Hi Usama,
The title of this email is quite alarming to me ("identity crisis") and
yet I'm not able to understand what the actual issue is other than
someone wishing to replace public-key authentication with "attestation".
Personally, I wouldn't do that.
Although TLS PKI authentication involves a kind of attestation itself (I
have to trust a CA installed in my trust store, and possibly some
intermediate CAs too, that have blessed the authenticated key) and only
good faith and good practices prevent a private key being copied all
over the place and violating the attestation, I agree with anyone who is
saying that providing attested measurements of a TEE is not the same
thing as attesting a key within a PKI. They are complementary.
Where is the "identity crisis" exactly?
Cheers, John
On 03/06/25 at 04:14, Muhammad Usama Sardar wrote:
(Note for TLS WG only: announcing with approval of chairs [0])
Hi all,
*TL;DR*: There will be a couple of /public side meetings/ on attested
TLS. For organizational purposes (e.g., to ask for a bigger room
[current room capacity: 20]), if you are interested in presenting or
attending /in-person/, please drop me a short email. Since some of the
attested TLS team members will be remote (and in Europe), we have
selected a time slot suitable for them. But if you are really interested
and this time does not work for you, please let me know and we will seek
alternatives. Also see call for presentations below.
Date: 17th March (Monday) and 19th March (Wednesday)
Time: Both meetings at 15:00 - 17:00
Room: Meeting Room 3
Relevant for:
* *RATS*: Design space to inject remote attestation into transport
protocols; and related security considerations
* *TLS*: Extension of TLS with remote attestation
* *WIMSE*: Identity crisis in confidential computing
No prior knowledge is assumed but knowledge of TLS will be helpful.
The current agenda is based on joint works with Arto Niemi, Hannes
Tschofenig, Thomas Fossati, Simon Frost, Ned Smith, Mariam Moustafa,
Tuomas Aura, Yaron Sheffer, Ionut Mihalcea and Jean-Marie Jacquet.
*Draft agenda for first side meeting*:
The first side meeting aims to bring everyone on the same page for
discussion of the open questions in the second side meeting. We plan to
cover the following topics (subject to changes dependent on the interest
and background of attendees):
* Network Security (TLS: RFC8446bis [1])
o Without client authentication
o With client authentication
* Endpoint Security (Remote Attestation (RA): including RFC9334 and
RFC9683)
o Disambiguate attestation and authentication
* Attested TLS (RA || TLS) including [4] and [5]
o Design Options
+ Pre-handshake attestation
+ Intra-handshake attestation
+ Post-handshake attestation
o Protocols
+ Server as Attester
+ Client as Attester
*Draft agenda and call for presentations for second side meeting*:
* Technical details of impersonation attacks [6]
o Attack 1 in [6]
o Attack 2 in [6]
* Proposed solution (Recommendation [6])
* Discussion of open questions [6]
* Other relevant open questions
We aim to scope the side meetings to Confidential Computing and welcome
presentations around the theme of attacks mentioned here [6] within this
scope. If interested, please send me your topic and time estimate by
10th March.
Additional readings:
* Attested TLS [7]
* Attestation in Arm CCA and Intel TDX [8]
We look forward to your perspectives and discussions during the side
meetings!
Kind regards,
Usama
[0] https://mailarchive.ietf.org/arch/msg/tls/RHyArzvEJHimDi49b2bboPAUW_c/
[1] https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8446bis/
[2] https://datatracker.ietf.org/doc/rfc9334/
[3] https://datatracker.ietf.org/doc/rfc9683/
[4] https://datatracker.ietf.org/doc/draft-fossati-tls-attestation/
[5] https://datatracker.ietf.org/doc/draft-fossati-tls-exported-attestation/
[6] https://mailarchive.ietf.org/arch/msg/tls/Jx_yPoYWMIKaqXmPsytKZBDq23o/
[7] https://ieeexplore.ieee.org/document/10752524
[8] https://ieeexplore.ieee.org/document/10373038
--
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudo...@gmail.com
https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj
_______________________________________________
TLS mailing list -- tls@ietf.org