RATS Y. Deshpande
Internet-Draft Arm Ltd
Intended status: Informational J. Zhang
Expires: 4 September 2025 Huawei Technologies France S.A.S.U.
H. Birkholtz
Fraunhofer SIT
3 March 2025
Remote Attestation MultiVerifier
draft-deshpande-rats-multi-verifier-01
Abstract
IETF RATS Architecture, defines the key role of a Verifier. In a
complex system, this role needs to be performed by multiple Verfiers
coordinating together to assess the full trustworthiness of an
Attester. This document focuses on various topological patterns for
a multiple Verifier system.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-rats/draft-deshpande-multi-verifier.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 4 September 2025.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
Deshpande, et al. Expires 4 September 2025 [Page 1]
�
Internet-Draft RATS MultiVerifier March 2025
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
2.1. Glossary . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Multi Verifier topological patterns . . . . . . . . . . . . . 4
3.1. Hierarchical Pattern . . . . . . . . . . . . . . . . . . 4
3.1.1. Lead Verifier . . . . . . . . . . . . . . . . . . . . 5
3.1.2. Verifier for Component Attester . . . . . . . . . . . 6
3.1.3. Trust Relationships . . . . . . . . . . . . . . . . . 6
3.2. Cascaded Pattern {: #sec-verifier-cascade } . . . . . . . 6
3.2.1. Trust Relationships . . . . . . . . . . . . . . . . . 8
3.2.2. Verifiers . . . . . . . . . . . . . . . . . . . . . . 8
3.2.3. Relying Party and Verifiers . . . . . . . . . . . . . 8
3.3. Hybrid Pattern . . . . . . . . . . . . . . . . . . . . . 8
4. Freshness . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6.1. CBOR Tag Registrations . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
A Verifier plays a Central Role in any Remote Attestation System. A
Verifier appraises the Attester and produces Attestation Results,
which is essentially a verdict of attestation. The results are
consumed by the Relying Party to conclude the trustworthiness of the
Attester, prior to making any critical decisions about the Attester,
such as admitting to network or releasing confidential resources to
it. Attesters can come in wide varieties of shape and form. For
example Attesters can be endpoints (edge or IoT devices) or complex
machines in the cloud. Composite Attester Section 2.1, generate
Evidence that consists of multiple parts. For example, in data
center servers, it is not uncommon for separate attesting
Deshpande, et al. Expires 4 September 2025 [Page 2]
�
Internet-Draft RATS MultiVerifier March 2025
environments (AE) to serve a subsection of the entire machine. One
AE might measure and attest to what was booted on the main CPU, while
another AE might measure and attest to what was booted machine's GPU.
Throughout this document we use the term Component Attester
Section 2.1 to address the sub-entity or an individual layer which
produces its own Evidence in a Composite Attester system.
A Verifier needs Reference Values and Endorsements from the supply
chain actors (for example OEM/ODM) to conduct the appraisal of an
Attester. Given the range of Component Attesters in a Composite
Attester, it is possible that a single Verifier may not have all the
capabilities or the information required to conduct the complete
appraisal of the Composite Attester. In this case, multiple
Verifiers need to collaborate to conclude the appraisal and produce
the Attestation Results.
This document describes various topological patterns of multiple
Verifiers that work in a coordinated manner to conduct appraisal of a
Composite Attester to produce an Attestation Results.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses terms and concepts defined by the RATS
architecture. For a complete glossary, see Section 4 of [RFC9334].
Specifically this document heavily uses the terms Layered Attester
Section 3.2 of [RFC9334] and Composite Device Section 3.3 of
[RFC9334]
2.1. Glossary
This document uses the following terms:
Composite Attester: A Composite Attester is either a Composite
Device or a Layered Attester or any composition involving a
combination of one or more Composite Devices or Layered Attesters.
Component Attester: A Component Attester is a single Attester of a
Composite Attester. For this document, a Component Attester is an
entity which produces a single Evidence which can be appraised by
a Verifier.
Deshpande, et al. Expires 4 September 2025 [Page 3]
�
Internet-Draft RATS MultiVerifier March 2025
Composite Evidence: Evidence produced by a Composite Attester.
Lead Verifier: A Verifier which acts as a Main Verifier to receive
Composite Evidence from a Composite Attester.
Aggregated Attestation Results: An Aggregated Attestation Results
(AAR) refers to a collection of Attestation Results produced upon
completion of appraisal of a Composite Attester.
3. Multi Verifier topological patterns
A Composite Attester has multiple Component Attesters. Each Attester
requires a different set of Verifiers. Hence multiple Verifiers
collaborate to appraise a Composite Attester.
3.1. Hierarchical Pattern
Figure below shows the block diagram of a Hierarchical Pattern.
Deshpande, et al. Expires 4 September 2025 [Page 4]
�
Internet-Draft RATS MultiVerifier March 2025
+----------+
| | +-----------+
| | | |
| | Evidence 1 | |
| +------------>+ Verifier 1|
| | | |
| +<------------+ |
| | AR 1 +-----------+
| |
+-----------+ Composite Evidence | |
| +-------------------->| | Evidence 2 +-----------+
| Attester | | Lead +------------>+ |
| or | Aggregated | Verifier | | |
| RP |<--------------------+ | | Verifier 2|
+-----------+ Attestation Result | +<------------+ |
(AAR) | | AR 2 | |
| | +-----+-----+
| | |
| | |
| | .
| | |
| | |
| | |
| | Evidence N +-----+-----+
| +------------>+ |
| | | |
| +<------------+ Verifier N|
| | AR N | |
| | | |
| | +-----------+
+----------+
The following sub-sections describe the various roles that exist in
this pattern.
3.1.1. Lead Verifier
In this topological pattern, there is an Entity known as Lead
Verifier.
Lead Verifier is the central entity in communication with the
Attester (directly in passport model or indirectly via the Relying
Party in background-check model). It receives Attestation Evidence
from a Composite Attester. If the Composite Attestation Evidence is
signed, then it validates the integrity of the Evidence by validating
the signature. If signature verification fails, the Verification is
terminated. Otherwise it performs the following steps.
Deshpande, et al. Expires 4 September 2025 [Page 5]
�
Internet-Draft RATS MultiVerifier March 2025
* Lead Verifier has the knowledge about the overall structure of the
Composite Evidence. It decodes the Composite Evidence to extract
the Component Attester Evidence. This may lead to "N" Evidence,
one for each Component Attester.
* Lead Verifier delegates each Component Attester Evidence to their
own Verifier and receives Component Attester Attestation Results
after successful Appraisal of Evidence.
* Once the Lead Verifier receives Attestation Results from all the
Verifiers, it combines the results from each Verifier to construct
a Aggregated Attestation Results (AAR). The Lead verifier may
apply its own policies and also add extra claims as part of its
appraisal.
* Lead Verifier conveys the AAR to the Attester (in Passport model)
or to the Relying Party (in background check model).
The overall verdict may be dependent on the Appraisal Policy of the
Lead Verifier.
In certain topologies, it is possible that only the Composite
Evidence is signed to provide the overall integrity, while the
individual Component Attester Evidence (example Evidence 1) is not
protected. In such cases, the Lead Verifer upon processing of
Composite Evidence may wrap the Component Attester Evidence (example
Evidence 1) in a signed Conceptual Message Wrapper (CMW), and send it
to each Verifier (example Verifier 1).
3.1.2. Verifier for Component Attester
The role of a Component Attester Verifier is to receive Component
Attester Evidence from the lead Verifier and produce Attestation
Results to the Lead Verifier.
3.1.3. Trust Relationships
In this topology the Lead Verifier is fully trusted by Component
Attester Verifiers (example Verifier 1).
Also, each of the Component Attester Verifier is fully trusted by the
Lead Verifier. Lead Verifier is provisioned with the Trust Anchors
for Verifier 1..N.
3.2. Cascaded Pattern {: #sec-verifier-cascade }
Figure below shows the block diagram of a Cascaded Pattern.
Deshpande, et al. Expires 4 September 2025 [Page 6]
�
Internet-Draft RATS MultiVerifier March 2025
+-----------+ +-----------+ +-----------+
+--------+ | | | | | |
| | Composite Evidence | | (CE) | | (CE) | |
| +-------------------->+ +--------->+ +------------>+ |
| | (CE) | |Partial AR| | Partial AR | |
|Attester| | Verifier 1| | Verifier 2| | Verifier N|
| or | Aggregated | | | | | |
| RP +<--------------------+ +<---------+ +<------------+ |
+--------+ Attestation Results | | (AAR) | | (AAR) | |
(AAR) | | | | | |
+-----------+ +-----------+ +-----------+
In this topological pattern, the Attestation Verification happens in
sequence. Verifiers are cascaded to perform the Attestation
Appraisal. Each Verifier in the chain possess the knowledge of the
entire Composite Attester topology.
Attester may send the Composite Evidence(CE) to any of the Verifier
(directly in the passport model, or indirectly via the Relying Party
in the background-check model). The Verifier which processes the
Composite Evidence, Verifies the signature on the Evidence, if
present. It decodes the Composite Evidence performs Appraisal of the
Component Attester whose Reference Values and Endorsements are in its
database. Once the appraisal is complete, it forwards the Composite
Evidence and partial Attestation Results to the subsequent Verifier.
The process is repeated, until the entire appraisal is complete. The
last Verifier, i.e. Verifier-N, completes its Appraisal of the
Component Attester Evidence and returns the complete Attestation
Results to the N-1 Verifier, which passed Evidence to it. The N-1
Verifier then simply passes the Aggregated Attestation Results(AAR)
from where it received its Combined Evidence. Alternatively, it may
also modify the AAR based on the inspection of received AAR. For
example, it may add its own Verifier Added Claims (policy claims) and
produce a new AAR. The process is repeated, until the Verifier,
which recieved the initial Evidence is reached. At this point in
time the Aggregated Attestation Results are signed and the Aggregated
Attestation Results are sent to the Attester (in Passport Model) or
Relying Party (in background check model).
As shown in the picture, the partial results and Combined Evidence is
transmitted to a chain of Verifier, till the Appraisal is complete.
The Verifier combines the incoming partial results, combines the
results from it own Evidence Appraisal and passes the Aggregated
Attestation Results to the Verifier from which it receives Combined
Evidence.
Deshpande, et al. Expires 4 September 2025 [Page 7]
�
Internet-Draft RATS MultiVerifier March 2025
3.2.1. Trust Relationships
3.2.2. Verifiers
In the cascaded pattern, the communicating Verifiers fully trust each
other. Each Verifier has the trust anchor for the Verifier it is
communicating to (i.e. either sending information or receiving
information). This prevents man in the middle attack for the partial
Attestation Results received by a Verifier or a Aggregated
Attestation Results (AAR) which it receives in the return path.
3.2.3. Relying Party and Verifiers
In the cascaded pattern, the RP may communicate with any Verifier and
thus receive its Attestation Results. Hence RP fully trusts all the
Verifiers.
3.3. Hybrid Pattern
In a particular deployment, there is a possibility that the two
models presented above can be combined to produce a hybrid pattern.
For example Verifier 2 in the Cascaded Pattern becomes the Lead
Verifier for the remaining Verifers from 3, to N.
4. Freshness
The Verifier needs to ensure that the claims included in the Evidence
reflect the latest state of the Attester. As per RATS Architecture,
the recommended freshness is ascertained using either Synchronised
Clocks, Epoch IDs, or nonce, embedded in the Evidence. In the case
of Hierarchical Pattern, the Verification of Freshness should be
checked by the Lead Verifier.
In the Cascaded Pattern, the freshness is always checked by the first
Verifier in communication with either the Attester (Passport Model)
or Relying Party (Background Check Model).
5. Security Considerations
// TODO
6. IANA Considerations
6.1. CBOR Tag Registrations
Deshpande, et al. Expires 4 September 2025 [Page 8]
�
Internet-Draft RATS MultiVerifier March 2025
7. Acknowledgements
// TODO
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
8.2. Informative References
[RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote ATtestation procedureS (RATS)
Architecture", RFC 9334, DOI 10.17487/RFC9334, January
2023, <https://www.rfc-editor.org/rfc/rfc9334>.
Contributors
Thomas Fossati
Linaro
Email: Thomas.Fossati@linaro.org
Authors' Addresses
Yogesh Deshpande
Arm Ltd
Email: yogesh.deshpande@arm.com
Jun Zhang
Huawei Technologies France S.A.S.U.
Email: junzhang1@huawei.com
Henk Birkholtz
Fraunhofer SIT
Email: henk.birkholz@sit.fraunhofer.de
Deshpande, et al. Expires 4 September 2025 [Page 9]