]> Arm Limited

thomas.fossati@arm.com

Cisco

evoit@cisco.com

Arm Limited

sergei.trofimov@arm.com

Security Remote ATtestation ProcedureS EAT attestation result attestation verifier AR4SI This document defines the EAT Attestation Result (EAR) message format. EAR is used by a verifier to encode the result of the appraisal over an attester's evidence. It embeds an AR4SI's "trustworthiness vector" to present a normalized view of the evaluation results, thus easing the task of defining and computing authorization policies by relying parties. Alongside the trustworthiness vector, EAR provides contextual information bound to the appraisal process. This allows a relying party (or an auditor) to reconstruct the frame of reference in which the trustworthiness vector was originally computed. EAR supports simple devices with one attester as well as composite devices that are made of multiple attesters, allowing the state of each attester to be separately examined. EAR can also accommodate registered and unregistered extensions. It can be serialized and protected using either CWT or JWT. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction This document defines the EAT Attestation Result (EAR) message format. EAR is used by a verifier to encode the result of the appraisal over an attester's evidence. It embeds an AR4SI's "trustworthiness vector" to present a normalized view of the evaluation results, thus easing the task of defining and computing authorization policies by relying parties. Alongside the trustworthiness vector, EAR provides contextual information bound to the appraisal process. This allows a relying party (or an auditor) to reconstruct the frame of reference in which the trustworthiness vector was originally computed. EAR supports simple devices with one attester as well as composite devices that are made of multiple attesters (see ) allowing the state of each attester to be separately examined. EAR can also accommodate registered and unregistered extensions. It can be serialized and protected using either CWT or JWT .

Conventions and Definitions This document uses terms and concepts defined by the RATS architecture. For a complete glossary see . The terminology from CBOR , CDDL and COSE applies; in particular, CBOR diagnostic notation is defined in and . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

EAT Attestation Result EAR is an EAT token which can be serialized as JWT or CWT . The EAR claims-set is as follows:

EAR (CDDL Definition) "tag:github.com,2023:veraison/ear" iat => int ear.verifier-id => ar4si.verifier-id ? ear.raw-evidence => ear-bytes eat.submods => { + text => EAR-appraisal } ? eat.nonce => eat.nonce-type * $$ear-extension } ]]>

Where:

eat.profile (mandatory)

The EAT profile () associated with the EAR claims-set and encodings defined by this document. It MUST be the following tag URI () tag:github.com,2023:veraison/ear.

iat (mandatory)

"Issued At" claim -- the time at which the EAR is issued. See and for the EAT-specific encoding restrictions (i.e., disallowing the floating point representation).

ear.verifier-id (mandatory)

Identifying information about the appraising verifier. See for further details on its structure and serialization.

ear.raw-evidence (optional)

The unabridged evidence submitted for appraisal, including any signed container/envelope. This field may be consumed by other Verifiers in multi-stage verification scenarios or by auditors. There are privacy considerations associated with this claim. See .

eat.submods (mandatory)

A submodule map () holding one EAR-appraisal for each separately appraised attester. The map MUST contain at least one entry. For each appraised attester the verifier chooses a unique label. For example, when evidence is in EAT format, the label could be constructed from the associated EAT profile. A verifier SHOULD publicly and permanently document its labelling scheme for each supported evidence type, unless EAR payloads are produced and consumed entirely within a private deployment. See for the details about the contents of an EAR-appraisal.

eat.nonce (optional)

A user supplied nonce that is echoed by the verifier to provide freshness. See .

$$ear-extension (optional)

Any registered or unregistered extension. An EAR extension MUST be a map. See for further details.

Verifier Software Identification defines an information model for identifying the software that runs the verifier. The ar4si.verifier-id claim provides its serialization as follows:

Verifier Software Identification Claim (CDDL Definition) text developer => text } ]]>

Where:

build (mandatory)

A text string that uniquely identifies the software build running the verifier.

developer (mandatory)

A text string that uniquely identifies the organizational unit responsible for this build.

EAR Appraisal Claims

EAR Appraisal Claims (CDDL Definition) $ar4si.trust-tier ? ear.trustworthiness-vector => ar4si.trustworthiness-vector ? ear.appraisal-policy-id => text * $$ear-appraisal-extension } ]]>

ear.status (mandatory)

The overall appraisal status for this attester represented as one of the four trustworthiness tiers (). The value of this claim MUST be set to a tier of no higher trust than the tier corresponding to the worst trustworthiness claim across the entire trustworthiness vector.

ear.trustworthiness-vector (optional)

The AR4SI trustworthiness vector providing the breakdown of the appraisal for this attester. See for the details. This claim MUST be present unless the party requesting Evidence appraisal explicitly asks for it to be dropped, e.g., via an API parameter or similar arrangement. Such consumer would therefore rely entirely on the semantics of the ear.status claim. This behaviour is NOT RECOMMENDED because of the resulting loss of quality of the appraisal result.

ear.appraisal-policy-id (optional)

An unique identifier of the appraisal policy used to evaluate the attestation result.

$$ear-appraisal-extension (optional)

Any registered or unregistered extension. An EAR appraisal extension MUST be a map. See for further details.

Trustworthiness Vector The ar4si-trustworthiness-vector claim is an embodiment of the AR4SI trustworthiness vector () and it is defined as follows:

Trustworthiness Vector (CDDL Definition) $ar4si.trustworthiness-claim ? configuration => $ar4si.trustworthiness-claim ? executables => $ar4si.trustworthiness-claim ? file-system => $ar4si.trustworthiness-claim ? hardware => $ar4si.trustworthiness-claim ? runtime-opaque => $ar4si.trustworthiness-claim ? storage-opaque => $ar4si.trustworthiness-claim ? sourced-data => $ar4si.trustworthiness-claim }> $ar4si.trustworthiness-claim = -128..127 ]]>

It contains an entry for each one of the eight AR4SI appraisals that have been conducted on the submitted evidence (). The value of each entry is chosen in the -128..127 range according to the rules described in Sections and of . All categories are optional. A missing entry means that the verifier makes no claim about this specific appraisal facet because the category is not applicable to the submitted evidence. As required by the non-empty macro, at least one entry MUST be present in the vector.

Trust Tiers The trust tier type represents one of the equivalency classes in which the $ar4si-trustworthiness-claim space is partitioned. See for the details. The allowed values for the type are as follows:

Trustworthiness Tiers (CDDL Definition)

JSON Serialisation To serialize the EAR claims-set in JSON format, the following substitutions are applied to the encoding-agnostic CDDL definitions in , and :

Examples The example in shows an EAR claims-set corresponding to a "contraindicated" appraisal, meaning the verifier has found some problems with the attester's state reported in the submitted evidence. Specifically, the identified issue is related to unauthorized code or configuration loaded in runtime memory (i.e., value 96 in the executables category). The appraisal is for a device with one attester labelled "PSA". Note that in case there is only one attester, the labelling can be freely chosen because there is no ambiguity.

JSON claims-set: contraindicated appraisal

The breakdown of the trustworthiness vector is as follows:

• Instance Identity (affirming): recognized and not compromised
• Configuration (warning): known vulnerabilities
• Executables (contraindicated): contraindicated run-time
• File System (none): no claim being made
• Hardware (affirming): genuine
• Runtime Opaque (none): no claim being made
• Storage Opaque (none): no claim being made
• Sourced Data (none): no claim being made

The example in contains the appraisal for a composite device with two attesters named "CCA Platform" and "CCA Realm" respectively. Both attesters have either "affirming" or (implicit) "none" values in their associated trustworthiness vectors. Note that the "none" values can refer to either an AR4SI category that is unapplicable for the specific attester (ideally, the applicability should be specified by the evidence format itself), or to the genuine lack of information at the attester site regarding the specific category. For example, the reference values for the "CCA Realm" executables (i.e., the confidential computing workload) may not be known to the CCA platform verifier. In such cases, it is up to the downstream entity (typically, the relying party) to complete the partial appraisal.

JSON claims-set: simple affirming appraisal

CBOR Serialisation

Examples The example in is semantically equivalent to that in . It shows the same "contraindicated" appraisal using the more compact CBOR serialization of the EAR claims-set.

CBOR claims-set: contraindicated appraisal

EAR Extensions EAR provides core semantics for describing the result of appraising attestation evidence. However, a given application may offer extra functionality to its relying parties, or tailor the attestation result to the needs of the application (e.g., TEEP ). To accommodate such cases, both EAR and EAR-appraisal claims-sets can be extended by plugging new claims into the $$ear-extension (or $$ear-appraisal-extension, respectively) CDDL socket. The rules that govern extensibility of EAR are those defined in and for CWTs and JWTs respectively. An extension MUST NOT change the semantics of the EAR and EAR-appraisal claims-sets. A receiver MUST ignore any unknown claim.

Unregistered claims An application-specific extension will normally mint its claim from the "private space" - using integer values less than -65536 for CWT, and Public or Private Claim Names as defined in Sections and of when serializing to JWT. It is RECOMMENDED that JWT EARs use Collision-Resistant Public Claim Names () rather than Private Claim Names.

Registered claims If an extension will be used across multiple applications, or is intended to be used across multiple environments, the associated extension claims SHOULD be registered in one, or both, the CWT and JWT claim registries. In general, if the registration policy requires an accompanying specification document (as it is the case for "specification required" and "standards action"), such document SHOULD explicitly say that the extension is expected to be used in EAR claims-sets identified by this profile. An up-to-date view of the registered claims can be obtained via the and registries.

Choosing between registered and unregistered claims If an extension supports functionality of a specific application (e.g. Project Veraison Services), its claims MAY be registered. If an extension supports a protocol that may be applicable across multiple applications or environments (e.g., TEEP), its claims SHOULD be registered. Since, in general, there is no guarantee that an application will be confined within an environment, it is RECOMMENDED that extension claims that have meaning outside the application's context are always registered. It is also possible that claims that start out as application-specific acquire a more stable meaning over time. In such cases, it is RECOMMENDED that new equivalent claims are created in the "public space" and are registered as described in . The original "private space" claims SHOULD then be deprecated by the application.

TEEP Extension The TEEP protocol specifies the required claims that an attestation result must carry for a TAM (Trusted Application Manager) to make decisions on how to remediate a TEE (Trusted Execution Environment) that is out of compliance, or update a TEE that is requesting an authorized change. The list is provided in . EAR defines a TEEP application extension for the purpose of conveying such claims.

TEEP Extension (CDDL Definition) ear-teep-claims ) ear-teep-claims = non-empty<{ ? eat.nonce => eat.nonce-type ? eat.ueid => eat.ueid-type ? eat.oemid => eat.oemid-type ? eat.hardware-model => eat.hardware-model-type ? eat.hardware-version => eat.hardware-version-type ? eat.manifests => eat.manifests-type }> ]]>

JSON Serialization Example:

CBOR Serialization Example:

Project Veraison Extensions The Project Veraison verifier defines three private, application-specific extensions:

ear.veraison.annotated-evidence

JSON representation of the evidence claims-set, including any annotations provided by the Project Veraison verifier. There are privacy considerations associated with this claim. See .

ear.veraison.policy-claims

any extra claims added by the policy engine in the Project Veraison verifier.

ear.veraison.key-attestation

contains the public key part of a successfully verified attested key. The key is a DER encoded ASN.1 SubjectPublicKeyInfo structure ().

Project Veraison Extensions (CDDL Definition) ear-veraison-annotated-evidence ) ear-veraison-annotated-evidence = { + ear-label => any } $$ear-appraisal-extension //= ( ear.veraison.policy-claims => ear-veraison-policy-claims ) ear-veraison-policy-claims = { + ear-label => any } $$ear-appraisal-extension //= ( ear.veraison.key-attestation => ear-veraison-key-attestation ) ear-veraison-key-attestation = { ear.veraison.attested-key-public => ear-bytes } ]]>

JSON Serialization Example: Key attestation example:

CBOR Serialization Example:

Media Types Media types for EAR are automatically derived from the base EAT media type using the profile string defined in . For example, a JWT serialization would use: A CWT serialization would instead use:

Implementation Status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

Project Veraison The organization responsible for this implementation is Project Veraison, a Linux Foundation project hosted at the Confidential Computing Consortium. The organization currently provides two separate implementations: one in Golang another in C17. The developers can be contacted on the Zulip channel: .

github.com/veraison/ear The software, hosted at , provides a Golang package that allows encoding, decoding, signing and verification of EAR payloads together with a CLI (arc) to create, verify and visualize EARs on the command line. The maturity level is currently alpha, and only the JWT serialization is implemented. The license is Apache 2.0. The package is used by the Project Veraison verifier to produce attestation results.

github.com/veraison/c-ear The software, hosted at , provides a C17 library that allows verification and partial decoding of EAR payloads. The maturity level is currently pre-alpha, and only the JWT serialization is implemented. The license is Apache 2.0. The library targets relying party applications that need to verify attestation results.

github.com/veraison/rust-ear The software, hosted at , provides a Rust (2021 edition) library that allows verification and partial decoding of EAR payloads. The maturity level is currently pre-alpha, with limitted algorithm support. Both JWT and COSE serializations are implemented. The license is Apache 2.0. The library targets verifiers that need to produce attestation results as well as relying party applications that need to verify and consume attestation results.

Security Considerations TODO Security

Privacy Considerations EAR is designed to expose as little identifying information as possible about the attester. However, certain EAR claims have direct privacy implications. Implementations should therefore allow applying privacy-preserving techniques to those claims, for example allowing their redaction, anonymisation or outright removal. Specifically:

• It SHOULD be possible to disable inclusion of the optional ear.raw-evidence claim
• It SHOULD be possible to disable inclusion of the optional ear.veraison.annotated-evidence claim
• It SHOULD be possible to allow redaction, anonymisation or removal of specific claims from the ear.veraison.annotated-evidence object

EAR is an EAT, therefore the privacy considerations in apply.

IANA Considerations

 New EAT Claims This specification adds the following values to the "JSON Web Token Claims" registry and the "CBOR Web Token Claims" registry . Each entry below is an addition to both registries. The "Claim Description", "Change Controller" and "Specification Documents" are common and equivalent for the JWT and CWT registries. The "Claim Key" and "Claim Value Types(s)" are for the CWT registry only. The "Claim Name" is as defined for the CWT registry, not the JWT registry. The "JWT Claim Name" is equivalent to the "Claim Name" in the JWT registry.

EAR Status

• Claim Name: ear.status
• Claim Description: EAR Status
• JWT Claim Name: ear.status
• Claim Key: 1000
• Claim Value Type(s): unsigned integer (0, 2, 32, 96)
• Change Controller: IESG
• Specification Document(s): of RFCthis

EAR Trustworthiness Vector

• Claim Name: ear.trustworthiness-vector
• Claim Description: EAR Trustworthiness Vector
• JWT Claim Name: ear.trustworthiness-vector
• Claim Key: 1001
• Claim Value Type(s): map
• Change Controller: IESG
• Specification Document(s): of RFCthis

EAR Raw Evidence

• Claim Name: ear.raw-evidence
• Claim Description: EAR Raw Evidence
• JWT Claim Name: ear.raw-evidence
• Claim Key: 1002
• Claim Value Type(s): bytes
• Change Controller: IESG
• Specification Document(s): of RFCthis

EAR Appraisal Policy Identifier

• Claim Name: ear.appraisal-policy-id
• Claim Description: EAR Appraisal Policy Identifier
• JWT Claim Name: ear.appraisal-policy-id
• Claim Key: 1003
• Claim Value Type(s): text
• Change Controller: IESG
• Specification Document(s): of RFCthis

EAR Verifier Software Identifier

• Claim Name: ear.verifier-id
• Claim Description: EAR Verifier Software Identifier
• JWT Claim Name: ear.verifier-id
• Claim Key: 1004
• Claim Value Type(s): map
• Change Controller: IESG
• Specification Document(s): of RFCthis

EAR TEEP Claims TODO

References Normative References JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Cisco Systems Fraunhofer SIT MIT Arm Limited Intel This document defines reusable Attestation Result information elements. When these elements are offered to Relying Parties as Evidence, different aspects of Attester trustworthiness can be evaluated. Additionally, where the Relying Party is interfacing with a heterogeneous mix of Attesting Environment and Verifier types, consistent policies can be applied to subsequent information exchange between each Attester and the Relying Party. Security Theory LLC Qualcomm Technologies Inc. Qualcomm Technologies Inc. Red Hound Software, Inc. An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine how much it wishes to trust the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims. Broadcom Amazon Microsoft ALAXALA Networks Corp. This document specifies a protocol that installs, updates, and deletes Trusted Components in a device with a Trusted Execution Environment (TEE). This specification defines an interoperable protocol for managing the lifecycle of Trusted Components. Security Theory LLC Fraunhofer Institute for Secure Information Technology arm Payloads used in Remote Attestation Procedures may require an associated media type for their conveyance, for example when used in RESTful APIs. This memo defines media types to be used for Entity Attestation Tokens (EAT). In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Informative References In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice. This document describes the "tag" Uniform Resource Identifier (URI) scheme. Tag URIs (also known as "tags") are designed to be unique across space and time while being tractable to humans. They are distinct from most other URIs in that they have no authoritative resolution mechanism. A tag may be used purely as an entity identifier. Furthermore, using tags has some advantages over the common practice of using "http" URIs as identifiers for non-HTTP-accessible resources. This memo provides information for the Internet community. IANA IANA

Common CDDL Types

non-empty

A CDDL generic that can be used to ensure the presence of at least one item in an object with only optional fields.

= (M) .within ({ + any => any }) ]]>

base64-url-text

Base64 encoding using the URL- and filename-safe character set defined in , with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters.

Open Policy Agent Example Open Policy Agent OPA is a popular and flexible policy engine that is used in a variety of contexts, from cloud to IoT. OPA policies are written using a purpose-built, declarative programming language called Rego. Rego has been designed to handle JSON claim-sets and their JWT envelopes as first class objects, which makes it an excellent fit for dealing with JWT EARs. The following example illustrates an OPA policy that a Relying Party would use to make decisions based on a JWT EAR received from a trusted verifier. The result of the policy appraisal is the following JSON object: For completeness, the trusted verifier public key and the EAR JWT used in the example are provided below.

Open Issues Note to RFC Editor: please remove before publication. The list of currently open issues for this documents can be found at .

Document History Note to RFC Editor: please remove before publication.

draft-fv-rats-ear-00 Initial release.

Acknowledgments Many thanks to Dave Thaler, Greg Kostal, Simon Frost, Yogesh Deshpande for helpful comments and discussions that have shaped this document.