]> Entrust Limited

2500 Solandt Road – Suite 100 Ottawa, Ontario K2K 3G5 Canada mike.ounsworth@entrust.com

Siemens

Hannes.Tschofenig@gmx.net

Fraunhofer SIT

Rheinstrasse 75 Darmstadt 64295 Germany henk.birkholz@sit.fraunhofer.de

Beyond Identity

USA monty.wiseman@beyondidentity.com

Intel Corporation

United States ned.smith@intel.com

PKI PKCS#10 CRMF Attestation Evidence Certificate Signing Requests A PKI end entity requesting a certificate from a Certification Authority (CA) may wish to offer trustworthy claims about the platform generating the certification request and the environment associated with the corresponding private key, such as whether the private key resides on a hardware security module. This specification defines an attribute and an extension that allow for conveyance of Evidence and Attestation Results in Certificate Signing Requests (CSRs), such as PKCS#10 or Certificate Request Message Format (CRMF) payloads. This provides an elegant and automatable mechanism for transporting Evidence to a Certification Authority. Including Evidence and Attestation Results along with a CSR can help to improve the assessment of the security posture for the private key, and can help the Certification Authority to assess whether it satisfies the requested certificate profile. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction When requesting a certificate from a Certification Authority (CA), a PKI end entity may wish to include Evidence or Attestation Results of the security properties of its environments in which the private keys are stored in that request. Evidence are appraised by Verifiers, which typically produces Attestation Results that serve as input for validating incoming certificate requests against specified certificate policies. Verifiers are associated with Registration Authorities (RAs) or CAs and function as logical entities responsible for processing Evidence and producing Attestation Results. As remote attestation technology matures, it is natural for a Certification Authority to want proof that the requesting entity is in a state that matches the certificate profile. At the time of writing, the most notable example is the Code-Signing Baseline Requirements (CSBR) document maintained by the CA/Browser Forum , which requires compliant CAs to "ensure that a Subscriber’s Private Key is generated, stored, and used in a secure environment that has controls to prevent theft or misuse", which is a natural fit to enforce via remote attestation. This specification defines an attribute and an extension that allow for conveyance of Evidence and Attestation Results in Certificate Signing Requests (CSRs), such as PKCS#10 or Certificate Request Message Format (CRMF) payloads. This CSR extension satisfies CA/B Forum's CSBR requirements for key protection assurance. As outlined in the IETF RATS architecture , an Attester (typically a device) produces a signed collection of Claims that constitute Evidence about its running environment(s). The term "attestation" is not explicitly defined in RFC 9334 but was later clarified in . It refers to the process of generating and evaluating remote attestation Evidence. After the Verifier appraises the Evidence, it generates a new structure called an Attestation Result. A Relying Party utilizes Attestation Results to inform risk or policy-based decisions that consider trustworthiness of the attested entity. This document relies on as the foundation for how the various roles within the RATS architecture correspond to a certificate requester and a CA/RA. The IETF RATS architecture defines two communication patterns: the background-check model and the passport model. In the background-check model, the Relying Party receives Evidence in the CSR from the Attester and must interact with a Verifier service directly to obtain Attestation Results. In contrast, the passport model requires the Attester to first interact with the Verifier service to obtain an Attestation Result token that is then relayed to the Relying Party. This specification defines both communication patterns. Several standard and proprietary remote attestation technologies are in use. This specification thereby is intended to be as technology-agnostic as it is feasible with respect to implemented remote attestation technologies. Hence, this specification focuses on (1) the conveyance of Evidence and Attestation Results via CSRs while making minimal assumptions about content or format of the transported payload and (2) the conveyance of sets of certificates used for validation of Evidence. The certificates typically contain one or more certification paths rooted in a device manufacturer trust anchor and the end entity certificate being on the device in question. The end entity certificate is associated with key material that takes on the role of an Attestation Key and is used as Evidence originating from the Attester. This document specifies a CSR Attribute (or Extension for Certificate Request Message Format (CRMF) CSRs) for carrying Evidence and Attestation Results.

• Evidence is placed into an EvidenceStatement along with an OID to identify its type and optionally a hint to the Relying Party about which Verifier (software package, a microservice or some other service) will be capable of parsing it. A set of EvidenceStatement structures may be grouped together along with the set of CertificateChoice structures needed to validate them to form a EvidenceBundle.
• Attestation Results are carried in the AttestationResult along with an OID to identify its type. A set of AttestationResult structures may be grouped together to form an AttestationResultBundle.

A CSR may contain one or more Evidence payloads. For example Evidence asserting the storage properties of a private key, Evidence asserting firmware version and other general properties of the device, or Evidence signed using different cryptographic algorithms. Like-wise a CSR may also contain one or more Attestation Result payloads. With these attributes, additional information is available to an RA or CA, which may be used to decide whether to issue a certificate and what certificate profile to apply. The scope of this document is, however, limited to the conveyance of Evidence and Attestation Results within CSR. The exact format of the Evidence and Attestation Results being conveyed is defined in various standard and proprietary specifications.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document re-uses the terms defined in related to remote attestation. Readers of this document are assumed to be familiar with the following terms: Evidence, Claim, Attestation Result (AR), Attester, Verifier, Target Environment, Attesting Environment, Composite Device, Lead Attester, Attestation Key, and Relying Party (RP). The term "Certification Request" message is defined in . Specifications, such as , later introduced the term "Certificate Signing Request (CSR)" to refer to the Certification Request message. While the term "Certification Request" would have been correct, the mistake was unnoticed. In the meanwhile CSR is an abbreviation used beyond PKCS#10. Hence, it is equally applicable to other protocols that use a different syntax and even a different encoding, in particular this document also considers messages in the Certificate Request Message Format (CRMF) to be "CSRs". In this document, the terms "CSR" and Certificate Request message are used interchangeably. The term Hardware Security Modules (HSM) is used generically to refer to the combination of hardware and software designed to protect keys from unauthorized access. Other commonly used terms include Secure Element and Trusted Execution Environment.

Architecture shows the high-level communication pattern of the RATS background check model where the Attester transmits the Evidence in the CSR to the RA and the CA, which is subsequently forwarded to the Verifier. The Verifier appraises the received Evidence and computes an Attestation Result, which is then processed by the RA/CA prior to the certificate issuance. In addition to the background-check model, the RATS architecture also defines the passport model, as described in . In the passport model, the Attester transmits Evidence directly to the Verifier to obtain an Attestation Result, which is subsequently forwarded to the Relying Party. The choice of model depends on various factors. For instance, the background-check model is preferred when direct real-time interaction between the Attester and the Verifier is not feasible. Note that the Verifier is a logical role that may be included in the RA/CA product. In this case, the Relying Party role and Verifier role collapse into a single physical entity. The Verifier functionality can, however, also be kept separate from the RA functionality. For example, security concerns may require parsers of Evidence formats to be logically or physically separated from the core RA and CA functionality. The interface by which the Relying Party passes Evidence to the Verifier and receives back Attestation Results may be proprietary or standardized, but in any case is out-of-scope for this document. Like-wise, the interface between the Attester and the Verifier used in the passport model is also out-of-scope for this document. shows an example data flow where Evidence is included in a CSR in the background-check model. The CSR is parsed by the RA component of a CA, which extracts the Evidence and forwards it to a trusted Verifier. The RA receives back an Attestation Result, which it uses to decide whether this Evidence meets its policy for certificate issuance and if it does then the certificate request is forwarded to the CA for issuance. This diagram overlays PKI entities with RATS roles in parentheses.

Example data flow demonstrating the architecture with Background Check Model. |----' '--->|--------------->| | | End | Evidence | Registration | Attestation | CA | | Entity | in CSR | Authority (RA) | Result in |(RP) | | (Attester) | | (Relying Party) | CSR | | '------------' '-----------------' '-----' ]]>

illustrates the passport model, where the Attester first communicates with the Verifier to obtain the Attestation Result, which is subsequently included in the CSR.

Example data flow demonstrating the architecture with Passport Model. | | Compare Evidence | | (Verifier) | against Appraisal | +----------------| | Policy | | '-----------------' | | Attestation | | Result | v .------------. .-----------------. .------. | +------------>| Registration |------------->| | | End | Attestation | Authority | Attestation | CA | | Entity | Result in | | Result in | (RP) | | (Attester) | CSR | (Relying Party) | CSR | | '------------' '-----------------' '------' ]]>

RFC 9334 discusses different security and privacy aspects that need to be considered when developing and deploying a remote attestation solution. For example, Evidence may need to be protected against replay and lists approach for offering freshness. There are also concerns about the exposure of persistent identifiers by utilizing attestation technology, which are discussed in . Finally, the keying material used by the Attester needs to be protected against unauthorized access, and against signing arbitrary content that originated from outside the device. This aspect is described in . Most of these aspects are, however, outside the scope of this specification but relevant for use with a given attestation technology. The focus of this specification is on the transport of Evidence and Attesation Results from the Attester to the Relying Party via existing CSR messages.

Information Model

Model for Evidence in CSR To support a number of different use cases for the transmission of Evidence and certificate chains in a CSR the structure shown in is used. On a high-level, the structure is composed as follows: A PKCS#10 attribute or a CRMF extension contains one EvidenceBundle structure. The EvidenceBundle contains one or more EvidenceStatement structures as well as one or more CertificateChoices which enable to carry various format of certificates. Note: Since an extension must only be included once in a certificate see , this PKCS#10 attribute or the CRMF extension MUST only be included once in a CSR.

Information Model for CSR Evidence Conveyance.

A conformant implementation of an entity processing the CSR structures MUST be prepared to use certificates found in the EvidenceBundle structure to build a certification path to validate any EvidenceStatement. The following use cases are supported, as described in the sub-sections below.

Case 1 - Evidence Bundle without Certificate Chain A single Attester, which only distributes Evidence without an attached certificate chain. In the use case, the Verifier is assumed to be in possession of the certificate chain already or the Verifier directly trusts the Attestation Key and therefore no certificate chain needs to be conveyed in the CSR. As a result, one EvidenceBundle is included in a CSR that contains a single EvidenceStatement without the CertificateChoices structure. shows this use case.

Case 1: Evidence Bundle without Certificate Chain.

Case 2 - Evidence Bundle with Certificate Chain A single Attester, which shares Evidence together with a certificate chain, is shown in . The CSR conveys an EvidenceBundle with a single EvidenceStatement and a CertificateChoices structure.

Case 2: Single Evidence Bundle with Certificate Chain.

Case 3 - Evidence Bundles with Multiple Evidence Statements and Complete Certificate Chains In a Composite Device, which contains multiple Attesters, a collection of Evidence statements is obtained. In this use case, each Attester returns its Evidence together with a certificate chain. As a result, multiple EvidenceStatement structures and the corresponding CertificateChoices structure with the certification chains as provided by the Attester, are included in the CSR. This approach does not require any processing capabilities by a Lead Attester since the information is merely forwarded. shows this use case.

Case 3: Multiple Evidence Structures each with Complete Certificate Chains.

Model for Attestation Result in CSR illustrates the information model for transmitting Attestation Results as a PKCS#10 attribute or a CRMF extension. This structure includes a single AttestationResultBundle, which in turn comprises one or more AttestationResult structures.

Information Model for CSR Attestation Result Conveyance.

ASN.1 Elements for Evidence in CSR

Object Identifiers This document references id-pkix and id-aa, both defined in and . This document defines the arc depicted in .

New OID Arc for PKIX Evidence Statement Formats

Evidence Attribute and Extension By definition, attributes within a PKCS#10 CSR are typed as ATTRIBUTE and within a CRMF CSR are typed as EXTENSION. This attribute definition contains one Evidence bundle of type EvidenceBundle containing one or more Evidence statements of a type EvidenceStatement along with optional certificates for certification path building. This structure enables different Evidence statements to share a certification path without duplicating it in the attribute.

Definition of EvidenceStatementSet

The expression illustrated in maps ASN.1 Types for Evidence Statements to the OIDs that identify them. These mappings are used to construct or parse EvidenceStatements. Evidence Statements are typically defined in other IETF standards, other standards bodies, or vendor proprietary formats along with corresponding OIDs that identify them. This list is left unconstrained in this document. However, implementers can populate it with the formats that they wish to support.

Definition of EvidenceStatement

In , type is an OID that indicates the format of the value of stmt. Based on the responsibilities of the different roles in the RATS architecture, Relying Parties need to relay Evidence to Verifiers for evaluation and obtain an Attestation Result in return. Ideally, the Relying Party should select a Verifier based on the received Evidence without requiring the Relying Party to inspect the Evidence itself. This "routing" decision is simple when there is only a single Verifier configured for use by a Relying Party but gets more complex when there are different Verifiers available and each of them capable of parsing only certain Evidence formats. In some cases, the EvidenceStatement.type OID will be sufficient information for the Relying Party to correctly route it to an appropriate Verifier, however since the type OID only identifies the general data format, it is possible that multiple Verifiers are registered against the same type OID in which case the Relying Party will either require additional parsing of the evidence statement, or the Attester will be required to provide additional information. To simplify the task for the Relying Party an optional field, the hint, is available in the EvidenceStatement structure, as shown in . An Attester MAY include the hint to the EvidenceStatement and it MAY be processed by the Relying Party. The Relying Party MAY decide not to trust the information embedded in the hint or policy MAY override any information provided by the Attester via this hint. When the Attester populates the hint, it MUST contain a fully qualified domain name (FQDN) which uniquely identifies a Verifier. The problem of mapping hint FQDNs to Verifiers, and the problem of FQDN collision is out of scope for this specification; it is assumed that Attester and Verifier makers can manage this appropriately on their own FQDN trees, however if this becomes problematic then a public registry may be needed. In a typical usage scenario, the Relying Party is pre-configured with a list of trusted Verifiers and the corresponding hint values can be used to look up appropriate Verifier. Tricking an Relying Party into interacting with an unknown and untrusted Verifier must be avoided. Usage of the hint field can be seen in the TPM2_attest example in where the type OID indicates the OID id-TcgAttestCertify and the corresponding hint identifies the Verifier as "tpmverifier.example.com". The CertificateChoices structure defined in allows for carrying certificates in the default X.509 format, or in other non-X.509 certificate formats. CertificateChoices MUST only contain certificate or other. CertificateChoices MUST NOT contain extendedCertificate, v1AttrCert, or v2AttrCert. Note that for non-ASN.1 certificate formats, the CertificateChoices MUST use other [3] with an OtherCertificateFormat.Type of OCTET STRING, and then can carry any binary data. The certs field contains a set of certificates that is intended to validate the contents of an Evidence statement contained in evidences, if required. For each Evidnece statement the set of certificates should contain the certificate that contains the public key needed to directly validate the Evidence statement. Additional certificates may be provided, for example, to chain the Evidence signer key back to an agreed upon trust anchor. No specific order of the certificates in certs SHOULD be expected because certificates contained in certs may be needed to validate different Evidence statements. This specification places no restriction on mixing certificate types within the certs field. For example a non-X.509 Evidence signer certificate MAY chain to a trust anchor via a chain of X.509 certificates. It is up to the Attester and its Verifier to agree on supported certificate formats.

Definitions of CSR attribute and extension

The Extension variant illustrated in is intended only for use within CRMF CSRs and is NOT RECOMMENDED to be used within X.509 certificates due to the privacy implications of publishing Evidence about the end entity's hardware environment. See for more discussion. By the nature of the PKIX ASN.1 classes , there are multiple ways to convey multiple Evidence statements: by including multiple copies of attr-evidence or ext-evidence, multiple values within the attribute or extension, and finally, by including multiple EvidenceStatement structures within an EvidenceBundle. The latter is the preferred way to carry multiple Evidence statements. Implementations MUST NOT place multiple copies of attr-evidence into a PKCS#10 CSR due to the COUNTS MAX 1 declaration. In a CRMF CSR, implementers SHOULD NOT place multiple copies of ext-evidence.

ASN.1 Elements for Attestation Result in CSR

Object Identifiers This document defines the arc depicted in .

New OID Arc for PKIX Attestation Result Formats

Attestation Result Attribute and Extension By definition, attributes within a PKCS#10 CSR are typed as ATTRIBUTE and within a CRMF CSR are typed as EXTENSION. This attribute definition contains one AttestationResultBundle structure.

Definition of AttestationResultSet

The expression illustrated in maps ASN.1 Types for Attestation Result to the OIDs that identify them. These mappings are used to construct or parse AttestationResults. Attestation Results are defined in other IETF standards (see ), other standards bodies, or vendor proprietary formats along with corresponding OIDs that identify them. This list is left unconstrained in this document. However, implementers can populate it with the formats that they wish to support.

Definition of AttestationResult

In , type is an OID that indicates the format of the value of stmt.

Definitions of CSR attribute and extension

Implementation Considerations This specification is applicable both in cases where a CSR is constructed internally or externally to the Attesting Environment, from the point of view of the calling application. This section is particularly applicable to the background check model. Cases where the CSR is generated internally to the Attesting Environment are straightforward: the Hardware Security Model (HSM) generates and embeds the Evidence and the corresponding certification paths when constructing the CSR. Cases where the CSR is generated externally may require extra communication between the CSR generator and the Attesting Environment, first to obtain the necessary Evidence about the subject key, and then to use the subject key to sign the CSR; for example, a CSR generated by a popular crypto library about a subject key stored on a PKCS#11 device. As an example, assuming that the HSM is, or contains, the Attesting Environment and some cryptographic library is assembling a CSR by interacting with the HSM over some network protocol, then the interaction would conceptually be:

Example interaction between CSR generator and HSM. | | | |<-----------------| +---------------------+ | | | CSR = assembleCSR() |-| | +---------------------+ | | | | | sign(CSR) | |----------------->| | | |<-----------------| | | ]]>

IANA Considerations IANA is requested to open two new registries, allocate a value from the "SMI Security for PKIX Module Identifier" registry for the included ASN.1 module, and allocate values from "SMI Security for S/MIME Attributes" to identify two attributes defined within.

Module Registration - SMI Security for PKIX Module Identifier

• Decimal: IANA Assigned - Replace TBDMOD
• Description: CSR-ATTESTATION-2023 - id-mod-pkix-attest-01
• References: This Document

Object Identifier Registrations - SMI Security for S/MIME Attributes

• Evidence Statement
• Decimal: IANA Assigned - This was early-allocated as 59 so that we could generate the sample data.
• Description: id-aa-evidence
• References: This Document
• Attestation Result
• Decimal: IANA Assigned - - Replace TBD2
• Description: id-aa-ar
• References: This Document

"SMI Security for PKIX Evidence Statement Formats" Registry IANA is asked to create a registry for Evidence Statement Formats within the SMI-numbers registry, allocating an assignment from id-pkix ("SMI Security for PKIX" Registry) for the purpose.

• Decimal: IANA Assigned - replace TBD1
• Description: id-ata
• References: This document
• Initial contents: None
• Registration Regime: Specification Required. Document must specify an EVIDENCE-STATEMENT or ATTESTATION-RESULT definition to which this Object Identifier shall be bound.

Columns:

• Decimal: The subcomponent under id-ata
• Description: Begins with id-ata
• References: RFC or other document

Attestation Evidence OID Registry IANA is asked to create a registry that helps developers to find OID/Evidence mappings. Registration requests are evaluated using the criteria described in the registration template below after a three-week review period on the [[TBD]] mailing list, with the advice of one or more Designated Experts . However, to allow for the allocation of values prior to publication, the Designated Experts may approve registration once they are satisfied that such a specification will be published. Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register attestation evidence: example"). IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list.

Registration Template The registry has the following columns:

• OID: The OID number, which has already been allocated. IANA does not allocate OID numbers for use with this registry.
• Description: Brief description of the use of the Evidence and the registration of the OID.
• Reference(s): Reference to the document or documents that register the OID for use with a specific attestation technology, preferably including URIs that can be used to retrieve copies of the documents. An indication of the relevant sections may also be included but is not required.
• Change Controller: For Standards Track RFCs, list the "IESG". For others, give the name of the responsible party. In most cases the third party requesting registration in this registry will also be the party that registered the OID.

Initial Registry Contents The initial registry contents is shown in the table below. It lists entries for several evidence encoding OIDs including an entry for the Conceptual Message Wrapper (CMW) . Initial Contents of the Attestation Evidence OID Registry

OID	Description	Reference(s)	Change Controller
2 23 133 5 4 1	tcg-dice-TcbInfo		TCG
2 23 133 5 4 3	tcg-dice-endorsement-manifest-uri		TCG
2 23 133 5 4 4	tcg-dice-Ueid		TCG
2 23 133 5 4 5	tcg-dice-MultiTcbInfo		TCG
2 23 133 5 4 6	tcg-dice-UCCS-evidence		TCG
2 23 133 5 4 7	tcg-dice-manifest-evidence		TCG
2 23 133 5 4 8	tcg-dice-MultiTcbInfoComp		TCG
2 23 133 5 4 9	tcg-dice-conceptual-message-wrapper		TCG
2 23 133 5 4 11	tcg-dice-TcbFreshness		TCG
2 23 133 20 1	tcg-attest-tpm-certify		TCG
1 3 6 1 5 5 7 1 35	id-pe-cmw		IETF

The current registry values can be retrieved from the IANA online website.

Security Considerations In the RATS architecture, when Evidence or an Attestation Result is presented to a Relying Party (RP), the RP may learn detailed information about the Attester unless that information has been redacted or encrypted. Consequently, a certain amount of trust must be placed in the RP, which raises potential privacy concerns because an RP could be used to track devices. This observation is noted in Section 11 of . Typically, the RPs considered in the RATS architecture are application services that use remote attestation, rather than RAs or CAs. Devices inherently place significant trust in RA/CA infrastructure elements, and therefore any additional information revealed through remote attestation to such entities is generally less concerning than disclosure to application services. The problem of copying Evidence by CAs into an X.509 certificate is discussed in . These privacy risks can be mitigated using several approaches, including:

• Shared Attestation Keys: A manufacturer of devices may provision all devices with the same attestation key(s), or share a common attestation key across devices of the same product family. This approach anonymizes individual devices by making them indistinguishable from others using the same key(s). However, it also means losing the ability to revoke a single attestation key if a specific device is compromised. Care must be taken to avoid embedding uniquely identifying information in the Evidence, as that would reduce the privacy benefits of using remote attestation.
• Per-Use Attestation Keys: Devices may be designed to dynamically generate distinct attestation keys (and request the corresponding certificates) for each use case, device, or session. This is analogous to the Privacy CA model, in which a device is initially provisioned with an attestation key and certificate; then, in conjunction with a privacy-preserving CA, it can obtain unique keys and certificates as needed. This strategy reduces the potential for tracking while maintaining strong security assurances. This is the model described in this document.
• Anonymous Attestation Mechanisms: Direct anonymous attestation (DAA) or similar cryptographic methods can be employed to generate blinded attestation signatures. In these schemes, the verifier can validate the attestation using a root key but does not gain a global correlation handle. Thus, repeated use of the same attestation key cannot be exploited to track devices. extends the RATS architecture with such a DAA scheme, significantly enhancing privacy.

Background Check Model Security Considerations A PKCS#10 or CRMF Certification Request message typically consists of a distinguished name, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification. In general usage, the private key used to sign the CSR MUST be different from the Attesting Key utilized to sign Evidence about the Target Environment, though exceptions MAY be made where CSRs and Evidence are involved in bootstrapping the Attesting Key. To demonstrate that the private key applied to sign the CSR is generated, and stored in a secure environment that has controls to prevent theft or misuse (including being non-exportable / non-recoverable), the Attesting Environment has to collect claims about this secure environment (or Target Environment, as shown in ). shows the interaction inside an Attester. The Attesting Environment, which is provisioned with an Attestation Key, retrieves claims about the Target Environment. The Target Environment offers key generation, storage and usage, which it makes available to services. The Attesting Environment collects these claims about the Target Environment and signs them and exports Evidence for use in remote attestation via a CSR.

Interaction between Attesting and Target Environment | Environment +----------+ | | (Firmware) |Evidence| | '-------------' | | | '------------------------------------' ]]>

places the CSR library outside the Attester, which is a valid architecture for certificate enrollment. The CSR library may also be located inside the trusted computing base. Regardless of the placement of the CSR library, an Attesting Environment MUST be able to collect claims about the Target Environment such that statements about the storage of the keying material can be made. For the Verifier, the provided Evidence must allow an assessment to be made whether the key used to sign the CSR is stored in a secure location and cannot be exported. Evidence communicated in the attributes and structures defined in this document are meant to be used in a CSR. It is up to the Verifier and to the Relying Party (RA/CA) to place as much or as little trust in this information as dictated by policies. This document defines the transport of Evidence of different formats in a CSR. Some of these encoding formats are based on standards while others are proprietary formats. A Verifier will need to understand these formats for matching the received claim values against policies. Policies drive the processing of Evidence at the Verifier: the Verifier's Appraisal Policy for Evidence will often be based on specifications by the manufacturer of a hardware security module, a regulatory agency, or specified by an oversight body, such as the CA Browser Forum. The Code-Signing Baseline Requirements document is an example of such a policy that has been published by the CA Browser Forum and specifies certain properties, such as non-exportability, which must be enabled for storing publicly-trusted code-signing keys. Other policies influence the decision making at the Relying Party when evaluating the Attestation Result. The Relying Party is ultimately responsible for making a decision of what information in the Attestation Result it will accept. The presence of the attributes defined in this specification provide the Relying Party with additional assurance about an Attester. Policies used at the Verifier and the Relying Party are implementation dependent and out of scope for this document. Whether to require the use of Evidence in a CSR is out-of-scope for this document.

Freshness for the Background Check Model Evidence generated by an Attester generally needs to be fresh to provide value to the Verifier since the configuration on the device may change over time. discusses different approaches for providing freshness, including a nonce-based approach, the use of timestamps and an epoch-based technique. The use of nonces requires that nonce to be provided by the Relying Party in some protocol step prior to Evidence and CSR generation, and the use of timestamps requires synchronized clocks which cannot be guaranteed in all operating environments. Epochs also require an out-of-band communication channel. This document leaves the exchange of nonces and other freshness data to certificate management protocols, see . Developers, operators, and designers of protocols, which embed Evidence-carrying-CSRs, MUST consider what notion of freshness is appropriate and available in-context; thus the issue of freshness is left up to the discretion of protocol designers and implementers. In the case of Hardware Security Modules (HSM), the definition of "fresh" is somewhat ambiguous in the context of CSRs, especially considering that non-automated certificate enrollments are often asynchronous, and considering the common practice of re-using the same CSR for multiple certificate renewals across the lifetime of a key. "Freshness" typically implies both asserting that the data was generated at a certain point-in-time, as well as providing non-replayability. Certain use cases may have special properties impacting the freshness requirements. For example, HSMs are typically designed to not allow downgrade of private key storage properties; for example if a given key was asserted at time T to have been generated inside the hardware boundary and to be non-exportable, then it can be assumed that those properties of that key will continue to hold into the future. Note: Freshness is also a concern for remote attestation in the passport model; however, the protocol between the Attester and the Verifier lies outside the scope of this specification.

Publishing Evidence in an X.509 Extension This document specifies an Extension for carrying Evidence in a CRMF Certificate Signing Request (CSR), but it is intentionally NOT RECOMMENDED for a CA to copy the ext-evidence extension into the published certificate. The reason for this is that certificates are considered public information and the Evidence might contain detailed information about hardware and patch levels of the device on which the private key resides. The certificate requester has consented to sharing this detailed device information with the CA but might not consent to having these details published. These privacy considerations are beyond the scope of this document and may require additional signaling mechanisms in the CSR to prevent unintended publication of sensitive information, so we leave it as "NOT RECOMMENDED". Often, the correct layer at which to address this is either in certificate profiles, a Certificate Practice Statement (CPS), or in the protocol or application that carries the CSR to the RA/CA where a flag can be added indicating whether the RA/CA should consider the evidence to be public or private.

Type OID and verifier hint The EvidenceStatement includes both a type OID and a free form hint field with which the Attester can provide information to the Relying Party about which Verifier to invoke to parse a given piece of Evidence. Care should be taken when processing these data since at the time they are used, they are not yet verified. In fact, they are protected by the CSR signature but not by the signature from the Attester and so could be maliciously replaced in some cases. The authors' intent is that the type OID and hint will allow an RP to select between Verifier with which it has pre-established trust relationships, such as Verifier libraries that have been compiled in to the RP application. As an example, the hint may take the form of an FQDN to uniquely identify a Verifier implementation, but the RP MUST NOT blindly make network calls to unknown domain names and trust the results. Implementers should also be cautious around type OID or hint values that cause a short-circuit in the verification logic, such as None, Null, Debug, empty CMW contents, or similar values that could cause the Evidence to appear to be valid when in fact it was not properly checked.

Additional Security Considerations In addition to the security considerations listed here, implementers should be familiar with the security considerations of the specifications on this this depends: PKCS#10 , CRMF , as well as general security concepts relating to remote attestation; many of these concepts are discussed in , , , , and . Implementers should also be aware of any security considerations relating to the specific Evidence and Attestation Result formats being carried within the CSR.

References Normative References In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative version. There are no bits- on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. This document describes the Certificate Request Message Format (CRMF) syntax and semantics. This syntax is used to convey a request for a certificate to a Certification Authority (CA), possibly via a Registration Authority (RA), for the purposes of X.509 certificate production. The request will typically include a public key and the associated registration information. This document does not define a certificate request protocol. [STANDARDS-TRACK] This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. Informative References Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Fraunhofer SIT Intel Linaro University of Applied Sciences Bonn-Rhein-Sieg Google LLC This document defines the RATS conceptual message wrapper (CMW) format, a type of encapsulation format that can be used for any RATS messages, such as Evidence, Attestation Results, Endorsements, and Reference Values. Additionally, the document describes a collection type that enables the aggregation of one or more CMWs into a single message. This document also defines corresponding CBOR tag, JSON Web Tokens (JWT) and CBOR Web Tokens (CWT) claims, as well as an X.509 extension. These allow embedding the wrapped conceptual messages into CBOR-based protocols, web APIs, and PKIX protocols. In addition, a Media Type and a CoAP Content-Format are defined for transporting CMWs in HTTP, MIME, CoAP and other Internet protocols. arm Linaro This document defines an evidence format for key attestation based on the Entity Attestation Token (EAT). Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (rats@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/rats/. Source for this draft and an issue tracker can be found at https://github.com/thomas-fossati/draft-kat. This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA. Fraunhofer SIT University of Surrey University of Surrey Microsoft This document maps the concept of Direct Anonymous Attestation (DAA) to the Remote Attestation Procedures (RATS) Architecture. The protocol entity DAA Issuer is introduced and its mapping with existing RATS roles in DAA protocol steps is specified. Siemens Siemens When an end entity includes attestation Evidence in a Certificate Signing Request (CSR), it may be necessary to demonstrate the freshness of the provided Evidence. Current attestation technology commonly achieves this using nonces. This document outlines the process through which nonces are supplied to the end entity by an RA/CA for inclusion in Evidence, leveraging the Certificate Management Protocol (CMP) and Enrollment over Secure Transport (EST) Arm Limited Arm Limited HP Labs Linaro The Arm Platform Security Architecture (PSA) is a family of hardware and firmware security specifications, as well as open-source reference implementations, to help device makers and chip manufacturers build best-practice security into products. Devices that are PSA compliant can produce attestation tokens as described in this memo, which are the basis for many different protocols, including secure provisioning and network access control. This document specifies the PSA attestation token structure and semantics. The PSA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes what claims are used in an attestation token generated by PSA compliant systems, how these claims get serialized to the wire, and how they are cryptographically protected. This informational document is published as an independent submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF. Arm Limited Linaro Mediatek Inc The Arm Confidential Compute Architecture (CCA) is series of hardware and software innovations that enhance Arm’s support for Confidential Computing for large, compute-intensive workloads. Devices that implement CCA can produce attestation tokens as described in this memo, which are the basis for trustworthiness assessment of the Confidential Compute environment. This document specifies the CCA attestation token structure and semantics. The CCA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes what claims are used in an attestation token generated by CCA compliant systems, how these claims get serialized to the wire, and how they are cryptographically protected. This informational document is published as an independent submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF. Trusted Computing Group n.d. CA/Browser Forum Trusted Computing Group Trusted Computing Group OASIS n.d. Juniper Networks, Inc. Cisco Systems National Security Agency This document describes a workflow for remote attestation of the integrity of firmware and software installed on network devices that contain Trusted Platform Modules [TPM1.2], [TPM2.0], as defined by the Trusted Computing Group (TCG)), or equivalent hardware implementations that include the protected capabilities, as provided by TPMs. Cisco Systems Fraunhofer SIT MIT Linaro Intel This document defines reusable Attestation Result information elements. When these elements are offered to Relying Parties as Evidence, different aspects of Attester trustworthiness can be evaluated. Additionally, where the Relying Party is interfacing with a heterogeneous mix of Attesting Environment and Verifier types, consistent policies can be applied to subsequent information exchange between each Attester and the Relying Party.

Examples This section provides several examples and sample data for embedding Evidence in CSRs. The first example embeds Evidence produced by a TPM in the CSR. The second example conveys an Arm Platform Security Architecture token, which provides claims about the used hardware and software platform, into the CSR. After publication of this document, additional examples and sample data will be collected at the following GitHub repository : https://github.com/lamps-wg/csr-attestation-examples

Extending EvidenceStatementSet As defined in , EvidenceStatementSet acts as a way to provide an ASN.1 compiler or runtime parser with a list of OBJECT IDENTIFIERs that are known to represent EvidenceStatements -- and are expected to appear in an EvidenceStatement.type field, along with the ASN.1 type that should be used to parse the data in the associated EvidenceStatement.stmt field. Essentially this is a mapping of OIDs to data structures. Implementers are expected to populate it with mappings for the Evidence types that their application will be handling. This specification aims to be agnostic about the type of data being carried, and therefore does not specify any mandatory-to-implement Evidence types. As an example of how to populate EvidenceStatementSet, implementing the TPM 2.0 and PSA Evidence types given below would result in the following EvidenceStatementSet definition:

TPM V2.0 Evidence in CSR This section describes TPM2 key attestation for use in a CSR. This is a complete and canonical example that can be used to test parsers implemented against this specification. Readers who wish the sample data may skip to ; the following sections explain the TPM-specific data structures needed to fully parse the contents of the evidence statement.

TCG Key Attestation Certify There are several ways in TPM2 to provide proof of a key's properties. (i.e., key attestation). This description uses the simplest and most generally expected to be used, which is the TPM2_Certify and the TPM2_ReadPublic commands. This example does not describe how platform attestation augments key attestation. The properties of the key (such as the name of the key, the key usage) in this example do not change during the lifetime of the key.

TCG OIDs The OIDs in this section are defined by TCG TCG has a registered arc of 2.23.133 The tcg-kp-AIKCertificate OID in extendedKeyUsage identifies an AK Certificate in RFC 5280 format defined by TCG. This certificate would be a certificate in the EvidenceBundle defined in . (Note: The abbreviation AIK was used in TPM 1.2 specification. TPM 2.0 specifications use the abbreviation AK. The abbreviations are interchangeable.)

TPM2 AttestationStatement The EvidenceStatement structure contains a sequence of two fields: a type and a stmt. The 'type' field contains the OID of the Evidence format and it is set to tcg-attest-tpm-certify. The content of the structure shown below is placed into the stmt, which is a concatenation of existing TPM2 structures. These structures will be explained in the rest of this section.

Introduction to TPM2 concepts The definitions in the following sections are specified by the Trusted Computing Group (TCG). TCG specification including the TPM2 set of specifications , specifically Part 2 defines the TPM 2.0 structures. Those familiar with TPM2 concepts may skip to which defines an ASN.1 structure specific for bundling a TPM attestation into an EvidenceStatement, and which provides the example. For those unfamiliar with TPM2 concepts this section provides only the minimum information to understand TPM2 Attestation in CSR and is not a complete description of the technology in general.

TCG Objects and Key Attestation This provides a brief explanation of the relevant TPM2 commands and data structures needed to understand TPM2 Attestation used in this RFC. NOTE: The TPM2 specification used in this explanation is version 1.59, section number cited are based on that version. Note also that the TPM2 specification comprises four documents: Part 1: Architecture; Part 2: Structures; Part 3: Commands; Part 4: Supporting Routines. Note about convention: All structures starting with TPM2B_ are:

• a structure that is a sized buffer where the size of the buffer is contained in a 16-bit, unsigned value.
• The first parameter is the size in octets of the second parameter. The second parameter may be any type.

A full explanation of the TPM structures is outside the scope of this document. As a simplification references to TPM2B_ structures will simply use the enclosed TPMT_ structure by the same name following the '_'.

TPM2 Object Names All TPM2 Objects (e.g., keys are key objects which is the focus of this specification). A TPM2 object name is persistent across the object's life cycle whether the TPM2 object is transient or persistent. A TPM2 Object name is a concatenation of a hash algorithm identifier and a hash of the TPM2 Object's TPMT_PUBLIC. publicArea is the TPMT_PUBLIC structure for that TPM2 Object. The size of the Name field can be derived by examining the nameAlg value, which defines the hashing algorithm and the resulting size. The Name field is returned in the TPM2B_ATTEST data field. where for a key object the attested field is

TPM2 Public Structure Any TPM2 Object has an associated TPM2 Public structure defined as TPMT_PUBLIC. This is defined below as a 'C' structure. While there are many types of TPM2 Objects each with its own specific TPMT_PUBLIC structure (handled by the use of 'unions') this document will specifically define TPMT_PUBLIC for a TPM2 key object. Where: * type and nameAlg are 16 bit TCG defined algorithms. * objectAttributes is a 32 bit field defining properties of the object, as shown below

• authPolicy is the Policy Digest needed to authorize use of the object.
• Parameters are the object type specific public information about the key.
  • For key objects, this would be the key's public parameters.
• unique is the identifier for parameters

The size of the TPMT_PUBLIC is provided by the following structure:

TPM2 Signatures TPM2 signatures use a union where the first field (16 bits) identifies the signature scheme. The example below shows an RSA signature where TPMT_SIGNATURE->sigAlg will indicate to use TPMS_SIGNATURE_RSA as the signature.

Attestation Key The uniquely identifying TPM2 key is the Endorsement Key (the EK). As this is a privacy sensitive key, the EK is not directly used to attest to any TPM2 asset. Instead, the EK is used by an Attestation CA to create an Attestation Key (the AK). The AK is assumed trusted by the Verifier and is assume to be loaded in the TPM during the execution of the process described in the subsequent sections. The description of how to create the AK is outside the scope of this document.

Attester Processing The only signed component is the TPM2B_ATTEST structure, which returns only the (key's) Name and the signature computed over the Name but no detailed information about the key. As the Name is comprised of public information, the Name can be calculated by the Verifier but only if the Verify knows all the public information about the Key. The Attester's processing steps are as follows: Using the TPM2 command TPM2_Certify obtain the TPM2B_ATTEST and TPMT_SIGNATURE structures from the TPM2. The signing key for TPMT_SIGNATURE is an Attention Key (or AK), which is assumed to be available to the TPM2 upfront. More details are provided in The TPM2 command TPM2_Certify takes the following input:

• TPM2 handle for Key (the key to be attested to)
• TPM2 handle for the AK (see )

It produces the following output:

• TPM2B_ATTEST in binary format
• TPMT_SIGNATURE in binary format

Then, using the TPM2 command TPM2_ReadPublic obtain the Keys TPM2B_PUBLIC structure. While the Key's public information can be obtained by the Verifier in a number ways, such as storing it from when the Key was created, this may be impractical in many situations. As TPM2 provided a command to obtain this information, this specification will include it in the TPM2 Attestation CSR extension. The TPM2 command TPM2_ReadPublic takes the following input:

• TPM2 handle for Key (the key to be attested to)

It produces the following output:

• TPM2B_PUBLIC in binary format

Verifier Processing The Verifier has to perform the following steps once it receives the Evidence:

• Verify the TPM2B_ATTEST using the TPMT_SIGNATURE.
• Use the Key's "expected" Name from the provided TPM2B_PUBLIC structure. If Key's "expected" Name equals TPM2B_ATTEST->attestationData then returned TPM2B_PUBLIC is the verified.

Sample CSR This CSR demonstrates a certification request for a key stored in a TPM using the following structure: hint: "tpmverifier.example.com" } }, certs { akCertificate, caCertificate } } } } } ]]> Note that this example demonstrates most of the features of this specification:

• The data type is identified by the OID id-TcgCsrCertify contained in the EvidenceStatement.type field.
• The signed evidence is carried in the EvidenceStatement.stmt field.
• The EvidenceStatement.hint provides information to the Relying Party about which Verifier (software) will be able to correctly parse this data. Note that the type OID indicates the format of the data, but that may itself be a wrapper format that contains further data in a proprietary format. In this example, the hint says that software from the package "tpmverifier.example.com" will be able to parse this data.
• The evidence statement is accompanied by a certificate chain in the EvidenceBundle.certs field which can be used to verify the signature on the evidence statement. How the Verifier establishes trust in the provided certificates is outside the scope of this specification.

This example does not demonstrate an EvidenceBundle that contains multiple EvidenceStatements sharing a certificate chain.

PSA Attestation Token in CSR The Platform Security Architecture (PSA) Attestation Token is defined in and specifies claims to be included in an Entity Attestation Token (EAT). defines key attestation based on the EAT format. In this section the platform attestation offered by is combined with key attestation by binding the key attestation token (KAT) to the platform attestation token (PAT) with the help of the nonce. For details see . The resulting KAT-PAT bundle is, according to , combined in a CMW collection . The encoding of this KAT-PAT bundle is shown in the example below. EvidenceStatement + | +-> type: OID for CMW Collection | 1 3 6 1 5 5 7 1 TBD | +-> stmt: KAT/PAT CMW Collection ]]> The value in EvidenceStatement->stmt is based on the KAT/PAT example from and the result of CBOR encoding the CMW collection shown below (with line-breaks added for readability purposes):

Confidential Compute Architecture (CCA) Platform Token in CSR The Confidential Compute Architecture (CCA) Platform Token is described in and is also based on the EAT format. Although the full CCA attestation is composed of Realm and Platform Evidence, for the purposes of this example only the Platform token is provided. EvidenceStatement + | +-> type: OID for CCA Platform Attestation Toekn | 1 3 6 1 5 5 7 1 TBD | +-> stmt: CCA Platform Token ]]> Although the CCA Platform Token follows the EAT/CMW format, it is untagged. This is because the encoding can be discerned in the CSR based on the OID alone. The untagged token based on a sample claim set is provided below: Realm evidence can be included in a CMW bundle, similar to the PSA token. In this case, the CSR is constructed as follows: EvidenceStatement + | +-> type: OID for CMW Collection | 1 3 6 1 5 5 7 1 TBD | +-> stmt: Realm Token/Platform Token CMW Collection or Realm Claim Set/Platform Token CMW Collection ]]>

ASN.1 Module

TCG DICE Example in ASN.1 This section gives an example of extending the ASN.1 module above to carry an existing ASN.1-based Evidence Statement. The example used is the Trusted Computing Group DICE Attestation Conceptual Message Wrapper, as defined in .

TCG DICE TcbInfo Example in CSR This section gives an example of extending the ASN.1 module above to carry an existing ASN.1-based evidence statement. The example used is the Trusted Computing Group DiceTcbInfo, as defined in .

Acknowledgments This specification is the work of a design team created by the chairs of the LAMPS working group. The following persons, in no specific order, contributed to the work directly, participated in design team meetings, or provided review of the document. Richard Kettlewell, Chris Trufan, Bruno Couillard, Jean-Pierre Fiset, Sander Temme, Jethro Beekman, Zsolt Rózsahegyi, Ferenc Pető, Mike Agrenius Kushner, Tomas Gustavsson, Dieter Bong, Christopher Meyer, Carl Wallace, Michael Richardson, Tomofumi Okubo, Olivier Couillard, John Gray, Eric Amador, Darren Johnson, Herman Slatman, Tiru Reddy, James Hagborg, A.J. Stein, John Kemp, Daniel Migault and Russ Housley. We would like to specifically thank Mike StJohns for his work on an earlier version of this draft. We would also like to specifically thank Giri Mandyam for providing the appendix illustrating the confidential computing scenario, and to Corey Bonnell for helping with the hackathon scripts to bundle it into a CSR. Finally, we would like to thank Andreas Kretschmer, Hendrik Brockhaus, David von Oheimb, and Thomas Fossati for their feedback based on implementation experience.