]> Red Hound Software

carl@redhoundsoftware.com

Vigil Security, LLC

housley@vigilsec.com

arm

Thomas.Fossati@arm.com

arm

yogesh.deshpande@arm.com

Security Remote ATtestation ProcedureS Internet-Draft Trust anchor (TA) stores may be used for several purposes in the Remote Attestation Procedures (RATS) architecture including verifying endorsements, reference values, digital letters of approval, attestations, or public key certificates. This document describes a Concise Reference Integrity Manifest (CoRIM) extension that may be used to convey optionally constrained trust anchor stores containing optionally constrained trust anchors in support of these purposes. About This Document Status information for this document may be found at . Discussion of this document takes place on the rats Working Group mailing list (), which is archived at . Subscribe at .

Introduction The RATS architecture uses the definition of a trust anchor from : "A trust anchor represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative." In the context of RATS, a trust anchor may be a public key or a symmetric key. This document focuses on trust anchors that are represented as public keys. The Concise Reference Integrity Manifest (CoRIM) specification defines a binary encoding for reference values using the Concise Binary Object Representation (CBOR) . Amongst other information, a CoRIM may include key material for use in verifying evidence from an attesting environment (see section 3.11 in ). The extension in this document aims to enable public key material to be decoupled from reference data for several reasons, described below. Trust anchor (TA) and certification authority (CA) public keys may be less dynamic than the reference data that comprises much of a reference integrity manifest (RIM). For example, TA and CA lifetimes are typically fairly long while software versions change frequently. Conveying keys less frequently and indepedent from reference data enables a reduction in size of RIMs used to convey dynamic information and may result in a reduction in the size of aggregated data transferred to a verifier. CoRIMs themselves are signed and some means of conveying CoRIM verification keys is required, though ultimately some out-of-band mechanism is required at least for bootstrapping purposes. Relying parties may verify attestations from both hardware and software sources and some trust anchors may be used to verify attestations from both hardware and software sources, as well. The verification information included in a CoRIM optionally includes a trust anchor, leaving trust anchor management to other mechanisms. Additionally, the CoRIM verification-map structure is tied to CoMIDs, leaving no simple means to convey verification information for CoSWIDs . This document defines means to decouple TAs and CAs from reference data and adds support for constraining the use of trust anchors, chiefly by limiting the environments to which a set of trust anchors is applicable. This constraints mechanism is similar to that in and and should align with existing attestation verification practices that tend to use per-vendor trust anchors. TA store instances may be further constrained using coarse-grained purpose values or a set of finer-grained permitted or excluded claims. The trust anchor formats supported by this draft allow for per-trust anchor constraints, if desired. Conveyance of trust anchors is the primary goal, CA certificates may optionally be included for convenience.

Constraints This document aims to support different PKI architectures including scenarios with various combinations of the following characteristics:

• TA stores that contain a TA or set of TAs from a single organization
• TA stores that contain a set of TAs from multiple organizations
• TAs that issue certificates to CAs within the same organiation as the TA
• TAs that issue certificates to CAs from multiple organizations
• CAs that issue certificates that may be used to verify attestations or certificates from the same organization as the TA and CA
• CAs that issue certificates that may be used to verify attestations or certificates from multiple organizations

Subsequent specifications may define extensions to express constraints as well as processing rules for evaluating constraints expressed in TA stores, TAs, CA certificates and end entity (EE) certificates. Support for constraints is intended to enable misissued certificates to be rejected at verification time. Any public key that can be used to verify a certificate is assumed to also support verification of revocation information, subject to applicable constraints defined by the revocation mechanism.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Trust anchor management for RATS Within RATS, trust anchors may be used to verify digital signatures for a variety of objects, including entity attestation tokens (EATs), CoRIMs, X.509 CA certificates (possibly containing endorsement information), X.509 EE certificates (possibly containing endorsement or attestation information), other attestation data, digital letters of approval , revocation information, etc. Depending on context, a raw public key may suffice or additional information may be required, such as subject name or subject public key identifier information found in an X.509 certificate. Trust anchors are usually aggregated into sets that are referred to as "trust anchor stores". Different trust anchor stores may serve different functional purposes. Historically, trust anchors and trust anchor stores are not constrained other than by the context(s) in which a trust anchor store is used. The path validation algorithm in only lists name, public key, public key algorithm and public key parameters as the elements of "trust anchor information". However, there are environments that do constrain trust anchor usage. The RPKI uses extensions from trust anchor certificates as defined in . FIDO provides a type of constraint by grouping attestation verification root certificates by authenticator model in . This document aims to support each of these types of models by allowing constrained or unconstrained trust anchors to be grouped by abstract purpose, i.e., similar to traditional trust anchor stores, or grouped by a set of constraints, such as vendor name.

TA and CA conveyance An unsigned concise TA stores object is a list of one or more TA stores, each represented below as a concise-ta-store-map element. Each TA store instance identifies a target environment and features one or more public keys. Optional constraints on usage may be defined as well. The following sections define the structures to support the concepts shown above.

The concise-ta-stores Container The concise-ta-stores type is the root element for distrbuting sets of trust anchor stores. It contains one or more concise-ta-store-map elements where each element in the list identifies the environments for which a given set of trust anchors is applicable, along with any constraints. The $concise-tag-type-choice is extended to include the concise-ta-stores structure. As shown in Section 4 of , the $concise-tag-type-choice type is used within the unsigned-corim-map structure, which is used within COSE-Sign1-corim structure. The COSE-Sign1-corim provides for integrity of the CoTS data. CoTS structures are not intended for use as stand-alone, unsigned structures. The signature on a CoTS instance SHOULD be verified using a TA associated with the cots purpose.

The concise-ta-store-map Container A concise-ta-store-map is a trust anchor store where the applicability of the store is established by the tastore.environment field with optional constraints on use of trust anchors found in the tastore.keys field defined by the tastore.purpose, tastore.perm_claims and tastore.excl_claims fields. language-type ? tastore.store-identity => tag-identity-map tastore.environments => environment-group-list ? tastore.purposes => [+ $$tas-list-purpose] ? tastore.perm_claims => [+ $$claims-set-claims] ? tastore.excl_claims => [+ $$claims-set-claims] tastore.keys => cas-and-tas-map } ; concise-ta-store-map indices tastore.language = 0 tastore.store-identity = 1 tastore.environment = 2 tastore.purpose = 3 tastore.perm_claims = 4 tastore.excl_claims = 5 tastore.keys = 6 ]]> The following describes each member of the concise-ta-store-map.

tastore.language:

A textual language tag that conforms with the IANA Language Subtag Registry .

tastore.store-identity:

A composite identifier containing identifying attributes that enable global unique identification of a TA store instance across versions and facilitate linking from other artifacts. The tag-identity-map type is defined in .

tastore.environment:

A list of environment definitions that limit the contexts for which the tastore.keys list is applicable. If the tastore.environment is empty, TAs in the tastore.keys list may be used for any environment.

tastore.purpose:

Contains a list of purposes for which the tastore.keys list may be used. When absent, TAs in the tastore.keys list may be used for any purpose. This field is simliar to the extendedKeyUsage extension defined in . The initial list of purposes are: cots, corim, comid, coswid, eat, key-attestation, certificate

tastore.perm_claims:

Contains a list of claim values for which tastore.keys list MAY be used to verify. When this field is absent, TAs in the tastore.keys list MAY be used to verify any claim subject to other restrictions.

tastore.excl_claims:

Contains a list of claim values for which tastore.keys list MUST NOT be used to verify. When this field is absent, TAs in the tastore.keys list may be used to verify any claim subject to other restrictions.

tastore.keys:

Contains a list of one or more TAs and an optional list of one or more CA certificates.

The perm_claims and excl_claims constraints MAY alternatively be expressed as extensions in a TA or CA. Inclusion of support here is intended as an aid for environments that find CBOR encoding support more readily available than DER encoding support.

The cas-and-tas-map Container The cas-and-tas-map container provides the means of representing trust anchors and, optionally, CA certificates. $pkix-ta-type data => bstr ] cas-and-tas-map = { tastore.tas => [ + trust-anchor ] ? tastore.cas => [ + pkix-cert-data ] } ; cas-and-tas-map indices tastore.tas = 0 tastore.cas = 1 ; format values $pkix-ta-type /= tastore.pkix-cert-type $pkix-ta-type /= tastore.pkix-tainfo-type $pkix-ta-type /= tastore.pkix-spki-type tastore.pkix-cert-type = 0 tastore.pkix-tainfo-type = 1 tastore.pkix-spki-type = 2 ; certificate type pkix-cert-data = bstr ]]> The tastore.tas element is used to convey one or more trust anchors and an optional set of one or more CA certificates. TAs are implicitly trusted, i.e., no verification is required prior to use. However, limitations on the use of the TA may be asserted in the corresponding concise-ta-store-map or within the TA itself. The tastore.cas field provides certificates that may be useful in the context where the corresponding concise-ta-store-map is used. These certificates are not implicitly trusted and MUST be validated to a trust anchor before use. End entity certificates SHOULD NOT appear in the tastore.cas list. The structure of the data contained in the data field of a trust-anchor is indicated by the format field. The pkix-cert-type is used to represent a binary, DER-encoded X.509 Certificate as defined in . The pkix-key-type is used to represent a binary, DER-encoded SubjectPublicKeyInfo as defined in . The pkix-tainfo-type is used to represent a binary, DER-encoded TrustAnchorInfo as defined in . The $pkix-ta-type provides an extensible means for representing trust anchor information. It is defined here as supporting the pkix-cert-type, pkix-spki-type or pkix-tainfo-type. The pkix-spki-type may be used where only a raw pubilc key is necessary. The pkix-cert-type may be used for most purposes, including scenarios where a raw public key is sufficient and those where additional information from a certificate is required. The pkix-tainfo-type is included to support scenarios where constraints information is directly associated with a public key or certificate (vs. constraints for a TA set as provided by tastore.purpose, tastore.perm_claims and tastore.excl_claims). The pkix-cert-data type is used to represent a binary, DER-encoded X.509 Certificate.

Environment definition

The environment-group-list Array In CoRIM, "composite devices or systems are represented by a collection of Concise Module Identifiers (CoMID) and Concise Software Identifiers (CoSWID)". For trust anchor management purposes, targeting specific devices or systems may be too granular. For example, a trust anchor or set of trust anchors may apply to multiple device models or versions. The environment-map definition as used in a CoRIM is tightly bound to a CoMID. To allow for distribution of key material applicable to a specific or range of devices or software, the envrionment-group-list and environment-group-map are defined as below. These aim to enable use of coarse-grained naturally occurring values, like vendor, make, model, etc. to determine if a set of trust anchors is applicable to an environment. environment-map, ? tastore.concise_swid_tag => abbreviated-swid-tag, ? tastore.named_ta_store => named-ta-store, } ; environment-group-list-map indices tastore.environment_map = 0 tastore.abbreviated_swid_tag = 1 tastore.named_ta_store = 2 ]]> An environment-group-list is a list of one or more environment-group-list-map elements that are used to determine if a given context is applicable. An empty list signifies all contexts SHOULD be considered as applicable. An environment-group-list-map is one of environment-map , abbreviated-swid-tag-map or named-ta-store. As defined in , an envirionment-map may contain class-map, $instance-id-type-choice, $group-id-type-choice. QUESTION: Should the above dispense with environment-map and concise-swid-tag and use or define some identity-focused structure with information common to both (possibly class-map from )? If not, should a more complete CoMID representation be used (instead of environment-map)?

The abbreviated-swid-tag-map Container The abbreviated-swid-tag-map allows for expression of fields from a concise-swid-tag with all fields except entity designated as optional, compared to the concise-swid-tag definition that requires tag-id, tag-version and software-name to be present. text / bstr .size 16, ? tag-version => integer, ? corpus => bool, ? patch => bool, ? supplemental => bool, ? software-name => text, ? software-version => text, ? version-scheme => $version-scheme, ? media => text, ? software-meta => one-or-more, entity => one-or-more, ? link => one-or-more, ? payload-or-evidence, * $$coswid-extension, global-attributes, } ]]>

The named-ta-store Type This specification allows for defining sets of trust anchors that are associated with an arbitrary name instead of relative to information typically expressed in a CoMID or CoSWID. Relying parties MUST be configured using the named-ta-store value to select a corresponding concise-ta-store-map for use.

Constraints definition

The $$tas-list-purpose Type The $$tas-list-purpose type provides an extensible means of expressions actions for which the corresponding keys are applicable. For example, trust anchors in a concise-ta-store-map with purpose field set to eat may not be used to verify certification paths. Extended key usage values corresponding to each purpose listed below (except for certificate) are defined in a companion specification. TODO: Define verification targets for each purpose. QUESTION: Should this have a registry?

Claims A concise-ta-store-map may include lists of permitted and/or excluded claims that limit the applicability of trust anchors present in a cas-and-tas-map. A subsequent specification will define processing rules for evaluating constraints expressed in TA stores, TAs, CA certificates and end entity certificates.

Processing a concise-ta-stores RIM When verifying a signature using a public key that chains back to a concise-ta-stores instance, elements in the concise-ta-stores array are processed beginning with the first element and proceeding until either a matching set is found that serves the desired purpose or no more elements are available. Each element is evaluated relative to the context, i.e., environment, purpose, artifact contents, etc. For example, when verifying a CoRIM, each element in a triples-group MUST have an environment value that matches an environment-group-list-map element associated with the concise-ta-store-map containing the trust anchor used to verify the CoMID. Similarly, when verifying a CoSWID, the values in a abbreviated-swid-tag element from the concise-ta-store-map MUST match the CoSWID tag being verified. When verifying a certificate with DICE attestation extension, the information in each DiceTcbInfo element MUST be consistent with an environment-group-list-map associated with the concise-ta-store-map.

Verifying a concise-ta-stores RIM defers verification rules to and this document follows suit with the additional recommendation that the public key used to verify the RIM SHOULD be present in or chain to a public key present in a concise-ta-store-map with purpose set to cots.

CDDL definitions The CDDL definitions present in this document are provided below. Definitions from are not repeated here. language-type ? tastore.store-identity => tag-identity-map tastore.environments => environment-group-list ? tastore.purposes => [+ $$tas-list-purpose] ? tastore.perm_claims => [+ $$claims-set-claims] ? tastore.excl_claims => [+ $$claims-set-claims] tastore.keys => cas-and-tas-map } ; concise-ta-store-map indices tastore.language = 0 tastore.store-identity = 1 tastore.environment = 2 tastore.purpose = 3 tastore.perm_claims = 4 tastore.excl_claims = 5 tastore.keys = 6 trust-anchor = [ format => $pkix-ta-type data => bstr ] cas-and-tas-map = { tastore.tas => [ + trust-anchor ] ? tastore.cas => [ + pkix-cert-type ] } ; cas-and-tas-map indices tastore.tas = 0 tastore.cas = 1 ; format values $pkix-ta-type /= tastore.pkix-cert-type $pkix-ta-type /= tastore.pkix-tainfo-type $pkix-ta-type /= tastore.pkix-spki-type tastore.pkix-cert-type = 0 tastore.pkix-tainfo-type = 1 tastore.pkix-spki-type = 2 ; certificate type pkix-cert-data = bstr environment-group-list = [* environment-group-list-map] environment-group-list-map = { ? environment-map => environment-map, ? concise-swid-tag => abbreviated-swid-tag, ? named-ta-store => named-ta-store, } abbreviated-swid-tag = { ? tag-version => integer, ? corpus => bool, ? patch => bool, ? supplemental => bool, ? software-name => text, ? software-version => text, ? version-scheme => $version-scheme, ? media => text, ? software-meta => one-or-more, ? entity => one-or-more, ? link => one-or-more, ? payload-or-evidence, * $$coswid-extension, global-attributes, } named-ta-store = tstr $tas-list-purpose /= "cots" $tas-list-purpose /= "corim" $tas-list-purpose /= "comid" $tas-list-purpose /= "coswid" $tas-list-purpose /= "eat" $tas-list-purpose /= "key-attestation" $tas-list-purpose /= "certificate" $tas-list-purpose /= "dloa" ]]>

Examples The following examples are isolated concise-ta-store-map instances shown as JSON for ease of reading. The final example is an ASCII hex representation of a CBOR-encoded concise-ta-stores instance containing each example below (and using a placeholder value for the concise-ta-stores tag). The TA store below contains a TA from a single organization ("Zesty Hands, Inc,") that is used to verify CoRIMs for that organization. Because this TA does not verify certificates, a bare public key is appropriate. It features a tag identity field containing a UUID for the tag identity and a version indication. The TA store below features three TAs from different organizations grouped as a TA store with the name "Miscellaneous TA Store". The first TA is an X.509 certificate. The second and third TAs are TrustAnchorInfo objects containing X.509 certificates. Though not shown in this example, constraints could be added to the TrustAnchorInfo elements, i.e., to restrict verification to attestations asserting a specific vendor name. It features a tag identity field containing a string as the tag identity with no version field present. The TA Store below features one TA with an environment targeting CoSWIDs with entity named "Zesty Hands, Inc," and one permitted EAT claim for software named "Bitter Paper". The dump below shows the COSE-Sign1-corim contents from the ASCII hex above. A full base64-encoded version of this example is given in

Security Considerations As a profile of CoRIM, the security considerations from apply. As a means of managing trust anchors, the security considerations from and apply. a CoTS signer is roughly analogous to a "management trust anchor" as described in .

IANA Considerations

CoRIM CBOR Tag Registration IANA is requested to allocate tags in the "CBOR Tags" registry , preferably with the specific value requested:

Tag	Data Item	Semantics
507	tagged array	Concise Trust Anchor Stores (CoTS)

References Normative References Fraunhofer SIT arm arm Intel Huawei Technologies Remote Attestation Procedures (RATS) enable Relying Parties to assess the trustworthiness of a remote Attester and therefore to decide whether to engage in secure interactions with it. Evidence about trustworthiness can be rather complex and it is deemed unrealistic that every Relying Party is capable of the appraisal of Evidence. Therefore that burden is typically offloaded to a Verifier. In order to conduct Evidence appraisal, a Verifier requires not only fresh Evidence from an Attester, but also trusted Endorsements and Reference Values from Endorsers and Reference Value Providers, such as manufacturers, distributors, or device owners. This document specifies Concise Reference Integrity Manifests (CoRIM) that represent Endorsements and Reference Values in CBOR format. Composite devices or systems are represented by a collection of Concise Module Identifiers (CoMID) and Concise Software Identifiers (CoSWID) bundled in a CoRIM document. Security Theory LLC Qualcomm Technologies Inc. Qualcomm Technologies Inc. Red Hound Software, Inc. An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine how much it wishes to trust the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims. Fraunhofer SIT National Security Agency The MITRE Corporation National Institute of Standards and Technology ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory efficient format. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document describes a structure for representing trust anchor information. A trust anchor is an authoritative entity represented by a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information or actions for which the trust anchor is authoritative. The structures defined in this document are intended to satisfy the format-related requirements defined in Trust Anchor Management Requirements. [STANDARDS-TRACK] The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. IANA In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. IANA Informative References In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. A trust anchor represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative. A relying party uses trust anchors to determine if a digitally signed object is valid by verifying a digital signature using the trust anchor's public key, and by enforcing the constraints expressed in the associated data for the trust anchor. This document describes some of the problems associated with the lack of a standard trust anchor management mechanism and defines requirements for data formats and push-based protocols designed to address these problems. This document is not an Internet Standards Track specification; it is published for informational purposes. This document describes a transport independent protocol for the management of trust anchors (TAs) and community identifiers stored in a trust anchor store. The protocol makes use of the Cryptographic Message Syntax (CMS), and a digital signature is used to provide integrity protection and data origin authentication. The protocol can be used to manage trust anchor stores containing trust anchors represented as Certificate, TBSCertificate, or TrustAnchorInfo objects. [STANDARDS-TRACK] This document defines two X.509 v3 certificate extensions. The first binds a list of IP address blocks, or prefixes, to the subject of a certificate. The second binds a list of autonomous system identifiers to the subject of a certificate. These extensions may be used to convey the authorization of the subject to use the IP addresses and autonomous system identifiers contained in the extensions. [STANDARDS-TRACK] Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need for the ability to have basic security services defined for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. FIDO Alliance FIDO Alliance GlobalPlatform

Examples Base64 Encodings The base64 encoded data below represents a signed CoRIM that features a concise-ta-stores containing the three examples shown above.

Acknowledgments Thanks to Sabreen Kaur for spotting a bug in the examples.