[Teep] [Hackathon 3/3] Implementation experience: bootstrapping trust in TEEP Agent keys using attestation
Ken Takayama <ken.takayama.ietf@gmail.com> Fri, 13 March 2026 13:06 UTC
Return-Path: <ken.takayama.ietf@gmail.com>
X-Original-To: teep@mail2.ietf.org
Delivered-To: teep@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 596CCC960372 for <teep@mail2.ietf.org>; Fri, 13 Mar 2026 06:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.099
X-Spam-Level:
X-Spam-Status: No, score=-1.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UbBwZ0ZySu7A for <teep@mail2.ietf.org>; Fri, 13 Mar 2026 06:06:04 -0700 (PDT)
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8EC12C95F426 for <teep@ietf.org>; Fri, 13 Mar 2026 06:04:42 -0700 (PDT)
Received: by mail-ua1-x931.google.com with SMTP id a1e0cc1a2514c-94dd7178d63so1260575241.3 for <teep@ietf.org>; Fri, 13 Mar 2026 06:04:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773407082; cv=none; d=google.com; s=arc-20240605; b=O8aPh/Or3llEOywCXZQUKzNtgii+vGH2HxxzzcTynyfG3P4IXDkSx2+5MFL3zarpXK nr6qz6JEFWonbCUhZhONfGuFtZONCfmokIFICIlSoUxlEvgxwGIvLA0cmrkORIOALg3X nyJIGGUxshUKohv1PA/0akAZ0IAiiDmHuDVw0IfO4xtAyG9Y+qzNRIKbqOEVRahW53j3 2swZxQILxxKdqZGOHLkHWNB3FORvXLraXBTUVbb5Fwu19MzcxF2Ph15r95ZSsbcmd9Et 7FhV/go89fOy9D65j/cbiYlipX1HL8mb/SGOBWnLzWLLoJYfG38DgPBVf23JwS1D7oD+ CrTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:dkim-signature; bh=fQw9lNT8ZllCpmPGs6GsfHn7nmqJMXTexaGOZOl3QFE=; fh=vzyWBmNqFP38n5etSvFEzLYtWvluUXW2lzDgnBzcR3M=; b=A0RC9a+GQaReHz7xvh24VDVTvahkW0zy2/nSaSkO6cElx2M1EEIe/Wl48d3e5kioRP qV671F5dEoUxZ5vWyJhl53npmyHDH12qWwJKnYwP4kOwRIUasTjcr94FoY8IRpO1yU5Z /YTxOZGxnQcevvVLWqN+z9Eshn9P+OZkhK8/ntGcA/2UJ9JkWJHn2W4sGxpxQfkaG/Ik 1m+eljdQXpGSQVSsNEPpdZJgC25X8LGMI4iELBAHrDjH2ttgO5vEg0vEMHybNkOsmNKb l8gVQhehAmtzNR0KHbSi0yKyRUe3fKT6wRGhgp6+d1+ykY61Dv/Ouce7FmefQ8jJ4fTd JHpQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1773407082; x=1774011882; darn=ietf.org; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fQw9lNT8ZllCpmPGs6GsfHn7nmqJMXTexaGOZOl3QFE=; b=ehslnfYjfa3oFFdd1r9SQB54yjHQeVbkZKq3gUHhX1S5wy5po8kZErkCBPKXX4RLHZ fOGuPcRdLtzOLYw0rpDMvdcaQTZF7+66IUGOsbZg2NOn9IysyW6+z6dCzvHYIuWnHnqD E9ohRcl/SBsh+kKDKPQO3OyzKf17c25jdTyFne3EgUkGRFlR2OP1IrApuUHekgcuelqc X89gugUkA7wY5oED+nLvlbrZnre5cMs2QV2+FFYgpYtdCm/rv6qIpdSFdQbcbbAgZhvQ jUxog4hozTTO1L+mTg3y6V4KnDtzUm3lGrAZJ/aA0dJc+ZYS/ItaMDqEu7lpFsYHEFDR Wi+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773407082; x=1774011882; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=fQw9lNT8ZllCpmPGs6GsfHn7nmqJMXTexaGOZOl3QFE=; b=n0bXGcVtEEB4kWxigAxD1Up7cz2ijPxvHFHYs2KDrJRjGmlAtpGG3h0YFgFSREEn/R +68H48neIuBJo6owg51THKpNhm//r+93SNn9KHwrJ+jfSRL++QRv0ZXFe+L6+rT06yXH Yi+/AjdUSGwcAmX3S/k7lPhiz4JBdxzKToe/yrS7L+ZeKsHcgjK2qCY8cynlhIhRNbor qoCGyw1t4drvzDdL+XnEODkMdTE9Hs/O3jK4tNQ0WqJz846DfDxxK1sPjftOvkQn4ZlC zImDzVC8ab7VijSoGQdi60tSRjgaV8gtg8Z0jFtVkAhlqAXmY5j39W89DgM13vHqLPEv JASw==
X-Gm-Message-State: AOJu0Ywm9Xy4AwihyLBUlgaNwY/SjbYJ3vAlK0jBJvr+F25u4Wi1f7T/ sFzAwKqTJ+2j/dbNfjyyqzUfj9YK7QD4O1Ca2eFlUX10a2QKxlxvvUoNvamsokNaxLyro0qsiNb RtdGtx70JL1/+lImHbuiIEZvYR1utBR88Jg==
X-Gm-Gg: ATEYQzxp6d51usd+9jvHExEgPFscLdd0nH31QZFDSxc4X/GySLbzcPDfRyHlxsUvjyI KUcO1eG/N6MwlP3e3FzKrk3mseFZRAQhJ/nZyYMUYvEZ8jAwK/zt2hO6Tm7OKapP3hzbdUAsmg0 gJPvXDYtwcUhNwYyyT5ca7KI2ZLdevRT7ms8Si9P5O1Gl0k590w5yg44QYaLA6JW8HRZnSRTMz6 B0E/Y673q9oFJMspdK4NuMKegZ4dNPmrnZepX04cF6oI/U2dLHHP8PERjE39adCN47TjV/Oxvzl m07UVqI5X+vXc0VoZrB/y1k6AgTxDgGe9+adnCCzr9clE43d/mytN/TMQOgCCTusWt4=
X-Received: by 2002:ac5:c253:0:b0:56b:6adf:150b with SMTP id 71dfb90a1353d-56b6adf2f60mr281118e0c.13.1773407081829; Fri, 13 Mar 2026 06:04:41 -0700 (PDT)
MIME-Version: 1.0
From: Ken Takayama <ken.takayama.ietf@gmail.com>
Date: Fri, 13 Mar 2026 22:04:30 +0900
X-Gm-Features: AaiRm50BAL04WytiaL_5CwWZtD9kAM8G54rARdhJEykEjHnH2ecXX0wCpIj1Unk
Message-ID: <CAOZByRDboAWpEsi1Ev6B+ne5=mDd3bWgH=mGdeHStM8Cw=DWjQ@mail.gmail.com>
To: "TEEP@ietf.org" <teep@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: V6I7LTVXPKBIRIQFBDFNVCB4XZDCZBLH
X-Message-ID-Hash: V6I7LTVXPKBIRIQFBDFNVCB4XZDCZBLH
X-MailFrom: ken.takayama.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-teep.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Teep] [Hackathon 3/3] Implementation experience: bootstrapping trust in TEEP Agent keys using attestation
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/fZOhT0xiUVzq4zgfMRC99-yKGJA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Owner: <mailto:teep-owner@ietf.org>
List-Post: <mailto:teep@ietf.org>
List-Subscribe: <mailto:teep-join@ietf.org>
List-Unsubscribe: <mailto:teep-leave@ietf.org>
Dear TEEP WG, In a previous message I shared some general observations about error handling in TEEP implementations. In this message I would like to share a more specific implementation experience related to attestation-based bootstrap when TEEP Agent keys are trusted only after successful remote attestation. While this is only one possible deployment model, we found that some practical issues arise when combining TEEP-over-HTTP with remote attestation. Our TAM implementation is available at: https://github.com/kentakayama/AttesTAM Our end-to-end (TEEP Agent - TAM - Verifier) demonstration will be available at: https://github.com/s-miyazawa/teep-wasm-demo ---------------------------------------------------------------------- Background: Attestation-based bootstrap in our implementation ---------------------------------------------------------------------- In our implementation, we used the Background Check Model and performed remote attestation within the TEEP Protocol in order for **the TAM to establish trust in the TEEP Agent’s public key**. The initial bootstrap flow is summarized as follows: 0. Preparation: The TEEP Agent is provisioned with the TAM public key (or a trust anchor for the TAM certificate). The Verifier is provisioned with reference measurements including the TEEP Agent. 1. Agent start: The TEEP Agent starts inside the TEE and generates its own signing key pair inside the TEE. This key is not yet trusted by the TAM. 2. Session initiation: The TEEP Agent POSTs an empty message to the TAM over TEEP/HTTP. 3. QueryRequest from TAM: The TAM returns a signed QueryRequest with a challenge and with the attestation bit set in data-item-requested. 4. Evidence generation: The Agent verifies the QueryRequest using the TAM public key and requests the TEE to generate Evidence using an attestation key. The Evidence binds: - the TEEP Agent public key - the received challenge 5. QueryResponse from Agent: The Agent returns a signed QueryResponse containing the Evidence in the attestation-payload. 6. Verification: The TAM parses the message, sends the Evidence to the Verifier, verifies the QueryResponse signature using the attested key, checks the challenge and its freshness, and then stores the Agent public key as trusted. 7. Completion: The TAM returns an empty response (HTTP 204). This is one possible profile and does not intend to restrict other deployment models. ---------------------------------------------------------------------- Implementation note: bootstrap behavior when attestation is used ---------------------------------------------------------------------- In deployments where remote attestation is used to establish trust in the TEEP Agent public key, attestation operations may be relatively expensive both computationally and operationally. If the TAM requests attestation every time the Agent initiates a connection, Evidence generation and verification may occur more often than necessary. During implementation we experimented with the following bootstrap pattern. 1. When the Agent initiates a connection with an empty message, the TAM first returns a QueryRequest containing a token and requesting information such as the trusted component list (without requesting attestation). 2. The Agent responds with a QueryResponse containing the requested information. 3. Since the Agent public key is not yet trusted, the TAM cannot verify the response and then proceeds to send a QueryRequest requesting attestation with a challenge. This approach introduces one additional round trip during bootstrap, but it allows the TAM to avoid requesting attestation unnecessarily on every connection. This is only an example implementation pattern discovered during our implementation work and does not change the protocol semantics. Other deployment models may choose different approaches. ---------------------------------------------------------------------- Note ---------------------------------------------------------------------- In our prototype implementation the Evidence is currently generated using a simplified EAT-based format rather than a hardware-generated SGX Quote. However, the structure follows the same design pattern used in hardware attestation systems: binding the Agent public key and a freshness value (challenge/nonce) to the measured state of the TEEP Agent. Best regards, Ken
- [Teep] [Hackathon 3/3] Implementation experience:… Ken Takayama