| < draft-ietf-rats-architecture-03.txt | draft-ietf-rats-architecture-04.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 16 ¶ | skipping to change at page 1, line 16 ¶ | |||
| Expires: 22 November 2020 Microsoft | Expires: 22 November 2020 Microsoft | |||
| M. Richardson | M. Richardson | |||
| Sandelman Software Works | Sandelman Software Works | |||
| N. Smith | N. Smith | |||
| Intel | Intel | |||
| W. Pan | W. Pan | |||
| Huawei Technologies | Huawei Technologies | |||
| 21 May 2020 | 21 May 2020 | |||
| Remote Attestation Procedures Architecture | Remote Attestation Procedures Architecture | |||
| draft-ietf-rats-architecture-03 | draft-ietf-rats-architecture-04 | |||
| Abstract | Abstract | |||
| In network protocol exchanges, it is often the case that one entity | In network protocol exchanges, it is often the case that one entity | |||
| (a Relying Party) requires evidence about a remote peer to assess the | (a Relying Party) requires evidence about a remote peer to assess the | |||
| peer's trustworthiness, and a way to appraise such evidence. The | peer's trustworthiness, and a way to appraise such evidence. The | |||
| evidence is typically a set of claims about its software and hardware | evidence is typically a set of claims about its software and hardware | |||
| platform. This document describes an architecture for such remote | platform. This document describes an architecture for such remote | |||
| attestation procedures (RATS). | attestation procedures (RATS). | |||
| skipping to change at page 2, line 32 ¶ | skipping to change at page 2, line 32 ¶ | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Reference Use Cases . . . . . . . . . . . . . . . . . . . . . 5 | 3. Reference Use Cases . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Network Endpoint Assessment . . . . . . . . . . . . . . . 5 | 3.1. Network Endpoint Assessment . . . . . . . . . . . . . . . 5 | |||
| 3.2. Confidential Machine Learning (ML) Model Protection . . . 5 | 3.2. Confidential Machine Learning (ML) Model Protection . . . 6 | |||
| 3.3. Confidential Data Retrieval . . . . . . . . . . . . . . . 6 | 3.3. Confidential Data Retrieval . . . . . . . . . . . . . . . 6 | |||
| 3.4. Critical Infrastructure Control . . . . . . . . . . . . . 6 | 3.4. Critical Infrastructure Control . . . . . . . . . . . . . 6 | |||
| 3.5. Trusted Execution Environment (TEE) Provisioning . . . . 7 | 3.5. Trusted Execution Environment (TEE) Provisioning . . . . 7 | |||
| 3.6. Hardware Watchdog . . . . . . . . . . . . . . . . . . . . 7 | 3.6. Hardware Watchdog . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. Architectural Overview . . . . . . . . . . . . . . . . . . . 7 | 4. Architectural Overview . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Appraisal Policies . . . . . . . . . . . . . . . . . . . 9 | 4.1. Appraisal Policies . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.2. Two Types of Environments of an Attester . . . . . . . . 9 | 4.2. Two Types of Environments of an Attester . . . . . . . . 9 | |||
| 4.3. Layered Attestation Environments . . . . . . . . . . . . 10 | 4.3. Layered Attestation Environments . . . . . . . . . . . . 10 | |||
| 4.4. Composite Device . . . . . . . . . . . . . . . . . . . . 12 | 4.4. Composite Device . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5. Topological Models . . . . . . . . . . . . . . . . . . . . . 14 | 5. Topological Models . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.1. Passport Model . . . . . . . . . . . . . . . . . . . . . 15 | 5.1. Passport Model . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.2. Background-Check Model . . . . . . . . . . . . . . . . . 16 | 5.2. Background-Check Model . . . . . . . . . . . . . . . . . 16 | |||
| 5.3. Combinations . . . . . . . . . . . . . . . . . . . . . . 17 | 5.3. Combinations . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 6. Roles and Entities . . . . . . . . . . . . . . . . . . . . . 18 | 6. Roles and Entities . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. Role Hosting and Composition . . . . . . . . . . . . . . . . 19 | 7. Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 8. Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 8. Conceptual Messages . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 9. Conceptual Messages . . . . . . . . . . . . . . . . . . . . . 21 | 8.1. Evidence . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 9.1. Evidence . . . . . . . . . . . . . . . . . . . . . . . . 21 | 8.2. Endorsements . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 9.2. Endorsements . . . . . . . . . . . . . . . . . . . . . . 21 | 8.3. Attestation Results . . . . . . . . . . . . . . . . . . . 22 | |||
| 9.3. Attestation Results . . . . . . . . . . . . . . . . . . . 22 | 9. Claims Encoding Formats . . . . . . . . . . . . . . . . . . . 22 | |||
| 10. Freshness . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| 10. Claims Encoding Formats . . . . . . . . . . . . . . . . . . . 23 | 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25 | |||
| 11. Freshness . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 12. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | |||
| 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25 | 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 | 16. Appendix A: Time Considerations . . . . . . . . . . . . . . . 27 | |||
| 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 27 | 16.1. Example 1: Timestamp-based Passport Model Example . . . 29 | |||
| 17. Appendix A: Time Considerations . . . . . . . . . . . . . . . 27 | 16.2. Example 2: Nonce-based Passport Model Example . . . . . 30 | |||
| 17.1. Example 1: Timestamp-based Passport Model Example . . . 29 | 16.3. Example 3: Timestamp-based Background-Check Model | |||
| 17.2. Example 2: Nonce-based Passport Model Example . . . . . 30 | ||||
| 17.3. Example 3: Timestamp-based Background-Check Model | ||||
| Example . . . . . . . . . . . . . . . . . . . . . . . . 31 | Example . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 17.4. Example 4: Nonce-based Background-Check Model Example . 31 | 16.4. Example 4: Nonce-based Background-Check Model Example . 31 | |||
| 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 | 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 18.1. Normative References . . . . . . . . . . . . . . . . . . 32 | 17.1. Normative References . . . . . . . . . . . . . . . . . . 32 | |||
| 18.2. Informative References . . . . . . . . . . . . . . . . . 32 | 17.2. Informative References . . . . . . . . . . . . . . . . . 32 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 1. Introduction | 1. Introduction | |||
| In Remote Attestation Procedures (RATS), one peer (the "Attester") | In Remote Attestation Procedures (RATS), one peer (the "Attester") | |||
| produces believable information about itself - Evidence - to enable a | produces believable information about itself - Evidence - to enable a | |||
| remote peer (the "Relying Party") to decide whether to consider that | remote peer (the "Relying Party") to decide whether to consider that | |||
| Attester a trustworthy peer or not. RATS are facilitated by an | Attester a trustworthy peer or not. RATS are facilitated by an | |||
| additional vital party, the Verifier. | additional vital party, the Verifier. | |||
| This documents defines a flexible architecture consisting of | The Verifier appraises Evidence via Appraisal Policies and creates | |||
| attestation roles and their interactions via conceptual messages. | the Attestation Results to support Relying Parties in their decision | |||
| Additionally, this document defines a universal set of terms that can | process. | |||
| be mapped to various existing and emerging Remote Attestation | ||||
| Procedures. Common topological models and the data flows associated | This documents defines a flexible architecture with corresponding | |||
| with them, such as the "Passport Model" and the "Background-Check | roles and their interaction via conceptual messages. Additionally, | |||
| Model" are illustrated. The purpose is to enable readers to map | this document defines a universal set of terms that can be mapped to | |||
| their solution architecture to the canonical attestation architecture | various existing and emerging Remote Attestation Procedures. Common | |||
| provided here and to define useful terminology for attestation. | topological models and the data flows associated with them, such as | |||
| Having a common terminology that provides well-understood meanings | the "Passport Model" and the "Background-Check Model" are | |||
| for common themes such as, roles, device composition, topological | illustrated. The purpose is to enable readers of this document to | |||
| models and appraisal is vital for semantic interoperability across | map their current and emerging solutions to the architecture provided | |||
| solutions and platforms involving multiple vendors and providers. | and the corresponding terminology defined. | |||
| A common terminology that provides a well-understood semantic meaning | ||||
| to the concepts, roles, and models in this document is vital to | ||||
| create semantic interoperability between solutions and across | ||||
| different platforms. | ||||
| Amongst other things, this document is about trust and | Amongst other things, this document is about trust and | |||
| trustworthiness. Trust is a decision being made. Trustworthiness is | trustworthiness. Trust is a decision being made. Trustworthiness is | |||
| a quality that is assessed via evidence created. This is a subtle | a quality that is assessed via evidence created. This is a subtle | |||
| difference and being familiar with the difference is crucial for | difference and being familiar with the difference is crucial for | |||
| using this document. Additionally, the concepts of freshness and | using this document. Additionally, the concepts of freshness and | |||
| trust relationships with respect to RATS are elaborated on to enable | trust relationships with respect to RATS are elaborated on to enable | |||
| implementers in order to choose appropriate solutions to compose | implementers in order to choose appropriate solutions to compose | |||
| their Remote Attestation Procedures. | their Remote Attestation Procedures. | |||
| skipping to change at page 4, line 20 ¶ | skipping to change at page 4, line 24 ¶ | |||
| Verifier evaluates the validity of information about an Attester. | Verifier evaluates the validity of information about an Attester. | |||
| Compare /security policy/ in [RFC4949] | Compare /security policy/ in [RFC4949] | |||
| Appraisal Policy for Attestation Result: A set of rules that direct | Appraisal Policy for Attestation Result: A set of rules that direct | |||
| how a Relying Party uses the Attestation Results regarding an | how a Relying Party uses the Attestation Results regarding an | |||
| Attester generated by the Verifiers. Compare /security policy/ in | Attester generated by the Verifiers. Compare /security policy/ in | |||
| [RFC4949] | [RFC4949] | |||
| Attestation Result: The output generated by a Verifier, typically | Attestation Result: The output generated by a Verifier, typically | |||
| including information about an Attester, where the Verifier | including information about an Attester, where the Verifier | |||
| vouches for the validity of the Evidence it has appraised | vouches for the validity of the results | |||
| Attester: An entity (typically a device), whose Evidence must be | Attester: An entity whose attributes must be appraised in order to | |||
| appraised in order to infer the extent to which the Attester is | determine whether the entity is considered trustworthy, such as | |||
| considered trustworthy, such as when deciding whether it is | when deciding whether the entity is authorized to perform some | |||
| authorized to perform some operation | operation | |||
| Claim: A piece of asserted information, often in the form of a name/ | Claim: A piece of asserted information, often in the form of a name/ | |||
| value pair. (Compare /claim/ in [RFC7519]) | value pair. (Compare /claim/ in [RFC7519]) | |||
| Endorsement: Statements that Endorsers make (typically a | Endorsement: A secure statement that some entity (typically a | |||
| manufacturer) that vouches for the design and implementation of | manufacturer) vouches for the integrity of an Attester's signing | |||
| the Attester. Often this includes statements about the integrity | capability | |||
| of an Attester's signing capability | ||||
| Endorser: An entity (typically a manufacturer) whose Endorsements | Endorser: An entity that creates Endorsements that can be used to | |||
| help Verifiers appraise the authenticity of Evidence | help to appraise the trustworthiness of Attesters | |||
| Evidence: A set of information that asserts the trustworthiness | Evidence: A set of information about an Attester that is to be | |||
| status of an Attester, that is appraised by a Verifier | appraised by a Verifier | |||
| Relying Party: An entity, that depends on the validity of | Relying Party: An entity that depends on the validity of information | |||
| information about an Attester, for purposes of reliably applying | about another entity, typically for purposes of authorization. | |||
| application specific actions. Compare /relying party/ in | Compare /relying party/ in [RFC4949] | |||
| [RFC4949] | ||||
| Relying Party Owner: An entity (typically an administrator), that is | Relying Party Owner: An entity, such as an administrator, that is | |||
| authorized to configure Appraisal Policy for Attestation Results | authorized to configure Appraisal Policy for Attestation Results | |||
| in a Relying Party | in a Relying Party. | |||
| Verifier: An entity (typically a service), that appraises the | Verifier: An entity that appraises the validity of Evidence about an | |||
| validity of Evidence about an Attester and produces Attestation | Attester | |||
| Results to be used by a Relying Party | ||||
| Verifier Owner: An entity (typically an administrator), that is | Verifier Owner: An entity, such as an administrator, that is | |||
| authorized to configure Appraisal Policy for Evidence in a | authorized to configure Appraisal Policy for Evidence in a | |||
| Verifier | Verifier | |||
| 3. Reference Use Cases | 3. Reference Use Cases | |||
| This section covers a number of representative use cases for remote | This section covers a number of representative use cases for remote | |||
| attestation, independent of specific solutions. The purpose is to | attestation, independent of specific solutions. The purpose is to | |||
| provide motivation for various aspects of the architecture presented | provide motivation for various aspects of the architecture presented | |||
| in this draft. Many other use cases exist, and this document does | in this draft. Many other use cases exist, and this document does | |||
| not intend to have a complete list, only to have a set of use cases | not intend to have a complete list, only to have a set of use cases | |||
| skipping to change at page 14, line 38 ¶ | skipping to change at page 14, line 38 ¶ | |||
| '------------------------------------------------------------------' | '------------------------------------------------------------------' | |||
| Figure 4: Conceptual Data Flow for a Composite Device | Figure 4: Conceptual Data Flow for a Composite Device | |||
| In the Composite Device, each Attester generates its own Evidence by | In the Composite Device, each Attester generates its own Evidence by | |||
| its Attesting Environment(s) collecting the claims from its Target | its Attesting Environment(s) collecting the claims from its Target | |||
| Environment(s). The lead Attester collects the Evidence of all other | Environment(s). The lead Attester collects the Evidence of all other | |||
| Attesters and then generates the Evidence of the whole Composite | Attesters and then generates the Evidence of the whole Composite | |||
| Attester. | Attester. | |||
| An entity can take on multiple RATS roles (e.g., Attester, Verifier, | ||||
| Relying Party, etc.) at the same time. The combination of roles can | ||||
| be arbitrary. For example, in this Composite Device scenario, the | ||||
| entity inside the lead Attester can also take on the role of a | ||||
| Verifier, and the outside entity of Verifier can take on the role of | ||||
| a Relying Party. After collecting the Evidence of other Attesters, | ||||
| this inside Verifier verifies them using Endorsements and Appraisal | ||||
| Policies (obtained the same way as any other Verifier), to generate | ||||
| Attestation Results. The inside Verifier then conveys the | ||||
| Attestation Results of other Attesters, whether in the same | ||||
| conveyance protocol as the Evidence or not, to the outside Verifier. | ||||
| In this situation, the trust model described in Section 7 is also | ||||
| suitable for this inside Verifier. | ||||
| 5. Topological Models | 5. Topological Models | |||
| Figure 1 shows a basic model for communication between an Attester, a | Figure 1 shows a basic model for communication between an Attester, a | |||
| Verifier, and a Relying Party. The Attester conveys its Evidence to | Verifier, and a Relying Party. The Attester conveys its Evidence to | |||
| the Verifier for appraisal, and the Relying Party gets the | the Verifier for appraisal, and the Relying Party gets the | |||
| Attestation Results from the Verifier. There are multiple other | Attestation Results from the Verifier. There are multiple other | |||
| possible models. This section includes some reference models, but | possible models. This section includes some reference models, but | |||
| this is not intended to be a restrictive list, and other variations | this is not intended to be a restrictive list, and other variations | |||
| may exist. | may exist. | |||
| skipping to change at page 18, line 33 ¶ | skipping to change at page 18, line 42 ¶ | |||
| +----------+ +----------+ | +----------+ +----------+ | |||
| | |-------------->| | Compare Attestation | | |-------------->| | Compare Attestation | |||
| | Attester | Attestation | Relying | Result against | | Attester | Attestation | Relying | Result against | |||
| | | Result | Party 1 | Appraisal Policy | | | Result | Party 1 | Appraisal Policy | |||
| +----------+ +----------+ | +----------+ +----------+ | |||
| Figure 7: Example Combination | Figure 7: Example Combination | |||
| 6. Roles and Entities | 6. Roles and Entities | |||
| HENK VERSION | ||||
| An entity in the RATS architecture includes at least one of the roles | An entity in the RATS architecture includes at least one of the roles | |||
| defined in this document. As a result, the entity can participate as | defined in this document. As a result, the entity can participate as | |||
| a constituent of the RATS architecture. Additionally, an entity can | a constituent of the RATS architecture. Additionally, an entity can | |||
| aggregate more than one role into itself. These collapsed roles | aggregate more than one role into itself. These collapsed roles | |||
| combine the duties of multiple roles. In these cases, interaction | combine the duties of multiple roles. In these cases, interaction | |||
| between these roles do not necessarily use the Internet Protocol. | between these roles do not necessarily use the Internet Protocol. | |||
| They can be using a loopback device or other IP-based communication | They can be using a loopback device or other IP-based communication | |||
| between separate environments, but they do not have to. Alternative | between separate environments, but they do not have to. Alternative | |||
| channels to convey conceptual messages include function calls, | channels to convey conceptual messages include function calls, | |||
| sockets, GPIO interfaces, local busses, or hypervisor calls. This | sockets, GPIO interfaces, local busses, or hypervisor calls. This | |||
| skipping to change at page 19, line 13 ¶ | skipping to change at page 19, line 20 ¶ | |||
| As a system bus entity, a Verifier consumes Evidence from other | As a system bus entity, a Verifier consumes Evidence from other | |||
| devices connected to the system bus that implement Attester roles. | devices connected to the system bus that implement Attester roles. | |||
| As a wide-area network connected entity, it may implement an Attester | As a wide-area network connected entity, it may implement an Attester | |||
| role. The entity, as a system bus Verifier, may choose to fully | role. The entity, as a system bus Verifier, may choose to fully | |||
| isolate its role as a wide-area network Attester. | isolate its role as a wide-area network Attester. | |||
| In essence, an entity that combines more than one role also creates | In essence, an entity that combines more than one role also creates | |||
| and consumes the corresponding conceptual messages as defined in this | and consumes the corresponding conceptual messages as defined in this | |||
| document. | document. | |||
| 7. Role Hosting and Composition | 7. Trust Model | |||
| NED VERSION | ||||
| The RATS architecture includes the definition of Roles (e.g. | ||||
| Attester, Verifier, Relying Party, Endorser) and conceptual messages | ||||
| (e.g., Evidence, Attestation Results, Endorsements, Appraisal | ||||
| Policies) that captures canonical attestation behaviors, that are | ||||
| common to a broad range of attestation-enabled systems. An entity | ||||
| that combines multiple Roles produces and consumes the associated | ||||
| Role Messages. | ||||
| The RATS architecture is not prescriptive about deployment | ||||
| configuration options of attestation-enabled systems, therefore the | ||||
| various Roles can be hosted on any participating entity. This | ||||
| implies, for a given entity, that multiple Roles could be co-resident | ||||
| so that the duties of multiple roles could be performed | ||||
| simultaneously. Nevertheless, the semantics of which Role Messages | ||||
| are inputs and outputs to a Role entity remains constant. As a | ||||
| result, the entity can participate as a constituent of the RATS | ||||
| architecture while flexibly accommodating the needs of various | ||||
| deployment architectures. | ||||
| Interactions between Roles do not necessarily require use of Internet | ||||
| protocols. They could, for example, use inter-process communication, | ||||
| local system buses, shared memory, hypervisors, IP-loopback devices | ||||
| or any communication path between the various environments that may | ||||
| exist on the entity that combines multiple Roles. | ||||
| The movement of Role Messages between locally hosted Roles is | ||||
| referred to as "local conveyance". Most importantly, the definition | ||||
| of local conveyance methods is out-of-scope for the RATS | ||||
| architecture. | ||||
| The following paragraph elaborates on an exemplary usage scenario: | ||||
| In a Composite Device scenario, in addition to local entities that | ||||
| host the lead Attester and other subordinate Attesters, the Composite | ||||
| Device can host the Verifier role locally to appraise Evidence from | ||||
| one or more subordinate Attesters. The local Verifier might convey | ||||
| local Attestation Results to a remote Relying party or the Relying | ||||
| Party role also could become local where an application-specific | ||||
| action is taken locally. For example, a secure boot scenario | ||||
| prevents system software from loading if the firmware fails to | ||||
| satisfy a local trustworthiness appraisal policy. | ||||
| In a multi-network scenario, a network node might bridge a wide-area | ||||
| network, local-area network, and span various system buses. In so | ||||
| doing, the bridge node might need to host multiple Roles depending on | ||||
| the type of behavior each connected domain expects. For example, the | ||||
| node might be an Attester to a wide-area network, a Verifier to the | ||||
| local-area network, and a Relying Party to components attached to a | ||||
| local system bus. | ||||
| 8. Trust Model | ||||
| The scope of this document is scenarios for which a Relying Party | The scope of this document is scenarios for which a Relying Party | |||
| trusts a Verifier that can appraise the trustworthiness of | trusts a Verifier that can appraise the trustworthiness of | |||
| information about an Attester. Such trust might come by the Relying | information about an Attester. Such trust might come by the Relying | |||
| Party trusting the Verifier (or its public key) directly, or might | Party trusting the Verifier (or its public key) directly, or might | |||
| come by trusting an entity (e.g., a Certificate Authority) that is in | come by trusting an entity (e.g., a Certificate Authority) that is in | |||
| the Verifier's certificate chain. The Relying Party might implicitly | the Verifier's certificate chain. The Relying Party might implicitly | |||
| trust a Verifier (such as in the Verifying Relying Party | trust a Verifier (such as in the Verifying Relying Party | |||
| combination). Or, for a stronger level of security, the Relying | combination). Or, for a stronger level of security, the Relying | |||
| Party might require that the Verifier itself provide information | Party might require that the Verifier itself provide information | |||
| skipping to change at page 21, line 10 ¶ | skipping to change at page 20, line 11 ¶ | |||
| implicitly trust firmware or even software (e.g., a hypervisor). | implicitly trust firmware or even software (e.g., a hypervisor). | |||
| That is, it might appraise the trustworthiness of an application | That is, it might appraise the trustworthiness of an application | |||
| component, or operating system component or service, under the | component, or operating system component or service, under the | |||
| assumption that information provided about it by the lower-layer | assumption that information provided about it by the lower-layer | |||
| hypervisor or firmware is true. A stronger level of security comes | hypervisor or firmware is true. A stronger level of security comes | |||
| when information can be vouched for by hardware or by ROM code, | when information can be vouched for by hardware or by ROM code, | |||
| especially if such hardware is physically resistant to hardware | especially if such hardware is physically resistant to hardware | |||
| tampering. The component that is implicitly trusted is often | tampering. The component that is implicitly trusted is often | |||
| referred to as a Root of Trust. | referred to as a Root of Trust. | |||
| A conveyance protocol that provides authentication and integrity | ||||
| protection can be used to convey unprotected Evidence, assuming the | ||||
| following properties exists: | ||||
| 1. The key material used to authenticate and integrity protect the | ||||
| conveyance channel is trusted by the Verifier to speak for the | ||||
| Attesting Environment(s) that collected claims about the Target | ||||
| Environment(s). | ||||
| 2. All unprotected Evidence that is conveyed is supplied exclusively | ||||
| by the Attesting Environment that has the key material that | ||||
| protects the conveyance channel | ||||
| 3. The Root of Trust protects both the conveyance channel key | ||||
| material and the Attesting Environment with equivalent strength | ||||
| protections. | ||||
| In some scenarios, Evidence might contain sensitive information such | In some scenarios, Evidence might contain sensitive information such | |||
| as Personally Identifiable Information. Thus, an Attester must trust | as Personally Identifiable Information. Thus, an Attester must trust | |||
| entities to which it conveys Evidence, to not reveal sensitive data | entities to which it conveys Evidence, to not reveal sensitive data | |||
| to unauthorized parties. The Verifier might share this information | to unauthorized parties. The Verifier might share this information | |||
| with other authorized parties, according rules that it controls. In | with other authorized parties, according rules that it controls. In | |||
| the background-check model, this Evidence may also be revealed to | the background-check model, this Evidence may also be revealed to | |||
| Relying Party(s). | Relying Party(s). | |||
| 9. Conceptual Messages | 8. Conceptual Messages | |||
| 8.1. Evidence | ||||
| 9.1. Evidence | ||||
| Evidence is a set of claims about the target environment that reveal | Evidence is a set of claims about the target environment that reveal | |||
| operational status, health, configuration or construction that have | operational status, health, configuration or construction that have | |||
| security relevance. Evidence is evaluated by a Verifier to establish | security relevance. Evidence is evaluated by a Verifier to establish | |||
| its relevance, compliance, and timeliness. Claims need to be | its relevance, compliance, and timeliness. Claims need to be | |||
| collected in a manner that is reliable. Evidence needs to be | collected in a manner that is reliable. Evidence needs to be | |||
| securely associated with the target environment so that the Verifier | securely associated with the target environment so that the Verifier | |||
| cannot be tricked into accepting claims originating from a different | cannot be tricked into accepting claims originating from a different | |||
| environment (that may be more trustworthy). Evidence also must be | environment (that may be more trustworthy). Evidence also must be | |||
| protected from man-in-the-middle attackers who may observe, change or | protected from man-in-the-middle attackers who may observe, change or | |||
| misdirect Evidence as it travels from Attester to Verifier. The | misdirect Evidence as it travels from Attester to Verifier. The | |||
| timeliness of Evidence can be captured using claims that pinpoint the | timeliness of Evidence can be captured using claims that pinpoint the | |||
| time or interval when changes in operational status, health, and so | time or interval when changes in operational status, health, and so | |||
| forth occur. | forth occur. | |||
| 9.2. Endorsements | 8.2. Endorsements | |||
| An Endorsement is a secure statement that some entity (e.g., a | An Endorsement is a secure statement that some entity (e.g., a | |||
| manufacturer) vouches for the integrity of the device's signing | manufacturer) vouches for the integrity of the device's signing | |||
| capability. For example, if the signing capability is in hardware, | capability. For example, if the signing capability is in hardware, | |||
| then an Endorsement might be a manufacturer certificate that signs a | then an Endorsement might be a manufacturer certificate that signs a | |||
| public key whose corresponding private key is only known inside the | public key whose corresponding private key is only known inside the | |||
| device's hardware. Thus, when Evidence and such an Endorsement are | device's hardware. Thus, when Evidence and such an Endorsement are | |||
| used together, an appraisal procedure can be conducted based on | used together, an appraisal procedure can be conducted based on | |||
| Appraisal Policies that may not be specific to the device instance, | Appraisal Policies that may not be specific to the device instance, | |||
| but merely specific to the manufacturer providing the Endorsement. | but merely specific to the manufacturer providing the Endorsement. | |||
| skipping to change at page 22, line 19 ¶ | skipping to change at page 22, line 5 ¶ | |||
| compliant devices are considered authorized for some purpose. For | compliant devices are considered authorized for some purpose. For | |||
| example, an enterprise using remote attestation for Network Endpoint | example, an enterprise using remote attestation for Network Endpoint | |||
| Assessment may not wish to let every healthy laptop from the same | Assessment may not wish to let every healthy laptop from the same | |||
| manufacturer onto the network, but instead only want to let devices | manufacturer onto the network, but instead only want to let devices | |||
| that it legally owns onto the network. Thus, an Endorsement may be | that it legally owns onto the network. Thus, an Endorsement may be | |||
| helpful information in authenticating information about a device, but | helpful information in authenticating information about a device, but | |||
| is not necessarily sufficient to authorize access to resources which | is not necessarily sufficient to authorize access to resources which | |||
| may need device-specific information such as a public key for the | may need device-specific information such as a public key for the | |||
| device or component or user on the device. | device or component or user on the device. | |||
| 9.3. Attestation Results | 8.3. Attestation Results | |||
| Attestation Results may indicate compliance or non-compliance with a | Attestation Results may indicate compliance or non-compliance with a | |||
| Verifier's Appraisal Policy. A result that indicates non-compliance | Verifier's Appraisal Policy. A result that indicates non-compliance | |||
| can be used by an Attester (in the passport model) or a Relying Party | can be used by an Attester (in the passport model) or a Relying Party | |||
| (in the background-check model) to indicate that the Attester should | (in the background-check model) to indicate that the Attester should | |||
| not be treated as authorized and may be in need of remediation. In | not be treated as authorized and may be in need of remediation. In | |||
| some cases, it may even indicate that the Evidence itself cannot be | some cases, it may even indicate that the Evidence itself cannot be | |||
| authenticated as being correct. | authenticated as being correct. | |||
| An Attestation Result that indicates compliance can be used by a | An Attestation Result that indicates compliance can be used by a | |||
| skipping to change at page 23, line 11 ¶ | skipping to change at page 22, line 41 ¶ | |||
| allows a Relying Party's Appraisal Policy to be simpler, potentially | allows a Relying Party's Appraisal Policy to be simpler, potentially | |||
| based on standard ways of expressing the information, while still | based on standard ways of expressing the information, while still | |||
| allowing interoperability with heterogeneous devices. | allowing interoperability with heterogeneous devices. | |||
| Finally, whereas Evidence is signed by the device (or indirectly by a | Finally, whereas Evidence is signed by the device (or indirectly by a | |||
| manufacturer, if Endorsements are used), Attestation Results are | manufacturer, if Endorsements are used), Attestation Results are | |||
| signed by a Verifier, allowing a Relying Party to only need a trust | signed by a Verifier, allowing a Relying Party to only need a trust | |||
| relationship with one entity, rather than a larger set of entities, | relationship with one entity, rather than a larger set of entities, | |||
| for purposes of its Appraisal Policy. | for purposes of its Appraisal Policy. | |||
| 10. Claims Encoding Formats | 9. Claims Encoding Formats | |||
| The following diagram illustrates a relationship to which remote | The following diagram illustrates a relationship to which remote | |||
| attestation is desired to be added: | attestation is desired to be added: | |||
| +-------------+ +------------+ Evaluate | +-------------+ +------------+ Evaluate | |||
| | |-------------->| | request | | |-------------->| | request | |||
| | Attester | Access some | Relying | against | | Attester | Access some | Relying | against | |||
| | | resource | Party | security | | | resource | Party | security | |||
| +-------------+ +------------+ policy | +-------------+ +------------+ policy | |||
| skipping to change at page 24, line 38 ¶ | skipping to change at page 24, line 25 ¶ | |||
| .--------------. TPM | | TPM .-------------------. | .--------------. TPM | | TPM .-------------------. | |||
| | Attester-D |-------->| |-------->| Relying Party Y | | | Attester-D |-------->| |-------->| Relying Party Y | | |||
| '--------------' '------------' `-------------------' | '--------------' '------------' `-------------------' | |||
| .--------------. other ^ | other .-------------------. | .--------------. other ^ | other .-------------------. | |||
| | Attester-E |------------' '----------->| Relying Party Z | | | Attester-E |------------' '----------->| Relying Party Z | | |||
| '--------------' `-------------------' | '--------------' `-------------------' | |||
| Figure 9: Multiple Attesters and Relying Parties with Different | Figure 9: Multiple Attesters and Relying Parties with Different | |||
| Formats | Formats | |||
| 11. Freshness | 10. Freshness | |||
| It is important to prevent replay attacks where an attacker replays | It is important to prevent replay attacks where an attacker replays | |||
| old Evidence or an old Attestation Result that is no longer correct. | old Evidence or an old Attestation Result that is no longer correct. | |||
| To do so, some mechanism of ensuring that the Evidence and | To do so, some mechanism of ensuring that the Evidence and | |||
| Attestation Result are fresh, meaning that there is some degree of | Attestation Result are fresh, meaning that there is some degree of | |||
| assurance that they still reflect the latest state of the Attester, | assurance that they still reflect the latest state of the Attester, | |||
| and that any Attestation Result was generated using the latest | and that any Attestation Result was generated using the latest | |||
| Appraisal Policy for Evidence. There is, however, always a race | Appraisal Policy for Evidence. There is, however, always a race | |||
| condition possible in that the state of the Attester, and the | condition possible in that the state of the Attester, and the | |||
| Appraisal Policy for Evidence, might change immediately after the | Appraisal Policy for Evidence, might change immediately after the | |||
| skipping to change at page 25, line 28 ¶ | skipping to change at page 25, line 20 ¶ | |||
| requires additional claims about the signer's time synchronization | requires additional claims about the signer's time synchronization | |||
| mechanism in order to provide such assurance. | mechanism in order to provide such assurance. | |||
| In either approach, it is important to note that the actual values in | In either approach, it is important to note that the actual values in | |||
| claims might have been generated long before the claims are signed. | claims might have been generated long before the claims are signed. | |||
| If so, it is the signer's responsibility to ensure that the values | If so, it is the signer's responsibility to ensure that the values | |||
| are still correct when they are signed. For example, values might | are still correct when they are signed. For example, values might | |||
| have been generated at boot, and then used in claims as long as the | have been generated at boot, and then used in claims as long as the | |||
| signer can guarantee that they cannot have changed since boot. | signer can guarantee that they cannot have changed since boot. | |||
| A more detailed discussion with examples appears in Section 17. | A more detailed discussion with examples appears in Section 16. | |||
| 12. Privacy Considerations | 11. Privacy Considerations | |||
| The conveyance of Evidence and the resulting Attestation Results | The conveyance of Evidence and the resulting Attestation Results | |||
| reveal a great deal of information about the internal state of a | reveal a great deal of information about the internal state of a | |||
| device. In many cases, the whole point of the Attestation process is | device. In many cases, the whole point of the Attestation process is | |||
| to provide reliable information about the type of the device and the | to provide reliable information about the type of the device and the | |||
| firmware/software that the device is running. This information might | firmware/software that the device is running. This information might | |||
| be particularly interesting to many attackers. For example, knowing | be particularly interesting to many attackers. For example, knowing | |||
| that a device is running a weak version of firmware provides a way to | that a device is running a weak version of firmware provides a way to | |||
| aim attacks better. | aim attacks better. | |||
| skipping to change at page 26, line 4 ¶ | skipping to change at page 25, line 45 ¶ | |||
| optionally might support confidentiality protection (e.g., COSE, | optionally might support confidentiality protection (e.g., COSE, | |||
| JOSE). Therefore, if confidentiality protection is omitted or | JOSE). Therefore, if confidentiality protection is omitted or | |||
| unavailable, the protocols that convey Evidence or Attestation | unavailable, the protocols that convey Evidence or Attestation | |||
| Results are responsible for detailing what kinds of information are | Results are responsible for detailing what kinds of information are | |||
| disclosed, and to whom they are exposed. | disclosed, and to whom they are exposed. | |||
| Furthermore, because Evidence might contain sensitive information, | Furthermore, because Evidence might contain sensitive information, | |||
| Attesters are responsible for only sending such Evidence to trusted | Attesters are responsible for only sending such Evidence to trusted | |||
| Verifiers. Some Attesters might want a stronger level of assurance | Verifiers. Some Attesters might want a stronger level of assurance | |||
| of the trustworthiness of a Verifier before sending Evidence to it. | of the trustworthiness of a Verifier before sending Evidence to it. | |||
| In such cases, an Attester can first act as a Relying Party and ask | In such cases, an Attester can first act as a Relying Party and ask | |||
| for the Verifier's own Attestation Result, and appraising it just as | for the Verifier's own Attestation Result, and appraising it just as | |||
| a Relying Party would appraise an Attestation Result for any other | a Relying Party would appraise an Attestation Result for any other | |||
| purpose. | purpose. | |||
| 13. Security Considerations | 12. Security Considerations | |||
| Any solution that conveys information used for security purposes, | Any solution that conveys information used for security purposes, | |||
| whether such information is in the form of Evidence, Attestation | whether such information is in the form of Evidence, Attestation | |||
| Results, Endorsements, or Appraisal Policy, needs to support end-to- | Results, Endorsements, or Appraisal Policy, needs to support end-to- | |||
| end integrity protection and replay attack prevention, and often also | end integrity protection and replay attack prevention, and often also | |||
| needs to support additional security protections. For example, | needs to support additional security protections. For example, | |||
| additional means of authentication, confidentiality, integrity, | additional means of authentication, confidentiality, integrity, | |||
| replay, denial of service and privacy protection are needed in many | replay, denial of service and privacy protection are needed in many | |||
| use cases. Section 11 discusses ways in which freshness can be used | use cases. Section 10 discusses ways in which freshness can be used | |||
| in this architecture to protect against replay attacks. | in this architecture to protect against replay attacks. | |||
| To assess the security provided by a particular Appraisal Policy, it | To assess the security provided by a particular Appraisal Policy, it | |||
| is important to understand the strength of the Root of Trust, e.g., | is important to understand the strength of the Root of Trust, e.g., | |||
| whether it is mutable software, or firmware that is read-only after | whether it is mutable software, or firmware that is read-only after | |||
| boot, or immutable hardware/ROM. | boot, or immutable hardware/ROM. | |||
| It is also important that the Appraisal Policy was itself obtained | It is also important that the Appraisal Policy was itself obtained | |||
| securely. As such, if Appraisal Policies for a Relying Party or for | securely. As such, if Appraisal Policies for a Relying Party or for | |||
| a Verifier can be configured via a network protocol, the ability to | a Verifier can be configured via a network protocol, the ability to | |||
| skipping to change at page 26, line 43 ¶ | skipping to change at page 26, line 38 ¶ | |||
| The security of conveyed information may be applied at different | The security of conveyed information may be applied at different | |||
| layers, whether by a conveyance protocol, or an information encoding | layers, whether by a conveyance protocol, or an information encoding | |||
| format. This architecture expects attestation messages (i.e., | format. This architecture expects attestation messages (i.e., | |||
| Evidence, Attestation Results, Endorsements and Policies) are end-to- | Evidence, Attestation Results, Endorsements and Policies) are end-to- | |||
| end protected based on the role interaction context. For example, if | end protected based on the role interaction context. For example, if | |||
| an Attester produces Evidence that is relayed through some other | an Attester produces Evidence that is relayed through some other | |||
| entity that doesn't implement the Attester or the intended Verifier | entity that doesn't implement the Attester or the intended Verifier | |||
| roles, then the relaying entity should not expect to have access to | roles, then the relaying entity should not expect to have access to | |||
| the Evidence. | the Evidence. | |||
| 14. IANA Considerations | 13. IANA Considerations | |||
| This document does not require any actions by IANA. | This document does not require any actions by IANA. | |||
| 15. Acknowledgments | 14. Acknowledgments | |||
| Special thanks go to Joerg Borchert, Nancy Cam-Winget, Jessica | Special thanks go to Joerg Borchert, Nancy Cam-Winget, Jessica | |||
| Fitzgerald-McKay, Thomas Fossati, Diego Lopez, Laurence Lundblade, | Fitzgerald-McKay, Thomas Fossati, Diego Lopez, Laurence Lundblade, | |||
| Wei Pan, Paul Rowe, Hannes Tschofenig, Frank Xia, and David Wooten. | Wei Pan, Paul Rowe, Hannes Tschofenig, Frank Xia, and David Wooten. | |||
| 16. Contributors | 15. Contributors | |||
| Thomas Hardjono created older versions of the terminology section in | Thomas Hardjono created older versions of the terminology section in | |||
| collaboration with Ned Smith. Eric Voit provided the conceptual | collaboration with Ned Smith. Eric Voit provided the conceptual | |||
| separation between Attestation Provision Flows and Attestation | separation between Attestation Provision Flows and Attestation | |||
| Evidence Flows. Monty Wisemen created the content structure of the | Evidence Flows. Monty Wisemen created the content structure of the | |||
| first three architecture drafts. Carsten Bormann provided many of | first three architecture drafts. Carsten Bormann provided many of | |||
| the motivational building blocks with respect to the Internet Threat | the motivational building blocks with respect to the Internet Threat | |||
| Model. | Model. | |||
| 17. Appendix A: Time Considerations | 16. Appendix A: Time Considerations | |||
| The table below defines a number of relevant events, with an ID that | The table below defines a number of relevant events, with an ID that | |||
| is used in subsequent diagrams. The times of said events might be | is used in subsequent diagrams. The times of said events might be | |||
| defined in terms of an absolute clock time such as Coordinated | defined in terms of an absolute clock time such as Coordinated | |||
| Universal Time, or might be defined relative to some other timestamp | Universal Time, or might be defined relative to some other timestamp | |||
| or timeticks counter. | or timeticks counter. | |||
| +----+------------+-----------------------------------------------+ | +----+------------+-----------------------------------------------+ | |||
| | ID | Event | Explanation of event | | | ID | Event | Explanation of event | | |||
| +====+============+===============================================+ | +====+============+===============================================+ | |||
| skipping to change at page 29, line 5 ¶ | skipping to change at page 29, line 5 ¶ | |||
| | | | generated it | | | | | generated it | | |||
| +----+------------+-----------------------------------------------+ | +----+------------+-----------------------------------------------+ | |||
| Table 1 | Table 1 | |||
| We now walk through a number of hypothetical examples of how a | We now walk through a number of hypothetical examples of how a | |||
| solution might be built. This list is not intended to be complete, | solution might be built. This list is not intended to be complete, | |||
| but is just representative enough to highlight various timing | but is just representative enough to highlight various timing | |||
| considerations. | considerations. | |||
| 17.1. Example 1: Timestamp-based Passport Model Example | 16.1. Example 1: Timestamp-based Passport Model Example | |||
| The following example illustrates a hypothetical Passport Model | The following example illustrates a hypothetical Passport Model | |||
| solution that uses timestamps and requires roughly synchronized | solution that uses timestamps and requires roughly synchronized | |||
| clocks between the Attester, Verifier, and Relying Party, which | clocks between the Attester, Verifier, and Relying Party, which | |||
| depends on using a secure clock synchronization mechanism. | depends on using a secure clock synchronization mechanism. | |||
| .----------. .----------. .---------------. | .----------. .----------. .---------------. | |||
| | Attester | | Verifier | | Relying Party | | | Attester | | Verifier | | Relying Party | | |||
| '----------' '----------' '---------------' | '----------' '----------' '---------------' | |||
| time(VG) | | | time(VG) | | | |||
| skipping to change at page 30, line 9 ¶ | skipping to change at page 30, line 9 ¶ | |||
| account for the maximum permitted clock skew between the Relying | account for the maximum permitted clock skew between the Relying | |||
| Party and the Verifier. The result might then be used for some time | Party and the Verifier. The result might then be used for some time | |||
| (e.g., throughout the lifetime of a connection established at | (e.g., throughout the lifetime of a connection established at | |||
| time(RA)). The Relying Party must be careful, however, to not allow | time(RA)). The Relying Party must be careful, however, to not allow | |||
| continued use beyond the period for which it deems the Attestation | continued use beyond the period for which it deems the Attestation | |||
| Result to remain fresh enough. Thus, it might allow use (at | Result to remain fresh enough. Thus, it might allow use (at | |||
| time(OP)) as long as "time(OP) - time(RG) < Threshold". However, if | time(OP)) as long as "time(OP) - time(RG) < Threshold". However, if | |||
| the Attestation Result contains an expiry time time(RX) then it could | the Attestation Result contains an expiry time time(RX) then it could | |||
| explicitly check "time(OP) < time(RX)". | explicitly check "time(OP) < time(RX)". | |||
| 17.2. Example 2: Nonce-based Passport Model Example | 16.2. Example 2: Nonce-based Passport Model Example | |||
| The following example illustrates a hypothetical Passport Model | The following example illustrates a hypothetical Passport Model | |||
| solution that uses nonces and thus does not require that any clocks | solution that uses nonces and thus does not require that any clocks | |||
| are synchronized. | are synchronized. | |||
| .----------. .----------. .---------------. | .----------. .----------. .---------------. | |||
| | Attester | | Verifier | | Relying Party | | | Attester | | Verifier | | Relying Party | | |||
| '----------' '----------' '---------------' | '----------' '----------' '---------------' | |||
| time(VG) | | | time(VG) | | | |||
| | | | | | | | | |||
| skipping to change at page 31, line 20 ¶ | skipping to change at page 31, line 20 ¶ | |||
| time(EG) values cannot be inside the Attestation Result, they might | time(EG) values cannot be inside the Attestation Result, they might | |||
| be signed by the Attester such that the Attestation Result vouches | be signed by the Attester such that the Attestation Result vouches | |||
| for the Attester's signing capability. | for the Attester's signing capability. | |||
| The Relying Party must still be careful, however, to not allow | The Relying Party must still be careful, however, to not allow | |||
| continued use beyond the period for which it deems the Attestation | continued use beyond the period for which it deems the Attestation | |||
| Result to remain valid. Thus, if the Attestation Result sends a | Result to remain valid. Thus, if the Attestation Result sends a | |||
| validity lifetime in terms of time(RX)-time(RG), then the Relying | validity lifetime in terms of time(RX)-time(RG), then the Relying | |||
| Party can check "time(OP) - time(NS') < time(RX)-time(RG)". | Party can check "time(OP) - time(NS') < time(RX)-time(RG)". | |||
| 17.3. Example 3: Timestamp-based Background-Check Model Example | 16.3. Example 3: Timestamp-based Background-Check Model Example | |||
| The following example illustrates a hypothetical Background-Check | The following example illustrates a hypothetical Background-Check | |||
| Model solution that uses timestamps and requires roughly synchronized | Model solution that uses timestamps and requires roughly synchronized | |||
| clocks between the Attester, Verifier, and Relying Party. | clocks between the Attester, Verifier, and Relying Party. | |||
| .----------. .---------------. .----------. | .----------. .---------------. .----------. | |||
| | Attester | | Relying Party | | Verifier | | | Attester | | Relying Party | | Verifier | | |||
| '----------' '---------------' '----------' | '----------' '---------------' '----------' | |||
| time(VG) | | | time(VG) | | | |||
| | | | | | | | | |||
| skipping to change at page 31, line 46 ¶ | skipping to change at page 31, line 46 ¶ | |||
| | | time(RG) | | | time(RG) | |||
| | time(RA)<-Attestation Result---| | | time(RA)<-Attestation Result---| | |||
| | | {time(RX)} | | | | {time(RX)} | | |||
| ~ ~ ~ | ~ ~ ~ | |||
| | | | | | | | | |||
| | time(OP) | | | time(OP) | | |||
| The time considerations in this example are equivalent to those | The time considerations in this example are equivalent to those | |||
| discussed under Example 1 above. | discussed under Example 1 above. | |||
| 17.4. Example 4: Nonce-based Background-Check Model Example | 16.4. Example 4: Nonce-based Background-Check Model Example | |||
| The following example illustrates a hypothetical Background-Check | The following example illustrates a hypothetical Background-Check | |||
| Model solution that uses nonces and thus does not require that any | Model solution that uses nonces and thus does not require that any | |||
| clocks are synchronized. In this example solution, a nonce is | clocks are synchronized. In this example solution, a nonce is | |||
| generated by a Verifier at the request of a Relying Party, when the | generated by a Verifier at the request of a Relying Party, when the | |||
| Relying Party needs to send one to an Attester. | Relying Party needs to send one to an Attester. | |||
| .----------. .---------------. .----------. | .----------. .---------------. .----------. | |||
| | Attester | | Relying Party | | Verifier | | | Attester | | Relying Party | | Verifier | | |||
| '----------' '---------------' '----------' | '----------' '---------------' '----------' | |||
| skipping to change at page 32, line 37 ¶ | skipping to change at page 32, line 37 ¶ | |||
| However, unlike in Example 2, the Relying Party can use the Nonce to | However, unlike in Example 2, the Relying Party can use the Nonce to | |||
| determine whether the Attestation Result is fresh, by verifying that | determine whether the Attestation Result is fresh, by verifying that | |||
| "time(OP) - time(NR) < Threshold". | "time(OP) - time(NR) < Threshold". | |||
| The Relying Party must still be careful, however, to not allow | The Relying Party must still be careful, however, to not allow | |||
| continued use beyond the period for which it deems the Attestation | continued use beyond the period for which it deems the Attestation | |||
| Result to remain valid. Thus, if the Attestation Result sends a | Result to remain valid. Thus, if the Attestation Result sends a | |||
| validity lifetime in terms of time(RX)-time(RG), then the Relying | validity lifetime in terms of time(RX)-time(RG), then the Relying | |||
| Party can check "time(OP) - time(ER) < time(RX)-time(RG)". | Party can check "time(OP) - time(ER) < time(RX)-time(RG)". | |||
| 18. References | 17. References | |||
| 18.1. Normative References | 17.1. Normative References | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | |||
| "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | |||
| May 2018, <https://www.rfc-editor.org/info/rfc8392>. | May 2018, <https://www.rfc-editor.org/info/rfc8392>. | |||
| 18.2. Informative References | 17.2. Informative References | |||
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | |||
| FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | |||
| <https://www.rfc-editor.org/info/rfc4949>. | <https://www.rfc-editor.org/info/rfc4949>. | |||
| [OPCUA] OPC Foundation, "OPC Unified Architecture Specification, | [OPCUA] OPC Foundation, "OPC Unified Architecture Specification, | |||
| Part 2: Security Model, Release 1.03", OPC 10000-2 , 25 | Part 2: Security Model, Release 1.03", OPC 10000-2 , 25 | |||
| November 2015, <https://opcfoundation.org/developer-tools/ | November 2015, <https://opcfoundation.org/developer-tools/ | |||
| specifications-unified-architecture/part-2-security- | specifications-unified-architecture/part-2-security- | |||
| model/>. | model/>. | |||
| End of changes. 41 change blocks. | ||||
| 141 lines changed or deleted | 115 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||