Hi,

This is an alternative approach to the example John has pointed out in [0] for high-security systems. Instead of "nested, independent tunnels" (for which I don't see any concrete specifications; if there is one, please share a pointer), it uses attestation as a second root of trust. It uses RFC9261 (more specifically Authenticator Request and Authenticators based on Exported Keying Material) to bind attestation Evidence to the underlying connection.

Formal analysis is in progress. Some open questions are in the thread [1]. We welcome any feedback.

Thanks.
-Usama

[0] https://mailarchive.ietf.org/arch/msg/tls/s67NUtFlRpZoh05x72aXTWylOaE/
[1] https://mailarchive.ietf.org/arch/msg/tls/I9UeeY9vwGl_zEzhaSKEOC4ZCKc/

-------- Forwarded Message --------
Subject: New Version Notification for draft-fossati-seat-expat-02.txt
Date: Thu, 26 Feb 2026 23:36:40 -0800
From: [email protected]
To: Tirumaleswar Reddy.K <[email protected]>, Hannes Tschofenig <[email protected]>, Ionut Mihalcea <[email protected]>, Muhammad Sardar <[email protected]>, Muhammad Usama Sardar <[email protected]>, Thomas Fossati <[email protected]>, Tirumaleswar Reddy <[email protected]>, Yaron Sheffer <[email protected]>

A new version of Internet-Draft draft-fossati-seat-expat-02.txt has been successfully submitted by Muhammad Usama Sardar and posted to the IETF repository.

Name: draft-fossati-seat-expat
Revision: 02
Title: Remote Attestation with Exported Authenticators
Date: 2026-02-27
Group: Individual Submission
Pages: 23
URL: https://www.ietf.org/archive/id/draft-fossati-seat-expat-02.txt
Status: https://datatracker.ietf.org/doc/draft-fossati-seat-expat/
HTML: https://www.ietf.org/archive/id/draft-fossati-seat-expat-02.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-fossati-seat-expat
Diff: https://author-tools.ietf.org/iddiff?url2=draft-fossati-seat-expat-02

Abstract:

This specification defines a method for two parties in a communication interaction to exchange Evidence and Attestation Results using exported authenticators, as defined in [RFC9261]. Additionally, it introduces the cmw_attestation extension, which allows attestation credentials to be included directly in the Certificate message sent during the Exported Authenticator-based post-handshake authentication. The approach supports both the passport and background check models from the RATS architecture while ensuring that attestation remains bound to the underlying communication channel.

The IETF Secretariat
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
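The channel binding the message above relies on is the RFC 9261 construction: the Handshake Context and the Finished MAC key are both derived from the connection's exporter secret, so an authenticator (Certificate, CertificateVerify, Finished) only verifies on the connection it was built for. The following is an added example, not code from the draft or its authors. It reproduces the RFC 9261 derivations (TLS-Exporter labels, the CertificateVerify to-be-signed input, the Finished MAC) over a constructed exporter master secret instead of a live TLS session, assumes a SHA-256 cipher suite, carries the attestation Evidence as an opaque placeholder field in the Certificate body (the real cmw_attestation encoding is the draft's and is not reproduced here), and replaces the certificate's asymmetric signature with a labelled symmetric stand-in so the block runs offline. The demo builds a client authenticator on connection A and shows that it verifies there and fails when replayed on connection B.

```python
"""RFC 9261 exported-authenticator binding with an attestation payload (added example)."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256            # assumption: a SHA-256 cipher suite was negotiated
HASH_LEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
        i += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1)."""
    full = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def tls_exporter(ems: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446 section 7.5) from the exporter master secret."""
    derived = hkdf_expand_label(ems, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def _handshake_context(ems: bytes, role: bytes) -> bytes:
    # RFC 9261 section 4: role is b"client" or b"server"
    return tls_exporter(ems, b"EXPORTER-" + role + b" authenticator handshake context", b"", HASH_LEN)


def _finished_key(ems: bytes, role: bytes) -> bytes:
    return tls_exporter(ems, b"EXPORTER-" + role + b" authenticator finished key", b"", HASH_LEN)


def certificate_message(request_context: bytes, cert_der: bytes, evidence: bytes) -> bytes:
    """Constructed Certificate body; the evidence field is a placeholder for the draft's extension."""
    return (bytes([len(request_context)]) + request_context
            + struct.pack("!I", len(cert_der))[1:] + cert_der
            + struct.pack("!H", len(evidence)) + evidence)


def _tbs(handshake_context: bytes, request: bytes, certificate: bytes) -> bytes:
    # RFC 9261 section 5.2: 64 spaces || "Exported Authenticator" || 0x00 || Hash(HC || request || Certificate)
    return (b"\x20" * 64 + b"Exported Authenticator" + b"\x00"
            + HASH(handshake_context + request + certificate).digest())


def build_authenticator(ems, role, request, certificate, sign):
    hc = _handshake_context(ems, role)
    cert_verify = sign(_tbs(hc, request, certificate))
    finished = hmac.new(_finished_key(ems, role),
                        HASH(hc + request + certificate + cert_verify).digest(), HASH).digest()
    return certificate, cert_verify, finished


def verify_authenticator(ems, role, request, authenticator, verify_sig) -> bool:
    """Receiver recomputes the channel-bound values; a different exporter secret breaks both checks."""
    certificate, cert_verify, finished = authenticator
    hc = _handshake_context(ems, role)
    if not verify_sig(_tbs(hc, request, certificate), cert_verify):
        return False
    expected = hmac.new(_finished_key(ems, role),
                        HASH(hc + request + certificate + cert_verify).digest(), HASH).digest()
    return hmac.compare_digest(expected, finished)


# Placeholder for the certificate key pair: a symmetric stand-in so the block runs without a TLS stack.
_PLACEHOLDER_SIGNING_KEY = b"placeholder-signing-key"


def placeholder_sign(tbs: bytes) -> bytes:
    return hmac.new(_PLACEHOLDER_SIGNING_KEY, tbs, HASH).digest()


def placeholder_verify(tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(placeholder_sign(tbs), sig)


def demo():
    """Returns (verifies on own connection, verifies when replayed on another connection)."""
    ems_a = hashlib.sha256(b"constructed exporter master secret, connection A").digest()
    ems_b = hashlib.sha256(b"constructed exporter master secret, connection B").digest()
    request = b"\x08" + b"req-ctx1"   # constructed authenticator request (certificate_request_context only)
    cert = certificate_message(b"req-ctx1", b"<der placeholder>", b"<attestation evidence placeholder>")
    auth = build_authenticator(ems_a, b"client", request, cert, placeholder_sign)
    bound = verify_authenticator(ems_a, b"client", request, auth, placeholder_verify)
    relayed = verify_authenticator(ems_b, b"client", request, auth, placeholder_verify)
    return bound, relayed


if __name__ == "__main__":
    print(demo())
```

The replay case is the property the draft's abstract calls "bound to the underlying communication channel": a relying party that receives Evidence inside an authenticator forwarded from some other TLS session cannot verify it, because its own exporter secret yields a different Handshake Context and Finished key.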
