Return-Path: X-Original-To: seat@mail2.ietf.org Delivered-To: seat@mail2.ietf.org Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 892B1A5F019D for ; Sat, 10 Jan 2026 17:17:48 -0800 (PST) X-Virus-Scanned: amavisd-new at ietf.org X-Spam-Flag: NO X-Spam-Score: -4.397 X-Spam-Level: X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kWkvunWRYHYp for ; Sat, 10 Jan 2026 17:17:47 -0800 (PST) Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A6706A5F018E for ; Sat, 10 Jan 2026 17:17:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:To:Subject:From:MIME-Version:Date :Message-ID:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=MLSN3Jjf5WUmnNIfaTiiHdIyUlh/F+R6V4ZUeVULvpA=; b=v4UE1KzYrPEqXi+QeU8RuTFACZ mzTncuiJicPmUnZLP+l93Bh3PSmYLYMNb+D+ia/Ap3bYTH3I5Wft/5cZdPUAYUHALSa613Gm65zrD maOID3zj2qIQ/2PnF3Hu/ogtdcrC2jDiUgLb/96oF5+xVmSf/9nq3/CHl3HZCBkY48UvrEhVLLhFl YwWuwbhjq5qibYQGNDW6DqBSJw7dBoQ/uMBvrTxlkH7N+fy9Th/hi3DFiD4xUgR2B4WC6USF1irh3 a7WqeswRsE5g3XZk7FXFwI2K2aX95ta33jOZU4it+8LJ+BbFzOgCy3iOav4qRcj+nIrfpXk0jmOru 8MBHH+Aw==; Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1vek5R-00D0uz-Ma; Sun, 11 Jan 2026 02:17:46 +0100 Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.35; Sun, 11 Jan 2026 02:17:42 +0100 Message-ID: <5521ffe4-4f9f-4470-93a2-644841713996@tu-dresden.de> Date: Sun, 11 Jan 2026 02:17:42 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US From: Muhammad Usama Sardar To: "seat@ietf.org" , UFMRG IRTF Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-512; boundary="------------ms070101010601050705060008" X-ClientProxiedBy: msx-t420.msx.ad.zih.tu-dresden.de (172.26.35.137) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de Message-ID-Hash: 4NAMA5O3QKAKHHF3U6WAWZUZHU2QL5BI X-Message-ID-Hash: 4NAMA5O3QKAKHHF3U6WAWZUZHU2QL5BI X-MailFrom: muhammad_usama.sardar@tu-dresden.de X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.9rc6 Precedence: list Subject: =?utf-8?q?=5BSeat=5D_Relay_Attacks_in_Intra-handshake_Attestation_for_Confid?= =?utf-8?q?ential_Agentic_AI_Systems?= List-Id: "Secure Evidence and Attestation Transport (SEAT) WG" Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --------------ms070101010601050705060008 Content-Type: multipart/alternative; boundary="------------yD5JUpm6rxy8vNTP0Gi0kBPF" --------------yD5JUpm6rxy8vNTP0Gi0kBPF Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64 SGkgU0VBVCBhbmQgVUZNUkcsDQoNCiMgKkNvbnRleHQqDQoNCldlIChpLmUuLCBJLCBEci4g VmlhY2hlc2xhdiBEdWJleWtvIFtJQk1dLCBhbmQgUHJvZi4gSmVhbi1NYXJpZSBKYWNxdWV0 IA0KW1VuaXZlcnNpdHkgb2YgTmFtdXJdKSBkaWQgYW4gZXh0ZW5zaXZlIGV4cGxvcmF0aW9u IG9mIGJpbmRpbmcgDQptZWNoYW5pc21zIGluIGludHJhLWhhbmRzaGFrZSBhdHRlc3RhdGlv biBmb3IgY29uZmlkZW50aWFsIGFnZW50aWMgQUkgDQpzeXN0ZW1zLCB0aGF0IHdhcyBwcmVz ZW50ZWQgb24gbWljIGF0IFNFQVQgbWVldGluZyAxMjQgYW5kIGxhdGVyIA0Kc3VibWl0dGVk IGFzIGEgZHJhZnQgWzBdIHdpdGggZm9jdXMgb24gQUkgYWdlbnQuIEluIGxpbmUgd2l0aCB0 aGUgc2NvcGUgDQpvZiBTRUFUIGNoYXJ0ZXIsIHdlIGFsc28gZGlkIGZvcm1hbCBhbmFseXNp cyBpbiBzdGF0ZS1vZi10aGUtYXJ0IHRvb2wgDQpQcm9WZXJpZiBhbmQgd2Ugd291bGQgbGlr ZSB0byBzaGFyZSBhIHN1bW1hcnkgb2Ygb3VyIGZpbmRpbmdzIGZyb20gb3VyIA0KZm9ybWFs IGFuYWx5c2lzIHdpdGggdGhlIGhvcGUgdGhhdCB0aGUgYW5hbHlzaXMgcHJvdmlkZXMgaW1w b3J0YW50IGRhdGEgDQpwb2ludHMgdG8gV0cgZm9yIG1ha2luZyBpbmZvcm1lZCBkZWNpc2lv bnMuDQoNCiMgKktleSBGaW5kaW5nKg0KDQovQWxsLyBhbmFseXplZCBiaW5kaW5nIG1lY2hh bmlzbXMgYW5kIGltcGxlbWVudGF0aW9ucyBhcmUgYWQtaG9jIGFuZCANCi9hbGwvIG9mIHRo ZW0gcmVzdWx0IGluIHJlbGF5IGF0dGFja3MuDQoNClBsZWFzZSBub3RlIHRoYXQgdGhpcyBp bmNsdWRlcyBNZXRhJ3MgQUkgWzFdIGZvciB3aGljaCBhIHRob3JvdWdoIA0Kc2VjdXJpdHkg YXNzZXNzbWVudCBbMl0gd2FzIGNhcnJpZWQgb3V0IGJ5IC9UcmFpbCBvZiBCaXRzLyBhbmQg dGhleSB3ZXJlIA0KdW5hYmxlIHRvIGNhcHR1cmUgdGhlIHJlbGF5IGF0dGFja3MgYnV0IGFz IGtpbmRseSBjbGFyaWZpZWQgYnkgVGphZGVuIA0KSGVzcywgbm8gZm9ybWFsIG1ldGhvZHMg d2VyZSB1c2VkIGluIHRoZWlyIHJldmlldyBwcm9jZXNzLiBPdXIgYW5hbHlzaXMgDQpzaG93 cyB0aGUgdmFsdWUgb2YgZm9ybWFsIG1ldGhvZHMgaW4gdGhlIHJldmlldyBwcm9jZXNzLg0K DQojICpGdW5kYW1lbnRhbCBJc3N1ZSoNCg0KQmFzaWNhbGx5LCB0aGVyZSBpcyBubyBiaW5k aW5nIG9mIEV2aWRlbmNlIHRvIHRoZSBUTFMgY29ubmVjdGlvbiBpbiBhbGwgDQpvZiB0aGVz ZSBpbXBsZW1lbnRhdGlvbnMuDQoNCiMgKlRFRS1hZ25vc3RpYyBTeXN0ZW0gTW9kZWwqDQoN CiAgKiBMYXllcmVkIEF0dGVzdGVyIChlLmcuLCBJbnRlbCBURFgpDQogICogQ29tcG9zaXRl IEF0dGVzdGVyIChlLmcuLCBBcm0gQ0NBKQ0KDQojICpTY29wZSBvZiBBdHRlc3RlZCBUTFMq DQoNCiAgKiBJbnRyYS1oYW5kc2hha2UgYXR0ZXN0YXRpb24NCg0KIyAqRm9ybWFsaXphdGlv biBBcHByb2FjaCoNCg0KICAqIFN5bWJvbGljIHNlY3VyaXR5IGFuYWx5c2lzDQoNCiMgKkZv cm1hbGl6YXRpb24gVG9vbCoNCg0KICAqIFByb1ZlcmlmDQoNCg0KIyAqQmluZGluZyBNZWNo YW5pc21zKg0KDQoqQSouIFdlIGNvbnNpZGVyZWQgdGhlIGZvbGxvd2luZyB2YWx1ZXMgZm9y IHVzZXItZGVmaW5lZCBmaWVsZCAicmRhdGEiIA0KaW4gVEVFcw0KDQogMS4gQ2xpZW50J3Mg VExTIG5vbmNlDQogMi4gQ2xpZW50J3MgQXR0ZXN0YXRpb24gbm9uY2UNCiAzLiBFYXJseSBl eHBvcnRlcg0KIDQuIChIYXNoIG9mKSBTZXJ2ZXIncyBwdWJsaWMga2V5DQoNCi9RdWVzdGlv biBmb3IgV0cvUkcvOiBJcyBzb21lb25lIGF3YXJlIG9mIGFueSBvdGhlciB2YWx1ZSB0aGF0 IGZvbGtzIHVzZSANCmluICJyZGF0YSI/IElmIHBvc3NpYmxlLCBwbGVhc2Ugc2hhcmUgYSBs aW5rIHRvIHNwZWNpZmljYXRpb24gYW5kL29yIA0KaW1wbGVtZW50YXRpb24gdG9nZXRoZXIu DQoNCipCKi4gQ29tYmluYXRpb25zOg0KV2UgY29uc2lkZXJlZCB0aGUgZm9sbG93aW5nIGNv bWJpbmF0aW9ucyBvZiBiaW5kaW5nIG1lY2hhbmlzbXMgZnJvbSAqQSo6DQoNCiAxLiBIYXNo IChDbGllbnQnc8KgVExTIG5vbmNlIHx8IFNlcnZlcidzIHB1YmxpYyBrZXkpDQogMi4gSGFz aCAoQ2xpZW50J3MgQXR0ZXN0YXRpb24gbm9uY2UgfHwgU2VydmVyJ3MgcHVibGljIGtleSkN Cg0KL1F1ZXN0aW9uLy9mb3IgV0cvUkcvOiBJcyBzb21lb25lIGF3YXJlIG9mIGFueSBvdGhl ciBjb21iaW5hdGlvbiB0aGF0IA0KZm9sa3MgdXNlIGluICJyZGF0YSI/IElmIHBvc3NpYmxl LCBwbGVhc2Ugc2hhcmUgYSBsaW5rIHRvIHNwZWNpZmljYXRpb24gDQphbmQvb3IgaW1wbGVt ZW50YXRpb24gdG9nZXRoZXIuDQoNCg0KIyAqUHJvbWluZW50IEluZHVzdHJpYWwgSW1wbGVt ZW50YXRpb25zKg0KDQogMS4gRWRnZWxlc3MgU3lzdGVtcyBDb250cmFzdCBbM106IHVzZXMg YmluZGluZyBtZWNoYW5pc20gKkIqLjINCiAyLiBDb2NvcyBBSSBbNF0NCiAzLiBDQ0MgcHJv b2Ytb2YtY29uY2VwdCBbNV06IEltcGxlbWVudGF0aW9uIG9mDQogICAgZHJhZnQtZm9zc2F0 aS10bHMtYXR0ZXN0YXRpb24NCiA0LiBNZXRh4oCZcyBBSSBbMV06IHVzZXMgYmluZGluZyBt ZWNoYW5pc20gKkEqLjENCg0KL1F1ZXN0aW9uLy9mb3IgV0cvUkcvOsKgSXMgc29tZW9uZSBh d2FyZSBvZiBhbnkgb3RoZXIgaW50cmEtaGFuZHNoYWtlIA0KYXR0ZXN0YXRpb24gaW1wbGVt ZW50YXRpb24/IElmIHBvc3NpYmxlLCBwbGVhc2Ugc2hhcmUgYSBsaW5rIHRvIA0Kc3BlY2lm aWNhdGlvbiBhbmQvb3IgaW1wbGVtZW50YXRpb24gdG9nZXRoZXIuDQoNCg0KIyAqQmluZGlu ZyBMZXZlbHMqDQoNCiAxLiBTaGFyZWQgREggc2VjcmV0IChnXnh5KQ0KIDIuIENsaWVudCdz IGhhbmRzaGFrZSB0cmFmZmljIGtleSAoaHRzYykNCiAzLiBDbGllbnQncyBhcHBsaWNhdGlv biB0cmFmZmljIGtleSAoYXRzYykNCg0KDQojICpDb3JyZWxhdGlvbiBQcm9wZXJ0aWVzKg0K DQogICogRzE6IENvcnJlbGF0aW9uIG9mIEV2aWRlbmNlIHRvIFNoYXJlZCBESCBTZWNyZXQN CiAgKiBHMjogQ29ycmVsYXRpb24gb2YgRXZpZGVuY2UgdG8gQ2xpZW504oCZcyBIYW5kc2hh a2UgVHJhZmZpYyBLZXkNCiAgKiBHMzogQ29ycmVsYXRpb24gb2YgRXZpZGVuY2UgdG8gQ2xp ZW504oCZcyBBcHBsaWNhdGlvbiBUcmFmZmljIEtleQ0KDQoNCiMgKlJlc3VsdHMqDQoNCldl IHByb3ZlZCB0aGUgcHJvcG9zaXRpb246IEczID0+IEcyID0+IEcxDQoNCldlIGRpc2NvdmVy ZWQgcmVsYXkgYXR0YWNrcyBpbiBhbGwgYWJvdmUgcHJvcG9zYWxzIGZvciBiaW5kaW5nIA0K bWVjaGFuaXNtcyBhcyB3ZWxsIGFzIGFsbCBpbXBsZW1lbnRhdGlvbnMgYW5hbHl6ZWQuIFdl IHByb3ZpZGUgYSBmb3JtYWwgDQpwcm9vZiBvZiBpbnNlY3VyaXR5IHRoYXQgYWxsIGFib3Zl IGJpbmRpbmcgbWVjaGFuaXNtcyBhbmQgDQppbXBsZW1lbnRhdGlvbnMgZmFpbCB0byBldmVu IGFjaGlldmUgRzEgcHJvcGVydHkgKExldmVsIDEgYmluZGluZykuDQoNCkFueSBiaW5kaW5n IHRoYXQgaW52b2x2ZXMgc2VydmVyJ3MgcHVibGljIGtleSBuZWVkcyBhZGRpdGlvbmFsIA0K YXNzdW1wdGlvbiB0aGF0IHNlcnZlcidzIHB1YmxpYyBrZXkgZG9lcyBub3QgbGVhay4NCg0K SW4gZ2VuZXJhbCwgYWxsIHNvbHV0aW9ucyBmYWlsIHdoZW4gc2VydmVyJ3MgcHVibGljIGtl eSBpcyBsZWFrZWQuIEluIA0Kb3RoZXIgd29yZHMsIGV4dGVuc2lvbiBvZiBUTFMgd2l0aCBh dHRlc3RhdGlvbiBpbiB0aGVzZSBpbXBsZW1lbnRhdGlvbnMgDQppcyBub3QgcmVhbGx5IGJy aW5naW5nIG11Y2ggYmVuZWZpdCBmcm9tIGEgc2VjdXJpdHkgcGVyc3BlY3RpdmUgYW5kIA0K cmF0aGVyIGdpdmluZyBhIGZhbHNlIHNlbnNlIG9mIHNlY3VyaXR5Lg0KDQpXZSBiZWxpZXZl IHRoYXQgaXQgaXMgbm90IHBvc3NpYmxlIHRvIGFjaGlldmUgbGV2ZWwgMyBiaW5kaW5nIGZv ciANCmludHJhLWhhbmRzaGFrZSBhdHRlc3RhdGlvbiB3aXRoaW4gdGhlIHNjb3BlIG9mIFNF QVQgY2hhcnRlci4NCg0KDQojICpJbXBsZW1lbnRhdGlvbiBJc3N1ZXMqDQoNCiAgKiBNZXRh J3MgQUkgdXNlcyBjbGllbnQncyBUTFMgbm9uY2UgKGluc3RlYWQgb2YgYXR0ZXN0YXRpb24g bm9uY2UpLA0KICAgIGFuZCBoZW5jZSBkb2VzIG5vdCBwcm92aWRlIEV2aWRlbmNlIGZyZXNo bmVzcy4NCiAgKiBDb2NvcyBBSSBhYnVzZXMgdGhlIFNOSSBleHRlbnNpb24gdG8gY29udmV5 IGF0dGVzdGF0aW9uIG5vbmNlLg0KICAqIEVkZ2VsZXNzIFN5c3RlbXMgQ29udHJhc3Qgd2Fz IGFidXNpbmcgdGhlIFNOSSBleHRlbnNpb24gdG8gY29udmV5DQogICAgYXR0ZXN0YXRpb24g bm9uY2UsIGFuZCBjdXJyZW50bHkgYWJ1c2luZyB0aGUgQUxQTiBleHRlbnNpb24gdG8NCiAg ICBjb252ZXkgYXR0ZXN0YXRpb24gbm9uY2UuDQoNCg0KIyAqUHJvcG9zZWQgTWl0aWdhdGlv bioNCg0KICAqIFdlIHByb3Bvc2UgYSBjcnlwdG9ncmFwaGljIGJpbmRlciBhbmQgbW9kaWZ5 IENlcnRpZmljYXRlVmVyaWZ5DQogICAgbWVzc2FnZSwgd2hpY2ggYWNoaWV2ZXMgbGV2ZWwg MiBiaW5kaW5nLg0KDQoNCiMgKlBhcGVyIGFuZCBBcnRpZmFjdHMqDQpBIHBhcGVyIGRyYWZ0 IGhhcyBiZWVuIHByZXBhcmVkIGFuZCBhcnRpZmFjdHMgYXJlIHdlbGwtZG9jdW1lbnRlZC4g SWYgDQp5b3UgYXJlIGludGVyZXN0ZWQgaW4gcmV2aWV3aW5nIG9uZS9ib3RoIG9mIHRoZW0g YW5kIGNhbiBwcm92aWRlIHNvbWUgDQpmZWVkYmFjayB1bnRpbCAxOXRoIEphbiwgcGxlYXNl IHJlYWNoIG91dCB0byBtZSBvZmYtbGlzdC4gSWYgc29tZW9uZSBjYW4gDQpzdWJzdGFudGlh bGx5IGltcHJvdmUgdGhlIHBhcGVyIGFuZC9vciBhcnRpZmFjdHMsIHdlIGFyZSB2ZXJ5IHdl bGNvbWluZyANCnRvIGFkZGluZyB5b3UgYXMgY28tYXV0aG9yLiBXZSB3aWxsIG1ha2UgdGhl IHBhcGVyIGFuZCBhcnRpZmFjdHMgcHVibGljIA0KbGF0ZXIgb24uDQoNCg0KIyAqQ29udHJp YnV0b3JzKg0KV2UgdGhhbmsgSnVobyBGb3Jzw6luLCBNYXJpYW0gTW91c3RhZmEsIE1hcmt1 cyBSdWR5LCBUamFkZW4gSGVzcywgWXVuaW5nIA0KSmlhbmcsIGFuZCBQYXZlbCBOaWtvbm9y b3YgZm9yIHNoYXJpbmcgdGhlaXIgaW5zaWdodHMgYW5kIHByb3ZpZGluZyANCnZhbHVhYmxl IGZlZWRiYWNrLg0KDQoNCiMgKk90aGVyIGtub3duIHJlbGF0ZWQgaW1wbGVtZW50YXRpb25z Kg0KDQogICogQXR0ZXN0ZWQgRURIT0M6IE91ciBpbnR1aXRpb24gKG5vIGZvcm1hbCBwcm9v ZiB5ZXQpIGlzIHRoYXQgdGhlDQogICAgYXR0YWNrcyBzaG91bGQgYXBwbHkgdG8gYXR0ZXN0 ZWQgRURIT0MgcHJvdG9jb2wgaW4gaW50cmEtaGFuZHNoYWtlDQogICAgYXR0ZXN0YXRpb24g WzZdIGFzIHdlbGwgLS0gYXQgbGVhc3QgZm9yIHRoZSBjYXNlIG9mIFJlc3BvbmRlciBhcw0K ICAgIEF0dGVzdGVyLiBXZSB3aWxsIHJlYWNoIG91dCB0byBMQUtFIFdHIHRvIGluZm9ybSB0 aGVtIGFib3V0IHRoZXNlDQogICAgYXR0YWNrcy4NCiAgKiBBdHRlc3RlZCBOb2lzZTogQ29u ZmVyJ3MgcHJpdmF0ZSBpbmZlcmVuY2UgWzddIHVzZXMgYmluZGluZw0KICAgIG1lY2hhbmlz bSAqQSouNCBbOF0gZm9yIE5vaXNlIHByb3RvY29sLiBUaGlzIGltcGxlbWVudGF0aW9uIHN0 YXJ0ZWQNCiAgICBqdXN0IDMgd2Vla3MgYWdvICh3aXRoIGhvbGlkYXlzIGluIGJldHdlZW4p IGFuZCBpcyBub3QgbWF0dXJlIHlldC4NCiAgICBBbnl3YXksIHdlIHdpbGwgcmVhY2ggb3V0 IHRvIHRoZSBpbXBsZW1lbnRlciAoTW94aWUgTWFybGluc3Bpa2UpIHRvDQogICAgaW5mb3Jt IGhpbSBhYm91dCB0aGVzZSBhdHRhY2tzLg0KDQoNCiMgKkZlZWRiYWNrL0lkZWFzKg0KV2Ug YmVsaWV2ZSB0aGF0IHdlIGhhdmUgZXhwbG9yZWQgYWxsIG9wdGlvbnMgaW4gaW50cmEtaGFu ZHNoYWtlIA0KYXR0ZXN0YXRpb24gd2l0aGluIHRoZSBzY29wZSBvZiBTRUFUIGNoYXJ0ZXIu IFdlIGxvb2sgZm9yd2FyZCB0byB5b3VyIA0KdGhvdWdodHMgYW5kIGlkZWFzIG9uIGhvdyB3 ZSBjYW4gbXV0dWFsbHkgcHJvZ3Jlc3MgdGhpcyB3b3JrIGZvcndhcmQuDQoNCi1Vc2FtYQ0K DQpbMF0gaHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kb2MvZHJhZnQtamlhbmctc2Vh dC1keW5hbWljLWF0dGVzdGF0aW9uLw0KDQpbMV0gDQpodHRwczovL2FpLm1ldGEuY29tL3N0 YXRpYy1yZXNvdXJjZS9wcml2YXRlLXByb2Nlc3NpbmctdGVjaG5pY2FsLXdoaXRlcGFwZXIN Cg0KWzJdIA0KaHR0cHM6Ly9naXRodWIuY29tL3RyYWlsb2ZiaXRzL3B1YmxpY2F0aW9ucy9i bG9iL21hc3Rlci9yZXZpZXdzLzIwMjUtMDgtbWV0YS13aGF0c2FwcC1wcml2YXRlcHJvY2Vz c2luZy1zZWN1cml0eXJldmlldy5wZGYNCg0KWzNdIA0KaHR0cHM6Ly9naXRodWIuY29tL0ND Qy1BdHRlc3RhdGlvbi9tZWV0aW5ncy9ibG9iL21haW4vbWF0ZXJpYWxzL01hcmt1c1J1ZHku Y29udHJhc3QtYXRscy1jY2MtYXR0ZXN0YXRpb24ucGRmDQoNCls0XSBodHRwczovL2RvY3Mu Y29jb3MudWx0cmF2aW9sZXQucnMvYXRscw0KDQpbNV0gaHR0cHM6Ly9naXRodWIuY29tL2Nj Yy1hdHRlc3RhdGlvbi9hdHRlc3RlZC10bHMtcG9jDQoNCls2XSBodHRwczovL2RhdGF0cmFj a2VyLmlldGYub3JnL2RvYy9kcmFmdC1pZXRmLWxha2UtcmEvDQoNCls3XSBodHRwczovL2Nv bmZlci50by9ibG9nLzIwMjYvMDEvcHJpdmF0ZS1pbmZlcmVuY2UvDQoNCls4XSANCmh0dHBz Oi8vZ2l0aHViLmNvbS9Db25mZXJMYWJzL2NvbmZlci1wcm94eS9ibG9iLzBmNjlmNTIyZjc1 OTdjNjU4Nzc0MTA1NWU4NmFlODAyYzEwODkxYWIvc3JjL21haW4vamF2YS9vcmcvbW94aWUv Y29uZmVyL3Byb3h5L2F0dGVzdGF0aW9uL0F0dGVzdGF0aW9uU2VydmljZS5qYXZhI0wxNDUN Cg0K --------------yD5JUpm6rxy8vNTP0Gi0kBPF Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Hi SEAT and UFMRG,

# Context

We (i.e., I, Dr. Viacheslav Dubeyko [IBM], and Prof. Jean-Marie Jacquet [University of Namur]) did an extensive exploration of binding mechanisms in intra-handshake attestation for confidential agentic AI systems, that was presented on mic at SEAT meeting 124 and later submitted as a draft [0] with focus on AI agent. In line with the scope of SEAT charter, we also did formal analysis in state-of-the-art tool ProVerif and we would like to share a summary of our findings from our formal analysis with the hope that the analysis provides important data points to WG for making informed decisions.

# Key Finding

All analyzed binding mechanisms and implementations are ad-hoc and all of them result in relay attacks.

Please note that this includes Meta's AI [1] for which a thorough security assessment [2] was carried out by Trail of Bits and they were unable to capture the relay attacks but as kindly clarified by Tjaden Hess, no formal methods were used in their review process. Our analysis shows the value of formal methods in the review process.

# Fundamental Issue

Basically, there is= no binding of Evidence to the TLS connection in all of these implementations.

# TEE-agnostic System Model
  • Layered Attester (e.g., Intel TDX)
  • Composite Attester (e.g., Arm CCA)
# Scope of Attested TLS
  • Intra-handshake attestation

# Formalization Approach

  • Symbolic security analysis

# Formalization Tool

  • ProVerif

# Binding Mechanisms

A. We considered the following values for user-defined field "rdata" in TEEs
  1. Client's TLS nonce
  2. Client's Attestation nonce
  3. Early exporter
  4. (Hash of) Server's public key

Question for WG/RG: Is someone aware of any other value that folks use in "rdata"? If possible, please share a link to specification and/or implementation together.

B. Combinations:
We considered the following combinations of binding mechanisms from A:
  1. Hash (Client's=C2=A0TLS nonce || Server's public key)
  2. Hash (Client's Attestation nonce || Server's public key)

Question for WG/RG: Is someone aware of any other combination that folks use in "rdata"? If possible, please share a link to specification and/or implementation together.


# Prominent Industrial Implementations

  1. Edgeless Systems Contrast [3]: uses binding mechanism B<= /b>.2
  2. Cocos AI [4]
  3. CCC proof-of-concept [5]: Implementation of draft-fossati-tls-attestation
  4. Meta=E2=80=99s AI [1]: uses binding mechanism A.1
Question = for WG/RG:=C2=A0Is someone aware of any other intra-handshake attestation implementation? If possible, please share a link to specification and/or implementation together.


# Binding Levels=
  1. Shared DH secret (g^xy)
  2. Client's handshake traffic key (htsc)
  3. Client's application traffic key (atsc)

# Correlation Properties
  • G1: Correlation of Evidence to Shared DH Secret
  • G2: Correlation of Evidence to Client=E2=80=99s Handshake T= raffic Key
  • G3: Correlation of Evidence to Client=E2=80=99s Application= Traffic Key

# Results

We proved the proposition: G3 =3D> G2 =3D> G1

We discovered rel= ay attacks in all above proposals for binding mechanisms as well as all implementations analyzed. We provide a formal proof of insecurity that all above binding mechanisms and implementations fail to even achieve G1 property (Level 1 binding).

Any binding that involves server's public key needs additional assumption that server's public key does not leak.

In general, all solutions fail when server's public key is leaked. In other words, extension of TLS with attestation in these implementations is not really bringing much benefit from a security perspective and rather giving a false sense of security.

We believe that i= t is not possible to achieve level 3 binding for intra-handshake attestation within the scope of SEAT charter.


# Implementati= on Issues
  • Meta's AI uses client's TLS nonce (instead of attestation nonce), and hence does not provide Evidence freshness.
  • Cocos AI abuses the SNI extension to convey attestation nonce.
  • Edgeless Systems Contrast was abusing the SNI extension to convey attestation nonce, and currently abusing the ALPN extension to convey attestation nonce.

# Proposed Mitigation
  • We propose a cryptographic binder and modify CertificateVerify message, which achieves level 2 binding.<= /li>

# Paper and Artifacts
A paper draft has b= een prepared and artifacts are well-documented. If you are interested in reviewing one/both of them and can provide some feedback until 19th Jan, please reach out to me off-list. If someone can substantially improve the paper and/or artifacts, we are very welcoming to adding you as co-author. We will make the paper and artifacts public later on.


# Contributors
We thank Juho Fors=C3= =A9n, Mariam Moustafa, Markus Rudy, Tjaden Hess, Yuning Jiang, and Pavel Nikonorov for sharing their insights and providing valuable feedback.


# Other known related implementations
  • Attested EDHOC: Our intuition (no formal proof yet) is that the attacks should apply to attested EDHOC protocol in intra-handshake attestation [6] as well -- at least for the case of Responder as Attester. We will reach out to LAKE WG to inform them about these attacks.
  • Attested Noise: Confer's private inference [7] uses binding mechanism A.4 [8] for Noise protocol. This implementation started just 3 weeks ago (with holidays in between) and is not mature yet. Anyway, we will reach out to the implementer (Moxie Marlinspike) to inform him about these attacks.

# Feedback/Ideas=
We believe that we have explored all options in intra-handshake attestation within the scope of SEAT charter. We look forward to your thoughts and ideas on how we can mutually progress this work forward.

-Usama

[0] https://datatracker.i= etf.org/doc/draft-jiang-seat-dynamic-attestation/

[1] https://ai.meta.com/static-resource/private-processing-techni= cal-whitepaper

[2] https://github.com/trailofbits/publications/blob/mas= ter/reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf

[3] https://github.com/CCC-Attes= tation/meetings/blob/main/materials/MarkusRudy.contrast-atls-ccc-attestat= ion.pdf

[4] https://docs.co= cos.ultraviolet.rs/atls

[5] = https://github.com/ccc-attestation/attested-tls-poc

[6] https://datatracker.ietf.org/doc/d= raft-ietf-lake-ra/

[7] https://confer.to/blog/2026/01/privat= e-inference/

[8] https://= github.com/ConferLabs/confer-proxy/blob/0f69f522f7597c6587741055e86ae802c= 10891ab/src/main/java/org/moxie/confer/proxy/attestation/AttestationServi= ce.java#L145

--------------yD5JUpm6rxy8vNTP0Gi0kBPF-- --------------ms070101010601050705060008 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC DlwwggbmMIIEzqADAgECAhAxAnDUNb6bJJr4VtDh4oVJMA0GCSqGSIb3DQEBDAUAMIGIMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxMLSmVyc2V5IENpdHkx HjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwGA1UEAxMlVVNFUlRydXN0IFJT QSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0yMDAyMTgwMDAwMDBaFw0zMzA1MDEyMzU5 NTlaMEYxCzAJBgNVBAYTAk5MMRkwFwYDVQQKExBHRUFOVCBWZXJlbmlnaW5nMRwwGgYDVQQD ExNHRUFOVCBQZXJzb25hbCBDQSA0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA s0riIl4nW+kEWxQENTIgFK600jFAxs1QwB6hRMqvnkphfy2Q3mKbM2otpELKlgE8/3AQPYBo 7p7yeORuPMnAuA+oMGRb2wbeSaLcZbpwXgfCvnKxmq97/kQkOFX706F9O7/h0yehHhDjUdyM yT0zMs4AMBDRrAFn/b2vR3j0BSYgoQs16oSqadM3p+d0vvH/YrRMtOhkvGpLuzL8m+LTAQWv QJ92NwCyKiHspoP4mLPJvVpEpDMnpDbRUQdftSpZzVKTNORvPrGPRLnJ0EEVCHR82LL6oz91 5WkrgeCY9ImuulBn4uVsd9ZpubCgM/EXvVBlViKqusChSsZEn7juIsGIiDyaIhhLsd3amm8B S3bgK6AxdSMROND6hiHT182Lmf8C+gRHxQG9McvG35uUvRu8v7bPZiJRaT7ZC2f50P4lTlnb LvWpXv5yv7hheO8bMXltiyLweLB+VNvg+GnfL6TW3Aq1yF1yrZAZzR4MbpjTWdEdSLKvz8+0 wCwscQ81nbDOwDt9vyZ+0eJXbRkWZiqScnwAg5/B1NUD4TrYlrI4n6zFp2pyYUOiuzP+as/A Znz63GvjFK69WODR2W/TK4D7VikEMhg18vhuRf4hxnWZOy0vhfDR/g3aJbdsGac+diahjEwz yB+UKJOCyzvecG8bZ/u/U8PsEMZg07iIPi8CAwEAAaOCAYswggGHMB8GA1UdIwQYMBaAFFN5 v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBRpAKHHIVj44MUbILAK3adRvxPZ5DAOBgNV HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAgYI KwYBBQUHAwQwOAYDVR0gBDEwLzAtBgRVHSAAMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2Vj dGlnby5jb20vQ1BTMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0LmNv bS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRq MGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FB ZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAN BgkqhkiG9w0BAQwFAAOCAgEACgVOew2PHxM5AP1v7GLGw+3tF6rjAcx43D9Hl110Q+BABABg lkrPkES/VyMZsfuds8fcDGvGE3o5UfjSno4sij0xdKut8zMazv8/4VMKPCA3EUS0tDUoL01u gDdqwlyXuYizeXyH2ICAQfXMtS+raz7mf741CZvO50OxMUMxqljeRfVPDJQJNHOYi2pxuxgj KDYx4hdZ9G2o+oLlHhu5+anMDkE8g0tffjRKn8I1D1BmrDdWR/IdbBOj6870abYvqys1qYlP otv5N5dm+XxQ8vlrvY7+kfQaAYeO3rP1DM8BGdpEqyFVa+I0rpJPhaZkeWW7cImDQFerHW9b KzBrCC815a3WrEhNpxh72ZJZNs1HYJ+29NTB6uu4NJjaMxpk+g2puNSm4b9uVjBbPO9V6sFS G+IBqE9ckX/1XjzJtY8Grqoo4SiRb6zcHhp3mxj3oqWi8SKNohAOKnUc7RIP6ss1hqIFyv0x XZor4N9tnzD0Fo0JDIURjDPEgo5WTdti/MdGTmKFQNqxyZuT9uSI2Xvhz8p+4pCYkiZqpahZ lHqMFxdw9XRZQgrP+cgtOkWEaiNkRBbvtvLdp7MCL2OsQhQEdEbUvDM9slzZXdI7NjJokVBq 3O4pls3VD2z3L/bHVBe0rBERjyM2C/HSIh84rfmAqBgklzIOqXhd+4RzadUwggduMIIFVqAD AgECAhA/YCOTOabjcS/HTP8f2MRxMA0GCSqGSIb3DQEBDAUAMEYxCzAJBgNVBAYTAk5MMRkw FwYDVQQKExBHRUFOVCBWZXJlbmlnaW5nMRwwGgYDVQQDExNHRUFOVCBQZXJzb25hbCBDQSA0 MB4XDTI0MTExOTAwMDAwMFoXDTI2MTExOTIzNTk1OVowgdoxCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdTYWNoc2VuMSgwJgYDVQQKEx9UZWNobmlzY2hlIFVuaXZlcnNpdGFldCBEcmVzZGVu MREwDwYDVQRhEwhHT1ZERStTTjEyMDAGCSqGSIb3DQEJARYjbXVoYW1tYWRfdXNhbWEuc2Fy ZGFyQHR1LWRyZXNkZW4uZGUxDzANBgNVBAQTBlNhcmRhcjEXMBUGA1UEKhMOTXVoYW1tYWQg VXNhbWExHjAcBgNVBAMTFU11aGFtbWFkIFVzYW1hIFNhcmRhcjCCAiIwDQYJKoZIhvcNAQEB BQADggIPADCCAgoCggIBAKhTeUVDqbjfDFmkVrgQMFC3S4O0vjW9zjlrkD8FrZ2ipCLuiNE2 XHibuTw57N2lrcWMRqjw/Tv7WqpasIHjIlvE5SJ+VuOzu5P0xLqfroT4MSlKIq1LyXkL1u09 A9EuCUxhf4Uc3Ir17VYzjS7meqv4+4yoVhnL9zepze8f0FG3EJmGJlBSJ8sD6dVxGQkDLWMf NNt/I8wkaQSFkzvd+KppPOjc4t4JtQWIHKPMKS3lbXv8RLO1jaPO9Fdfg4D/dq5I8fsnfg6y gmCL+nTsHWAXqgX8vcDVG5tz5ONzHgODtItrQWO+m4d8W16JWCbMMCFIqscZ5weRfS5dSFZk sptipqIm5tzUL3y2/VOFCiL/tofo7yA1bHnFXUGm2LkJVNx6pDZFh1G9OYPqmrjjSxL9E/ed xQ1lIe3GmBJGBUFldlP8STm3WapaatgNcuQ6HXX1HexWF14NBIguNajgOR17JxX0JS4t9o5f 3Po+Nqa/Als1Mm9Q6PACcVRhm7yH4vj3UqGcjAps6YM/HDkNoA2qsHmqZ/ya15eIORADN+ZQ O7hJYBH5TJprVdGXL7aTLNJh6xEn5V9TFcsT017ocQ5bJteN6caUay/0zPenwtabuSLR6y7e gmx8gTF4oPDUlgkaNcKAmkyzwM+IzPNIJvyxq/NI1pQRyTGUQJYyExO7AgMBAAGjggHBMIIB vTAfBgNVHSMEGDAWgBRpAKHHIVj44MUbILAK3adRvxPZ5DAdBgNVHQ4EFgQU4R79RPVSVexS +el1ZxCchmYs1akwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI KwYBBQUHAwQGCCsGAQUFBwMCMFAGA1UdIARJMEcwOgYMKwYBBAGyMQECAQoEMCowKAYIKwYB BQUHAgEWHGh0dHBzOi8vc2VjdGlnby5jb20vU01JTUVDUFMwCQYHZ4EMAQUDAjBCBgNVHR8E OzA5MDegNaAzhjFodHRwOi8vR0VBTlQuY3JsLnNlY3RpZ28uY29tL0dFQU5UUGVyc29uYWxD QTQuY3JsMHgGCCsGAQUFBwEBBGwwajA9BggrBgEFBQcwAoYxaHR0cDovL0dFQU5ULmNydC5z ZWN0aWdvLmNvbS9HRUFOVFBlcnNvbmFsQ0E0LmNydDApBggrBgEFBQcwAYYdaHR0cDovL0dF QU5ULm9jc3Auc2VjdGlnby5jb20wLgYDVR0RBCcwJYEjbXVoYW1tYWRfdXNhbWEuc2FyZGFy QHR1LWRyZXNkZW4uZGUwDQYJKoZIhvcNAQEMBQADggIBAIxymCHDahevSfae44bVKxAKDRLh ZVraNygdRQ2RQOkz8v8b/cl5yuWR/l3yMpIrwiDWT37UQibNuoPxaZeRBjDh8ItcUP51sOAV 7zd3GwfyUJNYKmgd6LjfE8+mkXrVU2JffVjRUgiyy7eBTzvTz5PFUQh2oqWfTh/Oz3pFXV+/ 0K3eP+fNkr0gljmEZi/h0ici5cJ+Q9J/Zx6Vg9ke2qb6PIh+zeb5oL40i7FR875NX/WGKMib ojTopS5xPbo0KmN64FqgasfJW03t0wyTtcYOap6tw2RcfVpjfsXQqEfjdjyrNHH6l/TDxUoL cNlu0zkYHMYmJ6MJ6VwaHWB5hou9N0WWrcQotsfkpf7lGZSlum9jG5/uB+d3FLK00QM99XN7 RhLbLOKKuw2Xri3MEcN/LvIRDIHef4uoONAI+4bOW+1wFmGwqpHYxA/JoUXoRjojuAon8lCF uVf3tFAkQ/V8zuPxCX36gEOsyQuK3IAeS8R8qhV5Cc+dcYDKid61AluluBcUSxfKxmoK19Mm f39FTD+bJpBCiEAdJuZfP6TD0dtBVcgJ4dBLZ4H13WBeVZRDXcxghYJcNWFHPa/qi20jmuUs CvcD4z2+LBFnVrwhOeBefYjm6zy7+9IbuomR11B4+AnLkjzTBZxcX17UMWyqVe4hZN2CsVS0 7doWTJJYMYIEWDCCBFQCAQEwWjBGMQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVy ZW5pZ2luZzEcMBoGA1UEAxMTR0VBTlQgUGVyc29uYWwgQ0EgNAIQP2Ajkzmm43Evx0z/H9jE cTANBglghkgBZQMEAgMFAKCCAc8wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG 9w0BCQUxDxcNMjYwMTExMDExNzQyWjBPBgkqhkiG9w0BCQQxQgRAlPoe4AI8ckUy0CFi3ixi gT42Onab/SeESuXX4vZLItTGcMk28tGRY19MwE3LS1Zf/rWjxhT9fxruKLhzFXT1yzBpBgkr BgEEAYI3EAQxXDBaMEYxCzAJBgNVBAYTAk5MMRkwFwYDVQQKExBHRUFOVCBWZXJlbmlnaW5n MRwwGgYDVQQDExNHRUFOVCBQZXJzb25hbCBDQSA0AhA/YCOTOabjcS/HTP8f2MRxMGsGCyqG SIb3DQEJEAILMVygWjBGMQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVyZW5pZ2lu ZzEcMBoGA1UEAxMTR0VBTlQgUGVyc29uYWwgQ0EgNAIQP2Ajkzmm43Evx0z/H9jEcTBsBgkq hkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYI KoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0G CSqGSIb3DQEBAQUABIICAIU7YT67mlqd1Lh2Yx7UZIGgDgn2VYOPTWOXwITQQ93HK0ffAuuE 00jemjhjxAOgzE6Tl3kWpVek/Zi7jo3ov94K/9zUaq2oTw/AVYoKnlUN5fOCNsu3lPYQXoB0 kc9y9Ts7bbkeL3uXzXalOYt6S5jMPs8soW/0Ub4MYl5SYlMPfe9VjjiOeBcGIijFizSMe1EE ySYXZ76lADUYc/6GFhbRbm+L/I9sX33qBwSkaUMNdQ9s7ftB4zFo+x/U0ic0sG0V03FIIS3M O61/pPzVD8dTMNuVEOD2Zlp7Amjn3aAtl2xJ3xOMxyjeDZtITpfOwJBEKSShAqQASLPR+V8L Ey5QGa6JVI7I3lcDBjIdrXKIqK+ycPz10hYRUQNdvbMj1+rDfkr30IQsiU8cd2BZV3DLZGk0 0/i5Oh4YIiRmmM54vEkjEcOqm1TaFaiF2IlTE/GROrne6tcgiXGKjDCBZOIwJI34eE1jgUXz IKzYK/bKBMo09lyShljN1vcWF71Y+Dgb7TIxF3UiIJNkU9GZSbfF2gXKCjmOfDuKOMKa9z9I 5dh/aMJ26qZy7XZ02w1/telI/geTMeswaVvvHrWw7QLTBmRs7I5zvvlnFEd/y75CWjskDd2G 2Ip6+4tcmgSojJNDglelb0NtmG5j9GD44XuenUAblld70nG+92J73nbGAAAAAAAA --------------ms070101010601050705060008--