done in industry right now, their “node attestation” process comes from a SPIRE agent running a specific plugin that is checked against a policy. Plugin choices are diverse, to address the specific question about “hardware vs software ‘attestation’”. 

Agreed.

> 
> For example, a SPIRE agent can “attest” using a Keylime (HW RoT/TPM) plugin or it can “attest” with a bootstrap bearer-token (join_token), although I believe using join_tokens are strongly advised against. In any case, if the “attestation” is accepted, the SPIRE agent on the node is handed a “verifiable identity” in the form of an SVID (X.509 cert). 
> 
> There is a separate process where the RBAC policy engine uses “selectors” to “discover” what kind of privileges the successful node can have, but that’s checked independently from the initial “node attestation” process. 
> 
> My opinion to the WG is that I am very much against using “attestation” as a noun if a node is given some static credential by passing a bearer-token.

The Attester (the agent on the node) passes the token it received from the server (by some means unspecified) as Evidence, to a Relying Party (the server) that asks a Verifier (sometimes the same entity as the Relying Party itself) to check the Evidence. If the token is one generated by the Verifier/RP, and it has not been used, then the “attestation” is approved, and the agent joins the trust domain. 

I hear you that this is very different than having some number of third-party attestations about a key used from a secure element that has the endorsement of some other trusted third-party manufacturer whose PKI I can verify, and which comes with Evidence in form of measurements about the hardware and software environment that are rooted in that PKI.

SPIRE is not the first environment to use the “join token” mechanism, and will likely not be the last. It’s also the case that I can think of relatively secure ways to implement that, and relatively insecure ways to. 

By giving the join token one-time-use semantics, I already don’t think it’s a horrible mechanism...

I do agree that precise differences between authentication and attestation are difficult, unless you narrow down what you are willing to accept from an architecture that supports many different implementations. 

> As such mechanisms conflate authentication (through possession of an unbound secret) for authorization, but TOFU is what it is, and that’s the language used with SPIFFE, regardless of plugin choice, iirc. 
> 
> The key detail is that the SPIRE plugin system allows both software or hardware mechanisms for establishing trust and it appears WIMSE aligns with similar use of language. 

Agreed. That is the key detail.

Regards, -johnk

> 
> - Nathanael 
> 
> On Fri, Jan 16, 2026 at 2:05 PM John Kemp <stable.pseudonym@gmail.com <mailto:stable.pseudonym@gmail.com>> wrote:
>>> El ene 16, 2026, a las 3:35 p.m., Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de <mailto:muhammad_usama.sardar@tu-dresden.de>> escribió:
>>> 
>>> Could WIMSE clarify which one of the following is intended in its attestation?
>>> 
>>> Software-based attestation only
>>> Any of software-based attestation or hardware-based attestation
>>> If it is #1, then our attacks are completely irrelevant and I'll close my PR.
>>> 
>>> So a simple question for WIMSE is: is hardware-based attestation in scope or not?
>>> 
>> At the architecture level we’re operating at (not specific implementations) I would say that whether it is hardware-based or software-based is not relevant. Either are possible and allowed. 
>>> If hardware-based attestation is in scope, attacks are in scope.
>>> 
>> As I believe has been previously noted, the attacks you are talking about are quite specific — to “attested TLS” - I can’t say whether this is the correct document since it’s an expired draft, but there is a security considerations section of https://www.ietf.org/archive/id/draft-fossati-tls-attestation-09.html#name-security-considerations in the attested TLS document that would seem the correct place for a discussion of those attacks. 
>> 
>> In the WIMSE architecture document (the subject of this discussion) we do not refer to attested TLS at all, and it would be an implementation detail at the level of this document, so I would suggest it is out-of-scope.
>>> 
>>> If hardware-based attestation is out of scope, I don't really see why definition says WIMSE attestation is broader than RFC9334. In this case, maybe simply say it is software-based attestation.
>>> 
>> Hardware-based attestation is in-scope, but the specific type, or the mechanism by which is used (being different from the seven described RATS attestation use-cases), is not relevant for the WIMSE architecture document, in my opinion.
>> 
>> Regards, -johnk
>> 
>>> 
>>> On 16.01.26 19:54, John Kemp wrote:
>>>>> WIMSE folks seem to have settled at some definition. Looking at the current definition of attestation of WIMSE in PR [1], I have proposed a small edit there.
>>>>> 
>>>>> One nit: Definition says "Attestation in WIMSE is intentionally defined quite broadly" but I don't see what exactly is broader than RFC9334.
>>>>> 
>>>> What that specifically means to me is that the WIMSE definition is broader than the defined use-cases specifically mentioned in RFC9334.
>>> Well, I don't think that is quite right. RFC9334 never "defined" any use case. Sec. 2 says "Reference Use Cases". We don't limit remote attestation to these use cases only. The start of Sec. 2 says explicitly:
>>> 
>>> This section covers a number of representative and generic use cases for remote attestation, independent of specific solutions. The purpose is to provide motivation for various aspects of the architecture presented in this document. Many other use cases exist; this document does not contain a complete list. It only illustrates a set of use cases that collectively cover all the functionality required in the architecture.
>>> 
>>> -Usama
>>

v2.46.0 | Report a Bug | By Email | System Status