draft-ietf-rats-eat-11.txt   draft-ietf-rats-eat-12.txt 
RATS Working Group L. Lundblade RATS Working Group L. Lundblade
Internet-Draft Security Theory LLC Internet-Draft Security Theory LLC
Intended status: Standards Track G. Mandyam Intended status: Standards Track G. Mandyam
Expires: April 26, 2022 J. O'Donoghue Expires: August 27, 2022 J. O'Donoghue
Qualcomm Technologies Inc. Qualcomm Technologies Inc.
October 23, 2021 February 23, 2022
The Entity Attestation Token (EAT) The Entity Attestation Token (EAT)
draft-ietf-rats-eat-11 draft-ietf-rats-eat-12
Abstract Abstract
An Entity Attestation Token (EAT) provides a signed (attested) set of An Entity Attestation Token (EAT) provides an attested claims set
claims that describe state and characteristics of an entity, that describes state and characteristics of an entity, a device like
typically a device like a phone or an IoT device. These claims are a phone, IoT device, network equipment or such. This claims set is
used by a Relying Party to determine how much it wishes to trust the used by a relying party, server or service to determine how much it
entity. wishes to trust the entity.
An EAT is either a CWT or JWT with some attestation-oriented claims. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with
To a large degree, all this document does is extend CWT and JWT. attestation-oriented claims. To a large degree, all this document
does is extend CWT and JWT.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 26, 2022. This Internet-Draft will expire on August 27, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. CWT, JWT, UCCS, UJCS and DEB . . . . . . . . . . . . . . 5 1.1. Entity Overview . . . . . . . . . . . . . . . . . . . . . 6
1.2. CDDL, CBOR and JSON . . . . . . . . . . . . . . . . . . . 6 1.2. CWT, JWT, UCCS, UJCS and DEB . . . . . . . . . . . . . . 7
1.3. Operating Model and RATS Architecture . . . . . . . . . . 7 1.3. CDDL, CBOR and JSON . . . . . . . . . . . . . . . . . . . 8
1.3.1. Use as Attestation Evidence . . . . . . . . . . . . . 8 1.4. Operating Model and RATS Architecture . . . . . . . . . . 8
1.3.2. Use as Attestation Results . . . . . . . . . . . . . 8 1.4.1. Relationship between Attestation Evidence and
1.4. Entity Overview . . . . . . . . . . . . . . . . . . . . . 9 Attestation Results . . . . . . . . . . . . . . . . . 9
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10
3. The Claims . . . . . . . . . . . . . . . . . . . . . . . . . 10 3. The Claims . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.1. Token ID Claim (cti and jti) . . . . . . . . . . . . . . 11 3.1. Token ID Claim (cti and jti) . . . . . . . . . . . . . . 11
3.2. Timestamp claim (iat) . . . . . . . . . . . . . . . . . . 11 3.2. Timestamp claim (iat) . . . . . . . . . . . . . . . . . . 11
3.3. Nonce Claim (nonce) . . . . . . . . . . . . . . . . . . . 11 3.3. Nonce Claim (nonce) . . . . . . . . . . . . . . . . . . . 12
3.4. Universal Entity ID Claim (ueid) . . . . . . . . . . . . 12 3.4. Universal Entity ID Claim (ueid) . . . . . . . . . . . . 12
3.5. Semi-permanent UEIDs (SUEIDs) . . . . . . . . . . . . . . 14 3.5. Semi-permanent UEIDs (SUEIDs) . . . . . . . . . . . . . . 15
3.6. Hardware OEM Identification (oemid) . . . . . . . . . . . 15 3.6. Hardware OEM Identification (oemid) . . . . . . . . . . . 16
3.6.1. Random Number Based . . . . . . . . . . . . . . . . . 15 3.6.1. Random Number Based OEMID . . . . . . . . . . . . . . 16
3.6.2. IEEE Based . . . . . . . . . . . . . . . . . . . . . 15 3.6.2. IEEE Based OEMID . . . . . . . . . . . . . . . . . . 16
3.6.3. IANA Private Enterprise Number . . . . . . . . . . . 16 3.6.3. IANA Private Enterprise Number Based OEMID . . . . . 17
3.7. Hardware Version Claims (hardware-version-claims) . . . . 16 3.7. Hardware Model Claim (hardware-model) . . . . . . . . . . 17
3.8. Software Name Claim . . . . . . . . . . . . . . . . . . . 17 3.8. Hardware Version Claims (hardware-version-claims) . . . . 18
3.9. Software Version Claim . . . . . . . . . . . . . . . . . 17 3.9. Software Name Claim . . . . . . . . . . . . . . . . . . . 19
3.10. The Security Level Claim (security-level) . . . . . . . . 17 3.10. Software Version Claim . . . . . . . . . . . . . . . . . 19
3.11. Secure Boot Claim (secure-boot) . . . . . . . . . . . . . 19 3.11. The Security Level Claim (security-level) . . . . . . . . 19
3.12. Debug Status Claim (debug-status) . . . . . . . . . . . . 19 3.12. Secure Boot Claim (secure-boot) . . . . . . . . . . . . . 21
3.12.1. Enabled . . . . . . . . . . . . . . . . . . . . . . 20 3.13. Debug Status Claim (debug-status) . . . . . . . . . . . . 21
3.12.2. Disabled . . . . . . . . . . . . . . . . . . . . . . 20 3.13.1. Enabled . . . . . . . . . . . . . . . . . . . . . . 22
3.12.3. Disabled Since Boot . . . . . . . . . . . . . . . . 21 3.13.2. Disabled . . . . . . . . . . . . . . . . . . . . . . 22
3.12.4. Disabled Permanently . . . . . . . . . . . . . . . . 21 3.13.3. Disabled Since Boot . . . . . . . . . . . . . . . . 22
3.12.5. Disabled Fully and Permanently . . . . . . . . . . . 21 3.13.4. Disabled Permanently . . . . . . . . . . . . . . . . 22
3.13. Including Keys . . . . . . . . . . . . . . . . . . . . . 21 3.13.5. Disabled Fully and Permanently . . . . . . . . . . . 22
3.14. The Location Claim (location) . . . . . . . . . . . . . . 22 3.14. Including Keys . . . . . . . . . . . . . . . . . . . . . 23
3.15. The Uptime Claim (uptime) . . . . . . . . . . . . . . . . 23 3.15. The Location Claim (location) . . . . . . . . . . . . . . 24
3.16. The Boot Seed Claim (boot-seed) . . . . . . . . . . . . . 23 3.16. The Uptime Claim (uptime) . . . . . . . . . . . . . . . . 25
3.17. The Intended Use Claim (intended-use) . . . . . . . . . . 24 3.17. The Boot Odometer Claim (odometer) . . . . . . . . . . . 25
3.18. The Profile Claim (profile) . . . . . . . . . . . . . . . 25 3.18. The Boot Seed Claim (boot-seed) . . . . . . . . . . . . . 25
3.19. The DLOA (Digital Letter or Approval) Claim (dloas) . . . 26 3.19. The Intended Use Claim (intended-use) . . . . . . . . . . 26
3.20. The Software Manifests Claim (manifests) . . . . . . . . 27 3.20. The Profile Claim (profile) . . . . . . . . . . . . . . . 27
3.21. The Software Evidence Claim (swevidence) . . . . . . . . 28 3.21. The DLOA (Digital Letter or Approval) Claim (dloas) . . . 27
3.22. The SW Measurement Results Claim (swresults) . . . . . . 29 3.22. The Software Manifests Claim (manifests) . . . . . . . . 28
3.22.1. Scheme . . . . . . . . . . . . . . . . . . . . . . . 29 3.23. The Software Evidence Claim (swevidence) . . . . . . . . 30
3.22.2. Objective . . . . . . . . . . . . . . . . . . . . . 30 3.24. The SW Measurement Results Claim (swresults) . . . . . . 30
3.22.3. Results . . . . . . . . . . . . . . . . . . . . . . 30 3.24.1. Scheme . . . . . . . . . . . . . . . . . . . . . . . 31
3.22.4. Objective Name . . . . . . . . . . . . . . . . . . . 31 3.24.2. Objective . . . . . . . . . . . . . . . . . . . . . 31
3.23. Submodules (submods) . . . . . . . . . . . . . . . . . . 33 3.24.3. Results . . . . . . . . . . . . . . . . . . . . . . 31
3.23.1. Submodule Types . . . . . . . . . . . . . . . . . . 33 3.24.4. Objective Name . . . . . . . . . . . . . . . . . . . 32
3.23.1.1. Submodule Claims-Set . . . . . . . . . . . . . . 33 3.25. Submodules (submods) . . . . . . . . . . . . . . . . . . 34
3.23.1.2. Nested Token . . . . . . . . . . . . . . . . . . 34 3.25.1. Submodule Types . . . . . . . . . . . . . . . . . . 34
3.23.1.3. Detached Submodule Digest . . . . . . . . . . . 36 3.25.1.1. Submodule Claims-Set . . . . . . . . . . . . . . 34
3.23.2. No Inheritance . . . . . . . . . . . . . . . . . . . 37 3.25.1.2. Nested Token . . . . . . . . . . . . . . . . . . 35
3.23.3. Security Levels . . . . . . . . . . . . . . . . . . 37 3.25.1.3. Detached Submodule Digest . . . . . . . . . . . 37
3.23.4. Submodule Names . . . . . . . . . . . . . . . . . . 37 3.25.2. No Inheritance . . . . . . . . . . . . . . . . . . . 38
3.23.5. CDDL for submods . . . . . . . . . . . . . . . . . . 38 3.25.3. Security Levels . . . . . . . . . . . . . . . . . . 38
4. Unprotected JWT Claims-Sets . . . . . . . . . . . . . . . . . 38 3.25.4. Submodule Names . . . . . . . . . . . . . . . . . . 39
3.25.5. CDDL for submods . . . . . . . . . . . . . . . . . . 39
4. Unprotected JWT Claims-Sets . . . . . . . . . . . . . . . . . 39
5. Detached EAT Bundles . . . . . . . . . . . . . . . . . . . . 39 5. Detached EAT Bundles . . . . . . . . . . . . . . . . . . . . 39
6. Endorsements and Verification Keys . . . . . . . . . . . . . 40 6. Endorsements and Verification Keys . . . . . . . . . . . . . 40
6.1. Identification Methods . . . . . . . . . . . . . . . . . 41 6.1. Identification Methods . . . . . . . . . . . . . . . . . 41
6.1.1. COSE/JWS Key ID . . . . . . . . . . . . . . . . . . . 41 6.1.1. COSE/JWS Key ID . . . . . . . . . . . . . . . . . . . 41
6.1.2. JWS and COSE X.509 Header Parameters . . . . . . . . 41 6.1.2. JWS and COSE X.509 Header Parameters . . . . . . . . 42
6.1.3. CBOR Certificate COSE Header Parameters . . . . . . . 42 6.1.3. CBOR Certificate COSE Header Parameters . . . . . . . 42
6.1.4. Claim-Based Key Identification . . . . . . . . . . . 42 6.1.4. Claim-Based Key Identification . . . . . . . . . . . 42
6.2. Other Considerations . . . . . . . . . . . . . . . . . . 42 6.2. Other Considerations . . . . . . . . . . . . . . . . . . 42
7. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 42 7. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 43
7.1. Format of a Profile Document . . . . . . . . . . . . . . 43 7.1. Format of a Profile Document . . . . . . . . . . . . . . 43
7.2. List of Profile Issues . . . . . . . . . . . . . . . . . 43 7.2. List of Profile Issues . . . . . . . . . . . . . . . . . 43
7.2.1. Use of JSON, CBOR or both . . . . . . . . . . . . . . 43 7.2.1. Use of JSON, CBOR or both . . . . . . . . . . . . . . 43
7.2.2. CBOR Map and Array Encoding . . . . . . . . . . . . . 43 7.2.2. CBOR Map and Array Encoding . . . . . . . . . . . . . 44
7.2.3. CBOR String Encoding . . . . . . . . . . . . . . . . 44 7.2.3. CBOR String Encoding . . . . . . . . . . . . . . . . 44
7.2.4. CBOR Preferred Serialization . . . . . . . . . . . . 44 7.2.4. CBOR Preferred Serialization . . . . . . . . . . . . 44
7.2.5. COSE/JOSE Protection . . . . . . . . . . . . . . . . 44 7.2.5. COSE/JOSE Protection . . . . . . . . . . . . . . . . 44
7.2.6. COSE/JOSE Algorithms . . . . . . . . . . . . . . . . 44 7.2.6. COSE/JOSE Algorithms . . . . . . . . . . . . . . . . 45
7.2.7. DEB Support . . . . . . . . . . . . . . . . . . . . . 44 7.2.7. DEB Support . . . . . . . . . . . . . . . . . . . . . 45
7.2.8. Verification Key Identification . . . . . . . . . . . 45 7.2.8. Verification Key Identification . . . . . . . . . . . 45
7.2.9. Endorsement Identification . . . . . . . . . . . . . 45 7.2.9. Endorsement Identification . . . . . . . . . . . . . 45
7.2.10. Freshness . . . . . . . . . . . . . . . . . . . . . . 45 7.2.10. Freshness . . . . . . . . . . . . . . . . . . . . . . 45
7.2.11. Required Claims . . . . . . . . . . . . . . . . . . . 45 7.2.11. Required Claims . . . . . . . . . . . . . . . . . . . 45
7.2.12. Prohibited Claims . . . . . . . . . . . . . . . . . . 45 7.2.12. Prohibited Claims . . . . . . . . . . . . . . . . . . 45
7.2.13. Additional Claims . . . . . . . . . . . . . . . . . . 45 7.2.13. Additional Claims . . . . . . . . . . . . . . . . . . 46
7.2.14. Refined Claim Definition . . . . . . . . . . . . . . 45 7.2.14. Refined Claim Definition . . . . . . . . . . . . . . 46
7.2.15. CBOR Tags . . . . . . . . . . . . . . . . . . . . . . 46 7.2.15. CBOR Tags . . . . . . . . . . . . . . . . . . . . . . 46
7.2.16. Manifests and Software Evidence Claims . . . . . . . 46 7.2.16. Manifests and Software Evidence Claims . . . . . . . 46
8. Encoding and Collected CDDL . . . . . . . . . . . . . . . . . 46 8. Encoding and Collected CDDL . . . . . . . . . . . . . . . . . 46
8.1. Claims-Set and CDDL for CWT and JWT . . . . . . . . . . . 46 8.1. Claims-Set and CDDL for CWT and JWT . . . . . . . . . . . 46
8.2. Encoding Data Types . . . . . . . . . . . . . . . . . . . 47 8.2. Encoding Data Types . . . . . . . . . . . . . . . . . . . 47
8.2.1. Common Data Types . . . . . . . . . . . . . . . . . . 47 8.2.1. Common Data Types . . . . . . . . . . . . . . . . . . 47
8.2.2. JSON Interoperability . . . . . . . . . . . . . . . . 47 8.2.2. JSON Interoperability . . . . . . . . . . . . . . . . 47
8.2.3. Labels . . . . . . . . . . . . . . . . . . . . . . . 47 8.2.3. Labels . . . . . . . . . . . . . . . . . . . . . . . 48
8.3. CBOR Interoperability . . . . . . . . . . . . . . . . . . 48 8.3. CBOR Interoperability . . . . . . . . . . . . . . . . . . 48
8.3.1. EAT Constrained Device Serialization . . . . . . . . 48 8.3.1. EAT Constrained Device Serialization . . . . . . . . 48
8.4. Collected Common CDDL . . . . . . . . . . . . . . . . . . 49 8.4. Collected Common CDDL . . . . . . . . . . . . . . . . . . 49
8.5. Collected CDDL for CBOR . . . . . . . . . . . . . . . . . 55 8.5. Collected CDDL for CBOR . . . . . . . . . . . . . . . . . 54
8.6. Collected CDDL for JSON . . . . . . . . . . . . . . . . . 57 8.6. Collected CDDL for JSON . . . . . . . . . . . . . . . . . 55
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56
9.1. Reuse of CBOR and JSON Web Token (CWT and JWT) Claims 9.1. Reuse of CBOR and JSON Web Token (CWT and JWT) Claims
Registries . . . . . . . . . . . . . . . . . . . . . . . 59 Registries . . . . . . . . . . . . . . . . . . . . . . . 56
9.2. Claim Characteristics . . . . . . . . . . . . . . . . . . 59 9.2. Claim Characteristics . . . . . . . . . . . . . . . . . . 57
9.2.1. Interoperability and Relying Party Orientation . . . 59 9.2.1. Interoperability and Relying Party Orientation . . . 57
9.2.2. Operating System and Technology Neutral . . . . . . . 59 9.2.2. Operating System and Technology Neutral . . . . . . . 57
9.2.3. Security Level Neutral . . . . . . . . . . . . . . . 60 9.2.3. Security Level Neutral . . . . . . . . . . . . . . . 58
9.2.4. Reuse of Extant Data Formats . . . . . . . . . . . . 60 9.2.4. Reuse of Extant Data Formats . . . . . . . . . . . . 58
9.2.5. Proprietary Claims . . . . . . . . . . . . . . . . . 60 9.2.5. Proprietary Claims . . . . . . . . . . . . . . . . . 58
9.3. Claims Registered by This Document . . . . . . . . . . . 61 9.3. Claims Registered by This Document . . . . . . . . . . . 58
9.3.1. Claims for Early Assignment . . . . . . . . . . . . . 61 9.3.1. Claims for Early Assignment . . . . . . . . . . . . . 59
9.3.2. To be Assigned Claims . . . . . . . . . . . . . . . . 64 9.3.2. To be Assigned Claims . . . . . . . . . . . . . . . . 62
9.3.3. Version Schemes Registered by this Document . . . . . 64 9.3.3. Version Schemes Registered by this Document . . . . . 65
9.3.4. UEID URN Registered by this Document . . . . . . . . 64 9.3.4. UEID URN Registered by this Document . . . . . . . . 66
9.3.5. Tag for Detached EAT Bundle . . . . . . . . . . . . . 65 9.3.5. Tag for Detached EAT Bundle . . . . . . . . . . . . . 66
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 65 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 66
10.1. UEID and SUEID Privacy Considerations . . . . . . . . . 65 10.1. UEID and SUEID Privacy Considerations . . . . . . . . . 67
10.2. Location Privacy Considerations . . . . . . . . . . . . 66 10.2. Location Privacy Considerations . . . . . . . . . . . . 67
11. Security Considerations . . . . . . . . . . . . . . . . . . . 66 10.3. Replay Protection and Privacy . . . . . . . . . . . . . 68
11.1. Key Provisioning . . . . . . . . . . . . . . . . . . . . 66 11. Security Considerations . . . . . . . . . . . . . . . . . . . 68
11.1.1. Transmission of Key Material . . . . . . . . . . . . 67 11.1. Key Provisioning . . . . . . . . . . . . . . . . . . . . 68
11.2. Transport Security . . . . . . . . . . . . . . . . . . . 67 11.1.1. Transmission of Key Material . . . . . . . . . . . . 69
11.3. Multiple EAT Consumers . . . . . . . . . . . . . . . . . 67 11.2. Transport Security . . . . . . . . . . . . . . . . . . . 69
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 11.3. Multiple EAT Consumers . . . . . . . . . . . . . . . . . 69
12.1. Normative References . . . . . . . . . . . . . . . . . . 68 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 70
12.2. Informative References . . . . . . . . . . . . . . . . . 70 12.1. Normative References . . . . . . . . . . . . . . . . . . 70
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 73 12.2. Informative References . . . . . . . . . . . . . . . . . 73
A.1. Simple TEE Attestation . . . . . . . . . . . . . . . . . 73 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 76
A.2. EAT Produced by Attestation Hardware Block . . . . . . . 74 A.1. Simple TEE Attestation . . . . . . . . . . . . . . . . . 76
A.3. Detached EAT Bundle . . . . . . . . . . . . . . . . . . . 75 A.2. Submodules for Board and Device . . . . . . . . . . . . . 77
A.4. Key / Key Store Attestation . . . . . . . . . . . . . . . 76 A.3. EAT Produced by Attestation Hardware Block . . . . . . . 79
A.5. SW Measurements of an IoT Device . . . . . . . . . . . . 78 A.4. Detached EAT Bundle . . . . . . . . . . . . . . . . . . . 79
A.6. Attestation Results in JSON format . . . . . . . . . . . 81 A.5. Key / Key Store Attestation . . . . . . . . . . . . . . . 81
Appendix B. UEID Design Rationale . . . . . . . . . . . . . . . 82 A.6. SW Measurements of an IoT Device . . . . . . . . . . . . 83
B.1. Collision Probability . . . . . . . . . . . . . . . . . . 82 A.7. Attestation Results in JSON format . . . . . . . . . . . 86
B.2. No Use of UUID . . . . . . . . . . . . . . . . . . . . . 84 Appendix B. UEID Design Rationale . . . . . . . . . . . . . . . 87
B.1. Collision Probability . . . . . . . . . . . . . . . . . . 87
B.2. No Use of UUID . . . . . . . . . . . . . . . . . . . . . 89
Appendix C. EAT Relation to IEEE.802.1AR Secure Device Identity Appendix C. EAT Relation to IEEE.802.1AR Secure Device Identity
(DevID) . . . . . . . . . . . . . . . . . . . . . . 85 (DevID) . . . . . . . . . . . . . . . . . . . . . . 90
C.1. DevID Used With EAT . . . . . . . . . . . . . . . . . . . 85 C.1. DevID Used With EAT . . . . . . . . . . . . . . . . . . . 90
C.2. How EAT Provides an Equivalent Secure Device Identity . . 86 C.2. How EAT Provides an Equivalent Secure Device Identity . . 91
C.3. An X.509 Format EAT . . . . . . . . . . . . . . . . . . . 86 C.3. An X.509 Format EAT . . . . . . . . . . . . . . . . . . . 91
C.4. Device Identifier Permanence . . . . . . . . . . . . . . 87 C.4. Device Identifier Permanence . . . . . . . . . . . . . . 92
Appendix D. Changes from Previous Drafts . . . . . . . . . . . . 87 Appendix D. Changes from Previous Drafts . . . . . . . . . . . . 92
D.1. From draft-rats-eat-01 . . . . . . . . . . . . . . . . . 87 D.1. From draft-rats-eat-01 . . . . . . . . . . . . . . . . . 92
D.2. From draft-mandyam-rats-eat-00 . . . . . . . . . . . . . 87 D.2. From draft-mandyam-rats-eat-00 . . . . . . . . . . . . . 92
D.3. From draft-ietf-rats-eat-01 . . . . . . . . . . . . . . . 87 D.3. From draft-ietf-rats-eat-01 . . . . . . . . . . . . . . . 92
D.4. From draft-ietf-rats-eat-02 . . . . . . . . . . . . . . . 88 D.4. From draft-ietf-rats-eat-02 . . . . . . . . . . . . . . . 93
D.5. From draft-ietf-rats-eat-03 . . . . . . . . . . . . . . . 88 D.5. From draft-ietf-rats-eat-03 . . . . . . . . . . . . . . . 93
D.6. From draft-ietf-rats-eat-04 . . . . . . . . . . . . . . . 88 D.6. From draft-ietf-rats-eat-04 . . . . . . . . . . . . . . . 93
D.7. From draft-ietf-rats-eat-05 . . . . . . . . . . . . . . . 89 D.7. From draft-ietf-rats-eat-05 . . . . . . . . . . . . . . . 94
D.8. From draft-ietf-rats-eat-06 . . . . . . . . . . . . . . . 89 D.8. From draft-ietf-rats-eat-06 . . . . . . . . . . . . . . . 94
D.9. From draft-ietf-rats-eat-07 . . . . . . . . . . . . . . . 89 D.9. From draft-ietf-rats-eat-07 . . . . . . . . . . . . . . . 94
D.10. From draft-ietf-rats-eat-08 . . . . . . . . . . . . . . . 89 D.10. From draft-ietf-rats-eat-08 . . . . . . . . . . . . . . . 94
D.11. From draft-ietf-rats-eat-09 . . . . . . . . . . . . . . . 89 D.11. From draft-ietf-rats-eat-09 . . . . . . . . . . . . . . . 94
D.12. From draft-ietf-rats-eat-10 . . . . . . . . . . . . . . . 90 D.12. From draft-ietf-rats-eat-10 . . . . . . . . . . . . . . . 95
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 D.13. From draft-ietf-rats-eat-11 . . . . . . . . . . . . . . . 96
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96
1. Introduction 1. Introduction
Remote device attestation is a fundamental service that allows a EAT provides the definition of a base set of claims that can be made
remote device such as a mobile phone, an Internet-of-Things (IoT) about an entity, a device, some software and/or some hardware. This
device, or other endpoint to prove itself to a Relying Party, a claims set is received by a relying party who uses it to decide if
server or a service. This allows the Relying Party to know some and how it will interact with the remote entity. It may choose to
characteristics about the device and decide whether it trusts the not trust the entity and not interact with it. It may choose to
device. trust it. It may partially trust it, for example allowing monetary
transactions only up to a limit.
The notion of attestation here is large and may include, but is not EAT defines the encoding of the claims set in CBOR [RFC8949] and JSON
limited to the following: [RFC7159]. EAT is an extension to CBOR Web Token (CWT) [RFC8392] and
JSON Web Token (JWT) [RFC7519].
o Proof of the make and model of the device hardware (HW) The claims set is secured in transit with the same mechanisms used by
CWT and JWT, in particular CBOR Object Signing and Encryption (COSE)
[RFC8152] and JSON Object Signing and Encryption (JOSE) [RFC7515]
[RFC7516]. Authenticity and integrity protection must always be
provided. Privacy (encryption) may additionally be provided. The
key material used to sign and encrypt is specifically created and
provisioned for the purpose of attestation. It is the use of this
key material that make the claims set "attested" rather than just
some parameters sent to the relying party by the device.
o Proof of the make and model of the device processor, particularly EAT is focused on authenticating, identifying and characterizing
for security-oriented chips implementations where implementations are devices, chips, hardware,
software and such. This is distinct from protocols like TLS
[RFC8446] that authenticate and identify servers and services. It is
equally distinct from protocols like SASL [RFC4422] that authenticate
and identify persons.
o Measurement of the software (SW) running on the device The notion of attestation is large, ranging over a broad variety of
use cases and security levels. Here are a few examples of claims:
o Configuration and state of the device o Make and model of manufactured consumer device
o Environmental characteristics of the device such as its GPS o Make and model of a chip or processor, particularly for a
location security-oriented chip
o Identification and measurement of the software running on a device
o Configuration and state of a device
o Environmental characteristics of a device like its GPS location
o Formal certifications received
EAT also supports nesting of sets of claims and EAT tokens for use
with complex composite devices.
This document uses the terminology and main operational model defined This document uses the terminology and main operational model defined
in [RATS.Architecture]. In particular it is a format that can be in [RATS.Architecture]. In particular, it can be used for RATS
used for Attestation Evidence or Attestation Results as defined in Attestation Evidence and Attestation Results.
the RATS architecture.
1.1. CWT, JWT, UCCS, UJCS and DEB 1.1. Entity Overview
An EAT is a set of claims about an entity/device based on one of the The document uses the term "entity" to refer to the target of the
following: attestation token. The claims defined in this document are claims
about an entity.
o CBOR Web Token (CWT), [RFC8392] An entity is an implementation in hardware, software or both.
o Unprotected CWT Claims Sets (UCCS), [UCCS.Draft]
o JSON Web Token (JWT), [RFC7519] An entity is the same as the Attester Target Environment defined in
RATS Architecture.
An entity also corresponds to a "system component" as defined in the
Internet Security Glossary [RFC4949]. That glossary also defines
"entity" and "system entity" as something that may be a person or
organization as well as a system component. Here "entity" never
refers to a person or organization.
An entity is never a server or a service.
An entity may be the whole device or it may be a subsystem, a
subsystem of a subsystem and so on. EAT allows claims to be
organized into submodules, nested EATs and so on. See Section 3.25.
The entity to which a claim applies is the submodule in which it
appears, or to the top-level entity if it doesn't appear in a
submodule.
Some examples of entities:
o A Secure Element
o A TEE
o A card in a network router
o A network router, perhaps with each card in the router a submodule
o An IoT device
o An individual process
o An app on a smartphone
o A smartphone with many submodules for its many subsystems
o A subsystem in a smartphone like the modem or the camera
An entity may have strong security like defenses against hardware
invasive attacks. It may also have low security, having no special
security defenses. There is no minimum security requirement to be an
entity.
1.2. CWT, JWT, UCCS, UJCS and DEB
An EAT is a claims set about an entity based on one of the following:
o CBOR Web Token (CWT) [RFC8392]
o Unprotected CWT Claims Sets (UCCS) [UCCS.Draft]
o JSON Web Token (JWT) [RFC7519]
All definitions, requirements, creation and validation procedures, All definitions, requirements, creation and validation procedures,
security considerations, IANA registrations and so on from these security considerations, IANA registrations and so on from these
carry over to EAT. carry over to EAT.
This specification extends those specifications by defining This specification extends those specifications by defining
additional claims for attestation. This specification also describes additional claims for attestation. This specification also describes
the notion of a "profile" that can narrow the definition of an EAT, the notion of a "profile" that can narrow the definition of an EAT,
ensure interoperability and fill in details for specific usage ensure interoperability and fill in details for specific usage
scenarios. This specification also adds some considerations for scenarios. This specification also adds some considerations for
skipping to change at page 6, line 28 skipping to change at page 8, line 11
The identification of a protocol element as an EAT, whether CBOR or The identification of a protocol element as an EAT, whether CBOR or
JSON encoded, follows the general conventions used by CWT, JWT and JSON encoded, follows the general conventions used by CWT, JWT and
UCCS. Largely this depends on the protocol carrying the EAT. In UCCS. Largely this depends on the protocol carrying the EAT. In
some cases it may be by content type (e.g., MIME type). In other some cases it may be by content type (e.g., MIME type). In other
cases it may be through use of CBOR tags. There is no fixed cases it may be through use of CBOR tags. There is no fixed
mechanism across all use cases. mechanism across all use cases.
This specification adds two more top-level messages: This specification adds two more top-level messages:
o Unprotected JWT Claims Set (UJCS), Section 4 o Unprotected JWT Claims Set (UJCS) Section 4
o Detached EAT Bundle (DEB), Section 5 o Detached EAT Bundle (DEB), Section 5
A DEB is simple structure to hold a collection of detached claims- A DEB is structure to hold a collection of detached claims sets and
sets and the EAT that separately provides integrity and authenticity the EAT that separately provides integrity and authenticity
protection for them. It can be either CBOR or JSON encoded. protection for them. It can be either CBOR or JSON encoded.
1.2. CDDL, CBOR and JSON 1.3. CDDL, CBOR and JSON
An EAT can be encoded in either CBOR or JSON. The definition of each
claim is such that it can be encoded either. Each token is either
entirely CBOR or JSON, with only an exception for nested tokens.
To implement composite attestation as described in the RATS This document defines Concise Binary Object Representation (CBOR)
architecture document, one token has to be nested inside another. It [RFC8949] and Javascript Object Notation (JSON) [RFC7159] encoding
is also possible to construct composite Attestation Results (see for an EAT. All claims in an EAT MUST use the same encoding except
below) which may be expressed as one token nested inside another. So where explicitly allowed. It is explicitly allowed for a nested
as to not force each end-end attestation system to be all JSON or all token to be of a different encoding. Some claims explicitly contain
CBOR, nesting of JSON-encoded tokens in CBOR-encoded tokens and vice objects and messages that may use a different encoding than the
versa is accommodated by this specification. This is the only place enclosing EAT.
that CBOR and JSON can be mixed.
This specification formally uses CDDL, [RFC8610], to define each This specification uses Concise Data Definition Language (CDDL)
claim. The implementor interprets the CDDL to come to either the [RFC8610] for all definitions. The implementor interprets the CDDL
CBOR [RFC8949] or JSON [ECMAScript] representation. In the case of to come to either the CBOR or JSON encoding. In the case of JSON,
JSON, Appendix E of [RFC8610] is followed. Additional rules are Appendix E of [RFC8610] is followed. Additional rules are given in
given in Section 8.2.2 where Appendix E is insufficient. Section 8.2.2 where Appendix E is insufficient.
The CWT and JWT specifications were authored before CDDL was The CWT and JWT specifications were authored before CDDL was
available and did not use CDDL. This specification includes a CDDL available and did not use CDDL. This specification includes a CDDL
definition of most of what is defined in [RFC8392]. Similarly, this definition of most of what is defined in [RFC8392]. Similarly, this
specification includes CDDL for most of what is defined in [RFC7519]. specification includes CDDL for most of what is defined in [RFC7519].
The UCCS specification does not include CDDL. This specification The UCCS specification does not include CDDL. This specification
provides CDDL for it. provides CDDL for it.
(TODO: The authors are open to modifications to this specification 1.4. Operating Model and RATS Architecture
and the UCCS specification to include CDDL for UCCS and UJCS there
instead of here.)
1.3. Operating Model and RATS Architecture
While it is not required that EAT be used with the RATS operational While it is not required that EAT be used with the RATS operational
model described in Figure 1 in [RATS.Architecture], or even that it model described in Figure 1 in [RATS.Architecture], or even that it
be used for attestation, this document is authored with an be used for attestation, this document is oriented around that model.
orientation around that model.
To summarize, an Attester on an entity/device generates Attestation To summarize, an Attester generates Attestation Evidence.
Evidence. Attestation Evidence is a Claims Set describing various Attestation Evidence is a claims set describing various
characteristics of the entity/device. Attestation Evidence also is characteristics of an entity. Attestation Evidence also is usually
usually signed by a key that proves the entity/device and the signed by a key that proves the entity and the evidence it produces
evidence it produces are authentic. The Claims Set includes a nonce are authentic. The claims set includes a nonce or some other means
or some other means to provide freshness. EAT is designed to carry to provide freshness. EAT is designed to carry Attestation Evidence.
Attestation Evidence. The Attestation Evidence goes to a Verifier The Attestation Evidence goes to a Verifier where the signature is
where the signature is validated. Some of the Claims may also be verified. Some of the claims may also be checked against Reference
validated against Reference Values. The Verifier then produces Values. The Verifier then produces Attestation Results which is also
Attestation Results which is also usually a Claims Set. EAT is also usually a claims set. EAT is also designed to carry Attestation
designed to carry Attestation Results. The Attestation Results go to Results. The Attestation Results go to the Relying Party which is
the Relying Party which is the ultimate consumer of the "Remote the ultimate consumer of the Remote Attestation Procedure. The
Attestaton Procedures", RATS. The Relying Party uses the Attestation Relying Party uses the Attestation Results as needed for the use
Results as needed for the use case, perhaps allowing a device on the case, perhaps allowing an entity on the network, allowing a financial
network, allowing a financial transaction or such. transaction or such.
Note that sometimes the Verifier and Relying Party are not separate Note that sometimes the Verifier and Relying Party are not separate
and thus there is no need for a protocol to carry Attestation and thus there is no need for a protocol to carry Attestation
Results. Results.
1.3.1. Use as Attestation Evidence 1.4.1. Relationship between Attestation Evidence and Attestation
Results
Any claim defined in this document or in the IANA CWT or JWT registry
may be used in Attestation Evidence.
Attestation Evidence nearly always has to be signed or otherwise have
authenticity and integrity protection because the Attester is remote
relative to the Verifier. Usually, this is by using COSE/JOSE
signing where the signing key is an attestation key provisioned into
the entity/device by its manufacturer. The details of how this is
achieved are beyond this specification, but see Section 6. If there
is already a suitable secure channel between the Attester and
Verifier, UCCS may be used.
1.3.2. Use as Attestation Results
Any claim defined in this document or in the IANA CWT or JWT registry Any claim defined in this document or in the IANA CWT or JWT registry
may be used in Attestation Results. may be used in Attestation Evidence or Attestation Results.
It is useful to characterize the relationship of claims in Evidence
to those in Attestation Results.
Many claims in Attestation Evidence simply will pass through the Many claims in Attestation Evidence simply will pass through the
Verifier to the Relying Party without modification. They will be Verifier to the Relying Party without modification. They will be
verified as authentic from the device by the Verifier just through verified as authentic from the entity by the Verifier just through
normal verification of the Attester's signature. The UEID, normal verification of the Attester's signature. The UEID,
Section 3.4, and Location, Section 3.14, are examples of claims that Section 3.4, and Location, Section 3.15, are examples of claims that
may be passed through. may be passed through.
Some claims in Attestation Evidence will be verified by the Verifier Some claims in Attestation Evidence will be verified by the Verifier
by comparison to Reference Values. These claims will not likely be by comparison to Reference Values. These claims will not likely be
conveyed to the Relying Party. Instead, some claim indicating they conveyed to the Relying Party. Instead, some claim indicating they
were checked may be added to the Attestation Results or it may be were checked may be added to the Attestation Results or it may be
tacitly known that the Verifier always does this check. For example, tacitly known that the Verifier always does this check. For example,
the Verifier receives the Software Evidence claim, Section 3.21, the Verifier receives the Software Evidence claim, Section 3.23,
compares it to Reference Values and conveys the results to the compares it to Reference Values and conveys the results to the
Relying Party in a Software Measurement Results Claim, Section 3.22. Relying Party in a Software Measurement Results Claim, Section 3.24.
In some cases the Verifier may provide privacy-preserving In some cases the Verifier may provide privacy-preserving
functionality by stripping or modifying claims that do not posses functionality by stripping or modifying claims that do not posses
sufficient privacy-preserving characteristics. For example, the data sufficient privacy-preserving characteristics. For example, the data
in the Location claim, Section 3.14, may be modified to have a in the Location claim, Section 3.15, may be modified to have a
precision of a few kilometers rather than a few meters. precision of a few kilometers rather than a few meters.
When the Verifier is remote from the Relying Party, the Attestation
Results must be protected for integrity, authenticity and possibly
confidentiality. Often this will simply be HTTPS as per a normal web
service, but COSE or JOSE may also be used. The details of this
protection are beyond the scope of this document.
1.4. Entity Overview
An "entity" can be any device or device subassembly ("submodule")
that can generate its own attestation in the form of an EAT. The
attestation should be cryptographically verifiable by the EAT
consumer. An EAT at the device-level can be composed of several
submodule EAT's.
Modern devices such as a mobile phone have many different execution
environments operating with different security levels. For example,
it is common for a mobile phone to have an "apps" environment that
runs an operating system (OS) that hosts a plethora of downloadable
apps. It may also have a TEE (Trusted Execution Environment) that is
distinct, isolated, and hosts security-oriented functionality like
biometric authentication. Additionally, it may have an eSE (embedded
Secure Element) - a high security chip with defenses against HW
attacks that is used to produce attestations. This device
attestation format allows the attested data to be tagged at a
security level from which it originates. In general, any discrete
execution environment that has an identifiable security level can be
considered an entity.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document reuses terminology from JWT [RFC7519] and CWT This document reuses terminology from JWT [RFC7519] and CWT
[RFC8392]. [RFC8392].
skipping to change at page 11, line 32 skipping to change at page 12, line 9
and the token is composed and signed. and the token is composed and signed.
The data for some claims may be held or cached for some period of The data for some claims may be held or cached for some period of
time before the token is created. This period may be long, even time before the token is created. This period may be long, even
days. Examples are measurements taken at boot or a geographic days. Examples are measurements taken at boot or a geographic
position fix taken the last time a satellite signal was received. position fix taken the last time a satellite signal was received.
There are individual timestamps associated with these claims to There are individual timestamps associated with these claims to
indicate their age is older than the "iat" timestamp. indicate their age is older than the "iat" timestamp.
CWT allows the use floating-point for this claim. EAT disallows the CWT allows the use floating-point for this claim. EAT disallows the
use of floating-point. No token may contain an iat claim in float- use of floating-point. An EAT token MUST NOT contain an iat claim in
point format. Any recipient of a token with a floating-point format float-point format. Any recipient of a token with a floating-point
iat claim may consider it an error. A 64-bit integer representation format iat claim MUST consider it an error. A 64-bit integer
of epoch time can represent a range of +/- 500 billion years, so the representation of epoch time can represent a range of +/- 500 billion
only point of a floating-point timestamp is to have precession years, so the only point of a floating-point timestamp is to have
greater than one second. This is not needed for EAT. precession greater than one second. This is not needed for EAT.
3.3. Nonce Claim (nonce) 3.3. Nonce Claim (nonce)
All EATs should have a nonce to prevent replay attacks. The nonce is All EATs should have a nonce to prevent replay attacks. The nonce is
generated by the Relying Party, the end consumer of the token. It is generated by the Relying Party, the end consumer of the token. It is
conveyed to the entity over whatever transport is in use before the conveyed to the entity over whatever transport is in use before the
token is generated and then included in the token as the nonce claim. token is generated and then included in the token as the nonce claim.
This documents the nonce claim for registration in the IANA CWT This documents the nonce claim for registration in the IANA CWT
claims registry. This is equivalent to the JWT nonce claim that is claims registry. This is equivalent to the JWT nonce claim that is
already registered. already registered.
The nonce must be at least 8 bytes (64 bits) as fewer are unlikely to The nonce must be at least 8 bytes (64 bits) long as fewer bytes are
be secure. A maximum of 64 bytes is set to limit the memory a unlikely to be secure. A maximum of 64 bytes is set to limit the
constrained implementation uses. This size range is not set for the memory a constrained implementation uses. This size range is not set
already-registered JWT nonce, but it should follow this size for the already-registered JWT nonce, but it should follow this size
recommendation when used in an EAT. recommendation when used in an EAT.
Multiple nonces are allowed to accommodate multistage verification Multiple nonces are allowed to accommodate multistage verification
and consumption. and consumption.
$$claims-set-claims //= $$claims-set-claims //=
(nonce-label => nonce-type / [ 2* nonce-type ]) (nonce-label => nonce-type / [ 2* nonce-type ])
nonce-type = bstr .size (8..64) nonce-type = bstr .size (8..64)
3.4. Universal Entity ID Claim (ueid) 3.4. Universal Entity ID Claim (ueid)
UEID's identify individual manufactured entities / devices such as a A UEID identifies an individual manufactured entity like a mobile
mobile phone, a water meter, a Bluetooth speaker or a networked phone, a water meter, a Bluetooth speaker or a networked security
security camera. It may identify the entire device or a submodule or camera. It may identify the entire entity or a submodule. It does
subsystem. It does not identify types, models or classes of devices. not identify types, models or classes of entities. It is akin to a
It is akin to a serial number, though it does not have to be serial number, though it does not have to be sequential.
sequential.
UEID's must be universally and globally unique across manufacturers UEIDs MUST be universally and globally unique across manufacturers
and countries. UEIDs must also be unique across protocols and and countries. UEIDs MUST also be unique across protocols and
systems, as tokens are intended to be embedded in many different systems, as tokens are intended to be embedded in many different
protocols and systems. No two products anywhere, even in completely protocols and systems. No two products anywhere, even in completely
different industries made by two different manufacturers in two different industries made by two different manufacturers in two
different countries should have the same UEID (if they are not global different countries should have the same UEID (if they are not global
and universal in this way, then Relying Parties receiving them will and universal in this way, then Relying Parties receiving them will
have to track other characteristics of the device to keep devices have to track other characteristics of the entity to keep entities
distinct between manufacturers). distinct between manufacturers).
There are privacy considerations for UEID's. See Section 10.1. There are privacy considerations for UEIDs. See Section 10.1.
The UEID is permanent. It never change for a given device / entity.
UEIDs are variable length. All implementations MUST be able to The UEID is permanent. It MUST never change for a given entity.
receive UEIDs that are 33 bytes long (1 type byte and 256 bits). The
recommended maximum sent is also 33 bytes.
When the entity constructs the UEID, the first byte is a type and the A UEID is constructed of a single type byte followed by the bytes
following bytes the ID for that type. Several types are allowed to that are the identifier. Several types are allowed to accommodate
accommodate different industries and different manufacturing different industries, different manufacturing processes and to have
processes and to give options to avoid paying fees for certain types an alternative that doesn't require paying a registration fee.
of manufacturer registrations.
Creation of new types requires a Standards Action [RFC8126]. Creation of new types requires a Standards Action [RFC8126].
UEIDs are variable length. All implementations MUST be able to
receive UEIDs that are 33 bytes long (1 type byte and 256 bits). No
UEID longer than 33 bytes SHOULD be sent.
+------+------+-----------------------------------------------------+ +------+------+-----------------------------------------------------+
| Type | Type | Specification | | Type | Type | Specification |
| Byte | Name | | | Byte | Name | |
+------+------+-----------------------------------------------------+ +------+------+-----------------------------------------------------+
| 0x01 | RAND | This is a 128, 192 or 256 bit random number | | 0x01 | RAND | This is a 128, 192 or 256-bit random number |
| | | generated once and stored in the device. This may | | | | generated once and stored in the entity. This may |
| | | be constructed by concatenating enough identifiers | | | | be constructed by concatenating enough identifiers |
| | | to make up an equivalent number of random bits and | | | | to make up an equivalent number of random bits and |
| | | then feeding the concatenation through a | | | | then feeding the concatenation through a |
| | | cryptographic hash function. It may also be a | | | | cryptographic hash function. It may also be a |
| | | cryptographic quality random number generated once | | | | cryptographic quality random number generated once |
| | | at the beginning of the life of the device and | | | | at the beginning of the life of the entity and |
| | | stored. It may not be smaller than 128 bits. | | | | stored. It MUST NOT be smaller than 128 bits. See |
| 0x02 | IEEE | This makes use of the IEEE company identification | | | | the length analysis in Appendix B. |
| | EUI | registry. An EUI is either an EUI-48, EUI-60 or | | 0x02 | IEEE | This uses the IEEE company identification registry. |
| | | EUI-64 and made up of an OUI, OUI-36 or a CID, | | | EUI | An EUI is either an EUI-48, EUI-60 or EUI-64 and |
| | | different registered company identifiers, and some | | | | made up of an OUI, OUI-36 or a CID, different |
| | | unique per-device identifier. EUIs are often the | | | | registered company identifiers, and some unique |
| | | same as or similar to MAC addresses. This type | | | | per-entity identifier. EUIs are often the same as |
| | | includes MAC-48, an obsolete name for EUI-48. (Note | | | | or similar to MAC addresses. This type includes |
| | | that while devices with multiple network interfaces | | | | MAC-48, an obsolete name for EUI-48. (Note that |
| | | may have multiple MAC addresses, there is only one | | | | while entities with multiple network interfaces may |
| | | UEID for a device) [IEEE.802-2001], [OUI.Guide] | | | | have multiple MAC addresses, there is only one UEID |
| | | for an entity) [IEEE.802-2001], [OUI.Guide]. |
| 0x03 | IMEI | This is a 14-digit identifier consisting of an | | 0x03 | IMEI | This is a 14-digit identifier consisting of an |
| | | 8-digit Type Allocation Code and a 6-digit serial | | | | 8-digit Type Allocation Code and a 6-digit serial |
| | | number allocated by the manufacturer, which SHALL | | | | number allocated by the manufacturer, which SHALL |
| | | be encoded as byte string of length 14 with each | | | | be encoded as byte string of length 14 with each |
| | | byte as the digit's value (not the ASCII encoding | | | | byte as the digit's value (not the ASCII encoding |
| | | of the digit; the digit 3 encodes as 0x03, not | | | | of the digit; the digit 3 encodes as 0x03, not |
| | | 0x33). The IMEI value encoded SHALL NOT include | | | | 0x33). The IMEI value encoded SHALL NOT include |
| | | Luhn checksum or SVN information. [ThreeGPP.IMEI] | | | | Luhn checksum or SVN information. See |
| | | [ThreeGPP.IMEI]. |
+------+------+-----------------------------------------------------+ +------+------+-----------------------------------------------------+
Table 1: UEID Composition Types Table 1: UEID Composition Types
UEID's are not designed for direct use by humans (e.g., printing on UEIDs are not designed for direct use by humans (e.g., printing on
the case of a device), so no textual representation is defined. the case of a device), so no textual representation is defined.
The consumer (the Relying Party) of a UEID MUST treat a UEID as a The consumer (the Relying Party) of a UEID MUST treat a UEID as a
completely opaque string of bytes and not make any use of its completely opaque string of bytes and not make any use of its
internal structure. For example, they should not use the OUI part of internal structure. For example, they should not use the OUI part of
a type 0x02 UEID to identify the manufacturer of the device. Instead a type 0x02 UEID to identify the manufacturer of the entity.
they should use the oemid claim that is defined elsewhere. The Instead, they should use the OEMID claim. See Section 3.6. The
reasons for this are: reasons for this are:
o UEIDs types may vary freely from one manufacturer to the next. o UEIDs types may vary freely from one manufacturer to the next.
o New types of UEIDs may be created. For example, a type 0x07 UEID o New types of UEIDs may be created. For example, a type 0x07 UEID
may be created based on some other manufacturer registration may be created based on some other manufacturer registration
scheme. scheme.
o Device manufacturers are allowed to change from one type of UEID o Entity manufacturers are allowed to change from one type of UEID
to another anytime they want. For example, they may find they can to another anytime they want. For example, they may find they can
optimize their manufacturing by switching from type 0x01 to type optimize their manufacturing by switching from type 0x01 to type
0x02 or vice versa. The main requirement on the manufacturer is 0x02 or vice versa. The essential requirement on the manufacturer
that UEIDs be universally unique. is that UEIDs be universally unique.
A Device Indentifier URN is registered for UEIDs. See Section 9.3.4. A Device Identifier URN is registered for UEIDs. See Section 9.3.4.
$$claims-set-claims //= (ueid-label => ueid-type) $$claims-set-claims //= (ueid-label => ueid-type)
ueid-type = bstr .size (7..33) ueid-type = bstr .size (7..33)
3.5. Semi-permanent UEIDs (SUEIDs) 3.5. Semi-permanent UEIDs (SUEIDs)
An SEUID is of the same format as a UEID, but it may change to a An SEUID is of the same format as a UEID, but it MAY change to a
different value on device life-cycle events. Examples of these different value on device life-cycle events. Examples of these
events are change of ownership, factory reset and on-boarding into an events are change of ownership, factory reset and on-boarding into an
IoT device management system. A device may have both a UEID and IoT device management system. An entity MAY have both a UEID and
SUEIDs, neither, one or the other. SUEIDs, neither, one or the other.
There may be multiple SUEIDs. Each one has a text string label the There MAY be multiple SUEIDs. Each one has a text string label the
purpose of which is to distinguish it from others in the token. The purpose of which is to distinguish it from others in the token. The
label may name the purpose, application or type of the SUEID. label MAY name the purpose, application or type of the SUEID.
Typically, there will be few SUEDs so there is no need for a formal Typically, there will be few SUEDs so there is no need for a formal
labeling mechanism like a registry. The EAT profile may describe how labeling mechanism like a registry. The EAT profile MAY describe how
SUEIDs should be labeled. If there is only one SUEID, the claim SUEIDs should be labeled. If there is only one SUEID, the claim
remains a map and there still must be a label. For example, the remains a map and there still must be a label. For example, the
label for the SUEID used by FIDO Onboarding Protocol could simply be label for the SUEID used by FIDO Onboarding Protocol could simply be
"FDO". "FDO".
There are privacy considerations for SUEID's. See Section 10.1. There are privacy considerations for SUEIDs. See Section 10.1.
A Device Indentifier URN is registered for SUEIDs. See A Device Indentifier URN is registered for SUEIDs. See
Section 9.3.4. Section 9.3.4.
$$claims-set-claims //= (sueids-label => sueids-type) $$claims-set-claims //= (sueids-label => sueids-type)
sueids-type = { sueids-type = {
+ tstr => ueid-type + tstr => ueid-type
} }
3.6. Hardware OEM Identification (oemid) 3.6. Hardware OEM Identification (oemid)
This claim identifies the OEM of the hardware. Any of the three This claim identifies the Original Equipment Manufacturer (OEM) of
forms may be used at the convenience of the attester implementation. the hardware. Any of the three forms described below MAY be used at
The receiver of this claim MUST be able to handle all three forms. the convenience of the claim sender. The receiver of this claim MUST
be able to handle all three forms.
3.6.1. Random Number Based 3.6.1. Random Number Based OEMID
This format is always 16 bytes in size (128 bits). The random number based OEMID MUST always 16 bytes (128 bits).
The OEM may create their own ID by using a cryptographic-quality The OEM MAY create their own ID by using a cryptographic-quality
random number generator. They would perform this only once in the random number generator. They would perform this only once in the
life of the company to generate the single ID for said company. They life of the company to generate the single ID for said company. They
would use that same ID in every device they make. This uniquely would use that same ID in every entity they make. This uniquely
identifies the OEM on a statistical basis and is large enough should identifies the OEM on a statistical basis and is large enough should
there be ten billion companies. there be ten billion companies.
The OEM may also use a hash like SHA-256 and truncate the output to The OEM MAY also use a hash function like SHA-256 and truncate the
128 bits. The input to the hash should be somethings that have at output to 128 bits. The input to the hash should be somethings that
least 96 bits of entropy, but preferably 128 bits of entropy. The have at least 96 bits of entropy, but preferably 128 bits of entropy.
input to the hash may be something whose uniqueness is managed by a The input to the hash MAY be something whose uniqueness is managed by
central registry like a domain name. a central registry like a domain name.
This is to be base64url encoded in JSON. In JSON format tokens this MUST be base64url encoded.
3.6.2. IEEE Based 3.6.2. IEEE Based OEMID
The IEEE operates a global registry for MAC addresses and company The IEEE operates a global registry for MAC addresses and company
IDs. This claim uses that database to identify OEMs. The contents IDs. This claim uses that database to identify OEMs. The contents
of the claim may be either an IEEE MA-L, MA-M, MA-S or an IEEE CID of the claim may be either an IEEE MA-L, MA-M, MA-S or an IEEE CID
[IEEE.RA]. An MA-L, formerly known as an OUI, is a 24-bit value used [IEEE.RA]. An MA-L, formerly known as an OUI, is a 24-bit value used
as the first half of a MAC address. MA-M similarly is a 28-bit value as the first half of a MAC address. MA-M similarly is a 28-bit value
uses as the first part of a MAC address, and MA-S, formerly known as uses as the first part of a MAC address, and MA-S, formerly known as
OUI-36, a 36-bit value. Many companies already have purchased one of OUI-36, a 36-bit value. Many companies already have purchased one of
these. A CID is also a 24-bit value from the same space as an MA-L, these. A CID is also a 24-bit value from the same space as an MA-L,
but not for use as a MAC address. IEEE has published Guidelines for but not for use as a MAC address. IEEE has published Guidelines for
Use of EUI, OUI, and CID [OUI.Guide] and provides a lookup services Use of EUI, OUI, and CID [OUI.Guide] and provides a lookup service
[OUI.Lookup]. [OUI.Lookup].
Companies that have more than one of these IDs or MAC address blocks Companies that have more than one of these IDs or MAC address blocks
should pick one and prefer that for all their devices. SHOULD select one and prefer that for all their entities.
Commonly, these are expressed in Hexadecimal Representation Commonly, these are expressed in Hexadecimal Representation as
[IEEE.802-2001] also called the Canonical format. When this claim is described in [IEEE.802-2001]. It is also called the Canonical
encoded the order of bytes in the bstr are the same as the order in format. When this claim is encoded the order of bytes in the bstr
the Hexadecimal Representation. For example, an MA-L like "AC-DE-48" are the same as the order in the Hexadecimal Representation. For
would be encoded in 3 bytes with values 0xAC, 0xDE, 0x48. For JSON example, an MA-L like "AC-DE-48" would be encoded in 3 bytes with
encoded tokens, this is further base64url encoded. values 0xAC, 0xDE, 0x48.
This format is always 3 bytes in size in CBOR. This format is always 3 bytes in size in CBOR.
3.6.3. IANA Private Enterprise Number In JSON format tokens, this MUST be base64url encoded and always 4
bytes.
IANA maintains a simple integer-based company registry called the 3.6.3. IANA Private Enterprise Number Based OEMID
Private Enterprise Number (PEN) [PEN].
IANA maintains a integer-based company registry called the Private
Enterprise Number (PEN) [PEN].
PENs are often used to create an OID. That is not the case here. PENs are often used to create an OID. That is not the case here.
They are used only as a simple integer. They are used only as an integer.
In CBOR this is encoded as a major type 0 integer in CBOR and is In CBOR this value MUST be encoded as a major type 0 integer and is
typically 3 bytes. It is encoded as a number in JSON. typically 3 bytes. In JSON, this value MUST be encoded as a number.
oemid-pen = int oemid-pen = int
oemid-ieee = bstr .size 3 oemid-ieee = bstr .size 3
oemid-random = bstr .size 16 oemid-random = bstr .size 16
$$claims-set-claims //= ( $$claims-set-claims //= (
oemid-label => oemid-label =>
oemid-random / oemid-ieee / oemid-pen oemid-random / oemid-ieee / oemid-pen
) )
3.7. Hardware Version Claims (hardware-version-claims) 3.7. Hardware Model Claim (hardware-model)
The hardware version can be claimed at three different levels, the This claim differentiates hardware models, products and variants
chip, the circuit board and the final device assembly. An EAT can manufactured by a particular OEM, the one identified by OEM ID in
include any combination these claims. Section 3.6.
The hardware version is a simple text string the format of which is This claim must be unique so as to differentiate the models and
set by each manufacturer. The structure and sorting order of this products for the OEM ID. This claim does not have to be globally
text string can be specified using the version-scheme item from unique, but it can be. A receiver of this claim MUST not assume it
CoSWID [CoSWID]. is globally unique. To globally identify a particular product, the
receiver should concatenate the OEM ID and this claim.
The granularity of the model identification is for each OEM to
decide. It may be very granular, perhaps including some version
information. It may be very general, perhaps only indicating top-
level products.
The purpose of this claim is to identify models within protocols, not
for human-readable descriptions. The format and encoding of this
claim should not be human-readable to discourage use other than in
protocols. If this claim is to be derived from an already-in-use
human-readable identifier, it can be run through a hash function.
There is no minimum length so that an OEM with a very small number of
models can use a one-byte encoding. The maximum length is 32 bytes.
All receivers of this claim MUST be able to receive this maximum
size.
The receiver of this claim MUST treat it as a completely opaque
string of bytes, even if there is some apparent naming or structure.
The OEM is free to alter the internal structure of these bytes as
long as the claim continues to uniquely identify its models.
hardware-model-type = bytes .size (1..32)
$$claims-set-claims //= (
hardware-model-label => hardware-model-type
)
3.8. Hardware Version Claims (hardware-version-claims)
The hardware version is a text string the format of which is set by
each manufacturer. The structure and sorting order of this text
string can be specified using the version-scheme item from CoSWID
[CoSWID]. It is useful to know how to sort versions so the newer can
be distinguished from the older.
The hardware version can also be given by a 13-digit [EAN-13]. A new The hardware version can also be given by a 13-digit [EAN-13]. A new
CoSWID version scheme is registered with IANA by this document in CoSWID version scheme is registered with IANA by this document in
Section 9.3.3. An EAN-13 is also known as an International Article Section 9.3.3. An EAN-13 is also known as an International Article
Number or most commonly as a bar code. Number or most commonly as a bar code.
$$claims-set-claims //= ( $$claims-set-claims //= (
chip-version-label => hw-version-type hardware-version-label => hardware-version-type
)
$$claims-set-claims //= (
board-version-label => hw-version-type
)
$$claims-set-claims //= (
device-version-label => hw-version-type
) )
hw-version-type = [ hardware-version-type = [
version: tstr, version: tstr,
scheme: $version-scheme scheme: $version-scheme
] ]
3.8. Software Name Claim 3.9. Software Name Claim
This is a simple free-form text claim for the name of the software. This is a free-form text claim for the name of the software for the
A CoSWID manifest or other type of manifest can be used instead if entity or submodule. A CoSWID manifest or other type of manifest can
this is too simple. be used instead if this claim is to limited to correctly characterize
the SW for the entity or submodule.
$$claims-set-claims //= ( sw-name-label => tstr ) $$claims-set-claims //= ( sw-name-label => tstr )
3.9. Software Version Claim 3.10. Software Version Claim
This makes use of the CoSWID version scheme data type to give a This makes use of the CoSWID version scheme data type to give a
simple version for the software. A full CoSWID manifest or other simple version for the software. A full CoSWID manifest or other
type of manifest can be instead if this is too simple. type of manifest can be instead if this is too simple.
$$claims-set-claims //= (sw-version-label => sw-version-type) $$claims-set-claims //= (sw-version-label => sw-version-type)
sw-version-type = [ sw-version-type = [
version: tstr, version: tstr,
scheme: $version-scheme / As defined by CoSWID / scheme: $version-scheme ; As defined by CoSWID
] ]
3.10. The Security Level Claim (security-level) 3.11. The Security Level Claim (security-level)
This claim characterizes the device/entity ability to defend against This claim characterizes the entity's ability to defend against
attacks aimed at capturing the signing key, forging claims and at attacks aimed at capturing the signing key, forging claims and at
forging EATs. This is by defining four security levels as described forging EATs. This is by defining four security levels.
below.
These claims describe security environment and countermeasures This claim describes the security environment and countermeasures
available on the end-entity/client device where the attestation key available on the entity where the attestation key resides and the
resides and the claims originate. claims originate.
1 - Unrestricted: There is some expectation that implementor will 1 - Unrestricted: There is some expectation that implementor will
protect the attestation signing keys at this level. Otherwise, protect the attestation signing keys at this level. Otherwise,
the EAT provides no meaningful security assurances. the EAT provides no meaningful security assurances.
2 - Restricted: Entities at this level are not general-purpose 2 - Restricted: Entities at this level are not general-purpose
operating environments that host features such as app download operating environments that host features, such as app download
systems, web browsers and complex productivity applications. It systems, web browsers and complex applications. It is akin to the
is akin to the secure-restricted level (see below) without the secure-restricted level (see below) without the security
security orientation. Examples include a Wi-Fi subsystem, an IoT orientation. Examples include a Wi-Fi subsystem, an IoT camera,
camera, or sensor device. Often these can be considered more or sensor device. Often these can be considered more secure than
secure than unrestricted just because they are much simpler and a unrestricted just because they are much simpler and a smaller
smaller attack surface, but this won't always be the case. Some attack surface, but this won't always be the case. Some
unrestricted devices may be implemented in a way that provides unrestricted devices may be implemented in a way that provides
poor protection of signing keys. poor protection of signing keys.
3 - Secure-Restricted: Entities at this level must meet the criteria 3 - Secure-Restricted: Entities at this level must meet the criteria
defined in section 4 of FIDO Allowed Restricted Operating defined in Section 4 of FIDO Allowed Restricted Operating
Environments [FIDO.AROE]. Examples include TEE's and schemes Environments [FIDO.AROE]. Examples include TEE's and schemes
using virtualization-based security. Like the FIDO security goal, using virtualization-based security. Security at this level is
security at this level is aimed at defending well against large- aimed at defending against large-scale network/remote attacks
scale network/remote attacks against the device. against the entity.
4 - Hardware: Entities at this level must include substantial 4 - Hardware: Entities at this level must include substantial
defense against physical or electrical attacks against the device defense against physical or electrical attacks against the entity
itself. It is assumed any potential attacker has captured the itself. It is assumed the potential attacker has captured the
device and can disassemble it. Examples include TPMs and Secure entity and can disassemble it. Examples include TPMs and Secure
Elements. Elements.
The entity should claim the highest security level it achieves and no The entity should claim the highest security level it achieves and no
higher. This set is not extensible so as to provide a common higher. This set is not extensible so as to provide a common
interoperable description of security level to the Relying Party. If interoperable description of security level to the Relying Party. If
a particular implementation considers this claim to be inadequate, it a particular use case considers this claim to be inadequate, it can
can define its own proprietary claim. It may consider including both define its own proprietary claim. It may consider including both
this claim as a coarse indication of security and its own proprietary this claim as a coarse indication of security and its own proprietary
claim as a refined indication. claim as a refined indication.
This claim is not intended as a replacement for a proper end-device This claim is not intended as a replacement for a formal security
security certification scheme such as those based on FIPS 140 certification scheme, such as those based on FIPS 140 [FIPS-140] or
[FIPS-140] or those based on Common Criteria [Common.Criteria]. The those based on Common Criteria [Common.Criteria]. See Section 3.21.
claim made here is solely a self-claim made by the Attester.
$$claims-set-claims //= ( $$claims-set-claims //= (
security-level-label => security-level-label =>
security-level-cbor-type / security-level-cbor-type /
security-level-json-type security-level-json-type
) )
security-level-cbor-type = &( security-level-cbor-type = &(
unrestricted: 1, unrestricted: 1,
restricted: 2, restricted: 2,
secure-restricted: 3, secure-restricted: 3,
hardware: 4 hardware: 4
) )
security-level-json-type = security-level-json-type =
"unrestricted" / "unrestricted" /
"restricted" / "restricted" /
"secure-restricted" / "secure-restricted" /
"hardware" "hardware"
3.11. Secure Boot Claim (secure-boot) 3.12. Secure Boot Claim (secure-boot)
The value of true indicates secure boot is enabled. Secure boot is The value of true indicates secure boot is enabled. Secure boot is
considered enabled when base software, the firmware and operating considered enabled when the firmware and operating system, are under
system, are under control of the entity manufacturer identified in control of the manufacturer of the entity identified in the OEMID
the OEMID claim described in Section 3.6. This may because the claim described in Section 3.6. Control by the manufacturer of the
software is in ROM or because it is cryptographically authenticated firmware and the operating system may be by it being in ROM, being
or some combination of the two or other. cryptographically authenticated, a combination of the two or similar.
$$claims-set-claims //= (secure-boot-label => bool) $$claims-set-claims //= (secure-boot-label => bool)
3.12. Debug Status Claim (debug-status) 3.13. Debug Status Claim (debug-status)
This applies to system-wide or submodule-wide debug facilities of the This applies to entity-wide or submodule-wide debug facilities of the
target device / submodule like JTAG and diagnostic hardware built entity like JTAG and diagnostic hardware built into chips. It
into chips. It applies to any software debug facilities related to applies to any software debug facilities related to root, operating
root, operating system or privileged software that allow system-wide system or privileged software that allow system-wide memory
memory inspection, tracing or modification of non-system software inspection, tracing or modification of non-system software like user
like user mode applications. mode applications.
This characterization assumes that debug facilities can be enabled This characterization assumes that debug facilities can be enabled
and disabled in a dynamic way or be disabled in some permanent way and disabled in a dynamic way or be disabled in some permanent way
such that no enabling is possible. An example of dynamic enabling is such that no enabling is possible. An example of dynamic enabling is
one where some authentication is required to enable debugging. An one where some authentication is required to enable debugging. An
example of permanent disabling is blowing a hardware fuse in a chip. example of permanent disabling is blowing a hardware fuse in a chip.
The specific type of the mechanism is not taken into account. For The specific type of the mechanism is not taken into account. For
example, it does not matter if authentication is by a global password example, it does not matter if authentication is by a global password
or by per-device public keys. or by per-entity public keys.
As with all claims, the absence of the debug level claim means it is As with all claims, the absence of the debug level claim means it is
not reported. A conservative interpretation might assume the Not not reported. A conservative interpretation might assume the enabled
Disabled state. It could however be that it is reported in a state.
proprietary claim.
This claim is not extensible so as to provide a common interoperable This claim is not extensible so as to provide a common interoperable
description of debug status to the Relying Party. If a particular description of debug status. If a particular implementation
implementation considers this claim to be inadequate, it can define considers this claim to be inadequate, it can define its own
its own proprietary claim. It may consider including both this claim proprietary claim. It may consider including both this claim as a
as a coarse indication of debug status and its own proprietary claim coarse indication of debug status and its own proprietary claim as a
as a refined indication. refined indication.
The higher levels of debug disabling requires that all debug The higher levels of debug disabling requires that all debug
disabling of the levels below it be in effect. Since the lowest disabling of the levels below it be in effect. Since the lowest
level requires that all of the target's debug be currently disabled, level requires that all of the target's debug be currently disabled,
all other levels require that too. all other levels require that too.
There is no inheritance of claims from a submodule to a superior There is no inheritance of claims from a submodule to a superior
module or vice versa. There is no assumption, requirement or module or vice versa. There is no assumption, requirement or
guarantee that the target of a superior module encompasses the guarantee that the target of a superior module encompasses the
targets of submodules. Thus, every submodule must explicitly targets of submodules. Thus, every submodule must explicitly
describe its own debug state. The Verifier or Relying Party describe its own debug state. The receiver of an EAT MUST not assume
receiving an EAT cannot assume that debug is turned off in a that debug is turned off in a submodule because there is a claim
submodule because there is a claim indicating it is turned off in a indicating it is turned off in a superior module.
superior module.
An individual target device / submodule may have multiple debug An entity may have multiple debug facilities. The use of plural in
facilities. The use of plural in the description of the states the description of the states refers to that, not to any aggregation
refers to that, not to any aggregation or inheritance. or inheritance.
The architecture of some chips or devices may be such that a debug The architecture of some chips or devices may be such that a debug
facility operates for the whole chip or device. If the EAT for such facility operates for the whole chip or device. If the EAT for such
a chip includes submodules, then each submodule should independently a chip includes submodules, then each submodule should independently
report the status of the whole-chip or whole-device debug facility. report the status of the whole-chip or whole-device debug facility.
This is the only way the Relying Party can know the debug status of This is the only way the receiver can know the debug status of the
the submodules since there is no inheritance. submodules since there is no inheritance.
3.12.1. Enabled 3.13.1. Enabled
If any debug facility, even manufacturer hardware diagnostics, is If any debug facility, even manufacturer hardware diagnostics, is
currently enabled, then this level must be indicated. currently enabled, then this level must be indicated.
3.12.2. Disabled 3.13.2. Disabled
This level indicates all debug facilities are currently disabled. It This level indicates all debug facilities are currently disabled. It
may be possible to enable them in the future, and it may also be may be possible to enable them in the future. It may also be that
possible that they were enabled in the past after the target device/ they were enabled in the past, but they are currently disabled.
sub-system booted/started, but they are currently disabled.
3.12.3. Disabled Since Boot 3.13.3. Disabled Since Boot
This level indicates all debug facilities are currently disabled and This level indicates all debug facilities are currently disabled and
have been so since the target device/sub-system booted/started. have been so since the entity booted/started.
3.12.4. Disabled Permanently 3.13.4. Disabled Permanently
This level indicates all non-manufacturer facilities are permanently This level indicates all non-manufacturer facilities are permanently
disabled such that no end user or developer cannot enable them. Only disabled such that no end user or developer can enable them. Only
the manufacturer indicated in the OEMID claim can enable them. This the manufacturer indicated in the OEMID claim can enable them. This
also indicates that all debug facilities are currently disabled and also indicates that all debug facilities are currently disabled and
have been so since boot/start. have been so since boot/start.
3.12.5. Disabled Fully and Permanently 3.13.5. Disabled Fully and Permanently
This level indicates that all debug capabilities for the target This level indicates that all debug facilities for the entity are
device/sub-module are permanently disabled. permanently disabled.
$$claims-set-claims //= ( $$claims-set-claims //= (
debug-status-label => debug-status-label =>
debug-status-cbor-type / debug-status-json-type debug-status-cbor-type / debug-status-json-type
) )
debug-status-cbor-type = &( debug-status-cbor-type = &(
enabled: 0, enabled: 0,
disabled: 1, disabled: 1,
disabled-since-boot: 2, disabled-since-boot: 2,
skipping to change at page 21, line 43 skipping to change at page 23, line 25
disabled-fully-and-permanently: 4 disabled-fully-and-permanently: 4
) )
debug-status-json-type = debug-status-json-type =
"enabled" / "enabled" /
"disabled" / "disabled" /
"disabled-since-boot" / "disabled-since-boot" /
"disabled-permanently" / "disabled-permanently" /
"disabled-fully-and-permanently" "disabled-fully-and-permanently"
3.13. Including Keys 3.14. Including Keys
An EAT may include a cryptographic key such as a public key. The An EAT may include a cryptographic key such as a public key. The
signing of the EAT binds the key to all the other claims in the signing of the EAT binds the key to all the other claims in the
token. token.
The purpose for inclusion of the key may vary by use case. For The purpose for inclusion of the key may vary by use case. For
example, the key may be included as part of an IoT device onboarding example, the key may be included as part of an IoT device onboarding
protocol. When the FIDO protocol includes a pubic key in its protocol. When the FIDO protocol includes a public key in its
attestation message, the key represents the binding of a user, device attestation message, the key represents the binding of a user, device
and Relying Party. This document describes how claims containing and Relying Party. This document describes how claims containing
keys should be defined for the various use cases. It does not define keys should be defined for the various use cases. It does not define
specific claims for specific use cases. specific claims for specific use cases.
Keys in CBOR format tokens SHOULD be the COSE_Key format [RFC8152] Keys in CBOR format tokens SHOULD be the COSE_Key format [RFC8152]
and keys in JSON format tokens SHOULD be the JSON Web Key format and keys in JSON format tokens SHOULD be the JSON Web Key format
[RFC7517]. These two formats support many common key types. Their [RFC7517]. These two formats support many common key types. Their
use avoids the need to decode other serialization formats. These two use avoids the need to decode other serialization formats. These two
formats can be extended to support further key types through their formats can be extended to support further key types through their
IANA registries. IANA registries.
The general confirmation claim format [RFC8747], [RFC7800] may also The general confirmation claim format [RFC8747], [RFC7800] may also
be used. It provides key encryption. It also allows for inclusion be used. It provides key encryption. It also allows for inclusion
by reference through a key ID. The confirmation claim format may by reference through a key ID. The confirmation claim format may
employed in the definition of some new claim for a a particular use employed in the definition of some new claim for a a particular use
case. case.
When the actual confirmation claim is included in an EAT, this When the actual confirmation claim is included in an EAT, this
document associates no use case semantics other than proof of document associates no use case semantics other than proof of
posession. Different EAT use cases may choose to associate further possession. Different EAT use cases may choose to associate further
semantics. The key in the confirmation claim MUST be protected the semantics. The key in the confirmation claim MUST be protected in
same as the key used to sign the EAT. That is, the same, equivalent the same way as the key used to sign the EAT. That is, the same,
or better hardware defenses, access controls, key generation and such equivalent or better hardware defenses, access controls, key
must be used. generation and such must be used.
3.14. The Location Claim (location) 3.15. The Location Claim (location)
The location claim gives the location of the device entity from which The location claim gives the location of the entity from which the
the attestation originates. It is derived from the W3C Geolocation attestation originates. It is derived from the W3C Geolocation API
API [W3C.GeoLoc]. The latitude, longitude, altitude and accuracy [W3C.GeoLoc]. The latitude, longitude, altitude and accuracy must
must conform to [WGS84]. The altitude is in meters above the [WGS84] conform to [WGS84]. The altitude is in meters above the [WGS84]
ellipsoid. The two accuracy values are positive numbers in meters. ellipsoid. The two accuracy values are positive numbers in meters.
The heading is in degrees relative to true north. If the device is The heading is in degrees relative to true north. If the entity is
stationary, the heading is NaN (floating-point not-a-number). The stationary, the heading is NaN (floating-point not-a-number). The
speed is the horizontal component of the device velocity in meters speed is the horizontal component of the entity velocity in meters
per second. per second.
When encoding floating-point numbers half-precision should not be When encoding floating-point numbers half-precision SHOULD NOT be
used. It usually does not provide enough precision for a geographic used. They usually do not provide enough precision for a geographic
location. It is not a requirement that the receiver of an EAT location.
implement half-precision, so the receiver may not be able to decode
the location.
The location may have been cached for a period of time before token The location may have been cached for a period of time before token
creation. For example, it might have been minutes or hours or more creation. For example, it might have been minutes or hours or more
since the last contact with a GPS satellite. Either the timestamp or since the last contact with a GPS satellite. Either the timestamp or
age data item can be used to quantify the cached period. The age data item can be used to quantify the cached period. The
timestamp data item is preferred as it a non-relative time. timestamp data item is preferred as it a non-relative time.
The age data item can be used when the entity doesn't know what time The age data item can be used when the entity doesn't know what time
it is either because it doesn't have a clock or it isn't set. The it is either because it doesn't have a clock or it isn't set. The
entity must still have a "ticker" that can measure a time interval. entity MUST still have a "ticker" that can measure a time interval.
The age is the interval between acquisition of the location data and The age is the interval between acquisition of the location data and
token creation. token creation.
See location-related privacy considerations in Section 10.2 below. See location-related privacy considerations in Section 10.2.
$$claims-set-claims //= (location-label => location-type) $$claims-set-claims //= (location-label => location-type)
location-type = { location-type = {
latitude => number, latitude => number,
longitude => number, longitude => number,
? altitude => number, ? altitude => number,
? accuracy => number, ? accuracy => number,
? altitude-accuracy => number, ? altitude-accuracy => number,
? heading => number, ? heading => number,
skipping to change at page 23, line 37 skipping to change at page 25, line 29
latitude = 1 / "latitude" latitude = 1 / "latitude"
longitude = 2 / "longitude" longitude = 2 / "longitude"
altitude = 3 / "altitude" altitude = 3 / "altitude"
accuracy = 4 / "accuracy" accuracy = 4 / "accuracy"
altitude-accuracy = 5 / "altitude-accuracy" altitude-accuracy = 5 / "altitude-accuracy"
heading = 6 / "heading" heading = 6 / "heading"
speed = 7 / "speed" speed = 7 / "speed"
timestamp = 8 / "timestamp" timestamp = 8 / "timestamp"
age = 9 / "age" age = 9 / "age"
3.15. The Uptime Claim (uptime) 3.16. The Uptime Claim (uptime)
The "uptime" claim contains a value that represents the number of The "uptime" claim MUST contain a value that represents the number of
seconds that have elapsed since the entity or submod was last booted. seconds that have elapsed since the entity or submod was last booted.
$$claims-set-claims //= (uptime-label => uint) $$claims-set-claims //= (uptime-label => uint)
3.16. The Boot Seed Claim (boot-seed) 3.17. The Boot Odometer Claim (odometer)
The Boot Seed claim is a random value created at system boot time The "odometer" claim contains a value that represents the number of
that will allow differentiation of reports from different boot times the entity or submod has been booted. Support for this claim
sessions. This value is usually public and not protected. It is not requires a persistent storage on the device.
the same as a seed for a random number generator which must be kept
secret. $$claims-set-claims //= (odometer-label => uint)
3.18. The Boot Seed Claim (boot-seed)
The Boot Seed claim MUST contain a random value created at system
boot time that will allow differentiation of reports from different
boot sessions.
This value is usually public. It is not a secret and MUST NOT be
used for any purpose that a secret seed is needed, such as seeding a
random number generator.
$$claims-set-claims //= (boot-seed-label => bytes) $$claims-set-claims //= (boot-seed-label => bytes)
3.17. The Intended Use Claim (intended-use) 3.19. The Intended Use Claim (intended-use)
EAT's may be used in the context of several different applications. EAT's may be used in the context of several different applications.
The intended-use claim provides an indication to an EAT consumer The intended-use claim provides an indication to an EAT consumer
about the intended usage of the token. This claim can be used as a about the intended usage of the token. This claim can be used as a
way for an application using EAT to internally distinguish between way for an application using EAT to internally distinguish between
different ways it uses EAT. different ways it uses EAT.
1 - Generic Generic attestation describes an application where the 1 - Generic: Generic attestation describes an application where the
EAT consumer requres the most up-to-date security assessment of EAT consumer requires the most up-to-date security assessment of
the attesting entity. It is expected that this is the most the attesting entity. It is expected that this is the most
commonly-used application of EAT. commonly-used application of EAT.
2- Registration Entities that are registering for a new service may 2- Registration: Entities that are registering for a new service may
be expected to provide an attestation as part of the registration be expected to provide an attestation as part of the registration
process. This intended-use setting indicates that the attestation process. This intended-use setting indicates that the attestation
is not intended for any use but registration. is not intended for any use but registration.
3 - Provisioning Entities may be provisioned with different values 3 - Provisioning: Entities may be provisioned with different values
or settings by an EAT consumer. Examples include key material or or settings by an EAT consumer. Examples include key material or
device management trees. The consumer may require an EAT to device management trees. The consumer may require an EAT to
assess device security state of the entity prior to provisioning. assess entity security state of the entity prior to provisioning.
4 - Certificate Issuance (Certificate Signing Request) Certifying 4 - Certificate Issuance Certification Authorities (CA's) may
authorities (CA's) may require attestations prior to the issuance require attestations prior to the issuance of certificates related
of certificates related to keypairs hosted at the entity. An EAT to keypairs hosted at the entity. An EAT may be used as part of
may be used as part of the certificate signing request (CSR). the certificate signing request (CSR).
5 - Proof-of-Possession An EAT consumer may require an attestation 5 - Proof-of-Possession: An EAT consumer may require an attestation
as part of an accompanying proof-of-possession (PoP) appication. as part of an accompanying proof-of-possession (PoP) application.
More precisely, a PoP transaction is intended to provide to the More precisely, a PoP transaction is intended to provide to the
recipient cryptographically-verifiable proof that the sender has recipient cryptographically-verifiable proof that the sender has
posession of a key. This kind of attestation may be neceesary to possession of a key. This kind of attestation may be necceesary
verify the security state of the entity storing the private key to verify the security state of the entity storing the private key
used in a PoP application. used in a PoP application.
$$claims-set-claims //= ( $$claims-set-claims //= (
intended-use-label => intended-use-label =>
intended-use-cbor-type / intended-use-json-type intended-use-cbor-type / intended-use-json-type
) )
intended-use-cbor-type = &( intended-use-cbor-type = &(
generic: 1, generic: 1,
registration: 2, registration: 2,
skipping to change at page 25, line 25 skipping to change at page 27, line 25
pop: 5 pop: 5
) )
intended-use-json-type = intended-use-json-type =
"generic" / "generic" /
"registration" / "registration" /
"provisioning" / "provisioning" /
"csr" / "csr" /
"pop" "pop"
3.18. The Profile Claim (profile) 3.20. The Profile Claim (profile)
See Section 7 for the detailed description of a profile. See Section 7 for the detailed description of a profile.
A profile is identified by either a URL or an OID. Typically, the A profile is identified by either a URL or an OID. Typically, the
URI will reference a document describing the profile. An OID is just URI will reference a document describing the profile. An OID is just
a unique identifier for the profile. It may exist anywhere in the a unique identifier for the profile. It may exist anywhere in the
OID tree. There is no requirement that the named document be OID tree. There is no requirement that the named document be
publicly accessible. The primary purpose of the profile claim is to publicly accessible. The primary purpose of the profile claim is to
uniquely identify the profile even if it is a private profile. uniquely identify the profile even if it is a private profile.
The OID is encoded in CBOR according to [CBOR.OID] and the URI The OID is always absolute and never relative. In CBOR tokens, the
according to [RFC8949]. Both are unwrapped and thus not tags. The OID MUST be encoded according to [RFC9090] and the URI according to
OID is always absolute and never relative. If the claims CBOR type [RFC8949]. Both are unwrapped and thus not CBOR tags. In JSON
is a text string it is a URI and if a byte string it is an OID. tokens, the OID is a string of the form "X.X.X", and a URI is a
normal URI string.
Note that this named "eat_profile" for JWT and is distinct from the Note that this is named "eat_profile" for JWT and is distinct from
already registered "profile" claim in the JWT claims registry. the already registered "profile" claim in the JWT claims registry.
$$claims-set-claims //= (profile-label => ~uri / ~oid) $$claims-set-claims //= (profile-label => ~uri / ~oid)
oid = #6.4000(bstr) ; TODO: Replace with CDDL from OID RFC 3.21. The DLOA (Digital Letter or Approval) Claim (dloas)
3.19. The DLOA (Digital Letter or Approval) Claim (dloas)
A DLOA (Digital Letter of Approval) [DLOA] is an XML document that A DLOA (Digital Letter of Approval) [DLOA] is an XML document that
describes a certification that a device or entity has received. describes a certification that an entity has received. Examples of
Examples of certifications represented by a DLOA include those issued certifications represented by a DLOA include those issued by Global
by Global Platform and those based on Common Criteria. The DLOA is Platform and those based on Common Criteria. The DLOA is unspecific
unspecific to any particular certification type or those issued by to any particular certification type or those issued by any
any particular organization. particular organization.
This claim is typically issued by a Verifier, not an Attester. When This claim is typically issued by a Verifier, not an Attester. When
this claim is issued by a Verifier, it MUST be because the entity, this claim is issued by a Verifier, it MUST be because the entity has
device or submodule has received the certification in the DLOA. received the certification in the DLOA.
This claim can contain more than one DLOA. If multiple DLOAs are This claim MAY contain more than one DLOA. If multiple DLOAs are
present, it MUST be because the entity, device or submodule received present, it MUST be because the entity received all of the
all of the certifications. certifications.
DLOA XML documents are always fetched from a registrar that stores DLOA XML documents are always fetched from a registrar that stores
them. This claim contains several data items used to construct a URL them. This claim contains several data items used to construct a URL
for fetching the DLOA from the particular registrar. for fetching the DLOA from the particular registrar.
The first data item is a URI for the registrar. The second data item This claim MUST be encoded as an array with either two or three
is a platform label to indicate the particular platform that was elements. The first element MUST be the URI for the registrar. The
certified. For platform certifications only these two are needed. second element MUST be a platform label indicating which platform was
certified. If the DLOA applies to an application, then the third
A DLOA may equally apply to an application. In that case it has the element is added which MUST be an application label. The method of
URI for the registrar, a platform label and additionally an constructing the registrar URI, platform label and possibly
application label. application label is specified in [DLOA].
The method of combining the registrar URI, platform label and
possibly application label is specified in [DLOA].
$$claims-set-claims //= ( $$claims-set-claims //= (
dloas-label => [ + dloa-type ] dloas-label => [ + dloa-type ]
) )
dloa-type = [ dloa-type = [
dloa_registrar: ~uri dloa_registrar: ~uri
dloa_platform_label: text dloa_platform_label: text
? dloa_application_label: text ? dloa_application_label: text
] ]
3.20. The Software Manifests Claim (manifests) 3.22. The Software Manifests Claim (manifests)
This claim contains descriptions of software that is present on the This claim contains descriptions of software present on the entity.
device. These manifests are installed on the device when the These manifests are installed on the entity when the software is
software is installed or are created as part of the installation installed or are created as part of the installation process.
process. Installation is anything that adds software to the device, Installation is anything that adds software to the entity, possibly
possibly factory installation, the user installing elective factory installation, the user installing elective applications and
applications and so on. The defining characteristic is that they are so on. The defining characteristic is they are created by the
created by the software manufacturer. The purpose of these claims in software manufacturer. The purpose of these claims in an EAT is to
an EAT is to relay them without modification to the Verifier and/or relay them without modification to the Verifier and possibly to the
the Relying Party. Relying Party.
In some cases these will be signed by the software manufacturer Some manifests may be signed by their software manufacturer before
independent of any signing for the purpose of EAT attestation. they are put into this EAT claim. When such manifests are put into
Manifest claims should include the manufacturer's signature (which this claim, the manufacturer's signature SHOULD be included. For
will be signed over by the attestation signature). In other cases example, the manifest might be a CoSWID signed by the software
the attestation signature will be the only one. manufacturer, in which case the full signed CoSWID should be put in
this claim.
This claim allows multiple formats for the manifest. For example the This claim allows multiple formats for the manifest. For example,
manifest may be a CBOR-format CoSWID, an XML-format SWID or other. the manifest may be a CBOR-format CoSWID, an XML-format SWID or
Identification of the type of manifest is always by a CBOR tag. In other. Identification of the type of manifest is always by a CBOR
many cases, for examples CoSWID, a tag will already be registered tag. In many cases, for examples CoSWID, a tag will already be
with IANA. If not, a tag MUST be registered. It can be in the registered with IANA. If not, a tag MUST be registered. It can be
first-come-first-served space which has minimal requirements for in the first-come-first-served space which has minimal requirements
registration. for registration.
The claim is an array of one or more manifests. To facilitate hand The claim is an array of one or more manifests. To facilitate hand
off of the manifest to a decoding library, each manifest is contained off of the manifest to a decoding library, each manifest is contained
in a byte string. This occurs for CBOR-format manifests as well as in a byte string. This occurs for CBOR-format manifests as well as
non-CBOR format manifests. non-CBOR format manifests.
If a particular manifest type uses CBOR encoding, then the item in If a particular manifest type uses CBOR encoding, then the item in
the array for it MUST be a byte string that contains a CBOR tag. The the array for it MUST be a byte string that contains a CBOR tag. The
EAT decoder must decode the byte string and then the CBOR within it EAT decoder must decode the byte string and then the CBOR within it
to find the tag number to identify the type of manifest. The to find the tag number to identify the type of manifest. The
contents of the byte string is then handed to the particular manifest contents of the byte string is then handed to the particular manifest
processor for that type of manifest. CoSWID and SUIT manifest are processor for that type of manifest. CoSWID and SUIT manifest are
examples of this. examples of this.
If a particular manifest type does not use CBOR encoding, then the If a particular manifest type does not use CBOR encoding, then the
item in the array for it must be a CBOR tag that contains a byte item in the array for it MUST be a CBOR tag that contains a byte
string. The EAT decoder uses the tag to identify the processor for string. The EAT decoder uses the tag to identify the processor for
that type of manifest. The contents of the tag, the byte string, are that type of manifest. The contents of the tag, the byte string, are
handed to the manifest processor. Note that a byte string is used to handed to the manifest processor. Note that a byte string is used to
contain the manifest whether it is a text based format or not. An contain the manifest whether it is a text based format or not. An
example of this is an XML format ISO/IEC 19770 SWID. example of this is an XML format ISO/IEC 19770 SWID.
It is not possible to describe the above requirements in CDDL so the It is not possible to describe the above requirements in CDDL, so the
type for an individual manifest is any in the CDDL below. The above type for an individual manifest is any in the CDDL below. The above
text sets the encoding requirement. text sets the encoding requirement.
This claim allows for multiple manifests in one token since multiple This claim allows for multiple manifests in one token since multiple
software packages are likely to be present. The multiple manifests software packages are likely to be present. The multiple manifests
may be of multiple formats. In some cases EAT submodules may be used MAY be of multiple formats. In some cases EAT submodules may be used
instead of the array structure in this claim for multiple manifests. instead of the array structure in this claim for multiple manifests.
When the [CoSWID] format is used, it MUST be a payload CoSWID, not an When the [CoSWID] format is used, it MUST be a payload CoSWID, not an
evidence CoSWID. evidence CoSWID.
$$claims-set-claims //= ( $$claims-set-claims //= (
manifests-label => manifests-type manifests-label => manifests-type
) )
manifests-type = [+ $$manifest-formats] manifests-type = [+ $$manifest-formats]
; Must be a CoSWID payload type
; TODO: signed CoSWIDs
coswid-that-is-a-cbor-tag-xx = tagged-coswid<concise-swid-tag> coswid-that-is-a-cbor-tag-xx = tagged-coswid<concise-swid-tag>
$$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx $$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx
; TODO: make this work too 3.23. The Software Evidence Claim (swevidence)
;$$manifest-formats /= bytes .cbor SUIT_Envelope_Tagged
3.21. The Software Evidence Claim (swevidence)
This claim contains descriptions, lists, evidence or measurements of This claim contains descriptions, lists, evidence or measurements of
the software that exists on the device. The defining characteristic the software that exists on the entity. The defining characteristic
of this claim is that its contents are created by processes on the of this claim is that its contents are created by processes on the
device that inventory, measure or otherwise characterize the software entity that inventory, measure or otherwise characterize the software
on the device. The contents of this claim do not originate from the on the entity. The contents of this claim do not originate from the
software manufacturer. software manufacturer.
In most cases the contents of this claim are signed as part of
attestation signing, but independent signing in addition to the
attestation signing is not ruled out when a particular evidence
format supports it.
This claim uses the same mechanism for identification of the type of This claim uses the same mechanism for identification of the type of
the swevidence as is used for the type of the manifest in the the swevidence as is used for the type of the manifest in the
manifests claim. It also uses the same byte string based mechanism manifests claim. It also uses the same byte string based mechanism
for containing the claim and easing the hand off to a processing for containing the claim and easing the hand off to a processing
library. See the discussion above in the manifests claim. library. See the discussion above in the manifests claim.
When the [CoSWID] format is used, it MUST be evidence CoSWIDs, not When the [CoSWID] format is used, it MUST be evidence CoSWIDs, not
payload CoSWIDS. payload CoSWIDS.
$$claims-set-claims //= ( $$claims-set-claims //= (
swevidence-label => swevidence-type swevidence-label => swevidence-type
) )
swevidence-type = [+ $$swevidence-formats] swevidence-type = [+ $$swevidence-formats]
; Must be a CoSWID evidence type that is a CBOR tag
; TODO: fix the CDDL so a signed CoSWID is allowed too
coswid-that-is-a-cbor-tag = tagged-coswid<concise-swid-tag> coswid-that-is-a-cbor-tag = tagged-coswid<concise-swid-tag>
$$swevidence-formats /= bytes .cbor coswid-that-is-a-cbor-tag $$swevidence-formats /= bytes .cbor coswid-that-is-a-cbor-tag
3.22. The SW Measurement Results Claim (swresults) 3.24. The SW Measurement Results Claim (swresults)
This claims reports the outcome of the comparison of a measurement on This claims reports the outcome of the comparison of a measurement on
some software to the expected Reference Values. It may report a some software to the expected Reference Values. It may report a
successful comparison, failed comparison or other. successful comparison, failed comparison or other.
This claim may be generated by the Verifier and sent to the Relying This claim MAY be generated by the Verifier and sent to the Relying
Party. For example, it could be the results of the Verifier Party. For example, it could be the results of the Verifier
comparing the contents of the swevidence claim to Reference Values. comparing the contents of the swevidence claim to Reference Values.
This claim can also be generated on the device if the device has the This claim MAY also be generated on the entity if the entity has the
ability for one subsystem to measure another subsystem. For example, ability for one subsystem to measure another subsystem. For example,
a TEE might have the ability to measure the software of the rich OS a TEE might have the ability to measure the software of the rich OS
and may have the Reference Values for the rich OS. and may have the Reference Values for the rich OS.
Within an attestation target or submodule, multiple results can be Within an attestation target or submodule, multiple results can be
reported. For example, it may be desirable to report the results for reported. For example, it may be desirable to report the results for
the kernel and each individual application separately. the kernel and each individual application separately.
For each software objective, the following can be reported. For each software objective, the following can be reported. TODO:
defined objective
3.22.1. Scheme 3.24.1. Scheme
This is the free-form text name of the verification system or scheme This is the free-form text name of the verification system or scheme
that performed the verification. There is no official registry of that performed the verification. There is no official registry of
schemes or systems. It may be the name of a commercial product or schemes or systems. It may be the name of a commercial product or
such. such.
3.22.2. Objective 3.24.2. Objective
This roughly characterizes the coverage of the software measurement This roughly characterizes the coverage of the software measurement
software. This corresponds to the attestation target or the software. This corresponds to the attestation target or the
submodule. If all of the indicated target is not covered, the submodule. If all of the indicated target is not covered, the
measurement must indicate partial. measurement must indicate partial.
1 - all Indicates all the software has been verified, for example, 1 - all: Indicates all the software has been verified, for example,
all the software in the attestation target or the submodule all the software in the attestation target or the submodule
2 - firmware Indicates all of and only the firmware 2 - firmware: Indicates all of and only the firmware
3 - kernel Refers to all of the most-privileged software, for 3 - kernel: Refers to all of the most-privileged software, for
example the Linux kernel example the Linux kernel
4 - privileged Refers to all of the software used by the root, 4 - privileged: Refers to all of the software used by the root,
system or administrative account system or administrative account
5 - system-libs Refers to all of the system libraries that are 5 - system-libs: Refers to all of the system libraries that are
broadly shared and used by applications and such broadly shared and used by applications and such
6 - partial Some other partial set of the software 6 - partial: Some other partial set of the software
3.22.3. Results 3.24.3. Results
This describes the result of the measurement and also the comparison This describes the result of the measurement and also the comparison
to Reference Values. to Reference Values.
1 - verificaton-not-run Indicates no attempt was made to run the 1 - verification-not-run: Indicates that no attempt was made to run
verification the verification
2 - verification-indeterminite The verification was attempted, but 2 - verification-indeterminite: The verification was attempted, but
it did not produce a result; perhaps it ran out of memory, the it did not produce a result; perhaps it ran out of memory, the
battery died or such battery died or such
3 - verification-failed The verification ran to completion, the 3 - verification-failed: The verification ran to completion, the
comparison was completed and did not compare correctly to the comparison was completed and did not compare correctly to the
Reference Values Reference Values
4 - fully-verified The verification ran to completion and all 4 - fully-verified: The verification ran to completion and all
measurements compared correctly to Reference Values measurements compared correctly to Reference Values
5 - partially-verified The verification ran to completion and some, 5 - partially-verified: The verification ran to completion and some,
but not all measurements compared correctly to Reference Values but not all, measurements compared correctly to Reference Values
3.22.4. Objective Name 3.24.4. Objective Name
This is a free-form text string that describes the objective. For This is a free-form text string that describes the objective. For
example, "Linux kernel" or "Facebook App" example, "Linux kernel" or "Facebook App"
$$claims-set-claims //= (swresults-label => [ + swresult-type ]) $$claims-set-claims //= (swresults-label => [ + swresult-type ])
verification-result-cbor-type = &( verification-result-cbor-type = &(
verification-not-run: 1, verification-not-run: 1,
verification-indeterminate: 2, verification-indeterminate: 2,
verification-failed: 3, verification-failed: 3,
fully-verified: 4, fully-verified: 4,
skipping to change at page 33, line 5 skipping to change at page 34, line 5
swresult-type = [ swresult-type = [
verification-system: tstr, verification-system: tstr,
objective: verification-objective-cbor-type / objective: verification-objective-cbor-type /
verification-objective-json-type, verification-objective-json-type,
result: verification-result-cbor-type / result: verification-result-cbor-type /
verification-result-json-type, verification-result-json-type,
? objective-name: tstr ? objective-name: tstr
] ]
3.23. Submodules (submods) 3.25. Submodules (submods)
Some devices are complex, having many subsystems. A mobile phone is Some devices are complex, having many subsystems. A mobile phone is
a good example. It may have several connectivity subsystems for a good example. It may have several connectivity subsystems for
communications (e.g., Wi-Fi and cellular). It may have subsystems communications (e.g., Wi-Fi and cellular). It may have subsystems
for low-power audio and video playback. It may have one or more for low-power audio and video playback. It may have multiple
security-oriented subsystems like a TEE or a Secure Element. security-oriented subsystems like a TEE and a Secure Element.
The claims for a subsystem can be grouped together in a submodule or The claims for a subsystem can be grouped together in a submodule or
submod. submod.
The submods are in a single map/object, one entry per submodule. The submods are in a single map/object, one entry per submodule.
There is only one submods map/object in a token. It is identified by There is only one submods map/object in a token. It is identified by
its specific label. It is a peer to other claims, but it is not its specific label. It is a peer to other claims, but it is not
called a claim because it is a container for a claims set rather than called a claim because it is a container for a claims set rather than
an individual claim. This submods part of a token allows what might an individual claim. This submods part of a token allows what might
be called recursion. It allows claims sets inside of claims sets be called recursion. It allows claims sets inside of claims sets
inside of claims sets... inside of claims sets...
3.23.1. Submodule Types 3.25.1. Submodule Types
The following sections define the three major types of submodules: The following sections define the three types of submodules:
o A submodule Claims-Set o A submodule Claims-Set
o A nested token, which can be any valid EAT token, CBOR or JSON o A nested token, which can be any valid EAT token, CBOR or JSON
o The digest of a detached Claims-Set o The digest of a detached Claims-Set
These are distinguished primarily by their data type which may be a 3.25.1.1. Submodule Claims-Set
map/object, string or array.
3.23.1.1. Submodule Claims-Set
This is simply a subordinate Claims-Set containing claims about the This is a subordinate Claims-Set containing claims about the
submodule. submodule.
The submodule claims-set is produced by the same Attester as the The submodule claims-set is produced by the same Attester as the
surrounding token. It is secured using the same mechanism as the surrounding token. It is secured using the same mechanism as the
enclosing token (e.g., it is signed by the same attestation key). It enclosing token (e.g., it is signed by the same attestation key). It
roughly corresponds to an Attester Target Environment as described in roughly corresponds to an Attester Target Environment, as described
the RATS architecture. in the RATS architecture.
It may contain claims that are the same as its surrounding token or It may contain claims that are the same as its surrounding token or
superior submodules. For example, the top-level of the token may superior submodules. For example, the top-level of the token may
have a UEID, a submod may have a different UEID and a further have a UEID, a submod may have a different UEID and a further
subordinate submodule may also have a UEID. subordinate submodule may also have a UEID.
The encoding of a submodule Claims-Set is always the same as the The encoding of a submodule Claims-Set MUST be the same as the
encoding as the token it is part of. encoding as the token it is part of.
This data type for this type of submodule is a map/object as that is This data type for this type of submodule is a map/object. It is
the type of a Claims-Set. identified when decoding by it's type being a map/object.
3.23.1.2. Nested Token 3.25.1.2. Nested Token
This type of submodule is a fully formed complete token. It is This type of submodule is a fully formed complete token. It is
typically produced by a separate Attester. It is typically used by a typically produced by a separate Attester. It is typically used by a
Composite Device as described in RATS Architecture Composite Device as described in RATS Architecture
[RATS.Architecture] [RATS.Architecture] In being a submodule of the surrounding token, it
is cryptographically bound to the surrounding token. If it was
In being a submodule of the surrounding token, it is conveyed in parallel with the surrounding token, there would be no
cryptographically bound to the surrounding token. If it was conveyed such binding and attackers could substitute a good attestation from
in parallel with the surrounding token, there would be no such
binding and attackers could substitute a good attestation from
another device for the attestation of an errant subsystem. another device for the attestation of an errant subsystem.
A nested token does NOT need to use the same encoding as the A nested token does not need to use the same encoding as the
enclosing token. This is to allow Composite Devices to be built enclosing token. This is to allow Composite Devices to be built
without regards to the encoding supported by their Attesters. without regards to the encoding supported by their Attesters. Thus a
CBOR-encoded token like a CWT or UCCS can have a JWT as a nested
token submodule and a JSON-encoded token can have a CWT or UCCS as a
nested token submodule.
Thus a CBOR-encoded token like a CWT or UCCS can have a JWT as a The following two sections describe how to encode and decode a nested
nested token submodule and a JSON-encoded token can have a CWT or token.
UCCS as a nested token submodule.
The data type for this type of submodule is either a text or byte 3.25.1.2.1. Surrounding EAT is CBOR-Encoded
string.
Mechanisms are defined for identifying the encoding and type of the This describes the encoding and decoding of CBOR or JSON-encoded
nested token. These mechanisms are different for CBOR and JSON tokens nested inside a CBOR-encoded token.
encoding. The type of a CBOR-encoded nested token is identified
using the CBOR tagging mechanism and thus is in common with
identification used when any CBOR-encoded token is part of a CBOR-
based protocol. A new simple type mechanism is defined for
indication of the type of a JSON-encoded token since there is no JSON
equivalent of tagging.
3.23.1.2.1. Surrounding EAT is CBOR-Encoded If the nested token is CBOR-encoded, then it MUST be a CBOR tag and
MUST be wrapped in a byte string. The tag identifies whether the
nested token is a CWT, a UCCS, a CBOR-encoded DEB, or some other
CBOR-format token defined in the future. A nested CBOR-encoded token
that is not a CBOR tag is NOT allowed.
If the submodule is a byte string, then the nested token is CBOR- If the nested token is JSON-encoded, then the data item MUST be a
encoded. The byte string always wraps a token that is a tag. The text string. The text string MUST contain a JSON-encoded array of
tag identifies whether the nested token is a CWT, a UCCS or a CBOR- two items. The first item is a string identifying the type of the
encoded DEB. token. The second item is the JSON-encoded token.
If the submodule is a text string, then the nested token is JSON- The string identifying the JSON-encoded token MUST be one of the
encoded. The text string contains JSON. That JSON is the exactly following:
the JSON described in the next section with one exception. The token
can't be CBOR-encoded.
; This specifies how one fully-formed token is nested inside a "JWT": The second item MUST be a JWT formatted according to
; CBOR-format token. The fully-formed nested token is any valid [RFC7519]
; token, CBOR or JSON (JWT, CWT, UCCS, DEB...) The mechanism for
; identifying the type of the nested token is specific to the format "UJCS": The second item MUST be a UJCS-Message as defined in this
; of the surrounding token, CBOR in this case. document.
;
; A primary reason this is encoding-specific is that JSON does not "DEB": The second item MUST be a JSON-encoded Detached EAT Bundle as
; have an equivalent to CBOR tags. defined in this document.
;
; If the data type here is text, then the nested token is JSON The definition of additional types requires a standards action.
; format, one of a JWT, UJCS or JSON-encoded DEB. The means for
; distinguishing which is in the definition of JSON-encoded When decoding, if a byte string is encountered, it is known to be a
; Nested-Token. If the data type is bstr, then the nested token nested CBOR-encoded token. The byte string wrapping is removed. The
; is CBOR format. It is byte-string wrapped and identified by a type of the token is determined by the CBOR tag.
;CBOR tag.
When decoding, if a text string is encountered, it is known to be a
JSON-encoded token. The two-item array is decoded and tells the type
of the JSON-encoded token.
Nested-Token = Nested-Token =
tstr / ; A JSON-encoded Nested-Token (see json-nested-token.cddl) tstr / ; A JSON-encoded Nested-Token (see json-nested-token.cddl)
bstr .cbor Tagged-CBOR-Token bstr .cbor Tagged-CBOR-Token
3.23.1.2.2. Surrounding EAT is JSON-Encoded 3.25.1.2.2. Surrounding EAT is JSON-Encoded
A nested token in a JSON-encoded token is an array of two items. The This describes the encoding and decoding of CBOR or JSON-encoded
first is a string that indicates the type of the second item as tokens nested inside a JSON-encoded token.
follows:
"JWT" A JWT formatted according to [RFC7519] The nested token MUST be an array of two in the same format as
described in the section above.
"CBOR" Some base64url-encoded CBOR that is a tag that is either a A CBOR-encoded token nested inside a JSON-encoded MUST use the same
CWT, UCCS or CBOR-encoded DEB array of two, but with the type as follows:
"UJCS" A UJCS-Message. (A UJCS-Message is identical to a JSON- "CBOR": Some base64url-encoded CBOR that is a tag, typically a CWT,
encoded Claims-Set) UCCS or CBOR-encoded DEB
"DEB" A JSON-encoded Detached EAT Bundle. When decoding, the array of two is decoded. The first item indicates
the type and encoding of the nested token. If the type string is not
"CBOR", then the token is JSON-encoded and of the type indicated by
the string.
; This describes a nested token that occurs inside a JSON-encoded If the type string is "CBOR", then the token is CBOR-encoded. The
; token. It uses an array that is made up of a type indicator and the base64url encoding is removed. The CBOR-encoded data is then
; actual token. This is a substitute for the CBOR tag mechanism that decoded. The type of nested token is determined by the CBOR-tag. It
; JSON does not have. is an error if the CBOR is not a tag.
Nested-Token = [ Nested-Token = [
type : "JWT" / "CBOR" / "UJCS" / "DEB", type : "JWT" / "CBOR" / "UJCS" / "DEB",
nested-token : JWT-Message / nested-token : JWT-Message /
B64URL-Tagged-CBOR-Token / B64URL-Tagged-CBOR-Token /
DEB-JSON-Message / DEB-JSON-Message /
UJCS-Message UJCS-Message
] ]
; This text is a Tagged-CBOR-Token (see cbor-token.cddl) that is
; base64url encoded. For example, it is a CWT that is a COSE_Sign1
; that is a CBOR tag that has been base64url encoded.
B64URL-Tagged-CBOR-Token = tstr .regexp "[A-Za-z0-9_=-]+" B64URL-Tagged-CBOR-Token = tstr .regexp "[A-Za-z0-9_=-]+"
3.23.1.3. Detached Submodule Digest 3.25.1.3. Detached Submodule Digest
This is type of submodule equivalent to a Claims-Set submodule, This is type of submodule equivalent to a Claims-Set submodule,
except the Claims-Set is conveyed separately outside of the token. except the Claims-Set is conveyed separately outside of the token.
This type of submodule consists of a digest made using a This type of submodule consists of a digest made using a
cryptographic hash of a Claims-Set. The Claims-Set is not included cryptographic hash of a Claims-Set. The Claims-Set is not included
in the token. It is conveyed to the Verifier outside of the token. in the token. It is conveyed to the Verifier outside of the token.
The submodule containing the digest is called a detached digest. The The submodule containing the digest is called a detached digest. The
separately conveyed Claims-Set is called a detached claims set. separately conveyed Claims-Set is called a detached claims set.
skipping to change at page 37, line 13 skipping to change at page 38, line 5
Probably, every data item in it is of fixed length. Probably, every data item in it is of fixed length.
The integrity protection for the larger Claims Sets will not be as The integrity protection for the larger Claims Sets will not be as
secure as those originating in hardware block, but the key material secure as those originating in hardware block, but the key material
and hardware-based claims will be. It is possible for the hardware and hardware-based claims will be. It is possible for the hardware
to enforce hardware access control (memory protection) on the digest to enforce hardware access control (memory protection) on the digest
registers so that some of the larger claims can be more secure. For registers so that some of the larger claims can be more secure. For
example, one register may be writable only by the TEE, so the example, one register may be writable only by the TEE, so the
detached claims from the TEE will have TEE-level security. detached claims from the TEE will have TEE-level security.
The data type for this type of submodule is an array It contains two The data type for this type of submodule MUST be an array It contains
data items, an algorithm identifier and a byte string containing the two data items, an algorithm identifier and a byte string containing
digest. the digest.
When decoding a CBOR format token the detached digest type is
distringuished from the other types by it being an array. In CBOR
the none of other submodule types are arrays.
When decoding a JSON format token, a little more work is required
because both the nested token and detached digest types are an array.
To distinguish the nested token from the detached digest, the first
element in the array is examined. If it is "JWT", "UJCS" or "DEB",
the the submodule is a nested token. Otherwise it will contain an
algorithm identifier and is a detached digest.
A DEB, described in Section 5, may be used to convey detached claims A DEB, described in Section 5, may be used to convey detached claims
sets and the token with their detached digests. EAT, however, sets and the token with their detached digests. EAT, however,
doesn't require use of a DEB. Any other protocols may be used to doesn't require use of a DEB. Any other protocols may be used to
convey detached claims sets and the token with their detached convey detached claims sets and the token with their detached
digests. Note that since detached Claims-Sets are usually signed, digests. Note that since detached Claims-Sets are usually signed,
protocols conveying them must make sure they are not modified in protocols conveying them must make sure they are not modified in
transit. transit.
3.23.2. No Inheritance 3.25.2. No Inheritance
The subordinate modules do not inherit anything from the containing The subordinate modules do not inherit anything from the containing
token. The subordinate modules must explicitly include all of their token. The subordinate modules must explicitly include all of their
claims. This is the case even for claims like the nonce. claims. This is the case even for claims like the nonce.
This rule is in place for simplicity. It avoids complex inheritance This rule is in place for simplicity. It avoids complex inheritance
rules that might vary from one type of claim to another. rules that might vary from one type of claim to another.
3.23.3. Security Levels 3.25.3. Security Levels
The security level of the non-token subordinate modules should always The security level of the non-token subordinate modules should always
be less than or equal to that of the containing modules in the case be less than or equal to that of the containing modules in the case
of non-token submodules. It makes no sense for a module of lesser of non-token submodules. It makes no sense for a module of lesser
security to be signing claims of a module of higher security. An security to be signing claims of a module of higher security. An
example of this is a TEE signing claims made by the non-TEE parts example of this is a TEE signing claims made by the non-TEE parts
(e.g. the high-level OS) of the device. (e.g. the high-level OS) of the device.
The opposite may be true for the nested tokens. They usually have The opposite may be true for the nested tokens. They usually have
their own more secure key material. An example of this is an their own more secure key material. An example of this is an
embedded secure element. embedded secure element.
3.23.4. Submodule Names 3.25.4. Submodule Names
The label or name for each submodule in the submods map is a text The label or name for each submodule in the submods map is a text
string naming the submodule. No submodules may have the same name. string naming the submodule. No submodules may have the same name.
3.23.5. CDDL for submods 3.25.5. CDDL for submods
; This is the part of a token that contains all the submodules. It The submodule type is distinguished in the encoded bytes by its data
; is a peer with the claims in the token, but not a claim, only a type, map/object for a Claims-Set, string for nested token and array
; map/object to hold all the submodules. for a detached submodule. Nested tokens are byte-string wrapped when
encoded in CBOR and base64 encoded for JSON.
$$claims-set-claims //= (submods-label => { + text => Submodule }) $$claims-set-claims //= (submods-label => { + text => Submodule })
; A submodule can be:
; - A simple Claims-Set (encoded in the same format as the token)
; - A digest of a detached Claims-Set (encoded in the same format as
; the token)
; - A nested token which may be either CBOR or JSON format. Further,
; the mechanism for identifying and containing the nested token
; depends on the format of the surrounding token, particularly
; because JSON doesn't have any equivalent of a CBOR tag so a
; JSON-specific mechanism is invented. Also, there is the issue
; that binary data must be B64 encoded when carried in
; JSON. Nested-Token is defined in the format specific CDDL, not
; here.
; Note that at nested token can either be a signed token like a CWT
; or JWT, an unsigned token like a UCCS or UJCS, or a DEB (detached
; EAT bundle). The specific encoding of these is format-specific
; so it doesn't appear here.
Submodule = Claims-Set / Nested-Token / Detached-Submodule-Digest Submodule = Claims-Set / Nested-Token / Detached-Submodule-Digest
; This is for both JSON and CBOR. JSON uses text label for
; algorithm from JOSE registry. CBOR uses integer label for
; algorithm from COSE registry. In JSON the digest is base64
; encoded.
Detached-Submodule-Digest = [ Detached-Submodule-Digest = [
algorithm : int / text, algorithm : int / text,
digest : bstr digest : bstr
] ]
4. Unprotected JWT Claims-Sets 4. Unprotected JWT Claims-Sets
This is simply the JSON equivalent of an Unprotected CWT Claims-Set This is simply the JSON equivalent of an Unprotected CWT Claims-Set
[UCCS.Draft]. [UCCS.Draft].
skipping to change at page 40, line 7 skipping to change at page 40, line 32
normal rules apply for use or non-use of a tag. When it is sent as a normal rules apply for use or non-use of a tag. When it is sent as a
submodule, it is always sent as a tag to distinguish it from the submodule, it is always sent as a tag to distinguish it from the
other types of nested tokens. other types of nested tokens.
The digests of the detached claims sets are associated with detached The digests of the detached claims sets are associated with detached
claims-sets by label/name. It is up to the constructor of the claims-sets by label/name. It is up to the constructor of the
detached EAT bundle to ensure the names uniquely identify the detached EAT bundle to ensure the names uniquely identify the
detached claims sets. Since the names are used only in the detached detached claims sets. Since the names are used only in the detached
EAT bundle, they can be very short, perhaps one byte. EAT bundle, they can be very short, perhaps one byte.
; Top-level definition of a DEB for CBOR and JSON
Detached-EAT-Bundle = [ Detached-EAT-Bundle = [
main-token : Nested-Token, main-token : Nested-Token,
detached-claims-sets: { detached-claims-sets: {
+ tstr => cbor-wrapped-claims-set / json-wrapped-claims-set + tstr => cbor-wrapped-claims-set / json-wrapped-claims-set
} }
] ]
; text content is a base64url encoded JSON-format Claims-Set
json-wrapped-claims-set = tstr .regexp "[A-Za-z0-9_=-]+" json-wrapped-claims-set = tstr .regexp "[A-Za-z0-9_=-]+"
cbor-wrapped-claims-set = bstr .cbor Claims-Set cbor-wrapped-claims-set = bstr .cbor Claims-Set
6. Endorsements and Verification Keys 6. Endorsements and Verification Keys
The Verifier must possess the correct key when it performs the The Verifier must possess the correct key when it performs the
cryptographic part of an EAT verification (e.g., verifying the COSE/ cryptographic part of an EAT verification (e.g., verifying the COSE/
JOSE signature). This section describes several ways to identify the JOSE signature). This section describes several ways to identify the
verification key. There is not one standard method. verification key. There is not one standard method.
skipping to change at page 42, line 17 skipping to change at page 42, line 32
Compressed X.509 and CBOR Native certificates are defined by CBOR Compressed X.509 and CBOR Native certificates are defined by CBOR
Certificates [CBOR.Cert.Draft]. These are semantically compatible Certificates [CBOR.Cert.Draft]. These are semantically compatible
with X.509 and therefore can be used as an equivalent to X.509 as with X.509 and therefore can be used as an equivalent to X.509 as
described above. described above.
These are identified by their own header parameters (c5t, c5u,...). These are identified by their own header parameters (c5t, c5u,...).
6.1.4. Claim-Based Key Identification 6.1.4. Claim-Based Key Identification
For some attestation systems, a claim may be re-used as a key For some attestation systems, a claim may be re-used as a key
identifier. For example, the UEID uniquely identifies the device and identifier. For example, the UEID uniquely identifies the entity and
therefore can work well as a key identifier or Endorsement therefore can work well as a key identifier or Endorsement
identifier. identifier.
This has the advantage that key identification requires no additional This has the advantage that key identification requires no additional
bytes in the EAT and makes the EAT smaller. bytes in the EAT and makes the EAT smaller.
This has the disadvantage that the unverified EAT must be This has the disadvantage that the unverified EAT must be
substantially decoded to obtain the identifier since the identifier substantially decoded to obtain the identifier since the identifier
is in the COSE/JOSE payload, not in the headers. is in the COSE/JOSE payload, not in the headers.
skipping to change at page 43, line 6 skipping to change at page 43, line 22
7. Profiles 7. Profiles
This EAT specification does not gaurantee that implementations of it This EAT specification does not gaurantee that implementations of it
will interoperate. The variability in this specification is will interoperate. The variability in this specification is
necessary to accommodate the widely varying use cases. An EAT necessary to accommodate the widely varying use cases. An EAT
profile narrows the specification for a specific use case. An ideal profile narrows the specification for a specific use case. An ideal
EAT profile will guarantee interoperability. EAT profile will guarantee interoperability.
The profile can be named in the token using the profile claim The profile can be named in the token using the profile claim
described in Section 3.18. described in Section 3.20.
A profile can apply to Attestation Evidence or to Attestation Results A profile can apply to Attestation Evidence or to Attestation Results
or both. or both.
7.1. Format of a Profile Document 7.1. Format of a Profile Document
A profile document doesn't have to be in any particular format. It A profile document doesn't have to be in any particular format. It
may be simple text, something more formal or a combination. may be simple text, something more formal or a combination.
In some cases CDDL may be created that replaces CDDL in this or other In some cases CDDL may be created that replaces CDDL in this or other
skipping to change at page 48, line 20 skipping to change at page 48, line 34
This specification gives no blanket requirements to narrow CBOR This specification gives no blanket requirements to narrow CBOR
serialization for all uses of EAT. This allows individual uses to serialization for all uses of EAT. This allows individual uses to
tailor serialization to the environment. It also may result in EAT tailor serialization to the environment. It also may result in EAT
implementations that don't interoperate. implementations that don't interoperate.
One way to guarantee interoperability is to clearly specify CBOR One way to guarantee interoperability is to clearly specify CBOR
serialization in a profile document. See Section 7 for a list of serialization in a profile document. See Section 7 for a list of
serialization issues that should be addressed. serialization issues that should be addressed.
EAT will be commonly used where the device generating the attestation EAT will be commonly used where the entity generating the attestation
is constrained and the receiver/Verifier of the attestation is a is constrained and the receiver/Verifier of the attestation is a
capacious server. Following is a set of serialization requirements capacious server. Following is a set of serialization requirements
that work well for that use case and are guaranteed to interoperate. that work well for that use case and are guaranteed to interoperate.
Use of this serialization is recommended where possible, but not Use of this serialization is recommended where possible, but not
required. An EAT profile may just reference the following section required. An EAT profile may just reference the following section
rather than spell out serialization details. rather than spell out serialization details.
8.3.1. EAT Constrained Device Serialization 8.3.1. EAT Constrained Device Serialization
o Preferred serialization described in section 4.1 of [RFC8949] is o Preferred serialization described in section 4.1 of [RFC8949] is
skipping to change at page 49, line 7 skipping to change at page 49, line 21
o Deterministic encoding described in Section 4.2 of [RFC8949] is o Deterministic encoding described in Section 4.2 of [RFC8949] is
not required. not required.
o Basic validity described in section 5.3.1 of [RFC8949] must be o Basic validity described in section 5.3.1 of [RFC8949] must be
followed. The EAT encoder must not send duplicate map keys/labels followed. The EAT encoder must not send duplicate map keys/labels
or invalid UTF-8 strings. or invalid UTF-8 strings.
8.4. Collected Common CDDL 8.4. Collected Common CDDL
; This is the fundamental definition of a Claims-Set for both CBOR Claims-Set = {
; and JSON. It is a set of label-value pairs each of which is a * $$claims-set-claims,
; claim. * Claim-Label .feature "extended-label" => any
; }
; In CBOR the labels can be integers or strings with a strong
; preference for integers. For JSON, the labels are always strings.
;
; The values can be anything, with some consideration for types that
; can work in both CBOR and JSON.
Claims-Set = {
* $$claims-set-claims,
* Claim-Label .feature "extended-label" => any
}
Claim-Label = int / text
string-or-uri = tstr
time-int = #6.1(int)
; This is CDDL for the 7 individual claims that are defined in CWT
; and JWT. This CDDL works for either CBOR format CWT or JSON format
; JWT The integer format CWT Claim Keys (the labels) are defined in
; cwt-labels.cddl. The string format JWT Claim Names (the labels)
; are defined in jwt-labels.cddl.
; $$claims-set-claims is defined in claims-set.cddl
$$claims-set-claims //= (iss-label => text)
$$claims-set-claims //= (sub-label => text)
$$claims-set-claims //= (aud-label => text)
$$claims-set-claims //= (exp-label => ~time)
$$claims-set-claims //= (nbf-label => ~time)
$$claims-set-claims //= (iat-label => ~time)
; TODO: how does the bstr get handled in JSON validation with the
; cddl tool? TODO: should this be a text for JSON?
; $$claims-set-claims //= (cti-label : bytes)
$$claims-set-claims //=
(nonce-label => nonce-type / [ 2* nonce-type ])
nonce-type = bstr .size (8..64)
$$claims-set-claims //= (ueid-label => ueid-type)
ueid-type = bstr .size (7..33)
$$claims-set-claims //= (sueids-label => sueids-type)
sueids-type = {
+ tstr => ueid-type
}
oemid-pen = int
oemid-ieee = bstr .size 3
oemid-random = bstr .size 16
$$claims-set-claims //= (
oemid-label =>
oemid-random / oemid-ieee / oemid-pen
)
$$claims-set-claims //= (
chip-version-label => hw-version-type
)
$$claims-set-claims //= (
board-version-label => hw-version-type
)
$$claims-set-claims //= (
device-version-label => hw-version-type
)
hw-version-type = [
version: tstr,
scheme: $version-scheme
]
$$claims-set-claims //= ( sw-name-label => tstr )
$$claims-set-claims //= (
security-level-label =>
security-level-cbor-type /
security-level-json-type
)
security-level-cbor-type = &(
unrestricted: 1,
restricted: 2,
secure-restricted: 3,
hardware: 4
)
security-level-json-type = Claim-Label = int / text
"unrestricted" / string-or-uri = tstr
"restricted" /
"secure-restricted" /
"hardware"
$$claims-set-claims //= (secure-boot-label => bool)
$$claims-set-claims //= (
debug-status-label =>
debug-status-cbor-type / debug-status-json-type
)
debug-status-cbor-type = &( time-int = #6.1(int)
enabled: 0, $$claims-set-claims //= (iss-label => text)
disabled: 1, $$claims-set-claims //= (sub-label => text)
disabled-since-boot: 2, $$claims-set-claims //= (aud-label => text)
disabled-permanently: 3, $$claims-set-claims //= (exp-label => ~time)
disabled-fully-and-permanently: 4 $$claims-set-claims //= (nbf-label => ~time)
) $$claims-set-claims //= (iat-label => ~time)
debug-status-json-type = $$claims-set-claims //=
"enabled" / (nonce-label => nonce-type / [ 2* nonce-type ])
"disabled" /
"disabled-since-boot" /
"disabled-permanently" /
"disabled-fully-and-permanently"
$$claims-set-claims //= (location-label => location-type)
location-type = { nonce-type = bstr .size (8..64)
latitude => number, $$claims-set-claims //= (ueid-label => ueid-type)
longitude => number,
? altitude => number,
? accuracy => number,
? altitude-accuracy => number,
? heading => number,
? speed => number,
? timestamp => ~time-int,
? age => uint
}
latitude = 1 / "latitude" ueid-type = bstr .size (7..33)
longitude = 2 / "longitude" $$claims-set-claims //= (sueids-label => sueids-type)
altitude = 3 / "altitude"
accuracy = 4 / "accuracy"
altitude-accuracy = 5 / "altitude-accuracy"
heading = 6 / "heading"
speed = 7 / "speed"
timestamp = 8 / "timestamp"
age = 9 / "age"
$$claims-set-claims //= (uptime-label => uint) sueids-type = {
$$claims-set-claims //= (boot-seed-label => bytes) + tstr => ueid-type
$$claims-set-claims //= ( }
intended-use-label => oemid-pen = int
intended-use-cbor-type / intended-use-json-type
)
intended-use-cbor-type = &( oemid-ieee = bstr .size 3
generic: 1, oemid-random = bstr .size 16
registration: 2,
provisioning: 3,
csr: 4,
pop: 5
)
intended-use-json-type = $$claims-set-claims //= (
"generic" / oemid-label =>
"registration" / oemid-random / oemid-ieee / oemid-pen
"provisioning" / )
"csr" / $$claims-set-claims //= (
"pop" hardware-version-label => hardware-version-type
)
$$claims-set-claims //= ( hardware-version-type = [
dloas-label => [ + dloa-type ] version: tstr,
) scheme: $version-scheme
]
hardware-model-type = bytes .size (1..32)
dloa-type = [ $$claims-set-claims //= (
dloa_registrar: ~uri hardware-model-label => hardware-model-type
dloa_platform_label: text )
? dloa_application_label: text $$claims-set-claims //= ( sw-name-label => tstr )
] $$claims-set-claims //= (sw-version-label => sw-version-type)
$$claims-set-claims //= (profile-label => ~uri / ~oid) sw-version-type = [
version: tstr,
scheme: $version-scheme ; As defined by CoSWID
]
$$claims-set-claims //= (
security-level-label =>
security-level-cbor-type /
security-level-json-type
)
oid = #6.4000(bstr) ; TODO: Replace with CDDL from OID RFC security-level-cbor-type = &(
unrestricted: 1,
restricted: 2,
secure-restricted: 3,
hardware: 4
)
$$claims-set-claims //= ( security-level-json-type =
manifests-label => manifests-type "unrestricted" /
) "restricted" /
"secure-restricted" /
"hardware"
$$claims-set-claims //= (secure-boot-label => bool)
$$claims-set-claims //= (
debug-status-label =>
debug-status-cbor-type / debug-status-json-type
)
manifests-type = [+ $$manifest-formats] debug-status-cbor-type = &(
enabled: 0,
disabled: 1,
disabled-since-boot: 2,
disabled-permanently: 3,
disabled-fully-and-permanently: 4
)
; Must be a CoSWID payload type debug-status-json-type =
; TODO: signed CoSWIDs "enabled" /
coswid-that-is-a-cbor-tag-xx = tagged-coswid<concise-swid-tag> "disabled" /
"disabled-since-boot" /
"disabled-permanently" /
"disabled-fully-and-permanently"
$$claims-set-claims //= (location-label => location-type)
$$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx location-type = {
; TODO: make this work too latitude => number,
;$$manifest-formats /= bytes .cbor SUIT_Envelope_Tagged longitude => number,
? altitude => number,
? accuracy => number,
? altitude-accuracy => number,
? heading => number,
? speed => number,
? timestamp => ~time-int,
? age => uint
}
$$claims-set-claims //= ( latitude = 1 / "latitude"
swevidence-label => swevidence-type longitude = 2 / "longitude"
) altitude = 3 / "altitude"
accuracy = 4 / "accuracy"
altitude-accuracy = 5 / "altitude-accuracy"
heading = 6 / "heading"
speed = 7 / "speed"
timestamp = 8 / "timestamp"
age = 9 / "age"
$$claims-set-claims //= (uptime-label => uint)
$$claims-set-claims //= (boot-seed-label => bytes)
$$claims-set-claims //= (odometer-label => uint)
$$claims-set-claims //= (
intended-use-label =>
intended-use-cbor-type / intended-use-json-type
)
intended-use-cbor-type = &(
generic: 1,
registration: 2,
provisioning: 3,
csr: 4,
pop: 5
)
swevidence-type = [+ $$swevidence-formats] intended-use-json-type =
"generic" /
"registration" /
"provisioning" /
"csr" /
"pop"
$$claims-set-claims //= (
dloas-label => [ + dloa-type ]
)
; Must be a CoSWID evidence type that is a CBOR tag dloa-type = [
; TODO: fix the CDDL so a signed CoSWID is allowed too dloa_registrar: ~uri
coswid-that-is-a-cbor-tag = tagged-coswid<concise-swid-tag> dloa_platform_label: text
$$swevidence-formats /= bytes .cbor coswid-that-is-a-cbor-tag ? dloa_application_label: text
]
$$claims-set-claims //= (profile-label => ~uri / ~oid)
$$claims-set-claims //= (
manifests-label => manifests-type
)
$$claims-set-claims //= (swresults-label => [ + swresult-type ]) manifests-type = [+ $$manifest-formats]
verification-result-cbor-type = &( coswid-that-is-a-cbor-tag-xx = tagged-coswid<concise-swid-tag>
verification-not-run: 1,
verification-indeterminate: 2,
verification-failed: 3,
fully-verified: 4,
partially-verified: 5,
)
verification-result-json-type = $$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx$$claims-set-claims //= (
"verification-not-run" / swevidence-label => swevidence-type
"verification-indeterminate" / )
"verification-failed" /
"fully-verified" /
"partially-verified"
verification-objective-cbor-type = &( swevidence-type = [+ $$swevidence-formats]
all: 1,
firmware: 2,
kernel: 3,
privileged: 4,
system-libs: 5,
partial: 6,
)
verification-objective-json-type = coswid-that-is-a-cbor-tag = tagged-coswid<concise-swid-tag>
"all" / $$swevidence-formats /= bytes .cbor coswid-that-is-a-cbor-tag
"firmware" / $$claims-set-claims //= (swresults-label => [ + swresult-type ])
"kernel" /
"privileged" /
"system-libs" /
"partial"
swresult-type = [ verification-result-cbor-type = &(
verification-system: tstr, verification-not-run: 1,
objective: verification-objective-cbor-type / verification-indeterminate: 2,
verification-objective-json-type, verification-failed: 3,
result: verification-result-cbor-type / fully-verified: 4,
verification-result-json-type, partially-verified: 5,
? objective-name: tstr
]
; This is the part of a token that contains all the submodules. It
; is a peer with the claims in the token, but not a claim, only a
; map/object to hold all the submodules.
$$claims-set-claims //= (submods-label => { + text => Submodule }) )
; A submodule can be: verification-result-json-type =
; - A simple Claims-Set (encoded in the same format as the token) "verification-not-run" /
; - A digest of a detached Claims-Set (encoded in the same format as "verification-indeterminate" /
; the token) "verification-failed" /
; - A nested token which may be either CBOR or JSON format. Further, "fully-verified" /
; the mechanism for identifying and containing the nested token "partially-verified"
; depends on the format of the surrounding token, particularly
; because JSON doesn't have any equivalent of a CBOR tag so a
; JSON-specific mechanism is invented. Also, there is the issue
; that binary data must be B64 encoded when carried in
; JSON. Nested-Token is defined in the format specific CDDL, not
; here.
; Note that at nested token can either be a signed token like a CWT verification-objective-cbor-type = &(
; or JWT, an unsigned token like a UCCS or UJCS, or a DEB (detached all: 1,
; EAT bundle). The specific encoding of these is format-specific firmware: 2,
; so it doesn't appear here. kernel: 3,
privileged: 4,
system-libs: 5,
partial: 6,
)
Submodule = Claims-Set / Nested-Token / Detached-Submodule-Digest verification-objective-json-type =
"all" /
"firmware" /
"kernel" /
"privileged" /
"system-libs" /
"partial"
; This is for both JSON and CBOR. JSON uses text label for swresult-type = [
; algorithm from JOSE registry. CBOR uses integer label for verification-system: tstr,
; algorithm from COSE registry. In JSON the digest is base64 objective: verification-objective-cbor-type /
; encoded. verification-objective-json-type,
result: verification-result-cbor-type /
verification-result-json-type,
? objective-name: tstr
]
$$claims-set-claims //= (submods-label => { + text => Submodule })
Detached-Submodule-Digest = [ Submodule = Claims-Set / Nested-Token / Detached-Submodule-Digest
algorithm : int / text,
digest : bstr
]
; Top-level definition of a DEB for CBOR and JSON
Detached-EAT-Bundle = [ Detached-Submodule-Digest = [
main-token : Nested-Token, algorithm : int / text,
detached-claims-sets: { digest : bstr
+ tstr => cbor-wrapped-claims-set / json-wrapped-claims-set ]
} Detached-EAT-Bundle = [
] main-token : Nested-Token,
detached-claims-sets: {
+ tstr => cbor-wrapped-claims-set / json-wrapped-claims-set
; text content is a base64url encoded JSON-format Claims-Set }
]
json-wrapped-claims-set = tstr .regexp "[A-Za-z0-9_=-]+" json-wrapped-claims-set = tstr .regexp "[A-Za-z0-9_=-]+"
cbor-wrapped-claims-set = bstr .cbor Claims-Set cbor-wrapped-claims-set = bstr .cbor Claims-Set
8.5. Collected CDDL for CBOR 8.5. Collected CDDL for CBOR
; The top-level definition of a CBOR-encoded token. CBOR-Token = Tagged-CBOR-Token / Untagged-CBOR-Token
CBOR-Token = Tagged-CBOR-Token / Untagged-CBOR-Token
; All forms of a CBOR-encoded token that are a CBOR tag.
Tagged-CBOR-Token = CWT-Tagged-Message
Tagged-CBOR-Token /= UCCS-Tagged-Message
Tagged-CBOR-Token /= DEB-Tagged-Message
; All forms of a CBOR-encoded token that are not a CBOR tag.
Untagged-CBOR-Token = CWT-Untagged-Message
Untagged-CBOR-Token /= UCCS-Untagged-Message
Untagged-CBOR-Token /= DEB-Untagged-Message
; The payload of the COSE message is always a Claims-Set
CWT-Tagged-Message = COSE_Tagged_Message
CWT-Untagged-Message = COSE_Untagged_Message
UCCS-Message = UCCS-Tagged-Message / UCCS-Untagged-Message
UCCS-Tagged-Message = #6.601(UCCS-Untagged-Message)
UCCS-Untagged-Message = Claims-Set Tagged-CBOR-Token = CWT-Tagged-Message
Tagged-CBOR-Token /= UCCS-Tagged-Message
Tagged-CBOR-Token /= DEB-Tagged-Message
DEB-Tagged-Message = #6.602(DEB-Untagged-Message) Untagged-CBOR-Token = CWT-Untagged-Message
Untagged-CBOR-Token /= UCCS-Untagged-Message
Untagged-CBOR-Token /= DEB-Untagged-Message
DEB-Untagged-Message = Detached-EAT-Bundle CWT-Tagged-Message = COSE_Tagged_Message
CWT-Untagged-Message = COSE_Untagged_Message
; This specifies how one fully-formed token is nested inside a UCCS-Message = UCCS-Tagged-Message / UCCS-Untagged-Message
; CBOR-format token. The fully-formed nested token is any valid
; token, CBOR or JSON (JWT, CWT, UCCS, DEB...) The mechanism for
; identifying the type of the nested token is specific to the format
; of the surrounding token, CBOR in this case.
;
; A primary reason this is encoding-specific is that JSON does not
; have an equivalent to CBOR tags.
;
; If the data type here is text, then the nested token is JSON
; format, one of a JWT, UJCS or JSON-encoded DEB. The means for
; distinguishing which is in the definition of JSON-encoded
; Nested-Token. If the data type is bstr, then the nested token
; is CBOR format. It is byte-string wrapped and identified by a
;CBOR tag.
Nested-Token = UCCS-Tagged-Message = #6.601(UCCS-Untagged-Message)
tstr / ; A JSON-encoded Nested-Token (see json-nested-token.cddl)
bstr .cbor Tagged-CBOR-Token
; This is the CDDL definition of the labels for a CBOR format web UCCS-Untagged-Message = Claims-Set
; token, a CWT. The CDDL for the claims is in web-token-claims.cddl
iss-label = 1 DEB-Tagged-Message = #6.602(DEB-Untagged-Message)
sub-label = 2
aud-label = 3
exp-label = 4
nbf-label = 5
iat-label = 6
cti-label = 7; The following Claim Keys (labels) are pre-assigned by IANA.
; They are for CBOR-based tokens (CWT and UCCS).
; They are not expected to change in the final publication as an RFC.
nonce-label = 10 DEB-Untagged-Message = Detached-EAT-Bundle
ueid-label = 11
oemid-label = 13
security-level-label = 14
secure-boot-label = 15
debug-status-label = 16
location-label = 17
profile-label = 18
submods-label = 20
; These are not yet assigned in any way and may change. Nested-Token =
; These are intentionally above 24 so as to not use up tstr / ; A JSON-encoded Nested-Token (see json-nested-token.cddl)
; single-byte labels. bstr .cbor Tagged-CBOR-Token
sueids-label = <TBD25> iss-label = 1
chip-version-label = <TBD26> sub-label = 2
board-version-label = <TBD27> aud-label = 3
device-version-label = <TBD28> exp-label = 4
sw-name-label = <TBD29> nbf-label = 5
sw-version-label = <TBD30> iat-label = 6
uptime-label = <TBD31> cti-label = 7nonce-label = 10
boot-seed-label = <TBD32> ueid-label = 256
intended-use-label = <TBD33> sueids-label = 257
dloas-label = <TBD34> oemid-label = 258
manifests-label = <TBD35> hardware-model-label = 259
swevidence-label = <TBD36> hardware-version-label = 260
swresults-label = <TBD37> secure-boot-label = 262
debug-status-label = 263
location-label = 264
profile-label = 265
submods-label = 266
security-level-label = <TBD>
uptime-label = <TBD>
boot-seed-label = <TB>
odometer-label = <TBD>
intended-use-label = <TBD>
dloas-label = <TBD>
sw-name-label = <TBD>
sw-version-label = <TBD>
manifests-label = <TBD>
swevidence-label = <TBD>
swresults-label = <TBD>
8.6. Collected CDDL for JSON 8.6. Collected CDDL for JSON
; A JWT message is either a JWS or JWE in compact serialization form
; with the payload a Claims-Set. Compact serialization is the
; protected headers, payload and signature, each b64url encoded and
; separated by a ".". This CDDL simply matches top-level syntax of of
; a JWS or JWE since it is not possible to do more in CDDL.
JWT-Message = text .regexp [A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+ JWT-Message = text .regexp [A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+
; This defines the JSON equivalent of a UCCS message, a token with
; no integrity or authenticity protection.
UJCS-Message = Claims-Set UJCS-Message = Claims-Set
; This describes a nested token that occurs inside a JSON-encoded
; token. It uses an array that is made up of a type indicator and the
; actual token. This is a substitute for the CBOR tag mechanism that
; JSON does not have.
Nested-Token = [ Nested-Token = [
type : "JWT" / "CBOR" / "UJCS" / "DEB", type : "JWT" / "CBOR" / "UJCS" / "DEB",
nested-token : JWT-Message / nested-token : JWT-Message /
B64URL-Tagged-CBOR-Token / B64URL-Tagged-CBOR-Token /
DEB-JSON-Message / DEB-JSON-Message /
UJCS-Message UJCS-Message
] ]
; This text is a Tagged-CBOR-Token (see cbor-token.cddl) that is
; base64url encoded. For example, it is a CWT that is a COSE_Sign1
; that is a CBOR tag that has been base64url encoded.
B64URL-Tagged-CBOR-Token = tstr .regexp "[A-Za-z0-9_=-]+" B64URL-Tagged-CBOR-Token = tstr .regexp "[A-Za-z0-9_=-]+"
; This is the CDDL definition of the labels for a JSON format web
; token, a JWT. The CDDL for the claims is in web-token-claims.cddl
iss-label = "iss" iss-label = "iss"
sub-label = "sub" sub-label = "sub"
aud-label = "aud" aud-label = "aud"
exp-label = "exp" exp-label = "exp"
nbf-label = "nbf" nbf-label = "nbf"
iat-label = "iat" iat-label = "iat"
cti-label = "cti"; The following are claim names for JSON encoded tokens. cti-label = "cti"nonce-label /= "nonce"
ueid-label /= "ueid" ueid-label /= "ueid"
sueids-label /= "sueids" sueids-label /= "sueids"
nonce-label /= "nonce"
oemid-label /= "oemid" oemid-label /= "oemid"
hardware-model-label /= "hwmodel"
hardware-version-label /= "hwversion"
security-level-label /= "seclevel" security-level-label /= "seclevel"
secure-boot-label /= "secboot" secure-boot-label /= "secboot"
debug-status-label /= "dbgstat" debug-status-label /= "dbgstat"
location-label /= "location" location-label /= "location"
uptime-label /= "uptime"
profile-label /= "eat-profile" profile-label /= "eat-profile"
intended-use-label /= "intuse" uptime-label /= "uptime"
boot-seed-label /= "bootseed" boot-seed-label /= "bootseed"
submods-label /= "submods" odometer-label /= "odometer"
timestamp /= "timestamp" intended-use-label /= "intuse"
manifests-label /= "manifests"
swevidence-label /= "swevidence"
dloas-label /= "dloas" dloas-label /= "dloas"
swresults-label /= "swresults"
sw-name-label /= "swname" sw-name-label /= "swname"
sw-version-label /= "swversion" sw-version-label /= "swversion"
manifests-label /= "manifests"
swevidence-label /= "swevidence"
swresults-label /= "swresults"
submods-label /= "submods"
latitude /= "lat" latitude /= "lat"
longitude /= "long" longitude /= "long"
altitude /= "alt" altitude /= "alt"
accuracy /= "accry" accuracy /= "accry"
altitude-accuracy /= "alt-accry" altitude-accuracy /= "alt-accry"
heading /= "heading" heading /= "heading"
speed /= "speed" speed /= "speed"
9. IANA Considerations 9. IANA Considerations
skipping to change at page 61, line 42 skipping to change at page 59, line 28
distinguish claims with early assignment. Also, the following distinguish claims with early assignment. Also, the following
paragraph should be removed. paragraph should be removed.
The claims in this section have been (requested for / given) early The claims in this section have been (requested for / given) early
assignment according to [RFC7120]. They have been assigned values assignment according to [RFC7120]. They have been assigned values
and registered before final publication of this document. While and registered before final publication of this document. While
their semantics is not expected to change in final publication, it is their semantics is not expected to change in final publication, it is
possible that they will. The JWT Claim Names and CWT Claim Keys are possible that they will. The JWT Claim Names and CWT Claim Keys are
not expected to change. not expected to change.
In draft -06 an early allocation was described. The processing of
that early allocation was never correctly completed. This early
allocation assigns different numbers for the CBOR claim labels. This
early allocation will presumably complete correctly
o Claim Name: Nonce o Claim Name: Nonce
o Claim Description: Nonce o Claim Description: Nonce
o JWT Claim Name: "nonce" (already registered for JWT) o JWT Claim Name: "nonce" (already registered for JWT)
o Claim Key: 10 o Claim Key: TBD (requested value 10)
o Claim Value Type(s): byte string o Claim Value Type(s): byte string
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): [OpenIDConnectCore], *this document* o Specification Document(s): [OpenIDConnectCore], *this document*
o Claim Name: UEID o Claim Name: UEID
o Claim Description: The Universal Entity ID o Claim Description: The Universal Entity ID
o JWT Claim Name: "ueid" o JWT Claim Name: "ueid"
o CWT Claim Key: TBD (requested value 256)
o CWT Claim Key: 11
o Claim Value Type(s): byte string o Claim Value Type(s): byte string
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: OEMID o Claim Name: SUEIDs
o Claim Description: IEEE-based OEM ID o Claim Description: Semi-permanent UEIDs
o JWT Claim Name: "sueids"
o CWT Claim Key: TBD (requested value 257)
o Claim Value Type(s): map
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: Hardware OEMID
o Claim Description: Hardware OEM ID
o JWT Claim Name: "oemid" o JWT Claim Name: "oemid"
o Claim Key: 13 o Claim Key: TBD (requested value 258)
o Claim Value Type(s): byte string o Claim Value Type(s): byte string or integer
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: Security Level o Claim Name: Hardware Model
o Claim Description: Characterization of the security of an Attester o Claim Description: Model identifier for hardware
or submodule
o JWT Claim Name: "seclevel" o JWT Claim Name: "hwmodel"
o Claim Key: 14 o Claim Key: TBD (requested value 259)
o Claim Value Type(s): integer o Claim Value Type(s): byte string
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: Hardware Version
o Claim Description: Hardware Version Identifier
o JWT Claim Name: "hwversion"
o Claim Key: TBD (requested value 260)
o Claim Value Type(s): array
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: Secure Boot o Claim Name: Secure Boot
o Claim Description: Indicate whether the boot was secure o Claim Description: Indicate whether the boot was secure
o JWT Claim Name: "secboot" o JWT Claim Name: "secboot"
o Claim Key: 15 o Claim Key: TBD (requested value 262)
o Claim Value Type(s): Boolean o Claim Value Type(s): Boolean
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: Debug Status o Claim Name: Debug Status
o Claim Description: Indicate status of debug facilities o Claim Description: Indicate status of debug facilities
o JWT Claim Name: "dbgstat" o JWT Claim Name: "dbgstat"
o Claim Key: 16 o Claim Key: TBD (requested value 263)
o Claim Value Type(s): integer o Claim Value Type(s): integer or string
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: Location o Claim Name: Location
o Claim Description: The geographic location o Claim Description: The geographic location
o JWT Claim Name: "location" o JWT Claim Name: "location"
o Claim Key: 17 o Claim Key: TBD (requested value 264)
o Claim Value Type(s): map o Claim Value Type(s): map
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: Profile o Claim Name: Profile
o Claim Description: Indicates the EAT profile followed o Claim Description: Indicates the EAT profile followed
o JWT Claim Name: "eat_profile" o JWT Claim Name: "eat_profile"
o Claim Key: 18 o Claim Key: TBD (requested value 265)
o Claim Value Type(s): URI or OID
o Claim Value Type(s): map
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
o Claim Name: Submodules Section o Claim Name: Submodules Section
o Claim Description: The section containing submodules (not actually o Claim Description: The section containing submodules
a claim)
o JWT Claim Name: "submods" o JWT Claim Name: "submods"
o Claim Key: 20 o Claim Key: TBD (requested value 266)
o Claim Value Type(s): map o Claim Value Type(s): map
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): *this document* o Specification Document(s): *this document*
9.3.2. To be Assigned Claims 9.3.2. To be Assigned Claims
TODO: add the rest of the claims in here (Early assignment is NOT requested for these claims. Implementers
should be aware they may change)
o Claim Name: Security Level
o Claim Description: Characterization of the security of an Attester
or submodule
o JWT Claim Name: "seclevel"
o Claim Key: TBD
o Claim Value Type(s): integer or string
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: Uptime
o Claim Description: Uptime
o JWT Claim Name: "uptime"
o Claim Key: TBD
o Claim Value Type(s): unsigned integer
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: Boot Seed
o Claim Description: Identifies a boot cycle
o JWT Claim Name: "bootseed"
o Claim Key: TBD
o Claim Value Type(s): bytes
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: Intended Use
o Claim Description: Indicates intended use of the EAT
o JWT Claim Name: "intuse"
o Claim Key: TBD
o Claim Value Type(s): integer or string
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: DLOAs
o Claim Description: Certifications received as Digital Letters of
Approval
o JWT Claim Name: "dloas"
o Claim Key: TBD
o Claim Value Type(s): array
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: SW Name
o Claim Description: The name of the SW running in the entity
o JWT Claim Name: "swname"
o Claim Key: TBD
o Claim Value Type(s): map
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: SW Version
o Claim Description: The version of SW running in the entity
o JWT Claim Name: "swversion"
o Claim Key: TBD
o Claim Value Type(s): map
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: SW Manifests
o Claim Description: Manifests describing the SW installed on the
entity
o JWT Claim Name: "manifests"
o Claim Key: TBD
o Claim Value Type(s): array
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: SW Evidence
o Claim Description: Measurements of the SW, memory configuration
and such on the entity
o JWT Claim Name: "swevidence"
o Claim Key: TBD
o Claim Value Type(s): array
o Change Controller: IESG
o Specification Document(s): *this document*
o Claim Name: SW Measurment Results
o Claim Description: The results of comparing SW measurements to
reference values
o JWT Claim Name: "swresults"
o Claim Key: TBD
o Claim Value Type(s): array
o Change Controller: IESG
o Specification Document(s): *this document*
9.3.3. Version Schemes Registered by this Document 9.3.3. Version Schemes Registered by this Document
IANA is requested to register a new value in the "Software Tag IANA is requested to register a new value in the "Software Tag
Version Scheme Values" established by [CoSWID]. Version Scheme Values" established by [CoSWID].
The new value is a version scheme a 13-digit European Article Number The new value is a version scheme a 13-digit European Article Number
[EAN-13]. An EAN-13 is also known as an International Article Number [EAN-13]. An EAN-13 is also known as an International Article Number
or most commonly as a bar code. This version scheme is the ASCII or most commonly as a bar code. This version scheme is the ASCII
text representation of EAN-13 digits, the same ones often printed text representation of EAN-13 digits, the same ones often printed
skipping to change at page 65, line 36 skipping to change at page 67, line 8
Certain EAT claims can be used to track the owner of an entity and Certain EAT claims can be used to track the owner of an entity and
therefore, implementations should consider providing privacy- therefore, implementations should consider providing privacy-
preserving options dependent on the intended usage of the EAT. preserving options dependent on the intended usage of the EAT.
Examples would include suppression of location claims for EAT's Examples would include suppression of location claims for EAT's
provided to unauthenticated consumers. provided to unauthenticated consumers.
10.1. UEID and SUEID Privacy Considerations 10.1. UEID and SUEID Privacy Considerations
A UEID is usually not privacy-preserving. Any set of Relying Parties A UEID is usually not privacy-preserving. Any set of Relying Parties
that receives tokens that happen to be from a single device will be that receives tokens that happen to be from a particular entity will
able to know the tokens are all from the same device and be able to be able to know the tokens are all from the same entity and be able
track the device. Thus, in many usage situations UEID violates to track it.
governmental privacy regulation. In other usage situations a UEID
will not be allowed for certain products like browsers that give Thus, in many usage situations UEID violates governmental privacy
privacy for the end user. It will often be the case that tokens will regulation. In other usage situations a UEID will not be allowed for
not have a UEID for these reasons. certain products like browsers that give privacy for the end user.
It will often be the case that tokens will not have a UEID for these
reasons.
An SUEID is also usually not privacy-preserving. In some cases it An SUEID is also usually not privacy-preserving. In some cases it
may have fewer privacy issues than a UEID depending on when and how may have fewer privacy issues than a UEID depending on when and how
and when it is generated. and when it is generated.
There are several strategies that can be used to still be able to put There are several strategies that can be used to still be able to put
UEIDs and SUEIDs in tokens: UEIDs and SUEIDs in tokens:
o The device obtains explicit permission from the user of the device o The entity obtains explicit permission from the user of the entity
to use the UEID/SUEID. This may be through a prompt. It may also to use the UEID/SUEID. This may be through a prompt. It may also
be through a license agreement. For example, agreements for some be through a license agreement. For example, agreements for some
online banking and brokerage services might already cover use of a online banking and brokerage services might already cover use of a
UEID/SUEID. UEID/SUEID.
o The UEID/SUEID is used only in a particular context or particular o The UEID/SUEID is used only in a particular context or particular
use case. It is used only by one Relying Party. use case. It is used only by one Relying Party.
o The device authenticates the Relying Party and generates a derived o The entity authenticates the Relying Party and generates a derived
UEID/SUEID just for that particular Relying Party. For example, UEID/SUEID just for that particular Relying Party. For example,
the Relying Party could prove their identity cryptographically to the Relying Party could prove their identity cryptographically to
the device, then the device generates a UEID just for that Relying the entity, then the entity generates a UEID just for that Relying
Party by hashing a proofed Relying Party ID with the main device Party by hashing a proofed Relying Party ID with the main entity
UEID/SUEID. UEID/SUEID.
Note that some of these privacy preservation strategies result in Note that some of these privacy preservation strategies result in
multiple UEIDs and SUEIDs per device. Each UEID/SUEID is used in a multiple UEIDs and SUEIDs per entity. Each UEID/SUEID is used in a
different context, use case or system on the device. However, from different context, use case or system on the entity. However, from
the view of the Relying Party, there is just one UEID and it is still the view of the Relying Party, there is just one UEID and it is still
globally universal across manufacturers. globally universal across manufacturers.
10.2. Location Privacy Considerations 10.2. Location Privacy Considerations
Geographic location is most always considered personally identifiable Geographic location is most always considered personally identifiable
information. Implementers should consider laws and regulations information. Implementers should consider laws and regulations
governing the transmission of location data from end user devices to governing the transmission of location data from end user devices to
servers and services. Implementers should consider using location servers and services. Implementers should consider using location
management facilities offered by the operating system on the device management facilities offered by the operating system on the entity
generating the attestation. For example, many mobile phones prompt generating the attestation. For example, many mobile phones prompt
the user for permission when before sending location data. the user for permission when before sending location data.
10.3. Replay Protection and Privacy
EAT offers 2 primary mechanisms for token replay protection (also
sometimes known as token "freshness"): the cti/jti claim and the
nonce claim. The cti/jti claim in a CWT/JWT is a field that may be
optionally included in the EAT and is in general derived on the same
device in which the entity is instantiated. The nonce claim is based
on a value that is usually derived remotely (outside of the entity).
These claims can be used to extract and convey personally-identifying
information either inadvertently or by intention. For instance, an
implementor may choose a cti that is equivalent to a username
associated with the device (e.g., account login). If the token is
inspected by a 3rd-party then this information could be used to
identify the source of the token or an account associated with the
token (e.g., if the account name is used to derive the nonce). In
order to avoid the conveyance of privacy-related information in
either the cti/jti or nonce claims, these fields should be derived
using a salt that originates from a true and reliable random number
generator or any other source of randomness that would still meet the
target system requirements for replay protection.
11. Security Considerations 11. Security Considerations
The security considerations provided in Section 8 of [RFC8392] and The security considerations provided in Section 8 of [RFC8392] and
Section 11 of [RFC7519] apply to EAT in its CWT and JWT form, Section 11 of [RFC7519] apply to EAT in its CWT and JWT form,
respectively. In addition, implementors should consider the respectively. In addition, implementors should consider the
following. following.
11.1. Key Provisioning 11.1. Key Provisioning
Private key material can be used to sign and/or encrypt the EAT, or Private key material can be used to sign and/or encrypt the EAT, or
skipping to change at page 68, line 21 skipping to change at page 70, line 15
each claim subset for a downstream consumer is created in the form of each claim subset for a downstream consumer is created in the form of
a nested EAT. Then transport security between the receiving and a nested EAT. Then transport security between the receiving and
downstream consumers is not strictly required. Nevertheless, downstream consumers is not strictly required. Nevertheless,
downstream consumers of a nested EAT should provide a nonce unique to downstream consumers of a nested EAT should provide a nonce unique to
the EAT they are consuming. the EAT they are consuming.
12. References 12. References
12.1. Normative References 12.1. Normative References
[CBOR.OID]
Bormann, C., "Concise Binary Object Representation (CBOR)
Tags for Object Identifiers", draft-ietf-cbor-tags-oid-08
(work in progress), May 2021.
[CoSWID] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. [CoSWID] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
Waltermire, "Concise Software Identification Tags", draft- Waltermire, "Concise Software Identification Tags", draft-
ietf-sacm-coswid-19 (work in progress), October 2021. ietf-sacm-coswid-20 (work in progress), January 2022.
[DLOA] "Digital Letter of Approval", November 2015, [DLOA] "Digital Letter of Approval", November 2015,
<https://globalplatform.org/wp-content/uploads/2015/12/ <https://globalplatform.org/wp-content/uploads/2015/12/
GPC_DigitalLetterOfApproval_v1.0.pdf>. GPC_DigitalLetterOfApproval_v1.0.pdf>.
[EAN-13] GS1, "International Article Number - EAN/UPC barcodes", [EAN-13] GS1, "International Article Number - EAN/UPC barcodes",
2019, <https://www.gs1.org/standards/barcodes/ean-upc>. 2019, <https://www.gs1.org/standards/barcodes/ean-upc>.
[FIDO.AROE] [FIDO.AROE]
The FIDO Alliance, "FIDO Authenticator Allowed Restricted The FIDO Alliance, "FIDO Authenticator Allowed Restricted
skipping to change at page 69, line 28 skipping to change at page 71, line 18
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
2014, <https://www.rfc-editor.org/info/rfc7159>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <https://www.rfc-editor.org/info/rfc7515>. 2015, <https://www.rfc-editor.org/info/rfc7515>.
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
RFC 7516, DOI 10.17487/RFC7516, May 2015,
<https://www.rfc-editor.org/info/rfc7516>.
[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517,
DOI 10.17487/RFC7517, May 2015, DOI 10.17487/RFC7517, May 2015,
<https://www.rfc-editor.org/info/rfc7517>. <https://www.rfc-editor.org/info/rfc7517>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/info/rfc7519>. <https://www.rfc-editor.org/info/rfc7519>.
[RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of-
Possession Key Semantics for JSON Web Tokens (JWTs)", Possession Key Semantics for JSON Web Tokens (JWTs)",
skipping to change at page 70, line 29 skipping to change at page 72, line 29
[RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H.
Tschofenig, "Proof-of-Possession Key Semantics for CBOR Tschofenig, "Proof-of-Possession Key Semantics for CBOR
Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March
2020, <https://www.rfc-editor.org/info/rfc8747>. 2020, <https://www.rfc-editor.org/info/rfc8747>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949, Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020, DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>. <https://www.rfc-editor.org/info/rfc8949>.
[RFC9090] Bormann, C., "Concise Binary Object Representation (CBOR)
Tags for Object Identifiers", RFC 9090,
DOI 10.17487/RFC9090, July 2021,
<https://www.rfc-editor.org/info/rfc9090>.
[ThreeGPP.IMEI] [ThreeGPP.IMEI]
3GPP, "3rd Generation Partnership Project; Technical 3GPP, "3rd Generation Partnership Project; Technical
Specification Group Core Network and Terminals; Numbering, Specification Group Core Network and Terminals; Numbering,
addressing and identification", 2019, addressing and identification", 2019,
<https://portal.3gpp.org/desktopmodules/Specifications/ <https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=729>. SpecificationDetails.aspx?specificationId=729>.
[UCCS.Draft] [UCCS.Draft]
Birkholz, H., O'Donoghue, J., Cam-Winget, N., and C. Birkholz, H., O'Donoghue, J., Cam-Winget, N., and C.
Bormann, "A CBOR Tag for Unprotected CWT Claims Sets", Bormann, "A CBOR Tag for Unprotected CWT Claims Sets",
draft-ietf-rats-uccs-01 (work in progress), July 2021. draft-ietf-rats-uccs-02 (work in progress), January 2022.
[WGS84] National Geospatial-Intelligence Agency (NGA), "WORLD [WGS84] National Geospatial-Intelligence Agency (NGA), "WORLD
GEODETIC SYSTEM 1984, NGA.STND.0036_1.0.0_WGS84", July GEODETIC SYSTEM 1984, NGA.STND.0036_1.0.0_WGS84", July
2014, <https://earth-info.nga.mil/php/ 2014, <https://earth-info.nga.mil/php/
download.php?file=coord-wgs84>. download.php?file=coord-wgs84>.
12.2. Informative References 12.2. Informative References
[BirthdayAttack] [BirthdayAttack]
"Birthday attack", "Birthday attack",
<https://en.wikipedia.org/wiki/Birthday_attack.>. <https://en.wikipedia.org/wiki/Birthday_attack.>.
[CBOR.Cert.Draft] [CBOR.Cert.Draft]
Mattsson, J. P., Selander, G., Raza, S., Hoeglund, J., and Mattsson, J. P., Selander, G., Raza, S., Hoeglund, J., and
M. Furuhed, "CBOR Encoded X.509 Certificates (C509 M. Furuhed, "CBOR Encoded X.509 Certificates (C509
Certificates)", draft-ietf-cose-cbor-encoded-cert-02 (work Certificates)", draft-ietf-cose-cbor-encoded-cert-03 (work
in progress), July 2021. in progress), January 2022.
[Common.Criteria] [Common.Criteria]
"Common Criteria for Information Technology Security "Common Criteria for Information Technology Security
Evaluation", April 2017, Evaluation", April 2017,
<https://www.commoncriteriaportal.org/cc/>. <https://www.commoncriteriaportal.org/cc/>.
[COSE.X509.Draft] [COSE.X509.Draft]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Schaad, J., "CBOR Object Signing and Encryption (COSE):
Header parameters for carrying and referencing X.509 Header parameters for carrying and referencing X.509
certificates", draft-ietf-cose-x509-08 (work in progress), certificates", draft-ietf-cose-x509-08 (work in progress),
December 2020. December 2020.
[ECMAScript]
"Ecma International, "ECMAScript Language Specification,
5.1 Edition", ECMA Standard 262", June 2011,
<http://www.ecma-international.org/ecma-262/5.1/ECMA-
262.pdf>.
[FIPS-140] [FIPS-140]
National Institue of Standards, "Security Requirements for National Institue of Standards, "Security Requirements for
Cryptographic Modules", May 2001, Cryptographic Modules", May 2001,
<https://csrc.nist.gov/publications/detail/fips/140/2/ <https://csrc.nist.gov/publications/detail/fips/140/2/
final>. final>.
[IEEE.802-2001] [IEEE.802-2001]
"IEEE Standard For Local And Metropolitan Area Networks "IEEE Standard For Local And Metropolitan Area Networks
Overview And Architecture", 2007, Overview And Architecture", 2007,
<https://webstore.ansi.org/standards/ieee/ <https://webstore.ansi.org/standards/ieee/
skipping to change at page 72, line 20 skipping to change at page 74, line 20
standards/standards/web/documents/tutorials/eui.pdf>. standards/standards/web/documents/tutorials/eui.pdf>.
[OUI.Lookup] [OUI.Lookup]
"IEEE Registration Authority Assignments", "IEEE Registration Authority Assignments",
<https://regauth.standards.ieee.org/standards-ra-web/pub/ <https://regauth.standards.ieee.org/standards-ra-web/pub/
view.html#registries>. view.html#registries>.
[RATS.Architecture] [RATS.Architecture]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", W. Pan, "Remote Attestation Procedures Architecture",
draft-ietf-rats-architecture-12 (work in progress), April draft-ietf-rats-architecture-15 (work in progress),
2021. February 2022.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
Authentication and Security Layer (SASL)", RFC 4422,
DOI 10.17487/RFC4422, June 2006,
<https://www.rfc-editor.org/info/rfc4422>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code [RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code
Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120, January Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120, January
2014, <https://www.rfc-editor.org/info/rfc7120>. 2014, <https://www.rfc-editor.org/info/rfc7120>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC9039] Arkko, J., Jennings, C., and Z. Shelby, "Uniform Resource [RFC9039] Arkko, J., Jennings, C., and Z. Shelby, "Uniform Resource
Names for Device Identifiers", RFC 9039, Names for Device Identifiers", RFC 9039,
DOI 10.17487/RFC9039, June 2021, DOI 10.17487/RFC9039, June 2021,
<https://www.rfc-editor.org/info/rfc9039>. <https://www.rfc-editor.org/info/rfc9039>.
[W3C.GeoLoc] [W3C.GeoLoc]
Worldwide Web Consortium, "Geolocation API Specification Worldwide Web Consortium, "Geolocation API Specification
2nd Edition", January 2018, <https://www.w3.org/TR/ 2nd Edition", January 2018, <https://www.w3.org/TR/
geolocation-API/#coordinates_interface>. geolocation-API/#coordinates_interface>.
skipping to change at page 73, line 29 skipping to change at page 76, line 29
A.1. Simple TEE Attestation A.1. Simple TEE Attestation
This is a simple attestation of a TEE that includes a manifest that This is a simple attestation of a TEE that includes a manifest that
is a payload CoSWID to describe the TEE's software. is a payload CoSWID to describe the TEE's software.
/ This is a UCCS EAT that describes a simple TEE. / / This is a UCCS EAT that describes a simple TEE. /
601({ 601({
/ nonce / 10: h'948f8860d13a463e', / nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted / / security-level / 261: 3, / secure-restricted /
/ secure-boot / 15: true, / secure-boot / 262: true,
/ debug-status / 16: 2, / disabled-since-boot / / debug-status / 263: 2, / disabled-since-boot /
/ manfests / 35: [ / manfests / 273: [
/ This is byte-string wrapped / / This is byte-string wrapped /
/ payload CoSWID. It gives the TEE / / payload CoSWID. It gives the TEE /
/ software name, the version and / / software name, the version and /
/ the name of the file it is in. / / the name of the file it is in. /
h' da53574944a60064336132340c01016b h' da53574944a60064336132340c01016b
41636d6520544545204f530d65332e31 41636d6520544545204f530d65332e31
2e340282a2181f6b41636d6520544545 2e340282a2181f6b41636d6520544545
204f53182101a2181f6b41636d652054 204f53182101a2181f6b41636d652054
4545204f5318210206a111a118186e61 4545204f5318210206a111a118186e61
636d655f7465655f332e657865' 636d655f7465655f332e657865'
skipping to change at page 74, line 30 skipping to change at page 77, line 30
/ role / 33: 2 / software-creator / / role / 33: 2 / software-creator /
} }
], ],
/ payload / 6: { / payload / 6: {
/ ...file / 17: { / ...file / 17: {
/ ...fs-name / 24: "acme_tee_3.exe" / ...fs-name / 24: "acme_tee_3.exe"
} }
} }
}) })
A.2. EAT Produced by Attestation Hardware Block A.2. Submodules for Board and Device
/ This example shows use of submodules to give information /
/ about the chip, board and overall device. /
/ /
/ The main attestation is associated with the chip with the /
/ CPU and running the main OS. It is what has the keys and /
/ produces the token. /
/ /
/ The board is made by a different vendor than the chip. /
/ Perhaps it is some generic IoT board. /
/ /
/ The device is some specific appliance that is made by a /
/ different vendor than either the chip or the board. /
/ /
/ Here the board and device submodules aren't the typical /
/ target environments as described by the RATS architecture /
/ document, but they are a valid use of submodules. /
{
/ nonce / 10: h'948f8860d13a463e8e',
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ HW OEM ID / 258: h'894823', / IEEE OUI format OEM ID /
/ HW Model ID / 259: h'549dcecc8b987c737b44e40f7c635ce8'
/ Hash of chip model name /,
/ HW Version / 260: ["1.3.4", 1], / Multipartnumeric version /
/ SW Name / 271: "Acme OS",
/ SW Version / 272: ["3.5.5", 1],
/ secure-boot / 262: true,
/ debug-status / 263: 3, / permanent-disable /
/ timestamp (iat) / 6: 1526542894,
/ security-level / 261: 3, / secure restricted OS /
/ submods / 266: {
/ A submodule to hold some claims about the circuit board /
"board" : {
/ HW OEM ID / 258: h'9bef8787eba13e2c8f6e7cb4b1f4619a',
/ HW Model ID / 259: h'ee80f5a66c1fb9742999a8fdab930893'
/ Hash of board module name /,
/ HW Version / 260: ["2.0a", 2] / multipartnumeric+suffix /
},
/ A submodule to hold claims about the overall device /
"device" : {
/ HW OEM ID / 258: 61234, / PEN Format OEM ID /
/ HW Version / 260: ["4012345123456", 5] / EAN-13 format (barcode) /
}
}
}
A.3. EAT Produced by Attestation Hardware Block
/ This is an example of a token produced by a HW block / / This is an example of a token produced by a HW block /
/ purpose-built for attestation. Only the nonce claim changes / / purpose-built for attestation. Only the nonce claim changes /
/ from one attestation to the next as the rest either come / / from one attestation to the next as the rest either come /
/ directly from the hardware or from one-time-programmable memory / / directly from the hardware or from one-time-programmable memory /
/ (e.g. a fuse). 47 bytes encoded in CBOR (8 byte nonce, 16 byte / / (e.g. a fuse). 47 bytes encoded in CBOR (8 byte nonce, 16 byte /
/ UEID). / / UEID). /
601({ 601({
/ nonce / 10: h'948f8860d13a463e', / nonce / 10: h'948f8860d13a463e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea', / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEMID / 13: 64242, / Private Enterprise Number / / OEMID / 258: 64242, / Private Enterprise Number /
/ security-level / 14: 4, / hardware level security / / security-level / 261: 4, / hardware level security /
/ secure-boot / 15: true, / secure-boot / 262: true,
/ debug-status / 16: 3, / disabled-permanently / / debug-status / 263: 3, / disabled-permanently /
/ chip-version / 26: [ "3.1", 1 ] / Type is multipartnumeric / / HW version / 260: [ "3.1", 1 ] / Type is multipartnumeric /
}) })
A.3. Detached EAT Bundle A.4. Detached EAT Bundle
In this DEB main token is produced by a HW attestation block. The In this DEB main token is produced by a HW attestation block. The
detached Claims-Set is produced by a TEE and is largely identical to detached Claims-Set is produced by a TEE and is largely identical to
the Simple TEE examples above. The TEE digests its Claims-Set and the Simple TEE examples above. The TEE digests its Claims-Set and
feeds that digest to the HW block. feeds that digest to the HW block.
In a better example the attestation produced by the HW block would be In a better example the attestation produced by the HW block would be
a CWT and thus signed and secured by the HW block. Since the a CWT and thus signed and secured by the HW block. Since the
signature covers the digest from the TEE that Claims-Set is also signature covers the digest from the TEE that Claims-Set is also
secured. secured.
skipping to change at page 75, line 30 skipping to change at page 80, line 16
602([ 602([
/ First part is a full EAT token with claims like nonce and / / First part is a full EAT token with claims like nonce and /
/ UEID. Most importantly, it includes a submodule that is a / / UEID. Most importantly, it includes a submodule that is a /
/ detached digest which is the hash of the "TEE" claims set / / detached digest which is the hash of the "TEE" claims set /
/ in the next section. / / in the next section. /
/ / / /
/ This token here is in UCCS format (unsigned). In a more / / This token here is in UCCS format (unsigned). In a more /
/ realistic example, it would be a signed CWT. / / realistic example, it would be a signed CWT. /
h'd90259a80a48948f8860d13a463e0b500198f50a4ff6c058 h'd90259a80a48948f8860d13a463e190100500198
61c8860d13a638ea0d19faf20e040ff51003181a8263332e f50a4ff6c05861c8860d13a638ea19010219faf2
310114a163544545822f5820e5cf95fd24fab71446742dd5 19010504190106f5190107031901048263332e31
8d43dae178e55fe2b94291a9291082ffc2635a0b', 0119010aa163544545822f5820e5cf95fd24fab7
1446742dd58d43dae178e55fe2b94291a9291082
ffc2635a0b',
{ {
/ A CBOR-encoded byte-string wrapped EAT claims-set. It / / A CBOR-encoded byte-string wrapped EAT claims-set. It /
/ contains claims suitable for a TEE / / contains claims suitable for a TEE /
"TEE" : h'a50a48948f8860d13a463e0e030ff51002182381 "TEE" : h'a50a48948f8860d13a463e19010503190106f519
585dda53574944a60064336132340c01016b4163 01070219011181585dda53574944a60064336132
6d6520544545204f530d65332e312e340282a218 340c01016b41636d6520544545204f530d65332e
1f6b41636d6520544545204f53182101a2181f6b 312e340282a2181f6b41636d6520544545204f53
41636d6520544545204f5318210206a111a11818 182101a2181f6b41636d6520544545204f531821
6e61636d655f7465655f332e657865' 0206a111a118186e61636d655f7465655f332e65
7865'
} }
]) ])
/ This example contains submodule that is a detached digest, / / This example contains submodule that is a detached digest, /
/ which is the hash of a Claims-Set convey outside this token. / / which is the hash of a Claims-Set convey outside this token. /
/ Other than that is is the other example of a token from an / / Other than that is is the other example of a token from an /
/ attestation HW block / / attestation HW block /
601({ 601({
/ nonce / 10: h'948f8860d13a463e', / nonce / 10: h'948f8860d13a463e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea', / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEMID / 13: 64242, / Private Enterprise Number / / OEMID / 258: 64242, / Private Enterprise Number /
/ security-level / 14: 4, / hardware level security / / security-level / 261: 4, / hardware level security /
/ secure-boot / 15: true, / secure-boot / 262: true,
/ debug-status / 16: 3, / disabled-permanently / / debug-status / 263: 3, / disabled-permanently /
/ chip-version / 26: [ "3.1", 1 ], / multipartnumeric / / hw version / 260: [ "3.1", 1 ], / multipartnumeric /
/ submods/ 20: { / submods/ 266: {
"TEE": [ / detached digest submod / "TEE": [ / detached digest submod /
-16, / SHA-256 / -16, / SHA-256 /
h'e5cf95fd24fab7144674 h'e5cf95fd24fab7144674
2dd58d43dae178e55fe2 2dd58d43dae178e55fe2
b94291a9291082ffc2635 b94291a9291082ffc2635
a0b' a0b'
] ]
} }
}) })
A.4. Key / Key Store Attestation A.5. Key / Key Store Attestation
/ This is an attestation of a public key and the key store / / This is an attestation of a public key and the key store /
/ implementation that protects and manages it. The key store / / implementation that protects and manages it. The key store /
/ implementation is in a security-oriented execution / / implementation is in a security-oriented execution /
/ environment separate from the high-level OS, for example a / / environment separate from the high-level OS, for example a /
/ TEE. The key store is the Attester. / / TEE. The key store is the Attester. /
/ / / /
/ There is some attestation of the high-level OS, just version / / There is some attestation of the high-level OS, just version /
/ and boot & debug status. It is a Claims-Set submodule because/ / and boot & debug status. It is a Claims-Set submodule because/
/ it has lower security level than the key store. The key / / it has lower security level than the key store. The key /
skipping to change at page 77, line 5 skipping to change at page 82, line 5
/ / / /
/ A key and an indication of the user authentication given to / / A key and an indication of the user authentication given to /
/ allow access to the key is given. The labels for these are / / allow access to the key is given. The labels for these are /
/ in the private space since this is just a hypothetical / / in the private space since this is just a hypothetical /
/ example, not part of a standard protocol. / / example, not part of a standard protocol. /
/ / / /
/ This is similar to Android Key Attestation. / / This is similar to Android Key Attestation. /
601({ 601({
/ nonce / 10: h'948f8860d13a463e', / nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted / / security-level / 261: 3, / secure-restricted /
/ debug-status / 16: 2, / disabled-since-boot / / secure-boot / 262: true,
/ secure-boot / 15: true, / debug-status / 263: 2, / disabled-since-boot /
/ manifests / 35: [ / manifests / 273: [
h'da53574944a600683762623334383766 h'da53574944a600683762623334383766
0c000169436172626f6e6974650d6331 0c000169436172626f6e6974650d6331
2e320e0102a2181f75496e6475737472 2e320e0102a2181f75496e6475737472
69616c204175746f6d6174696f6e1821 69616c204175746f6d6174696f6e1821
02' 02'
/ Above is an encoded CoSWID / / Above is an encoded CoSWID /
/ with the following data / / with the following data /
/ SW Name: "Carbonite" / / SW Name: "Carbonite" /
/ SW Vers: "1.2" / / SW Vers: "1.2" /
/ SW Creator: / / SW Creator: /
skipping to change at page 77, line 34 skipping to change at page 82, line 34
-80001 : { / The key -- A COSE_Key / -80001 : { / The key -- A COSE_Key /
/ kty / 1: 2, / EC2, eliptic curve with x & y / / kty / 1: 2, / EC2, eliptic curve with x & y /
/ kid / 2: h'36675c206f96236c3f51f54637b94ced', / kid / 2: h'36675c206f96236c3f51f54637b94ced',
/ curve / -1: 2, / curve is P-256 / / curve / -1: 2, / curve is P-256 /
/ x-coord / -2: h'65eda5a12577c2bae829437fe338701a / x-coord / -2: h'65eda5a12577c2bae829437fe338701a
10aaa375e1bb5b5de108de439c08551d', 10aaa375e1bb5b5de108de439c08551d',
/ y-coord / -3: h'1e52ed75701163f7f9e40ddf9f341b3d / y-coord / -3: h'1e52ed75701163f7f9e40ddf9f341b3d
c9ba860af7e0ca7ca7e9eecd0084d19c' c9ba860af7e0ca7ca7e9eecd0084d19c'
}, },
/ submods / 20 : { / submods / 266 : {
"HLOS" : { / submod for high-level OS / "HLOS" : { / submod for high-level OS /
/ nonce / 10: h'948f8860d13a463e', / nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 1, / unrestricted / / security-level / 261: 1, / unrestricted /
/ secure-boot / 15: true, / secure-boot / 262: true,
/ manifests / 35: [ / manifests / 273: [
h'da53574944a600687337 h'da53574944a600687337
6537346b78380c000168 6537346b78380c000168
44726f6964204f530d65 44726f6964204f530d65
52322e44320e0302a218 52322e44320e0302a218
1F75496E647573747269 1F75496E647573747269
616c204175746f6d6174 616c204175746f6d6174
696f6e182102' 696f6e182102'
/ Above is an encoded CoSWID / / Above is an encoded CoSWID /
/ with the following data: / / with the following data: /
/ SW Name: "Droid OS" / / SW Name: "Droid OS" /
/ SW Vers: "R2.D2" / / SW Vers: "R2.D2" /
/ SW Creator: / / SW Creator: /
/ "Industrial Automation"/ / "Industrial Automation"/
] ]
} }
} }
}) })
A.5. SW Measurements of an IoT Device A.6. SW Measurements of an IoT Device
This is a simple token that might be for and IoT device. It includes This is a simple token that might be for and IoT device. It includes
CoSWID format measurments of the SW. The CoSWID is in byte-string CoSWID format measurments of the SW. The CoSWID is in byte-string
wrapped in the token and also shown in diagnostic form. wrapped in the token and also shown in diagnostic form.
/ This EAT UCCS is for an IoT device with a TEE. The attestation / / This EAT UCCS is for an IoT device with a TEE. The attestation /
/ is produced by the TEE. There is a submodule for the IoT OS (the / / is produced by the TEE. There is a submodule for the IoT OS (the /
/ main OS of the IoT device that is not as secure as the TEE). The / / main OS of the IoT device that is not as secure as the TEE). The /
/ submodule contains claims for the IoT OS. The TEE also measures / / submodule contains claims for the IoT OS. The TEE also measures /
/ the IoT OS and puts the measurements in the submodule. / / the IoT OS and puts the measurements in the submodule. /
601({ 601({
/ nonce / 10: h'948f8860d13a463e', / nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted / / security-level / 261: 3, / secure-restricted /
/ secure-boot / 15: true, / secure-boot / 262: true,
/ debug-status / 16: 2, / disabled-since-boot / / debug-status / 263: 2, / disabled-since-boot /
/ OEMID / 13: h'8945ad', / IEEE CID based / / OEMID / 258: h'8945ad', / IEEE CID based /
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea', / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ sumods / 20: { / sumods / 266: {
"OS" : { "OS" : {
/ security-level / 14: 2, / restricted / / security-level / 261: 2, / restricted /
/ secure-boot / 15: true, / secure-boot / 262: true,
/ debug-status / 16: 2, / disabled-since-boot / / debug-status / 263: 2, / disabled-since-boot /
/ swevidence / 36: [ / swevidence / 274: [
/ This is a byte-string wrapped / / This is a byte-string wrapped /
/ evidence CoSWID. It has / / evidence CoSWID. It has /
/ hashes of the main files of / / hashes of the main files of /
/ the IoT OS. / / the IoT OS. /
h'da53574944a600663463613234350c h'da53574944a600663463613234350c
17016d41636d6520522d496f542d4f 17016d41636d6520522d496f542d4f
530d65332e312e3402a2181f724163 530d65332e312e3402a2181f724163
6d6520426173652041747465737465 6d6520426173652041747465737465
7218210103a11183a318187161636d 7218210103a11183a318187161636d
655f725f696f745f6f732e65786514 655f725f696f745f6f732e65786514
skipping to change at page 81, line 8 skipping to change at page 86, line 8
f884e4e1e8e86299 f884e4e1e8e86299
58c2dbc702741443 58c2dbc702741443
a913e34de9333be6' a913e34de9333be6'
] ]
} }
] ]
} }
}) })
A.6. Attestation Results in JSON format A.7. Attestation Results in JSON format
This is a UJCS format token that might be the output of a Verifier This is a UJCS format token that might be the output of a Verifier
that evaluated the IoT Attestation example immediately above. that evaluated the IoT Attestation example immediately above.
This particular Verifier knows enough about the TEE Attester to be This particular Verifier knows enough about the TEE Attester to be
able to pass claims like security level directly through to the able to pass claims like security level directly through to the
Relying Party. The Verifier also knows the Reference Values for the Relying Party. The Verifier also knows the Reference Values for the
measured SW components and is able to check them. It informs the measured SW components and is able to check them. It informs the
Relying Party that they were correct in the swresults claim. Relying Party that they were correct in the swresults claim.
"Trustus Verifications" is the name of the services that verifies the "Trustus Verifications" is the name of the services that verifies the
skipping to change at page 83, line 15 skipping to change at page 88, line 15
p Collision Probability p Collision Probability
n Total possible population n Total possible population
k Actual population k Actual population
However, for the very large values involved here, this formula However, for the very large values involved here, this formula
requires floating point precision higher than commonly available in requires floating point precision higher than commonly available in
calculators and SW so this simple approximation is used. See calculators and SW so this simple approximation is used. See
[BirthdayAttack]. [BirthdayAttack].
p = k^2 / 2n p = k^2 / 2n
For this calculation: For this calculation:
p Collision Probability p Collision Probability
n Total population based on number of bits in UEID n Total population based on number of bits in UEID
k Population in a database k Population in a database
+----------------------+--------------+--------------+--------------+ +----------------------+--------------+--------------+--------------+
| Database Size | 128-bit UEID | 192-bit UEID | 256-bit UEID | | Database Size | 128-bit UEID | 192-bit UEID | 256-bit UEID |
+----------------------+--------------+--------------+--------------+ +----------------------+--------------+--------------+--------------+
| trillion (10^12) | 2 * 10^-15 | 8 * 10^-35 | 5 * 10^-55 | | trillion (10^12) | 2 * 10^-15 | 8 * 10^-35 | 5 * 10^-55 |
| quadrillion (10^15) | 2 * 10^-09 | 8 * 10^-29 | 5 * 10^-49 | | quadrillion (10^15) | 2 * 10^-09 | 8 * 10^-29 | 5 * 10^-49 |
| 100 quadrillion | 2 * 10^-05 | 8 * 10^-25 | 5 * 10^-45 | | 100 quadrillion | 2 * 10^-05 | 8 * 10^-25 | 5 * 10^-45 |
| (10^17) | | | | | (10^17) | | | |
+----------------------+--------------+--------------+--------------+ +----------------------+--------------+--------------+--------------+
skipping to change at page 91, line 13 skipping to change at page 96, line 13
o OEM ID is specifically for HW, not for SW o OEM ID is specifically for HW, not for SW
o HW OEM ID can now be a PEN o HW OEM ID can now be a PEN
o HW OEM ID can now be a 128-bit random number o HW OEM ID can now be a 128-bit random number
o Expand the examples section o Expand the examples section
o Add software and version claims as easy / JSON alternative to o Add software and version claims as easy / JSON alternative to
CoSWID CoSWID
D.13. From draft-ietf-rats-eat-11
o Add HW model claim
o Change reference for CBOR OID draft to RFC 9090
o Correct the iat claim in some examples
o Make HW Version just one claim rather than 3 (device, board and
chip)
o Remove CDDL comments from CDDL blocks
o More clearly define "entity" and use it more broadly, particularly
instead of "device"
o Re do early allocation of CBOR labels since last one didn't
complete correctly
o Lots of rewording and tightening up of section 1
o Lots of wording improvements in section 3, particularly better use
of normative language
o Improve wording in submodules section, particularly how to
distinguish types when decoding
o Remove security-level from early allocation
o Add boot odometer claim
o Add privacy considerations for replay protection
Authors' Addresses Authors' Addresses
Laurence Lundblade Laurence Lundblade
Security Theory LLC Security Theory LLC
EMail: lgl@securitytheory.com EMail: lgl@securitytheory.com
Giridhar Mandyam Giridhar Mandyam
Qualcomm Technologies Inc. Qualcomm Technologies Inc.
5775 Morehouse Drive 5775 Morehouse Drive
San Diego, California San Diego, California
USA USA
Phone: +1 858 651 7200 Phone: +1 858 651 7200
EMail: mandyam@qti.qualcomm.com EMail: mandyam@qti.qualcomm.com
Jeremy O'Donoghue Jeremy O'Donoghue
 End of changes. 349 change blocks. 
1158 lines changed or deleted 1356 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/