--- 1/draft-ietf-rats-eat-11.txt 2022-02-24 12:13:12.342229097 -0800 +++ 2/draft-ietf-rats-eat-12.txt 2022-02-24 12:13:12.506233195 -0800 @@ -1,253 +1,334 @@ RATS Working Group L. Lundblade Internet-Draft Security Theory LLC Intended status: Standards Track G. Mandyam -Expires: April 26, 2022 J. O'Donoghue +Expires: August 27, 2022 J. O'Donoghue Qualcomm Technologies Inc. - October 23, 2021 + February 23, 2022 The Entity Attestation Token (EAT) - draft-ietf-rats-eat-11 + draft-ietf-rats-eat-12 Abstract - An Entity Attestation Token (EAT) provides a signed (attested) set of - claims that describe state and characteristics of an entity, - typically a device like a phone or an IoT device. These claims are - used by a Relying Party to determine how much it wishes to trust the - entity. + An Entity Attestation Token (EAT) provides an attested claims set + that describes state and characteristics of an entity, a device like + a phone, IoT device, network equipment or such. This claims set is + used by a relying party, server or service to determine how much it + wishes to trust the entity. - An EAT is either a CWT or JWT with some attestation-oriented claims. - To a large degree, all this document does is extend CWT and JWT. + An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with + attestation-oriented claims. To a large degree, all this document + does is extend CWT and JWT. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 26, 2022. + This Internet-Draft will expire on August 27, 2022. Copyright Notice - Copyright (c) 2021 IETF Trust and the persons identified as the + Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 - 1.1. CWT, JWT, UCCS, UJCS and DEB . . . . . . . . . . . . . . 5 - 1.2. CDDL, CBOR and JSON . . . . . . . . . . . . . . . . . . . 6 - 1.3. Operating Model and RATS Architecture . . . . . . . . . . 7 - 1.3.1. Use as Attestation Evidence . . . . . . . . . . . . . 8 - 1.3.2. Use as Attestation Results . . . . . . . . . . . . . 8 - 1.4. Entity Overview . . . . . . . . . . . . . . . . . . . . . 9 - 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 3. The Claims . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 1.1. Entity Overview . . . . . . . . . . . . . . . . . . . . . 6 + 1.2. CWT, JWT, UCCS, UJCS and DEB . . . . . . . . . . . . . . 7 + 1.3. CDDL, CBOR and JSON . . . . . . . . . . . . . . . . . . . 8 + 1.4. Operating Model and RATS Architecture . . . . . . . . . . 8 + 1.4.1. Relationship between Attestation Evidence and + Attestation Results . . . . . . . . . . . . . . . . . 9 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 3. The Claims . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1. Token ID Claim (cti and jti) . . . . . . . . . . . . . . 11 3.2. Timestamp claim (iat) . . . . . . . . . . . . . . . . . . 11 - 3.3. Nonce Claim (nonce) . . . . . . . . . . . . . . . . . . . 11 + 3.3. Nonce Claim (nonce) . . . . . . . . . . . . . . . . . . . 12 3.4. Universal Entity ID Claim (ueid) . . . . . . . . . . . . 12 - 3.5. Semi-permanent UEIDs (SUEIDs) . . . . . . . . . . . . . . 14 - 3.6. Hardware OEM Identification (oemid) . . . . . . . . . . . 15 - 3.6.1. Random Number Based . . . . . . . . . . . . . . . . . 15 - 3.6.2. IEEE Based . . . . . . . . . . . . . . . . . . . . . 15 - 3.6.3. IANA Private Enterprise Number . . . . . . . . . . . 16 - 3.7. Hardware Version Claims (hardware-version-claims) . . . . 16 - 3.8. Software Name Claim . . . . . . . . . . . . . . . . . . . 17 - 3.9. Software Version Claim . . . . . . . . . . . . . . . . . 17 - 3.10. The Security Level Claim (security-level) . . . . . . . . 17 - 3.11. Secure Boot Claim (secure-boot) . . . . . . . . . . . . . 19 - 3.12. Debug Status Claim (debug-status) . . . . . . . . . . . . 19 - 3.12.1. Enabled . . . . . . . . . . . . . . . . . . . . . . 20 - 3.12.2. Disabled . . . . . . . . . . . . . . . . . . . . . . 20 - 3.12.3. Disabled Since Boot . . . . . . . . . . . . . . . . 21 - 3.12.4. Disabled Permanently . . . . . . . . . . . . . . . . 21 - 3.12.5. Disabled Fully and Permanently . . . . . . . . . . . 21 - 3.13. Including Keys . . . . . . . . . . . . . . . . . . . . . 21 - 3.14. The Location Claim (location) . . . . . . . . . . . . . . 22 - 3.15. The Uptime Claim (uptime) . . . . . . . . . . . . . . . . 23 - 3.16. The Boot Seed Claim (boot-seed) . . . . . . . . . . . . . 23 - 3.17. The Intended Use Claim (intended-use) . . . . . . . . . . 24 - 3.18. The Profile Claim (profile) . . . . . . . . . . . . . . . 25 - 3.19. The DLOA (Digital Letter or Approval) Claim (dloas) . . . 26 - 3.20. The Software Manifests Claim (manifests) . . . . . . . . 27 - 3.21. The Software Evidence Claim (swevidence) . . . . . . . . 28 - 3.22. The SW Measurement Results Claim (swresults) . . . . . . 29 - 3.22.1. Scheme . . . . . . . . . . . . . . . . . . . . . . . 29 - 3.22.2. Objective . . . . . . . . . . . . . . . . . . . . . 30 - 3.22.3. Results . . . . . . . . . . . . . . . . . . . . . . 30 - 3.22.4. Objective Name . . . . . . . . . . . . . . . . . . . 31 - 3.23. Submodules (submods) . . . . . . . . . . . . . . . . . . 33 - 3.23.1. Submodule Types . . . . . . . . . . . . . . . . . . 33 - 3.23.1.1. Submodule Claims-Set . . . . . . . . . . . . . . 33 - 3.23.1.2. Nested Token . . . . . . . . . . . . . . . . . . 34 - 3.23.1.3. Detached Submodule Digest . . . . . . . . . . . 36 - 3.23.2. No Inheritance . . . . . . . . . . . . . . . . . . . 37 - 3.23.3. Security Levels . . . . . . . . . . . . . . . . . . 37 - 3.23.4. Submodule Names . . . . . . . . . . . . . . . . . . 37 - 3.23.5. CDDL for submods . . . . . . . . . . . . . . . . . . 38 - 4. Unprotected JWT Claims-Sets . . . . . . . . . . . . . . . . . 38 + 3.5. Semi-permanent UEIDs (SUEIDs) . . . . . . . . . . . . . . 15 + 3.6. Hardware OEM Identification (oemid) . . . . . . . . . . . 16 + 3.6.1. Random Number Based OEMID . . . . . . . . . . . . . . 16 + 3.6.2. IEEE Based OEMID . . . . . . . . . . . . . . . . . . 16 + 3.6.3. IANA Private Enterprise Number Based OEMID . . . . . 17 + 3.7. Hardware Model Claim (hardware-model) . . . . . . . . . . 17 + 3.8. Hardware Version Claims (hardware-version-claims) . . . . 18 + 3.9. Software Name Claim . . . . . . . . . . . . . . . . . . . 19 + 3.10. Software Version Claim . . . . . . . . . . . . . . . . . 19 + 3.11. The Security Level Claim (security-level) . . . . . . . . 19 + 3.12. Secure Boot Claim (secure-boot) . . . . . . . . . . . . . 21 + 3.13. Debug Status Claim (debug-status) . . . . . . . . . . . . 21 + 3.13.1. Enabled . . . . . . . . . . . . . . . . . . . . . . 22 + 3.13.2. Disabled . . . . . . . . . . . . . . . . . . . . . . 22 + 3.13.3. Disabled Since Boot . . . . . . . . . . . . . . . . 22 + 3.13.4. Disabled Permanently . . . . . . . . . . . . . . . . 22 + 3.13.5. Disabled Fully and Permanently . . . . . . . . . . . 22 + 3.14. Including Keys . . . . . . . . . . . . . . . . . . . . . 23 + 3.15. The Location Claim (location) . . . . . . . . . . . . . . 24 + 3.16. The Uptime Claim (uptime) . . . . . . . . . . . . . . . . 25 + 3.17. The Boot Odometer Claim (odometer) . . . . . . . . . . . 25 + 3.18. The Boot Seed Claim (boot-seed) . . . . . . . . . . . . . 25 + 3.19. The Intended Use Claim (intended-use) . . . . . . . . . . 26 + 3.20. The Profile Claim (profile) . . . . . . . . . . . . . . . 27 + 3.21. The DLOA (Digital Letter or Approval) Claim (dloas) . . . 27 + 3.22. The Software Manifests Claim (manifests) . . . . . . . . 28 + 3.23. The Software Evidence Claim (swevidence) . . . . . . . . 30 + 3.24. The SW Measurement Results Claim (swresults) . . . . . . 30 + 3.24.1. Scheme . . . . . . . . . . . . . . . . . . . . . . . 31 + 3.24.2. Objective . . . . . . . . . . . . . . . . . . . . . 31 + 3.24.3. Results . . . . . . . . . . . . . . . . . . . . . . 31 + 3.24.4. Objective Name . . . . . . . . . . . . . . . . . . . 32 + 3.25. Submodules (submods) . . . . . . . . . . . . . . . . . . 34 + 3.25.1. Submodule Types . . . . . . . . . . . . . . . . . . 34 + 3.25.1.1. Submodule Claims-Set . . . . . . . . . . . . . . 34 + 3.25.1.2. Nested Token . . . . . . . . . . . . . . . . . . 35 + 3.25.1.3. Detached Submodule Digest . . . . . . . . . . . 37 + 3.25.2. No Inheritance . . . . . . . . . . . . . . . . . . . 38 + 3.25.3. Security Levels . . . . . . . . . . . . . . . . . . 38 + 3.25.4. Submodule Names . . . . . . . . . . . . . . . . . . 39 + 3.25.5. CDDL for submods . . . . . . . . . . . . . . . . . . 39 + 4. Unprotected JWT Claims-Sets . . . . . . . . . . . . . . . . . 39 5. Detached EAT Bundles . . . . . . . . . . . . . . . . . . . . 39 6. Endorsements and Verification Keys . . . . . . . . . . . . . 40 6.1. Identification Methods . . . . . . . . . . . . . . . . . 41 6.1.1. COSE/JWS Key ID . . . . . . . . . . . . . . . . . . . 41 - 6.1.2. JWS and COSE X.509 Header Parameters . . . . . . . . 41 + 6.1.2. JWS and COSE X.509 Header Parameters . . . . . . . . 42 6.1.3. CBOR Certificate COSE Header Parameters . . . . . . . 42 6.1.4. Claim-Based Key Identification . . . . . . . . . . . 42 6.2. Other Considerations . . . . . . . . . . . . . . . . . . 42 - 7. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 42 + 7. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 43 7.1. Format of a Profile Document . . . . . . . . . . . . . . 43 7.2. List of Profile Issues . . . . . . . . . . . . . . . . . 43 7.2.1. Use of JSON, CBOR or both . . . . . . . . . . . . . . 43 - 7.2.2. CBOR Map and Array Encoding . . . . . . . . . . . . . 43 + 7.2.2. CBOR Map and Array Encoding . . . . . . . . . . . . . 44 7.2.3. CBOR String Encoding . . . . . . . . . . . . . . . . 44 7.2.4. CBOR Preferred Serialization . . . . . . . . . . . . 44 7.2.5. COSE/JOSE Protection . . . . . . . . . . . . . . . . 44 - 7.2.6. COSE/JOSE Algorithms . . . . . . . . . . . . . . . . 44 - 7.2.7. DEB Support . . . . . . . . . . . . . . . . . . . . . 44 + 7.2.6. COSE/JOSE Algorithms . . . . . . . . . . . . . . . . 45 + 7.2.7. DEB Support . . . . . . . . . . . . . . . . . . . . . 45 7.2.8. Verification Key Identification . . . . . . . . . . . 45 7.2.9. Endorsement Identification . . . . . . . . . . . . . 45 7.2.10. Freshness . . . . . . . . . . . . . . . . . . . . . . 45 7.2.11. Required Claims . . . . . . . . . . . . . . . . . . . 45 7.2.12. Prohibited Claims . . . . . . . . . . . . . . . . . . 45 - 7.2.13. Additional Claims . . . . . . . . . . . . . . . . . . 45 - 7.2.14. Refined Claim Definition . . . . . . . . . . . . . . 45 + 7.2.13. Additional Claims . . . . . . . . . . . . . . . . . . 46 + 7.2.14. Refined Claim Definition . . . . . . . . . . . . . . 46 7.2.15. CBOR Tags . . . . . . . . . . . . . . . . . . . . . . 46 7.2.16. Manifests and Software Evidence Claims . . . . . . . 46 8. Encoding and Collected CDDL . . . . . . . . . . . . . . . . . 46 8.1. Claims-Set and CDDL for CWT and JWT . . . . . . . . . . . 46 8.2. Encoding Data Types . . . . . . . . . . . . . . . . . . . 47 8.2.1. Common Data Types . . . . . . . . . . . . . . . . . . 47 8.2.2. JSON Interoperability . . . . . . . . . . . . . . . . 47 - 8.2.3. Labels . . . . . . . . . . . . . . . . . . . . . . . 47 + 8.2.3. Labels . . . . . . . . . . . . . . . . . . . . . . . 48 8.3. CBOR Interoperability . . . . . . . . . . . . . . . . . . 48 8.3.1. EAT Constrained Device Serialization . . . . . . . . 48 - 8.4. Collected Common CDDL . . . . . . . . . . . . . . . . . . 49 - 8.5. Collected CDDL for CBOR . . . . . . . . . . . . . . . . . 55 - 8.6. Collected CDDL for JSON . . . . . . . . . . . . . . . . . 57 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 + 8.5. Collected CDDL for CBOR . . . . . . . . . . . . . . . . . 54 + 8.6. Collected CDDL for JSON . . . . . . . . . . . . . . . . . 55 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 9.1. Reuse of CBOR and JSON Web Token (CWT and JWT) Claims - Registries . . . . . . . . . . . . . . . . . . . . . . . 59 - 9.2. Claim Characteristics . . . . . . . . . . . . . . . . . . 59 - 9.2.1. Interoperability and Relying Party Orientation . . . 59 - 9.2.2. Operating System and Technology Neutral . . . . . . . 59 - 9.2.3. Security Level Neutral . . . . . . . . . . . . . . . 60 - 9.2.4. Reuse of Extant Data Formats . . . . . . . . . . . . 60 - 9.2.5. Proprietary Claims . . . . . . . . . . . . . . . . . 60 - 9.3. Claims Registered by This Document . . . . . . . . . . . 61 - 9.3.1. Claims for Early Assignment . . . . . . . . . . . . . 61 - 9.3.2. To be Assigned Claims . . . . . . . . . . . . . . . . 64 - 9.3.3. Version Schemes Registered by this Document . . . . . 64 - 9.3.4. UEID URN Registered by this Document . . . . . . . . 64 - 9.3.5. Tag for Detached EAT Bundle . . . . . . . . . . . . . 65 - 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 65 - 10.1. UEID and SUEID Privacy Considerations . . . . . . . . . 65 - 10.2. Location Privacy Considerations . . . . . . . . . . . . 66 - 11. Security Considerations . . . . . . . . . . . . . . . . . . . 66 - 11.1. Key Provisioning . . . . . . . . . . . . . . . . . . . . 66 - 11.1.1. Transmission of Key Material . . . . . . . . . . . . 67 - 11.2. Transport Security . . . . . . . . . . . . . . . . . . . 67 - 11.3. Multiple EAT Consumers . . . . . . . . . . . . . . . . . 67 - 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 - 12.1. Normative References . . . . . . . . . . . . . . . . . . 68 - 12.2. Informative References . . . . . . . . . . . . . . . . . 70 - Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 73 - A.1. Simple TEE Attestation . . . . . . . . . . . . . . . . . 73 - A.2. EAT Produced by Attestation Hardware Block . . . . . . . 74 - A.3. Detached EAT Bundle . . . . . . . . . . . . . . . . . . . 75 - A.4. Key / Key Store Attestation . . . . . . . . . . . . . . . 76 - A.5. SW Measurements of an IoT Device . . . . . . . . . . . . 78 - A.6. Attestation Results in JSON format . . . . . . . . . . . 81 - Appendix B. UEID Design Rationale . . . . . . . . . . . . . . . 82 - B.1. Collision Probability . . . . . . . . . . . . . . . . . . 82 - B.2. No Use of UUID . . . . . . . . . . . . . . . . . . . . . 84 + Registries . . . . . . . . . . . . . . . . . . . . . . . 56 + 9.2. Claim Characteristics . . . . . . . . . . . . . . . . . . 57 + 9.2.1. Interoperability and Relying Party Orientation . . . 57 + 9.2.2. Operating System and Technology Neutral . . . . . . . 57 + 9.2.3. Security Level Neutral . . . . . . . . . . . . . . . 58 + 9.2.4. Reuse of Extant Data Formats . . . . . . . . . . . . 58 + 9.2.5. Proprietary Claims . . . . . . . . . . . . . . . . . 58 + 9.3. Claims Registered by This Document . . . . . . . . . . . 58 + 9.3.1. Claims for Early Assignment . . . . . . . . . . . . . 59 + 9.3.2. To be Assigned Claims . . . . . . . . . . . . . . . . 62 + 9.3.3. Version Schemes Registered by this Document . . . . . 65 + 9.3.4. UEID URN Registered by this Document . . . . . . . . 66 + 9.3.5. Tag for Detached EAT Bundle . . . . . . . . . . . . . 66 + 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 66 + 10.1. UEID and SUEID Privacy Considerations . . . . . . . . . 67 + 10.2. Location Privacy Considerations . . . . . . . . . . . . 67 + 10.3. Replay Protection and Privacy . . . . . . . . . . . . . 68 + 11. Security Considerations . . . . . . . . . . . . . . . . . . . 68 + 11.1. Key Provisioning . . . . . . . . . . . . . . . . . . . . 68 + 11.1.1. Transmission of Key Material . . . . . . . . . . . . 69 + 11.2. Transport Security . . . . . . . . . . . . . . . . . . . 69 + 11.3. Multiple EAT Consumers . . . . . . . . . . . . . . . . . 69 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 70 + 12.1. Normative References . . . . . . . . . . . . . . . . . . 70 + 12.2. Informative References . . . . . . . . . . . . . . . . . 73 + Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 76 + A.1. Simple TEE Attestation . . . . . . . . . . . . . . . . . 76 + A.2. Submodules for Board and Device . . . . . . . . . . . . . 77 + A.3. EAT Produced by Attestation Hardware Block . . . . . . . 79 + A.4. Detached EAT Bundle . . . . . . . . . . . . . . . . . . . 79 + A.5. Key / Key Store Attestation . . . . . . . . . . . . . . . 81 + A.6. SW Measurements of an IoT Device . . . . . . . . . . . . 83 + A.7. Attestation Results in JSON format . . . . . . . . . . . 86 + Appendix B. UEID Design Rationale . . . . . . . . . . . . . . . 87 + B.1. Collision Probability . . . . . . . . . . . . . . . . . . 87 + B.2. No Use of UUID . . . . . . . . . . . . . . . . . . . . . 89 Appendix C. EAT Relation to IEEE.802.1AR Secure Device Identity - (DevID) . . . . . . . . . . . . . . . . . . . . . . 85 - C.1. DevID Used With EAT . . . . . . . . . . . . . . . . . . . 85 - C.2. How EAT Provides an Equivalent Secure Device Identity . . 86 - C.3. An X.509 Format EAT . . . . . . . . . . . . . . . . . . . 86 - C.4. Device Identifier Permanence . . . . . . . . . . . . . . 87 - Appendix D. Changes from Previous Drafts . . . . . . . . . . . . 87 - D.1. From draft-rats-eat-01 . . . . . . . . . . . . . . . . . 87 - D.2. From draft-mandyam-rats-eat-00 . . . . . . . . . . . . . 87 - D.3. From draft-ietf-rats-eat-01 . . . . . . . . . . . . . . . 87 - D.4. From draft-ietf-rats-eat-02 . . . . . . . . . . . . . . . 88 - D.5. From draft-ietf-rats-eat-03 . . . . . . . . . . . . . . . 88 - D.6. From draft-ietf-rats-eat-04 . . . . . . . . . . . . . . . 88 - D.7. From draft-ietf-rats-eat-05 . . . . . . . . . . . . . . . 89 - D.8. From draft-ietf-rats-eat-06 . . . . . . . . . . . . . . . 89 - D.9. From draft-ietf-rats-eat-07 . . . . . . . . . . . . . . . 89 - D.10. From draft-ietf-rats-eat-08 . . . . . . . . . . . . . . . 89 - D.11. From draft-ietf-rats-eat-09 . . . . . . . . . . . . . . . 89 - D.12. From draft-ietf-rats-eat-10 . . . . . . . . . . . . . . . 90 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 + (DevID) . . . . . . . . . . . . . . . . . . . . . . 90 + C.1. DevID Used With EAT . . . . . . . . . . . . . . . . . . . 90 + C.2. How EAT Provides an Equivalent Secure Device Identity . . 91 + C.3. An X.509 Format EAT . . . . . . . . . . . . . . . . . . . 91 + C.4. Device Identifier Permanence . . . . . . . . . . . . . . 92 + Appendix D. Changes from Previous Drafts . . . . . . . . . . . . 92 + D.1. From draft-rats-eat-01 . . . . . . . . . . . . . . . . . 92 + D.2. From draft-mandyam-rats-eat-00 . . . . . . . . . . . . . 92 + D.3. From draft-ietf-rats-eat-01 . . . . . . . . . . . . . . . 92 + D.4. From draft-ietf-rats-eat-02 . . . . . . . . . . . . . . . 93 + D.5. From draft-ietf-rats-eat-03 . . . . . . . . . . . . . . . 93 + D.6. From draft-ietf-rats-eat-04 . . . . . . . . . . . . . . . 93 + D.7. From draft-ietf-rats-eat-05 . . . . . . . . . . . . . . . 94 + D.8. From draft-ietf-rats-eat-06 . . . . . . . . . . . . . . . 94 + D.9. From draft-ietf-rats-eat-07 . . . . . . . . . . . . . . . 94 + D.10. From draft-ietf-rats-eat-08 . . . . . . . . . . . . . . . 94 + D.11. From draft-ietf-rats-eat-09 . . . . . . . . . . . . . . . 94 + D.12. From draft-ietf-rats-eat-10 . . . . . . . . . . . . . . . 95 + D.13. From draft-ietf-rats-eat-11 . . . . . . . . . . . . . . . 96 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96 1. Introduction - Remote device attestation is a fundamental service that allows a - remote device such as a mobile phone, an Internet-of-Things (IoT) - device, or other endpoint to prove itself to a Relying Party, a - server or a service. This allows the Relying Party to know some - characteristics about the device and decide whether it trusts the - device. + EAT provides the definition of a base set of claims that can be made + about an entity, a device, some software and/or some hardware. This + claims set is received by a relying party who uses it to decide if + and how it will interact with the remote entity. It may choose to + not trust the entity and not interact with it. It may choose to + trust it. It may partially trust it, for example allowing monetary + transactions only up to a limit. - The notion of attestation here is large and may include, but is not - limited to the following: + EAT defines the encoding of the claims set in CBOR [RFC8949] and JSON + [RFC7159]. EAT is an extension to CBOR Web Token (CWT) [RFC8392] and + JSON Web Token (JWT) [RFC7519]. - o Proof of the make and model of the device hardware (HW) + The claims set is secured in transit with the same mechanisms used by + CWT and JWT, in particular CBOR Object Signing and Encryption (COSE) + [RFC8152] and JSON Object Signing and Encryption (JOSE) [RFC7515] + [RFC7516]. Authenticity and integrity protection must always be + provided. Privacy (encryption) may additionally be provided. The + key material used to sign and encrypt is specifically created and + provisioned for the purpose of attestation. It is the use of this + key material that make the claims set "attested" rather than just + some parameters sent to the relying party by the device. - o Proof of the make and model of the device processor, particularly - for security-oriented chips + EAT is focused on authenticating, identifying and characterizing + implementations where implementations are devices, chips, hardware, + software and such. This is distinct from protocols like TLS + [RFC8446] that authenticate and identify servers and services. It is + equally distinct from protocols like SASL [RFC4422] that authenticate + and identify persons. - o Measurement of the software (SW) running on the device + The notion of attestation is large, ranging over a broad variety of + use cases and security levels. Here are a few examples of claims: - o Configuration and state of the device + o Make and model of manufactured consumer device - o Environmental characteristics of the device such as its GPS - location + o Make and model of a chip or processor, particularly for a + security-oriented chip + + o Identification and measurement of the software running on a device + + o Configuration and state of a device + + o Environmental characteristics of a device like its GPS location + + o Formal certifications received + + EAT also supports nesting of sets of claims and EAT tokens for use + with complex composite devices. This document uses the terminology and main operational model defined - in [RATS.Architecture]. In particular it is a format that can be - used for Attestation Evidence or Attestation Results as defined in - the RATS architecture. + in [RATS.Architecture]. In particular, it can be used for RATS + Attestation Evidence and Attestation Results. -1.1. CWT, JWT, UCCS, UJCS and DEB +1.1. Entity Overview - An EAT is a set of claims about an entity/device based on one of the - following: + The document uses the term "entity" to refer to the target of the + attestation token. The claims defined in this document are claims + about an entity. - o CBOR Web Token (CWT), [RFC8392] - o Unprotected CWT Claims Sets (UCCS), [UCCS.Draft] + An entity is an implementation in hardware, software or both. - o JSON Web Token (JWT), [RFC7519] + An entity is the same as the Attester Target Environment defined in + RATS Architecture. + + An entity also corresponds to a "system component" as defined in the + Internet Security Glossary [RFC4949]. That glossary also defines + "entity" and "system entity" as something that may be a person or + organization as well as a system component. Here "entity" never + refers to a person or organization. + + An entity is never a server or a service. + + An entity may be the whole device or it may be a subsystem, a + subsystem of a subsystem and so on. EAT allows claims to be + organized into submodules, nested EATs and so on. See Section 3.25. + The entity to which a claim applies is the submodule in which it + appears, or to the top-level entity if it doesn't appear in a + submodule. + + Some examples of entities: + + o A Secure Element + + o A TEE + + o A card in a network router + + o A network router, perhaps with each card in the router a submodule + + o An IoT device + + o An individual process + + o An app on a smartphone + + o A smartphone with many submodules for its many subsystems + + o A subsystem in a smartphone like the modem or the camera + + An entity may have strong security like defenses against hardware + invasive attacks. It may also have low security, having no special + security defenses. There is no minimum security requirement to be an + entity. + +1.2. CWT, JWT, UCCS, UJCS and DEB + + An EAT is a claims set about an entity based on one of the following: + + o CBOR Web Token (CWT) [RFC8392] + + o Unprotected CWT Claims Sets (UCCS) [UCCS.Draft] + + o JSON Web Token (JWT) [RFC7519] All definitions, requirements, creation and validation procedures, security considerations, IANA registrations and so on from these carry over to EAT. This specification extends those specifications by defining additional claims for attestation. This specification also describes the notion of a "profile" that can narrow the definition of an EAT, ensure interoperability and fill in details for specific usage scenarios. This specification also adds some considerations for @@ -255,160 +336,106 @@ The identification of a protocol element as an EAT, whether CBOR or JSON encoded, follows the general conventions used by CWT, JWT and UCCS. Largely this depends on the protocol carrying the EAT. In some cases it may be by content type (e.g., MIME type). In other cases it may be through use of CBOR tags. There is no fixed mechanism across all use cases. This specification adds two more top-level messages: - o Unprotected JWT Claims Set (UJCS), Section 4 + o Unprotected JWT Claims Set (UJCS) Section 4 o Detached EAT Bundle (DEB), Section 5 - A DEB is simple structure to hold a collection of detached claims- - sets and the EAT that separately provides integrity and authenticity + A DEB is structure to hold a collection of detached claims sets and + the EAT that separately provides integrity and authenticity protection for them. It can be either CBOR or JSON encoded. -1.2. CDDL, CBOR and JSON - - An EAT can be encoded in either CBOR or JSON. The definition of each - claim is such that it can be encoded either. Each token is either - entirely CBOR or JSON, with only an exception for nested tokens. +1.3. CDDL, CBOR and JSON - To implement composite attestation as described in the RATS - architecture document, one token has to be nested inside another. It - is also possible to construct composite Attestation Results (see - below) which may be expressed as one token nested inside another. So - as to not force each end-end attestation system to be all JSON or all - CBOR, nesting of JSON-encoded tokens in CBOR-encoded tokens and vice - versa is accommodated by this specification. This is the only place - that CBOR and JSON can be mixed. + This document defines Concise Binary Object Representation (CBOR) + [RFC8949] and Javascript Object Notation (JSON) [RFC7159] encoding + for an EAT. All claims in an EAT MUST use the same encoding except + where explicitly allowed. It is explicitly allowed for a nested + token to be of a different encoding. Some claims explicitly contain + objects and messages that may use a different encoding than the + enclosing EAT. - This specification formally uses CDDL, [RFC8610], to define each - claim. The implementor interprets the CDDL to come to either the - CBOR [RFC8949] or JSON [ECMAScript] representation. In the case of - JSON, Appendix E of [RFC8610] is followed. Additional rules are - given in Section 8.2.2 where Appendix E is insufficient. + This specification uses Concise Data Definition Language (CDDL) + [RFC8610] for all definitions. The implementor interprets the CDDL + to come to either the CBOR or JSON encoding. In the case of JSON, + Appendix E of [RFC8610] is followed. Additional rules are given in + Section 8.2.2 where Appendix E is insufficient. The CWT and JWT specifications were authored before CDDL was available and did not use CDDL. This specification includes a CDDL definition of most of what is defined in [RFC8392]. Similarly, this specification includes CDDL for most of what is defined in [RFC7519]. The UCCS specification does not include CDDL. This specification provides CDDL for it. - (TODO: The authors are open to modifications to this specification - and the UCCS specification to include CDDL for UCCS and UJCS there - instead of here.) - -1.3. Operating Model and RATS Architecture +1.4. Operating Model and RATS Architecture While it is not required that EAT be used with the RATS operational model described in Figure 1 in [RATS.Architecture], or even that it - be used for attestation, this document is authored with an - orientation around that model. + be used for attestation, this document is oriented around that model. - To summarize, an Attester on an entity/device generates Attestation - Evidence. Attestation Evidence is a Claims Set describing various - characteristics of the entity/device. Attestation Evidence also is - usually signed by a key that proves the entity/device and the - evidence it produces are authentic. The Claims Set includes a nonce - or some other means to provide freshness. EAT is designed to carry - Attestation Evidence. The Attestation Evidence goes to a Verifier - where the signature is validated. Some of the Claims may also be - validated against Reference Values. The Verifier then produces - Attestation Results which is also usually a Claims Set. EAT is also - designed to carry Attestation Results. The Attestation Results go to - the Relying Party which is the ultimate consumer of the "Remote - Attestaton Procedures", RATS. The Relying Party uses the Attestation - Results as needed for the use case, perhaps allowing a device on the - network, allowing a financial transaction or such. + To summarize, an Attester generates Attestation Evidence. + Attestation Evidence is a claims set describing various + characteristics of an entity. Attestation Evidence also is usually + signed by a key that proves the entity and the evidence it produces + are authentic. The claims set includes a nonce or some other means + to provide freshness. EAT is designed to carry Attestation Evidence. + The Attestation Evidence goes to a Verifier where the signature is + verified. Some of the claims may also be checked against Reference + Values. The Verifier then produces Attestation Results which is also + usually a claims set. EAT is also designed to carry Attestation + Results. The Attestation Results go to the Relying Party which is + the ultimate consumer of the Remote Attestation Procedure. The + Relying Party uses the Attestation Results as needed for the use + case, perhaps allowing an entity on the network, allowing a financial + transaction or such. Note that sometimes the Verifier and Relying Party are not separate and thus there is no need for a protocol to carry Attestation Results. -1.3.1. Use as Attestation Evidence - - Any claim defined in this document or in the IANA CWT or JWT registry - may be used in Attestation Evidence. - - Attestation Evidence nearly always has to be signed or otherwise have - authenticity and integrity protection because the Attester is remote - relative to the Verifier. Usually, this is by using COSE/JOSE - signing where the signing key is an attestation key provisioned into - the entity/device by its manufacturer. The details of how this is - achieved are beyond this specification, but see Section 6. If there - is already a suitable secure channel between the Attester and - Verifier, UCCS may be used. - -1.3.2. Use as Attestation Results +1.4.1. Relationship between Attestation Evidence and Attestation + Results Any claim defined in this document or in the IANA CWT or JWT registry - may be used in Attestation Results. - - It is useful to characterize the relationship of claims in Evidence - to those in Attestation Results. + may be used in Attestation Evidence or Attestation Results. Many claims in Attestation Evidence simply will pass through the Verifier to the Relying Party without modification. They will be - verified as authentic from the device by the Verifier just through + verified as authentic from the entity by the Verifier just through normal verification of the Attester's signature. The UEID, - Section 3.4, and Location, Section 3.14, are examples of claims that + Section 3.4, and Location, Section 3.15, are examples of claims that may be passed through. Some claims in Attestation Evidence will be verified by the Verifier by comparison to Reference Values. These claims will not likely be conveyed to the Relying Party. Instead, some claim indicating they were checked may be added to the Attestation Results or it may be tacitly known that the Verifier always does this check. For example, - the Verifier receives the Software Evidence claim, Section 3.21, + the Verifier receives the Software Evidence claim, Section 3.23, compares it to Reference Values and conveys the results to the - Relying Party in a Software Measurement Results Claim, Section 3.22. + Relying Party in a Software Measurement Results Claim, Section 3.24. In some cases the Verifier may provide privacy-preserving functionality by stripping or modifying claims that do not posses sufficient privacy-preserving characteristics. For example, the data - in the Location claim, Section 3.14, may be modified to have a + in the Location claim, Section 3.15, may be modified to have a precision of a few kilometers rather than a few meters. - When the Verifier is remote from the Relying Party, the Attestation - Results must be protected for integrity, authenticity and possibly - confidentiality. Often this will simply be HTTPS as per a normal web - service, but COSE or JOSE may also be used. The details of this - protection are beyond the scope of this document. - -1.4. Entity Overview - - An "entity" can be any device or device subassembly ("submodule") - that can generate its own attestation in the form of an EAT. The - attestation should be cryptographically verifiable by the EAT - consumer. An EAT at the device-level can be composed of several - submodule EAT's. - - Modern devices such as a mobile phone have many different execution - environments operating with different security levels. For example, - it is common for a mobile phone to have an "apps" environment that - runs an operating system (OS) that hosts a plethora of downloadable - apps. It may also have a TEE (Trusted Execution Environment) that is - distinct, isolated, and hosts security-oriented functionality like - biometric authentication. Additionally, it may have an eSE (embedded - Secure Element) - a high security chip with defenses against HW - attacks that is used to produce attestations. This device - attestation format allows the attested data to be tagged at a - security level from which it originates. In general, any discrete - execution environment that has an identifiable security level can be - considered an entity. - 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. This document reuses terminology from JWT [RFC7519] and CWT [RFC8392]. @@ -494,472 +521,500 @@ and the token is composed and signed. The data for some claims may be held or cached for some period of time before the token is created. This period may be long, even days. Examples are measurements taken at boot or a geographic position fix taken the last time a satellite signal was received. There are individual timestamps associated with these claims to indicate their age is older than the "iat" timestamp. CWT allows the use floating-point for this claim. EAT disallows the - use of floating-point. No token may contain an iat claim in float- - point format. Any recipient of a token with a floating-point format - iat claim may consider it an error. A 64-bit integer representation - of epoch time can represent a range of +/- 500 billion years, so the - only point of a floating-point timestamp is to have precession - greater than one second. This is not needed for EAT. + use of floating-point. An EAT token MUST NOT contain an iat claim in + float-point format. Any recipient of a token with a floating-point + format iat claim MUST consider it an error. A 64-bit integer + representation of epoch time can represent a range of +/- 500 billion + years, so the only point of a floating-point timestamp is to have + precession greater than one second. This is not needed for EAT. 3.3. Nonce Claim (nonce) All EATs should have a nonce to prevent replay attacks. The nonce is generated by the Relying Party, the end consumer of the token. It is conveyed to the entity over whatever transport is in use before the token is generated and then included in the token as the nonce claim. This documents the nonce claim for registration in the IANA CWT claims registry. This is equivalent to the JWT nonce claim that is already registered. - The nonce must be at least 8 bytes (64 bits) as fewer are unlikely to - be secure. A maximum of 64 bytes is set to limit the memory a - constrained implementation uses. This size range is not set for the - already-registered JWT nonce, but it should follow this size + The nonce must be at least 8 bytes (64 bits) long as fewer bytes are + unlikely to be secure. A maximum of 64 bytes is set to limit the + memory a constrained implementation uses. This size range is not set + for the already-registered JWT nonce, but it should follow this size recommendation when used in an EAT. Multiple nonces are allowed to accommodate multistage verification and consumption. $$claims-set-claims //= (nonce-label => nonce-type / [ 2* nonce-type ]) nonce-type = bstr .size (8..64) 3.4. Universal Entity ID Claim (ueid) - UEID's identify individual manufactured entities / devices such as a - mobile phone, a water meter, a Bluetooth speaker or a networked - security camera. It may identify the entire device or a submodule or - subsystem. It does not identify types, models or classes of devices. - It is akin to a serial number, though it does not have to be - sequential. + A UEID identifies an individual manufactured entity like a mobile + phone, a water meter, a Bluetooth speaker or a networked security + camera. It may identify the entire entity or a submodule. It does + not identify types, models or classes of entities. It is akin to a + serial number, though it does not have to be sequential. - UEID's must be universally and globally unique across manufacturers - and countries. UEIDs must also be unique across protocols and + UEIDs MUST be universally and globally unique across manufacturers + and countries. UEIDs MUST also be unique across protocols and systems, as tokens are intended to be embedded in many different protocols and systems. No two products anywhere, even in completely different industries made by two different manufacturers in two different countries should have the same UEID (if they are not global and universal in this way, then Relying Parties receiving them will - have to track other characteristics of the device to keep devices + have to track other characteristics of the entity to keep entities distinct between manufacturers). - There are privacy considerations for UEID's. See Section 10.1. - - The UEID is permanent. It never change for a given device / entity. + There are privacy considerations for UEIDs. See Section 10.1. - UEIDs are variable length. All implementations MUST be able to - receive UEIDs that are 33 bytes long (1 type byte and 256 bits). The - recommended maximum sent is also 33 bytes. + The UEID is permanent. It MUST never change for a given entity. - When the entity constructs the UEID, the first byte is a type and the - following bytes the ID for that type. Several types are allowed to - accommodate different industries and different manufacturing - processes and to give options to avoid paying fees for certain types - of manufacturer registrations. + A UEID is constructed of a single type byte followed by the bytes + that are the identifier. Several types are allowed to accommodate + different industries, different manufacturing processes and to have + an alternative that doesn't require paying a registration fee. Creation of new types requires a Standards Action [RFC8126]. + UEIDs are variable length. All implementations MUST be able to + receive UEIDs that are 33 bytes long (1 type byte and 256 bits). No + UEID longer than 33 bytes SHOULD be sent. + +------+------+-----------------------------------------------------+ | Type | Type | Specification | | Byte | Name | | +------+------+-----------------------------------------------------+ - | 0x01 | RAND | This is a 128, 192 or 256 bit random number | - | | | generated once and stored in the device. This may | + | 0x01 | RAND | This is a 128, 192 or 256-bit random number | + | | | generated once and stored in the entity. This may | | | | be constructed by concatenating enough identifiers | | | | to make up an equivalent number of random bits and | | | | then feeding the concatenation through a | | | | cryptographic hash function. It may also be a | | | | cryptographic quality random number generated once | - | | | at the beginning of the life of the device and | - | | | stored. It may not be smaller than 128 bits. | - | 0x02 | IEEE | This makes use of the IEEE company identification | - | | EUI | registry. An EUI is either an EUI-48, EUI-60 or | - | | | EUI-64 and made up of an OUI, OUI-36 or a CID, | - | | | different registered company identifiers, and some | - | | | unique per-device identifier. EUIs are often the | - | | | same as or similar to MAC addresses. This type | - | | | includes MAC-48, an obsolete name for EUI-48. (Note | - | | | that while devices with multiple network interfaces | - | | | may have multiple MAC addresses, there is only one | - | | | UEID for a device) [IEEE.802-2001], [OUI.Guide] | + | | | at the beginning of the life of the entity and | + | | | stored. It MUST NOT be smaller than 128 bits. See | + | | | the length analysis in Appendix B. | + | 0x02 | IEEE | This uses the IEEE company identification registry. | + | | EUI | An EUI is either an EUI-48, EUI-60 or EUI-64 and | + | | | made up of an OUI, OUI-36 or a CID, different | + | | | registered company identifiers, and some unique | + | | | per-entity identifier. EUIs are often the same as | + | | | or similar to MAC addresses. This type includes | + | | | MAC-48, an obsolete name for EUI-48. (Note that | + | | | while entities with multiple network interfaces may | + | | | have multiple MAC addresses, there is only one UEID | + | | | for an entity) [IEEE.802-2001], [OUI.Guide]. | | 0x03 | IMEI | This is a 14-digit identifier consisting of an | | | | 8-digit Type Allocation Code and a 6-digit serial | | | | number allocated by the manufacturer, which SHALL | | | | be encoded as byte string of length 14 with each | | | | byte as the digit's value (not the ASCII encoding | | | | of the digit; the digit 3 encodes as 0x03, not | | | | 0x33). The IMEI value encoded SHALL NOT include | - | | | Luhn checksum or SVN information. [ThreeGPP.IMEI] | + | | | Luhn checksum or SVN information. See | + | | | [ThreeGPP.IMEI]. | +------+------+-----------------------------------------------------+ Table 1: UEID Composition Types - UEID's are not designed for direct use by humans (e.g., printing on + UEIDs are not designed for direct use by humans (e.g., printing on the case of a device), so no textual representation is defined. The consumer (the Relying Party) of a UEID MUST treat a UEID as a completely opaque string of bytes and not make any use of its internal structure. For example, they should not use the OUI part of - a type 0x02 UEID to identify the manufacturer of the device. Instead - they should use the oemid claim that is defined elsewhere. The + a type 0x02 UEID to identify the manufacturer of the entity. + Instead, they should use the OEMID claim. See Section 3.6. The reasons for this are: o UEIDs types may vary freely from one manufacturer to the next. o New types of UEIDs may be created. For example, a type 0x07 UEID may be created based on some other manufacturer registration scheme. - o Device manufacturers are allowed to change from one type of UEID + o Entity manufacturers are allowed to change from one type of UEID to another anytime they want. For example, they may find they can optimize their manufacturing by switching from type 0x01 to type - 0x02 or vice versa. The main requirement on the manufacturer is - that UEIDs be universally unique. + 0x02 or vice versa. The essential requirement on the manufacturer + is that UEIDs be universally unique. - A Device Indentifier URN is registered for UEIDs. See Section 9.3.4. + A Device Identifier URN is registered for UEIDs. See Section 9.3.4. $$claims-set-claims //= (ueid-label => ueid-type) ueid-type = bstr .size (7..33) 3.5. Semi-permanent UEIDs (SUEIDs) - An SEUID is of the same format as a UEID, but it may change to a + An SEUID is of the same format as a UEID, but it MAY change to a different value on device life-cycle events. Examples of these events are change of ownership, factory reset and on-boarding into an - IoT device management system. A device may have both a UEID and + IoT device management system. An entity MAY have both a UEID and SUEIDs, neither, one or the other. - There may be multiple SUEIDs. Each one has a text string label the + There MAY be multiple SUEIDs. Each one has a text string label the purpose of which is to distinguish it from others in the token. The - label may name the purpose, application or type of the SUEID. + label MAY name the purpose, application or type of the SUEID. Typically, there will be few SUEDs so there is no need for a formal - labeling mechanism like a registry. The EAT profile may describe how + labeling mechanism like a registry. The EAT profile MAY describe how SUEIDs should be labeled. If there is only one SUEID, the claim remains a map and there still must be a label. For example, the label for the SUEID used by FIDO Onboarding Protocol could simply be "FDO". - There are privacy considerations for SUEID's. See Section 10.1. + There are privacy considerations for SUEIDs. See Section 10.1. A Device Indentifier URN is registered for SUEIDs. See Section 9.3.4. $$claims-set-claims //= (sueids-label => sueids-type) sueids-type = { + tstr => ueid-type } 3.6. Hardware OEM Identification (oemid) - This claim identifies the OEM of the hardware. Any of the three - forms may be used at the convenience of the attester implementation. - The receiver of this claim MUST be able to handle all three forms. + This claim identifies the Original Equipment Manufacturer (OEM) of + the hardware. Any of the three forms described below MAY be used at + the convenience of the claim sender. The receiver of this claim MUST + be able to handle all three forms. -3.6.1. Random Number Based +3.6.1. Random Number Based OEMID - This format is always 16 bytes in size (128 bits). + The random number based OEMID MUST always 16 bytes (128 bits). - The OEM may create their own ID by using a cryptographic-quality + The OEM MAY create their own ID by using a cryptographic-quality random number generator. They would perform this only once in the life of the company to generate the single ID for said company. They - would use that same ID in every device they make. This uniquely + would use that same ID in every entity they make. This uniquely identifies the OEM on a statistical basis and is large enough should there be ten billion companies. - The OEM may also use a hash like SHA-256 and truncate the output to - 128 bits. The input to the hash should be somethings that have at - least 96 bits of entropy, but preferably 128 bits of entropy. The - input to the hash may be something whose uniqueness is managed by a - central registry like a domain name. + The OEM MAY also use a hash function like SHA-256 and truncate the + output to 128 bits. The input to the hash should be somethings that + have at least 96 bits of entropy, but preferably 128 bits of entropy. + The input to the hash MAY be something whose uniqueness is managed by + a central registry like a domain name. - This is to be base64url encoded in JSON. + In JSON format tokens this MUST be base64url encoded. -3.6.2. IEEE Based +3.6.2. IEEE Based OEMID The IEEE operates a global registry for MAC addresses and company IDs. This claim uses that database to identify OEMs. The contents of the claim may be either an IEEE MA-L, MA-M, MA-S or an IEEE CID [IEEE.RA]. An MA-L, formerly known as an OUI, is a 24-bit value used as the first half of a MAC address. MA-M similarly is a 28-bit value uses as the first part of a MAC address, and MA-S, formerly known as OUI-36, a 36-bit value. Many companies already have purchased one of these. A CID is also a 24-bit value from the same space as an MA-L, but not for use as a MAC address. IEEE has published Guidelines for - Use of EUI, OUI, and CID [OUI.Guide] and provides a lookup services + Use of EUI, OUI, and CID [OUI.Guide] and provides a lookup service [OUI.Lookup]. Companies that have more than one of these IDs or MAC address blocks - should pick one and prefer that for all their devices. + SHOULD select one and prefer that for all their entities. - Commonly, these are expressed in Hexadecimal Representation - [IEEE.802-2001] also called the Canonical format. When this claim is - encoded the order of bytes in the bstr are the same as the order in - the Hexadecimal Representation. For example, an MA-L like "AC-DE-48" - would be encoded in 3 bytes with values 0xAC, 0xDE, 0x48. For JSON - encoded tokens, this is further base64url encoded. + Commonly, these are expressed in Hexadecimal Representation as + described in [IEEE.802-2001]. It is also called the Canonical + format. When this claim is encoded the order of bytes in the bstr + are the same as the order in the Hexadecimal Representation. For + example, an MA-L like "AC-DE-48" would be encoded in 3 bytes with + values 0xAC, 0xDE, 0x48. This format is always 3 bytes in size in CBOR. -3.6.3. IANA Private Enterprise Number + In JSON format tokens, this MUST be base64url encoded and always 4 + bytes. - IANA maintains a simple integer-based company registry called the - Private Enterprise Number (PEN) [PEN]. +3.6.3. IANA Private Enterprise Number Based OEMID + + IANA maintains a integer-based company registry called the Private + Enterprise Number (PEN) [PEN]. PENs are often used to create an OID. That is not the case here. - They are used only as a simple integer. + They are used only as an integer. - In CBOR this is encoded as a major type 0 integer in CBOR and is - typically 3 bytes. It is encoded as a number in JSON. + In CBOR this value MUST be encoded as a major type 0 integer and is + typically 3 bytes. In JSON, this value MUST be encoded as a number. oemid-pen = int oemid-ieee = bstr .size 3 oemid-random = bstr .size 16 $$claims-set-claims //= ( oemid-label => oemid-random / oemid-ieee / oemid-pen ) -3.7. Hardware Version Claims (hardware-version-claims) +3.7. Hardware Model Claim (hardware-model) - The hardware version can be claimed at three different levels, the - chip, the circuit board and the final device assembly. An EAT can - include any combination these claims. + This claim differentiates hardware models, products and variants + manufactured by a particular OEM, the one identified by OEM ID in + Section 3.6. - The hardware version is a simple text string the format of which is - set by each manufacturer. The structure and sorting order of this - text string can be specified using the version-scheme item from - CoSWID [CoSWID]. + This claim must be unique so as to differentiate the models and + products for the OEM ID. This claim does not have to be globally + unique, but it can be. A receiver of this claim MUST not assume it + is globally unique. To globally identify a particular product, the + receiver should concatenate the OEM ID and this claim. - The hardware version can also be given by a 13-digit [EAN-13]. A new - CoSWID version scheme is registered with IANA by this document in - Section 9.3.3. An EAN-13 is also known as an International Article - Number or most commonly as a bar code. + The granularity of the model identification is for each OEM to + decide. It may be very granular, perhaps including some version + information. It may be very general, perhaps only indicating top- + level products. - $$claims-set-claims //= ( - chip-version-label => hw-version-type - ) + The purpose of this claim is to identify models within protocols, not + for human-readable descriptions. The format and encoding of this + claim should not be human-readable to discourage use other than in + protocols. If this claim is to be derived from an already-in-use + human-readable identifier, it can be run through a hash function. + + There is no minimum length so that an OEM with a very small number of + models can use a one-byte encoding. The maximum length is 32 bytes. + All receivers of this claim MUST be able to receive this maximum + size. + + The receiver of this claim MUST treat it as a completely opaque + string of bytes, even if there is some apparent naming or structure. + The OEM is free to alter the internal structure of these bytes as + long as the claim continues to uniquely identify its models. + + hardware-model-type = bytes .size (1..32) $$claims-set-claims //= ( - board-version-label => hw-version-type + hardware-model-label => hardware-model-type ) +3.8. Hardware Version Claims (hardware-version-claims) + + The hardware version is a text string the format of which is set by + each manufacturer. The structure and sorting order of this text + string can be specified using the version-scheme item from CoSWID + [CoSWID]. It is useful to know how to sort versions so the newer can + be distinguished from the older. + + The hardware version can also be given by a 13-digit [EAN-13]. A new + CoSWID version scheme is registered with IANA by this document in + Section 9.3.3. An EAN-13 is also known as an International Article + Number or most commonly as a bar code. + $$claims-set-claims //= ( - device-version-label => hw-version-type + hardware-version-label => hardware-version-type ) - hw-version-type = [ + hardware-version-type = [ version: tstr, scheme: $version-scheme ] -3.8. Software Name Claim +3.9. Software Name Claim - This is a simple free-form text claim for the name of the software. - A CoSWID manifest or other type of manifest can be used instead if - this is too simple. + This is a free-form text claim for the name of the software for the + entity or submodule. A CoSWID manifest or other type of manifest can + be used instead if this claim is to limited to correctly characterize + the SW for the entity or submodule. $$claims-set-claims //= ( sw-name-label => tstr ) -3.9. Software Version Claim +3.10. Software Version Claim This makes use of the CoSWID version scheme data type to give a simple version for the software. A full CoSWID manifest or other type of manifest can be instead if this is too simple. $$claims-set-claims //= (sw-version-label => sw-version-type) sw-version-type = [ version: tstr, - scheme: $version-scheme / As defined by CoSWID / + scheme: $version-scheme ; As defined by CoSWID ] -3.10. The Security Level Claim (security-level) +3.11. The Security Level Claim (security-level) - This claim characterizes the device/entity ability to defend against + This claim characterizes the entity's ability to defend against attacks aimed at capturing the signing key, forging claims and at - forging EATs. This is by defining four security levels as described - below. + forging EATs. This is by defining four security levels. - These claims describe security environment and countermeasures - available on the end-entity/client device where the attestation key - resides and the claims originate. + This claim describes the security environment and countermeasures + available on the entity where the attestation key resides and the + claims originate. 1 - Unrestricted: There is some expectation that implementor will protect the attestation signing keys at this level. Otherwise, the EAT provides no meaningful security assurances. 2 - Restricted: Entities at this level are not general-purpose - operating environments that host features such as app download - systems, web browsers and complex productivity applications. It - is akin to the secure-restricted level (see below) without the - security orientation. Examples include a Wi-Fi subsystem, an IoT - camera, or sensor device. Often these can be considered more - secure than unrestricted just because they are much simpler and a - smaller attack surface, but this won't always be the case. Some + operating environments that host features, such as app download + systems, web browsers and complex applications. It is akin to the + secure-restricted level (see below) without the security + orientation. Examples include a Wi-Fi subsystem, an IoT camera, + or sensor device. Often these can be considered more secure than + unrestricted just because they are much simpler and a smaller + attack surface, but this won't always be the case. Some unrestricted devices may be implemented in a way that provides poor protection of signing keys. 3 - Secure-Restricted: Entities at this level must meet the criteria - defined in section 4 of FIDO Allowed Restricted Operating + defined in Section 4 of FIDO Allowed Restricted Operating Environments [FIDO.AROE]. Examples include TEE's and schemes - using virtualization-based security. Like the FIDO security goal, - security at this level is aimed at defending well against large- - scale network/remote attacks against the device. + using virtualization-based security. Security at this level is + aimed at defending against large-scale network/remote attacks + against the entity. 4 - Hardware: Entities at this level must include substantial - defense against physical or electrical attacks against the device - itself. It is assumed any potential attacker has captured the - device and can disassemble it. Examples include TPMs and Secure + defense against physical or electrical attacks against the entity + itself. It is assumed the potential attacker has captured the + entity and can disassemble it. Examples include TPMs and Secure Elements. The entity should claim the highest security level it achieves and no higher. This set is not extensible so as to provide a common interoperable description of security level to the Relying Party. If - a particular implementation considers this claim to be inadequate, it - can define its own proprietary claim. It may consider including both + a particular use case considers this claim to be inadequate, it can + define its own proprietary claim. It may consider including both this claim as a coarse indication of security and its own proprietary claim as a refined indication. - This claim is not intended as a replacement for a proper end-device - security certification scheme such as those based on FIPS 140 - [FIPS-140] or those based on Common Criteria [Common.Criteria]. The - claim made here is solely a self-claim made by the Attester. + This claim is not intended as a replacement for a formal security + certification scheme, such as those based on FIPS 140 [FIPS-140] or + those based on Common Criteria [Common.Criteria]. See Section 3.21. $$claims-set-claims //= ( security-level-label => security-level-cbor-type / security-level-json-type ) security-level-cbor-type = &( unrestricted: 1, restricted: 2, secure-restricted: 3, hardware: 4 ) security-level-json-type = "unrestricted" / "restricted" / "secure-restricted" / "hardware" -3.11. Secure Boot Claim (secure-boot) +3.12. Secure Boot Claim (secure-boot) The value of true indicates secure boot is enabled. Secure boot is - considered enabled when base software, the firmware and operating - system, are under control of the entity manufacturer identified in - the OEMID claim described in Section 3.6. This may because the - software is in ROM or because it is cryptographically authenticated - or some combination of the two or other. + considered enabled when the firmware and operating system, are under + control of the manufacturer of the entity identified in the OEMID + claim described in Section 3.6. Control by the manufacturer of the + firmware and the operating system may be by it being in ROM, being + cryptographically authenticated, a combination of the two or similar. $$claims-set-claims //= (secure-boot-label => bool) -3.12. Debug Status Claim (debug-status) +3.13. Debug Status Claim (debug-status) - This applies to system-wide or submodule-wide debug facilities of the - target device / submodule like JTAG and diagnostic hardware built - into chips. It applies to any software debug facilities related to - root, operating system or privileged software that allow system-wide - memory inspection, tracing or modification of non-system software - like user mode applications. + This applies to entity-wide or submodule-wide debug facilities of the + entity like JTAG and diagnostic hardware built into chips. It + applies to any software debug facilities related to root, operating + system or privileged software that allow system-wide memory + inspection, tracing or modification of non-system software like user + mode applications. This characterization assumes that debug facilities can be enabled and disabled in a dynamic way or be disabled in some permanent way such that no enabling is possible. An example of dynamic enabling is one where some authentication is required to enable debugging. An example of permanent disabling is blowing a hardware fuse in a chip. The specific type of the mechanism is not taken into account. For example, it does not matter if authentication is by a global password - or by per-device public keys. + or by per-entity public keys. As with all claims, the absence of the debug level claim means it is - not reported. A conservative interpretation might assume the Not - Disabled state. It could however be that it is reported in a - proprietary claim. + not reported. A conservative interpretation might assume the enabled + state. This claim is not extensible so as to provide a common interoperable - description of debug status to the Relying Party. If a particular - implementation considers this claim to be inadequate, it can define - its own proprietary claim. It may consider including both this claim - as a coarse indication of debug status and its own proprietary claim - as a refined indication. + description of debug status. If a particular implementation + considers this claim to be inadequate, it can define its own + proprietary claim. It may consider including both this claim as a + coarse indication of debug status and its own proprietary claim as a + refined indication. The higher levels of debug disabling requires that all debug disabling of the levels below it be in effect. Since the lowest level requires that all of the target's debug be currently disabled, all other levels require that too. There is no inheritance of claims from a submodule to a superior module or vice versa. There is no assumption, requirement or guarantee that the target of a superior module encompasses the targets of submodules. Thus, every submodule must explicitly - describe its own debug state. The Verifier or Relying Party - receiving an EAT cannot assume that debug is turned off in a - submodule because there is a claim indicating it is turned off in a - superior module. + describe its own debug state. The receiver of an EAT MUST not assume + that debug is turned off in a submodule because there is a claim + indicating it is turned off in a superior module. - An individual target device / submodule may have multiple debug - facilities. The use of plural in the description of the states - refers to that, not to any aggregation or inheritance. + An entity may have multiple debug facilities. The use of plural in + the description of the states refers to that, not to any aggregation + or inheritance. The architecture of some chips or devices may be such that a debug facility operates for the whole chip or device. If the EAT for such a chip includes submodules, then each submodule should independently report the status of the whole-chip or whole-device debug facility. - This is the only way the Relying Party can know the debug status of - the submodules since there is no inheritance. + This is the only way the receiver can know the debug status of the + submodules since there is no inheritance. -3.12.1. Enabled +3.13.1. Enabled If any debug facility, even manufacturer hardware diagnostics, is currently enabled, then this level must be indicated. -3.12.2. Disabled +3.13.2. Disabled This level indicates all debug facilities are currently disabled. It - may be possible to enable them in the future, and it may also be - possible that they were enabled in the past after the target device/ - sub-system booted/started, but they are currently disabled. + may be possible to enable them in the future. It may also be that + they were enabled in the past, but they are currently disabled. -3.12.3. Disabled Since Boot +3.13.3. Disabled Since Boot This level indicates all debug facilities are currently disabled and - have been so since the target device/sub-system booted/started. + have been so since the entity booted/started. -3.12.4. Disabled Permanently +3.13.4. Disabled Permanently This level indicates all non-manufacturer facilities are permanently - disabled such that no end user or developer cannot enable them. Only + disabled such that no end user or developer can enable them. Only the manufacturer indicated in the OEMID claim can enable them. This also indicates that all debug facilities are currently disabled and have been so since boot/start. -3.12.5. Disabled Fully and Permanently +3.13.5. Disabled Fully and Permanently - This level indicates that all debug capabilities for the target - device/sub-module are permanently disabled. + This level indicates that all debug facilities for the entity are + permanently disabled. $$claims-set-claims //= ( debug-status-label => debug-status-cbor-type / debug-status-json-type ) debug-status-cbor-type = &( enabled: 0, disabled: 1, disabled-since-boot: 2, @@ -967,86 +1022,84 @@ disabled-fully-and-permanently: 4 ) debug-status-json-type = "enabled" / "disabled" / "disabled-since-boot" / "disabled-permanently" / "disabled-fully-and-permanently" -3.13. Including Keys +3.14. Including Keys An EAT may include a cryptographic key such as a public key. The signing of the EAT binds the key to all the other claims in the token. The purpose for inclusion of the key may vary by use case. For example, the key may be included as part of an IoT device onboarding - protocol. When the FIDO protocol includes a pubic key in its + protocol. When the FIDO protocol includes a public key in its attestation message, the key represents the binding of a user, device and Relying Party. This document describes how claims containing keys should be defined for the various use cases. It does not define specific claims for specific use cases. Keys in CBOR format tokens SHOULD be the COSE_Key format [RFC8152] and keys in JSON format tokens SHOULD be the JSON Web Key format [RFC7517]. These two formats support many common key types. Their use avoids the need to decode other serialization formats. These two formats can be extended to support further key types through their IANA registries. The general confirmation claim format [RFC8747], [RFC7800] may also be used. It provides key encryption. It also allows for inclusion by reference through a key ID. The confirmation claim format may employed in the definition of some new claim for a a particular use case. When the actual confirmation claim is included in an EAT, this document associates no use case semantics other than proof of - posession. Different EAT use cases may choose to associate further - semantics. The key in the confirmation claim MUST be protected the - same as the key used to sign the EAT. That is, the same, equivalent - or better hardware defenses, access controls, key generation and such - must be used. + possession. Different EAT use cases may choose to associate further + semantics. The key in the confirmation claim MUST be protected in + the same way as the key used to sign the EAT. That is, the same, + equivalent or better hardware defenses, access controls, key + generation and such must be used. -3.14. The Location Claim (location) +3.15. The Location Claim (location) - The location claim gives the location of the device entity from which - the attestation originates. It is derived from the W3C Geolocation - API [W3C.GeoLoc]. The latitude, longitude, altitude and accuracy - must conform to [WGS84]. The altitude is in meters above the [WGS84] + The location claim gives the location of the entity from which the + attestation originates. It is derived from the W3C Geolocation API + [W3C.GeoLoc]. The latitude, longitude, altitude and accuracy must + conform to [WGS84]. The altitude is in meters above the [WGS84] ellipsoid. The two accuracy values are positive numbers in meters. - The heading is in degrees relative to true north. If the device is + The heading is in degrees relative to true north. If the entity is stationary, the heading is NaN (floating-point not-a-number). The - speed is the horizontal component of the device velocity in meters + speed is the horizontal component of the entity velocity in meters per second. - When encoding floating-point numbers half-precision should not be - used. It usually does not provide enough precision for a geographic - location. It is not a requirement that the receiver of an EAT - implement half-precision, so the receiver may not be able to decode - the location. + When encoding floating-point numbers half-precision SHOULD NOT be + used. They usually do not provide enough precision for a geographic + location. The location may have been cached for a period of time before token creation. For example, it might have been minutes or hours or more since the last contact with a GPS satellite. Either the timestamp or age data item can be used to quantify the cached period. The timestamp data item is preferred as it a non-relative time. The age data item can be used when the entity doesn't know what time it is either because it doesn't have a clock or it isn't set. The - entity must still have a "ticker" that can measure a time interval. + entity MUST still have a "ticker" that can measure a time interval. The age is the interval between acquisition of the location data and token creation. - See location-related privacy considerations in Section 10.2 below. + See location-related privacy considerations in Section 10.2. $$claims-set-claims //= (location-label => location-type) location-type = { latitude => number, longitude => number, ? altitude => number, ? accuracy => number, ? altitude-accuracy => number, ? heading => number, @@ -1058,71 +1111,81 @@ latitude = 1 / "latitude" longitude = 2 / "longitude" altitude = 3 / "altitude" accuracy = 4 / "accuracy" altitude-accuracy = 5 / "altitude-accuracy" heading = 6 / "heading" speed = 7 / "speed" timestamp = 8 / "timestamp" age = 9 / "age" -3.15. The Uptime Claim (uptime) +3.16. The Uptime Claim (uptime) - The "uptime" claim contains a value that represents the number of + The "uptime" claim MUST contain a value that represents the number of seconds that have elapsed since the entity or submod was last booted. $$claims-set-claims //= (uptime-label => uint) -3.16. The Boot Seed Claim (boot-seed) +3.17. The Boot Odometer Claim (odometer) - The Boot Seed claim is a random value created at system boot time - that will allow differentiation of reports from different boot - sessions. This value is usually public and not protected. It is not - the same as a seed for a random number generator which must be kept - secret. + The "odometer" claim contains a value that represents the number of + times the entity or submod has been booted. Support for this claim + requires a persistent storage on the device. + + $$claims-set-claims //= (odometer-label => uint) + +3.18. The Boot Seed Claim (boot-seed) + + The Boot Seed claim MUST contain a random value created at system + boot time that will allow differentiation of reports from different + boot sessions. + + This value is usually public. It is not a secret and MUST NOT be + used for any purpose that a secret seed is needed, such as seeding a + random number generator. $$claims-set-claims //= (boot-seed-label => bytes) -3.17. The Intended Use Claim (intended-use) +3.19. The Intended Use Claim (intended-use) EAT's may be used in the context of several different applications. The intended-use claim provides an indication to an EAT consumer about the intended usage of the token. This claim can be used as a way for an application using EAT to internally distinguish between different ways it uses EAT. - 1 - Generic Generic attestation describes an application where the - EAT consumer requres the most up-to-date security assessment of + 1 - Generic: Generic attestation describes an application where the + EAT consumer requires the most up-to-date security assessment of the attesting entity. It is expected that this is the most commonly-used application of EAT. - 2- Registration Entities that are registering for a new service may + 2- Registration: Entities that are registering for a new service may be expected to provide an attestation as part of the registration process. This intended-use setting indicates that the attestation is not intended for any use but registration. - 3 - Provisioning Entities may be provisioned with different values + 3 - Provisioning: Entities may be provisioned with different values or settings by an EAT consumer. Examples include key material or device management trees. The consumer may require an EAT to - assess device security state of the entity prior to provisioning. + assess entity security state of the entity prior to provisioning. - 4 - Certificate Issuance (Certificate Signing Request) Certifying - authorities (CA's) may require attestations prior to the issuance - of certificates related to keypairs hosted at the entity. An EAT - may be used as part of the certificate signing request (CSR). + 4 - Certificate Issuance Certification Authorities (CA's) may + require attestations prior to the issuance of certificates related + to keypairs hosted at the entity. An EAT may be used as part of + the certificate signing request (CSR). - 5 - Proof-of-Possession An EAT consumer may require an attestation - as part of an accompanying proof-of-possession (PoP) appication. + 5 - Proof-of-Possession: An EAT consumer may require an attestation + as part of an accompanying proof-of-possession (PoP) application. More precisely, a PoP transaction is intended to provide to the recipient cryptographically-verifiable proof that the sender has - posession of a key. This kind of attestation may be neceesary to - verify the security state of the entity storing the private key + possession of a key. This kind of attestation may be necceesary + to verify the security state of the entity storing the private key used in a PoP application. $$claims-set-claims //= ( intended-use-label => intended-use-cbor-type / intended-use-json-type ) intended-use-cbor-type = &( generic: 1, registration: 2, @@ -1131,267 +1194,253 @@ pop: 5 ) intended-use-json-type = "generic" / "registration" / "provisioning" / "csr" / "pop" -3.18. The Profile Claim (profile) +3.20. The Profile Claim (profile) See Section 7 for the detailed description of a profile. A profile is identified by either a URL or an OID. Typically, the URI will reference a document describing the profile. An OID is just a unique identifier for the profile. It may exist anywhere in the OID tree. There is no requirement that the named document be publicly accessible. The primary purpose of the profile claim is to uniquely identify the profile even if it is a private profile. - The OID is encoded in CBOR according to [CBOR.OID] and the URI - according to [RFC8949]. Both are unwrapped and thus not tags. The - OID is always absolute and never relative. If the claims CBOR type - is a text string it is a URI and if a byte string it is an OID. + The OID is always absolute and never relative. In CBOR tokens, the + OID MUST be encoded according to [RFC9090] and the URI according to + [RFC8949]. Both are unwrapped and thus not CBOR tags. In JSON + tokens, the OID is a string of the form "X.X.X", and a URI is a + normal URI string. - Note that this named "eat_profile" for JWT and is distinct from the - already registered "profile" claim in the JWT claims registry. + Note that this is named "eat_profile" for JWT and is distinct from + the already registered "profile" claim in the JWT claims registry. $$claims-set-claims //= (profile-label => ~uri / ~oid) - oid = #6.4000(bstr) ; TODO: Replace with CDDL from OID RFC - -3.19. The DLOA (Digital Letter or Approval) Claim (dloas) +3.21. The DLOA (Digital Letter or Approval) Claim (dloas) A DLOA (Digital Letter of Approval) [DLOA] is an XML document that - describes a certification that a device or entity has received. - Examples of certifications represented by a DLOA include those issued - by Global Platform and those based on Common Criteria. The DLOA is - unspecific to any particular certification type or those issued by - any particular organization. + describes a certification that an entity has received. Examples of + certifications represented by a DLOA include those issued by Global + Platform and those based on Common Criteria. The DLOA is unspecific + to any particular certification type or those issued by any + particular organization. This claim is typically issued by a Verifier, not an Attester. When - this claim is issued by a Verifier, it MUST be because the entity, - device or submodule has received the certification in the DLOA. + this claim is issued by a Verifier, it MUST be because the entity has + received the certification in the DLOA. - This claim can contain more than one DLOA. If multiple DLOAs are - present, it MUST be because the entity, device or submodule received - all of the certifications. + This claim MAY contain more than one DLOA. If multiple DLOAs are + present, it MUST be because the entity received all of the + certifications. DLOA XML documents are always fetched from a registrar that stores them. This claim contains several data items used to construct a URL for fetching the DLOA from the particular registrar. - The first data item is a URI for the registrar. The second data item - is a platform label to indicate the particular platform that was - certified. For platform certifications only these two are needed. - - A DLOA may equally apply to an application. In that case it has the - URI for the registrar, a platform label and additionally an - application label. - - The method of combining the registrar URI, platform label and - possibly application label is specified in [DLOA]. + This claim MUST be encoded as an array with either two or three + elements. The first element MUST be the URI for the registrar. The + second element MUST be a platform label indicating which platform was + certified. If the DLOA applies to an application, then the third + element is added which MUST be an application label. The method of + constructing the registrar URI, platform label and possibly + application label is specified in [DLOA]. $$claims-set-claims //= ( dloas-label => [ + dloa-type ] ) dloa-type = [ dloa_registrar: ~uri dloa_platform_label: text ? dloa_application_label: text ] -3.20. The Software Manifests Claim (manifests) +3.22. The Software Manifests Claim (manifests) - This claim contains descriptions of software that is present on the - device. These manifests are installed on the device when the - software is installed or are created as part of the installation - process. Installation is anything that adds software to the device, - possibly factory installation, the user installing elective - applications and so on. The defining characteristic is that they are - created by the software manufacturer. The purpose of these claims in - an EAT is to relay them without modification to the Verifier and/or - the Relying Party. + This claim contains descriptions of software present on the entity. + These manifests are installed on the entity when the software is + installed or are created as part of the installation process. + Installation is anything that adds software to the entity, possibly + factory installation, the user installing elective applications and + so on. The defining characteristic is they are created by the + software manufacturer. The purpose of these claims in an EAT is to + relay them without modification to the Verifier and possibly to the + Relying Party. - In some cases these will be signed by the software manufacturer - independent of any signing for the purpose of EAT attestation. - Manifest claims should include the manufacturer's signature (which - will be signed over by the attestation signature). In other cases - the attestation signature will be the only one. + Some manifests may be signed by their software manufacturer before + they are put into this EAT claim. When such manifests are put into + this claim, the manufacturer's signature SHOULD be included. For + example, the manifest might be a CoSWID signed by the software + manufacturer, in which case the full signed CoSWID should be put in + this claim. - This claim allows multiple formats for the manifest. For example the - manifest may be a CBOR-format CoSWID, an XML-format SWID or other. - Identification of the type of manifest is always by a CBOR tag. In - many cases, for examples CoSWID, a tag will already be registered - with IANA. If not, a tag MUST be registered. It can be in the - first-come-first-served space which has minimal requirements for - registration. + This claim allows multiple formats for the manifest. For example, + the manifest may be a CBOR-format CoSWID, an XML-format SWID or + other. Identification of the type of manifest is always by a CBOR + tag. In many cases, for examples CoSWID, a tag will already be + registered with IANA. If not, a tag MUST be registered. It can be + in the first-come-first-served space which has minimal requirements + for registration. The claim is an array of one or more manifests. To facilitate hand off of the manifest to a decoding library, each manifest is contained in a byte string. This occurs for CBOR-format manifests as well as non-CBOR format manifests. If a particular manifest type uses CBOR encoding, then the item in the array for it MUST be a byte string that contains a CBOR tag. The EAT decoder must decode the byte string and then the CBOR within it to find the tag number to identify the type of manifest. The contents of the byte string is then handed to the particular manifest processor for that type of manifest. CoSWID and SUIT manifest are examples of this. If a particular manifest type does not use CBOR encoding, then the - item in the array for it must be a CBOR tag that contains a byte + item in the array for it MUST be a CBOR tag that contains a byte string. The EAT decoder uses the tag to identify the processor for that type of manifest. The contents of the tag, the byte string, are handed to the manifest processor. Note that a byte string is used to contain the manifest whether it is a text based format or not. An example of this is an XML format ISO/IEC 19770 SWID. - It is not possible to describe the above requirements in CDDL so the + It is not possible to describe the above requirements in CDDL, so the type for an individual manifest is any in the CDDL below. The above text sets the encoding requirement. This claim allows for multiple manifests in one token since multiple software packages are likely to be present. The multiple manifests - may be of multiple formats. In some cases EAT submodules may be used + MAY be of multiple formats. In some cases EAT submodules may be used instead of the array structure in this claim for multiple manifests. When the [CoSWID] format is used, it MUST be a payload CoSWID, not an evidence CoSWID. $$claims-set-claims //= ( manifests-label => manifests-type ) manifests-type = [+ $$manifest-formats] - ; Must be a CoSWID payload type - ; TODO: signed CoSWIDs coswid-that-is-a-cbor-tag-xx = tagged-coswid $$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx - ; TODO: make this work too - ;$$manifest-formats /= bytes .cbor SUIT_Envelope_Tagged - -3.21. The Software Evidence Claim (swevidence) +3.23. The Software Evidence Claim (swevidence) This claim contains descriptions, lists, evidence or measurements of - the software that exists on the device. The defining characteristic + the software that exists on the entity. The defining characteristic of this claim is that its contents are created by processes on the - device that inventory, measure or otherwise characterize the software - on the device. The contents of this claim do not originate from the + entity that inventory, measure or otherwise characterize the software + on the entity. The contents of this claim do not originate from the software manufacturer. - In most cases the contents of this claim are signed as part of - attestation signing, but independent signing in addition to the - attestation signing is not ruled out when a particular evidence - format supports it. - This claim uses the same mechanism for identification of the type of the swevidence as is used for the type of the manifest in the manifests claim. It also uses the same byte string based mechanism for containing the claim and easing the hand off to a processing library. See the discussion above in the manifests claim. When the [CoSWID] format is used, it MUST be evidence CoSWIDs, not payload CoSWIDS. $$claims-set-claims //= ( swevidence-label => swevidence-type ) swevidence-type = [+ $$swevidence-formats] - ; Must be a CoSWID evidence type that is a CBOR tag - ; TODO: fix the CDDL so a signed CoSWID is allowed too coswid-that-is-a-cbor-tag = tagged-coswid $$swevidence-formats /= bytes .cbor coswid-that-is-a-cbor-tag -3.22. The SW Measurement Results Claim (swresults) +3.24. The SW Measurement Results Claim (swresults) This claims reports the outcome of the comparison of a measurement on some software to the expected Reference Values. It may report a successful comparison, failed comparison or other. - This claim may be generated by the Verifier and sent to the Relying + This claim MAY be generated by the Verifier and sent to the Relying Party. For example, it could be the results of the Verifier comparing the contents of the swevidence claim to Reference Values. - This claim can also be generated on the device if the device has the + This claim MAY also be generated on the entity if the entity has the ability for one subsystem to measure another subsystem. For example, a TEE might have the ability to measure the software of the rich OS and may have the Reference Values for the rich OS. Within an attestation target or submodule, multiple results can be reported. For example, it may be desirable to report the results for the kernel and each individual application separately. - For each software objective, the following can be reported. + For each software objective, the following can be reported. TODO: + defined objective -3.22.1. Scheme +3.24.1. Scheme This is the free-form text name of the verification system or scheme that performed the verification. There is no official registry of schemes or systems. It may be the name of a commercial product or such. -3.22.2. Objective +3.24.2. Objective This roughly characterizes the coverage of the software measurement software. This corresponds to the attestation target or the submodule. If all of the indicated target is not covered, the measurement must indicate partial. - 1 - all Indicates all the software has been verified, for example, + 1 - all: Indicates all the software has been verified, for example, all the software in the attestation target or the submodule - 2 - firmware Indicates all of and only the firmware + 2 - firmware: Indicates all of and only the firmware - 3 - kernel Refers to all of the most-privileged software, for + 3 - kernel: Refers to all of the most-privileged software, for example the Linux kernel - 4 - privileged Refers to all of the software used by the root, + 4 - privileged: Refers to all of the software used by the root, system or administrative account - 5 - system-libs Refers to all of the system libraries that are + 5 - system-libs: Refers to all of the system libraries that are broadly shared and used by applications and such - 6 - partial Some other partial set of the software + 6 - partial: Some other partial set of the software -3.22.3. Results +3.24.3. Results This describes the result of the measurement and also the comparison to Reference Values. - 1 - verificaton-not-run Indicates no attempt was made to run the - verification + 1 - verification-not-run: Indicates that no attempt was made to run + the verification - 2 - verification-indeterminite The verification was attempted, but + 2 - verification-indeterminite: The verification was attempted, but it did not produce a result; perhaps it ran out of memory, the battery died or such - 3 - verification-failed The verification ran to completion, the + 3 - verification-failed: The verification ran to completion, the comparison was completed and did not compare correctly to the Reference Values - 4 - fully-verified The verification ran to completion and all + 4 - fully-verified: The verification ran to completion and all measurements compared correctly to Reference Values - 5 - partially-verified The verification ran to completion and some, - but not all measurements compared correctly to Reference Values + 5 - partially-verified: The verification ran to completion and some, + but not all, measurements compared correctly to Reference Values -3.22.4. Objective Name +3.24.4. Objective Name This is a free-form text string that describes the objective. For example, "Linux kernel" or "Facebook App" $$claims-set-claims //= (swresults-label => [ + swresult-type ]) verification-result-cbor-type = &( verification-not-run: 1, verification-indeterminate: 2, verification-failed: 3, fully-verified: 4, @@ -1424,175 +1473,169 @@ swresult-type = [ verification-system: tstr, objective: verification-objective-cbor-type / verification-objective-json-type, result: verification-result-cbor-type / verification-result-json-type, ? objective-name: tstr ] -3.23. Submodules (submods) +3.25. Submodules (submods) Some devices are complex, having many subsystems. A mobile phone is a good example. It may have several connectivity subsystems for communications (e.g., Wi-Fi and cellular). It may have subsystems - for low-power audio and video playback. It may have one or more - security-oriented subsystems like a TEE or a Secure Element. + for low-power audio and video playback. It may have multiple + security-oriented subsystems like a TEE and a Secure Element. The claims for a subsystem can be grouped together in a submodule or submod. The submods are in a single map/object, one entry per submodule. There is only one submods map/object in a token. It is identified by its specific label. It is a peer to other claims, but it is not called a claim because it is a container for a claims set rather than an individual claim. This submods part of a token allows what might be called recursion. It allows claims sets inside of claims sets inside of claims sets... -3.23.1. Submodule Types +3.25.1. Submodule Types - The following sections define the three major types of submodules: + The following sections define the three types of submodules: o A submodule Claims-Set o A nested token, which can be any valid EAT token, CBOR or JSON o The digest of a detached Claims-Set - These are distinguished primarily by their data type which may be a - map/object, string or array. - -3.23.1.1. Submodule Claims-Set +3.25.1.1. Submodule Claims-Set - This is simply a subordinate Claims-Set containing claims about the + This is a subordinate Claims-Set containing claims about the submodule. The submodule claims-set is produced by the same Attester as the surrounding token. It is secured using the same mechanism as the enclosing token (e.g., it is signed by the same attestation key). It - roughly corresponds to an Attester Target Environment as described in - the RATS architecture. + roughly corresponds to an Attester Target Environment, as described + in the RATS architecture. It may contain claims that are the same as its surrounding token or superior submodules. For example, the top-level of the token may have a UEID, a submod may have a different UEID and a further subordinate submodule may also have a UEID. - The encoding of a submodule Claims-Set is always the same as the + The encoding of a submodule Claims-Set MUST be the same as the encoding as the token it is part of. - This data type for this type of submodule is a map/object as that is - the type of a Claims-Set. + This data type for this type of submodule is a map/object. It is + identified when decoding by it's type being a map/object. -3.23.1.2. Nested Token +3.25.1.2. Nested Token This type of submodule is a fully formed complete token. It is typically produced by a separate Attester. It is typically used by a Composite Device as described in RATS Architecture - [RATS.Architecture] - - In being a submodule of the surrounding token, it is - cryptographically bound to the surrounding token. If it was conveyed - in parallel with the surrounding token, there would be no such - binding and attackers could substitute a good attestation from + [RATS.Architecture] In being a submodule of the surrounding token, it + is cryptographically bound to the surrounding token. If it was + conveyed in parallel with the surrounding token, there would be no + such binding and attackers could substitute a good attestation from another device for the attestation of an errant subsystem. - A nested token does NOT need to use the same encoding as the + A nested token does not need to use the same encoding as the enclosing token. This is to allow Composite Devices to be built - without regards to the encoding supported by their Attesters. + without regards to the encoding supported by their Attesters. Thus a + CBOR-encoded token like a CWT or UCCS can have a JWT as a nested + token submodule and a JSON-encoded token can have a CWT or UCCS as a + nested token submodule. - Thus a CBOR-encoded token like a CWT or UCCS can have a JWT as a - nested token submodule and a JSON-encoded token can have a CWT or - UCCS as a nested token submodule. + The following two sections describe how to encode and decode a nested + token. - The data type for this type of submodule is either a text or byte - string. +3.25.1.2.1. Surrounding EAT is CBOR-Encoded - Mechanisms are defined for identifying the encoding and type of the - nested token. These mechanisms are different for CBOR and JSON - encoding. The type of a CBOR-encoded nested token is identified - using the CBOR tagging mechanism and thus is in common with - identification used when any CBOR-encoded token is part of a CBOR- - based protocol. A new simple type mechanism is defined for - indication of the type of a JSON-encoded token since there is no JSON - equivalent of tagging. + This describes the encoding and decoding of CBOR or JSON-encoded + tokens nested inside a CBOR-encoded token. -3.23.1.2.1. Surrounding EAT is CBOR-Encoded + If the nested token is CBOR-encoded, then it MUST be a CBOR tag and + MUST be wrapped in a byte string. The tag identifies whether the + nested token is a CWT, a UCCS, a CBOR-encoded DEB, or some other + CBOR-format token defined in the future. A nested CBOR-encoded token + that is not a CBOR tag is NOT allowed. - If the submodule is a byte string, then the nested token is CBOR- - encoded. The byte string always wraps a token that is a tag. The - tag identifies whether the nested token is a CWT, a UCCS or a CBOR- - encoded DEB. + If the nested token is JSON-encoded, then the data item MUST be a + text string. The text string MUST contain a JSON-encoded array of + two items. The first item is a string identifying the type of the + token. The second item is the JSON-encoded token. - If the submodule is a text string, then the nested token is JSON- - encoded. The text string contains JSON. That JSON is the exactly - the JSON described in the next section with one exception. The token - can't be CBOR-encoded. + The string identifying the JSON-encoded token MUST be one of the + following: - ; This specifies how one fully-formed token is nested inside a - ; CBOR-format token. The fully-formed nested token is any valid - ; token, CBOR or JSON (JWT, CWT, UCCS, DEB...) The mechanism for - ; identifying the type of the nested token is specific to the format - ; of the surrounding token, CBOR in this case. - ; - ; A primary reason this is encoding-specific is that JSON does not - ; have an equivalent to CBOR tags. - ; - ; If the data type here is text, then the nested token is JSON - ; format, one of a JWT, UJCS or JSON-encoded DEB. The means for - ; distinguishing which is in the definition of JSON-encoded - ; Nested-Token. If the data type is bstr, then the nested token - ; is CBOR format. It is byte-string wrapped and identified by a - ;CBOR tag. + "JWT": The second item MUST be a JWT formatted according to + [RFC7519] + + "UJCS": The second item MUST be a UJCS-Message as defined in this + document. + + "DEB": The second item MUST be a JSON-encoded Detached EAT Bundle as + defined in this document. + + The definition of additional types requires a standards action. + + When decoding, if a byte string is encountered, it is known to be a + nested CBOR-encoded token. The byte string wrapping is removed. The + type of the token is determined by the CBOR tag. + + When decoding, if a text string is encountered, it is known to be a + JSON-encoded token. The two-item array is decoded and tells the type + of the JSON-encoded token. Nested-Token = tstr / ; A JSON-encoded Nested-Token (see json-nested-token.cddl) bstr .cbor Tagged-CBOR-Token -3.23.1.2.2. Surrounding EAT is JSON-Encoded +3.25.1.2.2. Surrounding EAT is JSON-Encoded - A nested token in a JSON-encoded token is an array of two items. The - first is a string that indicates the type of the second item as - follows: + This describes the encoding and decoding of CBOR or JSON-encoded + tokens nested inside a JSON-encoded token. - "JWT" A JWT formatted according to [RFC7519] + The nested token MUST be an array of two in the same format as + described in the section above. - "CBOR" Some base64url-encoded CBOR that is a tag that is either a - CWT, UCCS or CBOR-encoded DEB + A CBOR-encoded token nested inside a JSON-encoded MUST use the same + array of two, but with the type as follows: - "UJCS" A UJCS-Message. (A UJCS-Message is identical to a JSON- - encoded Claims-Set) + "CBOR": Some base64url-encoded CBOR that is a tag, typically a CWT, + UCCS or CBOR-encoded DEB - "DEB" A JSON-encoded Detached EAT Bundle. + When decoding, the array of two is decoded. The first item indicates + the type and encoding of the nested token. If the type string is not + "CBOR", then the token is JSON-encoded and of the type indicated by + the string. - ; This describes a nested token that occurs inside a JSON-encoded - ; token. It uses an array that is made up of a type indicator and the - ; actual token. This is a substitute for the CBOR tag mechanism that - ; JSON does not have. + If the type string is "CBOR", then the token is CBOR-encoded. The + base64url encoding is removed. The CBOR-encoded data is then + decoded. The type of nested token is determined by the CBOR-tag. It + is an error if the CBOR is not a tag. Nested-Token = [ type : "JWT" / "CBOR" / "UJCS" / "DEB", nested-token : JWT-Message / B64URL-Tagged-CBOR-Token / DEB-JSON-Message / UJCS-Message ] - ; This text is a Tagged-CBOR-Token (see cbor-token.cddl) that is - ; base64url encoded. For example, it is a CWT that is a COSE_Sign1 - ; that is a CBOR tag that has been base64url encoded. - B64URL-Tagged-CBOR-Token = tstr .regexp "[A-Za-z0-9_=-]+" -3.23.1.3. Detached Submodule Digest +3.25.1.3. Detached Submodule Digest This is type of submodule equivalent to a Claims-Set submodule, except the Claims-Set is conveyed separately outside of the token. This type of submodule consists of a digest made using a cryptographic hash of a Claims-Set. The Claims-Set is not included in the token. It is conveyed to the Verifier outside of the token. The submodule containing the digest is called a detached digest. The separately conveyed Claims-Set is called a detached claims set. @@ -1614,92 +1657,81 @@ Probably, every data item in it is of fixed length. The integrity protection for the larger Claims Sets will not be as secure as those originating in hardware block, but the key material and hardware-based claims will be. It is possible for the hardware to enforce hardware access control (memory protection) on the digest registers so that some of the larger claims can be more secure. For example, one register may be writable only by the TEE, so the detached claims from the TEE will have TEE-level security. - The data type for this type of submodule is an array It contains two - data items, an algorithm identifier and a byte string containing the - digest. + The data type for this type of submodule MUST be an array It contains + two data items, an algorithm identifier and a byte string containing + the digest. + + When decoding a CBOR format token the detached digest type is + distringuished from the other types by it being an array. In CBOR + the none of other submodule types are arrays. + + When decoding a JSON format token, a little more work is required + because both the nested token and detached digest types are an array. + To distinguish the nested token from the detached digest, the first + element in the array is examined. If it is "JWT", "UJCS" or "DEB", + the the submodule is a nested token. Otherwise it will contain an + algorithm identifier and is a detached digest. A DEB, described in Section 5, may be used to convey detached claims sets and the token with their detached digests. EAT, however, doesn't require use of a DEB. Any other protocols may be used to convey detached claims sets and the token with their detached digests. Note that since detached Claims-Sets are usually signed, protocols conveying them must make sure they are not modified in transit. -3.23.2. No Inheritance +3.25.2. No Inheritance The subordinate modules do not inherit anything from the containing token. The subordinate modules must explicitly include all of their claims. This is the case even for claims like the nonce. This rule is in place for simplicity. It avoids complex inheritance rules that might vary from one type of claim to another. -3.23.3. Security Levels +3.25.3. Security Levels The security level of the non-token subordinate modules should always be less than or equal to that of the containing modules in the case of non-token submodules. It makes no sense for a module of lesser security to be signing claims of a module of higher security. An example of this is a TEE signing claims made by the non-TEE parts (e.g. the high-level OS) of the device. The opposite may be true for the nested tokens. They usually have their own more secure key material. An example of this is an embedded secure element. -3.23.4. Submodule Names +3.25.4. Submodule Names The label or name for each submodule in the submods map is a text string naming the submodule. No submodules may have the same name. -3.23.5. CDDL for submods +3.25.5. CDDL for submods - ; This is the part of a token that contains all the submodules. It - ; is a peer with the claims in the token, but not a claim, only a - ; map/object to hold all the submodules. + The submodule type is distinguished in the encoded bytes by its data + type, map/object for a Claims-Set, string for nested token and array + for a detached submodule. Nested tokens are byte-string wrapped when + encoded in CBOR and base64 encoded for JSON. $$claims-set-claims //= (submods-label => { + text => Submodule }) - ; A submodule can be: - ; - A simple Claims-Set (encoded in the same format as the token) - ; - A digest of a detached Claims-Set (encoded in the same format as - ; the token) - ; - A nested token which may be either CBOR or JSON format. Further, - ; the mechanism for identifying and containing the nested token - ; depends on the format of the surrounding token, particularly - ; because JSON doesn't have any equivalent of a CBOR tag so a - ; JSON-specific mechanism is invented. Also, there is the issue - ; that binary data must be B64 encoded when carried in - ; JSON. Nested-Token is defined in the format specific CDDL, not - ; here. - - ; Note that at nested token can either be a signed token like a CWT - ; or JWT, an unsigned token like a UCCS or UJCS, or a DEB (detached - ; EAT bundle). The specific encoding of these is format-specific - ; so it doesn't appear here. - Submodule = Claims-Set / Nested-Token / Detached-Submodule-Digest - ; This is for both JSON and CBOR. JSON uses text label for - ; algorithm from JOSE registry. CBOR uses integer label for - ; algorithm from COSE registry. In JSON the digest is base64 - ; encoded. - Detached-Submodule-Digest = [ algorithm : int / text, digest : bstr ] 4. Unprotected JWT Claims-Sets This is simply the JSON equivalent of an Unprotected CWT Claims-Set [UCCS.Draft]. @@ -1746,31 +1778,27 @@ normal rules apply for use or non-use of a tag. When it is sent as a submodule, it is always sent as a tag to distinguish it from the other types of nested tokens. The digests of the detached claims sets are associated with detached claims-sets by label/name. It is up to the constructor of the detached EAT bundle to ensure the names uniquely identify the detached claims sets. Since the names are used only in the detached EAT bundle, they can be very short, perhaps one byte. - ; Top-level definition of a DEB for CBOR and JSON - Detached-EAT-Bundle = [ main-token : Nested-Token, detached-claims-sets: { + tstr => cbor-wrapped-claims-set / json-wrapped-claims-set } ] - ; text content is a base64url encoded JSON-format Claims-Set - json-wrapped-claims-set = tstr .regexp "[A-Za-z0-9_=-]+" cbor-wrapped-claims-set = bstr .cbor Claims-Set 6. Endorsements and Verification Keys The Verifier must possess the correct key when it performs the cryptographic part of an EAT verification (e.g., verifying the COSE/ JOSE signature). This section describes several ways to identify the verification key. There is not one standard method. @@ -1844,21 +1872,21 @@ Compressed X.509 and CBOR Native certificates are defined by CBOR Certificates [CBOR.Cert.Draft]. These are semantically compatible with X.509 and therefore can be used as an equivalent to X.509 as described above. These are identified by their own header parameters (c5t, c5u,...). 6.1.4. Claim-Based Key Identification For some attestation systems, a claim may be re-used as a key - identifier. For example, the UEID uniquely identifies the device and + identifier. For example, the UEID uniquely identifies the entity and therefore can work well as a key identifier or Endorsement identifier. This has the advantage that key identification requires no additional bytes in the EAT and makes the EAT smaller. This has the disadvantage that the unverified EAT must be substantially decoded to obtain the identifier since the identifier is in the COSE/JOSE payload, not in the headers. @@ -1881,21 +1909,21 @@ 7. Profiles This EAT specification does not gaurantee that implementations of it will interoperate. The variability in this specification is necessary to accommodate the widely varying use cases. An EAT profile narrows the specification for a specific use case. An ideal EAT profile will guarantee interoperability. The profile can be named in the token using the profile claim - described in Section 3.18. + described in Section 3.20. A profile can apply to Attestation Evidence or to Attestation Results or both. 7.1. Format of a Profile Document A profile document doesn't have to be in any particular format. It may be simple text, something more formal or a combination. In some cases CDDL may be created that replaces CDDL in this or other @@ -2132,21 +2160,21 @@ This specification gives no blanket requirements to narrow CBOR serialization for all uses of EAT. This allows individual uses to tailor serialization to the environment. It also may result in EAT implementations that don't interoperate. One way to guarantee interoperability is to clearly specify CBOR serialization in a profile document. See Section 7 for a list of serialization issues that should be addressed. - EAT will be commonly used where the device generating the attestation + EAT will be commonly used where the entity generating the attestation is constrained and the receiver/Verifier of the attestation is a capacious server. Following is a set of serialization requirements that work well for that use case and are guaranteed to interoperate. Use of this serialization is recommended where possible, but not required. An EAT profile may just reference the following section rather than spell out serialization details. 8.3.1. EAT Constrained Device Serialization o Preferred serialization described in section 4.1 of [RFC8949] is @@ -2166,98 +2194,77 @@ o Deterministic encoding described in Section 4.2 of [RFC8949] is not required. o Basic validity described in section 5.3.1 of [RFC8949] must be followed. The EAT encoder must not send duplicate map keys/labels or invalid UTF-8 strings. 8.4. Collected Common CDDL - ; This is the fundamental definition of a Claims-Set for both CBOR - ; and JSON. It is a set of label-value pairs each of which is a - ; claim. - ; - ; In CBOR the labels can be integers or strings with a strong - ; preference for integers. For JSON, the labels are always strings. - ; - ; The values can be anything, with some consideration for types that - ; can work in both CBOR and JSON. - Claims-Set = { * $$claims-set-claims, * Claim-Label .feature "extended-label" => any } Claim-Label = int / text string-or-uri = tstr time-int = #6.1(int) - ; This is CDDL for the 7 individual claims that are defined in CWT - ; and JWT. This CDDL works for either CBOR format CWT or JSON format - ; JWT The integer format CWT Claim Keys (the labels) are defined in - ; cwt-labels.cddl. The string format JWT Claim Names (the labels) - ; are defined in jwt-labels.cddl. - - ; $$claims-set-claims is defined in claims-set.cddl - $$claims-set-claims //= (iss-label => text) $$claims-set-claims //= (sub-label => text) $$claims-set-claims //= (aud-label => text) $$claims-set-claims //= (exp-label => ~time) $$claims-set-claims //= (nbf-label => ~time) $$claims-set-claims //= (iat-label => ~time) - ; TODO: how does the bstr get handled in JSON validation with the - ; cddl tool? TODO: should this be a text for JSON? - ; $$claims-set-claims //= (cti-label : bytes) $$claims-set-claims //= (nonce-label => nonce-type / [ 2* nonce-type ]) nonce-type = bstr .size (8..64) - $$claims-set-claims //= (ueid-label => ueid-type) ueid-type = bstr .size (7..33) $$claims-set-claims //= (sueids-label => sueids-type) + sueids-type = { + tstr => ueid-type } - oemid-pen = int oemid-ieee = bstr .size 3 - oemid-random = bstr .size 16 $$claims-set-claims //= ( oemid-label => oemid-random / oemid-ieee / oemid-pen ) $$claims-set-claims //= ( - chip-version-label => hw-version-type + hardware-version-label => hardware-version-type ) - $$claims-set-claims //= ( - board-version-label => hw-version-type - ) +hardware-version-type = [ + version: tstr, + scheme: $version-scheme +] +hardware-model-type = bytes .size (1..32) $$claims-set-claims //= ( - device-version-label => hw-version-type + hardware-model-label => hardware-model-type ) +$$claims-set-claims //= ( sw-name-label => tstr ) +$$claims-set-claims //= (sw-version-label => sw-version-type) - hw-version-type = [ +sw-version-type = [ version: tstr, - scheme: $version-scheme + scheme: $version-scheme ; As defined by CoSWID ] - $$claims-set-claims //= ( sw-name-label => tstr ) - $$claims-set-claims //= ( security-level-label => security-level-cbor-type / security-level-json-type ) security-level-cbor-type = &( unrestricted: 1, restricted: 2, secure-restricted: 3, @@ -2305,28 +2312,27 @@ latitude = 1 / "latitude" longitude = 2 / "longitude" altitude = 3 / "altitude" accuracy = 4 / "accuracy" altitude-accuracy = 5 / "altitude-accuracy" heading = 6 / "heading" speed = 7 / "speed" timestamp = 8 / "timestamp" age = 9 / "age" - $$claims-set-claims //= (uptime-label => uint) $$claims-set-claims //= (boot-seed-label => bytes) +$$claims-set-claims //= (odometer-label => uint) $$claims-set-claims //= ( intended-use-label => intended-use-cbor-type / intended-use-json-type ) - intended-use-cbor-type = &( generic: 1, registration: 2, provisioning: 3, csr: 4, pop: 5 ) intended-use-json-type = "generic" / @@ -2327,68 +2333,55 @@ csr: 4, pop: 5 ) intended-use-json-type = "generic" / "registration" / "provisioning" / "csr" / "pop" - $$claims-set-claims //= ( dloas-label => [ + dloa-type ] ) dloa-type = [ dloa_registrar: ~uri dloa_platform_label: text ? dloa_application_label: text ] - $$claims-set-claims //= (profile-label => ~uri / ~oid) - - oid = #6.4000(bstr) ; TODO: Replace with CDDL from OID RFC - $$claims-set-claims //= ( manifests-label => manifests-type ) manifests-type = [+ $$manifest-formats] - ; Must be a CoSWID payload type - ; TODO: signed CoSWIDs coswid-that-is-a-cbor-tag-xx = tagged-coswid - $$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx - ; TODO: make this work too - ;$$manifest-formats /= bytes .cbor SUIT_Envelope_Tagged - - $$claims-set-claims //= ( +$$manifest-formats /= bytes .cbor coswid-that-is-a-cbor-tag-xx$$claims-set-claims //= ( swevidence-label => swevidence-type ) swevidence-type = [+ $$swevidence-formats] - ; Must be a CoSWID evidence type that is a CBOR tag - ; TODO: fix the CDDL so a signed CoSWID is allowed too coswid-that-is-a-cbor-tag = tagged-coswid $$swevidence-formats /= bytes .cbor coswid-that-is-a-cbor-tag - $$claims-set-claims //= (swresults-label => [ + swresult-type ]) verification-result-cbor-type = &( verification-not-run: 1, verification-indeterminate: 2, verification-failed: 3, fully-verified: 4, partially-verified: 5, + ) verification-result-json-type = "verification-not-run" / "verification-indeterminate" / "verification-failed" / "fully-verified" / "partially-verified" verification-objective-cbor-type = &( @@ -2409,227 +2402,142 @@ "partial" swresult-type = [ verification-system: tstr, objective: verification-objective-cbor-type / verification-objective-json-type, result: verification-result-cbor-type / verification-result-json-type, ? objective-name: tstr ] - ; This is the part of a token that contains all the submodules. It - ; is a peer with the claims in the token, but not a claim, only a - ; map/object to hold all the submodules. - $$claims-set-claims //= (submods-label => { + text => Submodule }) - ; A submodule can be: - ; - A simple Claims-Set (encoded in the same format as the token) - ; - A digest of a detached Claims-Set (encoded in the same format as - ; the token) - ; - A nested token which may be either CBOR or JSON format. Further, - ; the mechanism for identifying and containing the nested token - ; depends on the format of the surrounding token, particularly - ; because JSON doesn't have any equivalent of a CBOR tag so a - ; JSON-specific mechanism is invented. Also, there is the issue - ; that binary data must be B64 encoded when carried in - ; JSON. Nested-Token is defined in the format specific CDDL, not - ; here. - - ; Note that at nested token can either be a signed token like a CWT - ; or JWT, an unsigned token like a UCCS or UJCS, or a DEB (detached - ; EAT bundle). The specific encoding of these is format-specific - ; so it doesn't appear here. - Submodule = Claims-Set / Nested-Token / Detached-Submodule-Digest - ; This is for both JSON and CBOR. JSON uses text label for - ; algorithm from JOSE registry. CBOR uses integer label for - ; algorithm from COSE registry. In JSON the digest is base64 - ; encoded. - Detached-Submodule-Digest = [ algorithm : int / text, digest : bstr ] - ; Top-level definition of a DEB for CBOR and JSON - Detached-EAT-Bundle = [ main-token : Nested-Token, detached-claims-sets: { + tstr => cbor-wrapped-claims-set / json-wrapped-claims-set + } ] - ; text content is a base64url encoded JSON-format Claims-Set - json-wrapped-claims-set = tstr .regexp "[A-Za-z0-9_=-]+" cbor-wrapped-claims-set = bstr .cbor Claims-Set 8.5. Collected CDDL for CBOR -; The top-level definition of a CBOR-encoded token. - CBOR-Token = Tagged-CBOR-Token / Untagged-CBOR-Token -; All forms of a CBOR-encoded token that are a CBOR tag. - Tagged-CBOR-Token = CWT-Tagged-Message Tagged-CBOR-Token /= UCCS-Tagged-Message Tagged-CBOR-Token /= DEB-Tagged-Message -; All forms of a CBOR-encoded token that are not a CBOR tag. - Untagged-CBOR-Token = CWT-Untagged-Message Untagged-CBOR-Token /= UCCS-Untagged-Message Untagged-CBOR-Token /= DEB-Untagged-Message -; The payload of the COSE message is always a Claims-Set - CWT-Tagged-Message = COSE_Tagged_Message CWT-Untagged-Message = COSE_Untagged_Message UCCS-Message = UCCS-Tagged-Message / UCCS-Untagged-Message + UCCS-Tagged-Message = #6.601(UCCS-Untagged-Message) UCCS-Untagged-Message = Claims-Set DEB-Tagged-Message = #6.602(DEB-Untagged-Message) DEB-Untagged-Message = Detached-EAT-Bundle -; This specifies how one fully-formed token is nested inside a -; CBOR-format token. The fully-formed nested token is any valid -; token, CBOR or JSON (JWT, CWT, UCCS, DEB...) The mechanism for -; identifying the type of the nested token is specific to the format -; of the surrounding token, CBOR in this case. -; -; A primary reason this is encoding-specific is that JSON does not -; have an equivalent to CBOR tags. -; -; If the data type here is text, then the nested token is JSON -; format, one of a JWT, UJCS or JSON-encoded DEB. The means for -; distinguishing which is in the definition of JSON-encoded -; Nested-Token. If the data type is bstr, then the nested token -; is CBOR format. It is byte-string wrapped and identified by a -;CBOR tag. - Nested-Token = tstr / ; A JSON-encoded Nested-Token (see json-nested-token.cddl) bstr .cbor Tagged-CBOR-Token -; This is the CDDL definition of the labels for a CBOR format web -; token, a CWT. The CDDL for the claims is in web-token-claims.cddl - iss-label = 1 sub-label = 2 aud-label = 3 exp-label = 4 nbf-label = 5 iat-label = 6 -cti-label = 7; The following Claim Keys (labels) are pre-assigned by IANA. -; They are for CBOR-based tokens (CWT and UCCS). -; They are not expected to change in the final publication as an RFC. - -nonce-label = 10 -ueid-label = 11 -oemid-label = 13 -security-level-label = 14 -secure-boot-label = 15 -debug-status-label = 16 -location-label = 17 -profile-label = 18 -submods-label = 20 - -; These are not yet assigned in any way and may change. -; These are intentionally above 24 so as to not use up -; single-byte labels. - -sueids-label = -chip-version-label = -board-version-label = -device-version-label = -sw-name-label = -sw-version-label = -uptime-label = -boot-seed-label = -intended-use-label = -dloas-label = -manifests-label = -swevidence-label = -swresults-label = + cti-label = 7nonce-label = 10 + ueid-label = 256 + sueids-label = 257 + oemid-label = 258 + hardware-model-label = 259 + hardware-version-label = 260 + secure-boot-label = 262 + debug-status-label = 263 + location-label = 264 + profile-label = 265 + submods-label = 266 + security-level-label = + uptime-label = + boot-seed-label = + odometer-label = + intended-use-label = + dloas-label = + sw-name-label = + sw-version-label = + manifests-label = + swevidence-label = + swresults-label = 8.6. Collected CDDL for JSON -; A JWT message is either a JWS or JWE in compact serialization form -; with the payload a Claims-Set. Compact serialization is the -; protected headers, payload and signature, each b64url encoded and -; separated by a ".". This CDDL simply matches top-level syntax of of -; a JWS or JWE since it is not possible to do more in CDDL. - JWT-Message = text .regexp [A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+ -; This defines the JSON equivalent of a UCCS message, a token with -; no integrity or authenticity protection. - UJCS-Message = Claims-Set -; This describes a nested token that occurs inside a JSON-encoded -; token. It uses an array that is made up of a type indicator and the -; actual token. This is a substitute for the CBOR tag mechanism that -; JSON does not have. - Nested-Token = [ type : "JWT" / "CBOR" / "UJCS" / "DEB", nested-token : JWT-Message / B64URL-Tagged-CBOR-Token / DEB-JSON-Message / UJCS-Message ] -; This text is a Tagged-CBOR-Token (see cbor-token.cddl) that is -; base64url encoded. For example, it is a CWT that is a COSE_Sign1 -; that is a CBOR tag that has been base64url encoded. - B64URL-Tagged-CBOR-Token = tstr .regexp "[A-Za-z0-9_=-]+" -; This is the CDDL definition of the labels for a JSON format web -; token, a JWT. The CDDL for the claims is in web-token-claims.cddl - iss-label = "iss" sub-label = "sub" aud-label = "aud" exp-label = "exp" nbf-label = "nbf" iat-label = "iat" -cti-label = "cti"; The following are claim names for JSON encoded tokens. +cti-label = "cti"nonce-label /= "nonce" ueid-label /= "ueid" sueids-label /= "sueids" -nonce-label /= "nonce" oemid-label /= "oemid" +hardware-model-label /= "hwmodel" +hardware-version-label /= "hwversion" security-level-label /= "seclevel" secure-boot-label /= "secboot" debug-status-label /= "dbgstat" location-label /= "location" -uptime-label /= "uptime" profile-label /= "eat-profile" -intended-use-label /= "intuse" +uptime-label /= "uptime" boot-seed-label /= "bootseed" -submods-label /= "submods" -timestamp /= "timestamp" -manifests-label /= "manifests" -swevidence-label /= "swevidence" +odometer-label /= "odometer" +intended-use-label /= "intuse" dloas-label /= "dloas" -swresults-label /= "swresults" sw-name-label /= "swname" sw-version-label /= "swversion" +manifests-label /= "manifests" +swevidence-label /= "swevidence" +swresults-label /= "swresults" +submods-label /= "submods" latitude /= "lat" longitude /= "long" altitude /= "alt" accuracy /= "accry" altitude-accuracy /= "alt-accry" heading /= "heading" speed /= "speed" 9. IANA Considerations @@ -2753,148 +2661,323 @@ distinguish claims with early assignment. Also, the following paragraph should be removed. The claims in this section have been (requested for / given) early assignment according to [RFC7120]. They have been assigned values and registered before final publication of this document. While their semantics is not expected to change in final publication, it is possible that they will. The JWT Claim Names and CWT Claim Keys are not expected to change. + In draft -06 an early allocation was described. The processing of + that early allocation was never correctly completed. This early + allocation assigns different numbers for the CBOR claim labels. This + early allocation will presumably complete correctly + o Claim Name: Nonce o Claim Description: Nonce o JWT Claim Name: "nonce" (already registered for JWT) - o Claim Key: 10 + o Claim Key: TBD (requested value 10) o Claim Value Type(s): byte string o Change Controller: IESG + o Specification Document(s): [OpenIDConnectCore], *this document* o Claim Name: UEID o Claim Description: The Universal Entity ID o JWT Claim Name: "ueid" - - o CWT Claim Key: 11 + o CWT Claim Key: TBD (requested value 256) o Claim Value Type(s): byte string o Change Controller: IESG o Specification Document(s): *this document* - o Claim Name: OEMID + o Claim Name: SUEIDs - o Claim Description: IEEE-based OEM ID + o Claim Description: Semi-permanent UEIDs + + o JWT Claim Name: "sueids" + + o CWT Claim Key: TBD (requested value 257) + + o Claim Value Type(s): map + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: Hardware OEMID + + o Claim Description: Hardware OEM ID o JWT Claim Name: "oemid" - o Claim Key: 13 + o Claim Key: TBD (requested value 258) - o Claim Value Type(s): byte string + o Claim Value Type(s): byte string or integer o Change Controller: IESG o Specification Document(s): *this document* - o Claim Name: Security Level + o Claim Name: Hardware Model - o Claim Description: Characterization of the security of an Attester - or submodule + o Claim Description: Model identifier for hardware - o JWT Claim Name: "seclevel" + o JWT Claim Name: "hwmodel" - o Claim Key: 14 + o Claim Key: TBD (requested value 259) - o Claim Value Type(s): integer + o Claim Value Type(s): byte string + + o Change Controller: IESG + o Specification Document(s): *this document* + + o Claim Name: Hardware Version + + o Claim Description: Hardware Version Identifier + + o JWT Claim Name: "hwversion" + + o Claim Key: TBD (requested value 260) + + o Claim Value Type(s): array o Change Controller: IESG o Specification Document(s): *this document* o Claim Name: Secure Boot o Claim Description: Indicate whether the boot was secure + o JWT Claim Name: "secboot" - o Claim Key: 15 + o Claim Key: TBD (requested value 262) o Claim Value Type(s): Boolean o Change Controller: IESG o Specification Document(s): *this document* o Claim Name: Debug Status o Claim Description: Indicate status of debug facilities o JWT Claim Name: "dbgstat" - o Claim Key: 16 + o Claim Key: TBD (requested value 263) - o Claim Value Type(s): integer + o Claim Value Type(s): integer or string o Change Controller: IESG o Specification Document(s): *this document* o Claim Name: Location o Claim Description: The geographic location - o JWT Claim Name: "location" - o Claim Key: 17 + o Claim Key: TBD (requested value 264) o Claim Value Type(s): map o Change Controller: IESG o Specification Document(s): *this document* o Claim Name: Profile o Claim Description: Indicates the EAT profile followed o JWT Claim Name: "eat_profile" - o Claim Key: 18 + o Claim Key: TBD (requested value 265) + + o Claim Value Type(s): URI or OID - o Claim Value Type(s): map o Change Controller: IESG o Specification Document(s): *this document* o Claim Name: Submodules Section - o Claim Description: The section containing submodules (not actually - a claim) + o Claim Description: The section containing submodules o JWT Claim Name: "submods" - o Claim Key: 20 + o Claim Key: TBD (requested value 266) o Claim Value Type(s): map o Change Controller: IESG o Specification Document(s): *this document* 9.3.2. To be Assigned Claims - TODO: add the rest of the claims in here + (Early assignment is NOT requested for these claims. Implementers + should be aware they may change) + + o Claim Name: Security Level + + o Claim Description: Characterization of the security of an Attester + or submodule + + o JWT Claim Name: "seclevel" + + o Claim Key: TBD + + o Claim Value Type(s): integer or string + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: Uptime + + o Claim Description: Uptime + + o JWT Claim Name: "uptime" + + o Claim Key: TBD + + o Claim Value Type(s): unsigned integer + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: Boot Seed + + o Claim Description: Identifies a boot cycle + + o JWT Claim Name: "bootseed" + + o Claim Key: TBD + + o Claim Value Type(s): bytes + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: Intended Use + + o Claim Description: Indicates intended use of the EAT + + o JWT Claim Name: "intuse" + + o Claim Key: TBD + + o Claim Value Type(s): integer or string + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: DLOAs + + o Claim Description: Certifications received as Digital Letters of + Approval + + o JWT Claim Name: "dloas" + + o Claim Key: TBD + + o Claim Value Type(s): array + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: SW Name + + o Claim Description: The name of the SW running in the entity + + o JWT Claim Name: "swname" + + o Claim Key: TBD + + o Claim Value Type(s): map + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: SW Version + + o Claim Description: The version of SW running in the entity + + o JWT Claim Name: "swversion" + + o Claim Key: TBD + + o Claim Value Type(s): map + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: SW Manifests + o Claim Description: Manifests describing the SW installed on the + entity + + o JWT Claim Name: "manifests" + + o Claim Key: TBD + + o Claim Value Type(s): array + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: SW Evidence + + o Claim Description: Measurements of the SW, memory configuration + and such on the entity + + o JWT Claim Name: "swevidence" + + o Claim Key: TBD + + o Claim Value Type(s): array + + o Change Controller: IESG + + o Specification Document(s): *this document* + + o Claim Name: SW Measurment Results + + o Claim Description: The results of comparing SW measurements to + reference values + + o JWT Claim Name: "swresults" + + o Claim Key: TBD + + o Claim Value Type(s): array + + o Change Controller: IESG + + o Specification Document(s): *this document* 9.3.3. Version Schemes Registered by this Document IANA is requested to register a new value in the "Software Tag Version Scheme Values" established by [CoSWID]. The new value is a version scheme a 13-digit European Article Number [EAN-13]. An EAN-13 is also known as an International Article Number or most commonly as a bar code. This version scheme is the ASCII text representation of EAN-13 digits, the same ones often printed @@ -2937,67 +3020,90 @@ Certain EAT claims can be used to track the owner of an entity and therefore, implementations should consider providing privacy- preserving options dependent on the intended usage of the EAT. Examples would include suppression of location claims for EAT's provided to unauthenticated consumers. 10.1. UEID and SUEID Privacy Considerations A UEID is usually not privacy-preserving. Any set of Relying Parties - that receives tokens that happen to be from a single device will be - able to know the tokens are all from the same device and be able to - track the device. Thus, in many usage situations UEID violates - governmental privacy regulation. In other usage situations a UEID - will not be allowed for certain products like browsers that give - privacy for the end user. It will often be the case that tokens will - not have a UEID for these reasons. + that receives tokens that happen to be from a particular entity will + be able to know the tokens are all from the same entity and be able + to track it. + + Thus, in many usage situations UEID violates governmental privacy + regulation. In other usage situations a UEID will not be allowed for + certain products like browsers that give privacy for the end user. + It will often be the case that tokens will not have a UEID for these + reasons. An SUEID is also usually not privacy-preserving. In some cases it may have fewer privacy issues than a UEID depending on when and how and when it is generated. There are several strategies that can be used to still be able to put UEIDs and SUEIDs in tokens: - o The device obtains explicit permission from the user of the device + o The entity obtains explicit permission from the user of the entity to use the UEID/SUEID. This may be through a prompt. It may also be through a license agreement. For example, agreements for some online banking and brokerage services might already cover use of a UEID/SUEID. o The UEID/SUEID is used only in a particular context or particular use case. It is used only by one Relying Party. - o The device authenticates the Relying Party and generates a derived + o The entity authenticates the Relying Party and generates a derived UEID/SUEID just for that particular Relying Party. For example, the Relying Party could prove their identity cryptographically to - the device, then the device generates a UEID just for that Relying - Party by hashing a proofed Relying Party ID with the main device + the entity, then the entity generates a UEID just for that Relying + Party by hashing a proofed Relying Party ID with the main entity UEID/SUEID. Note that some of these privacy preservation strategies result in - multiple UEIDs and SUEIDs per device. Each UEID/SUEID is used in a - different context, use case or system on the device. However, from + multiple UEIDs and SUEIDs per entity. Each UEID/SUEID is used in a + different context, use case or system on the entity. However, from the view of the Relying Party, there is just one UEID and it is still globally universal across manufacturers. 10.2. Location Privacy Considerations Geographic location is most always considered personally identifiable information. Implementers should consider laws and regulations governing the transmission of location data from end user devices to servers and services. Implementers should consider using location - management facilities offered by the operating system on the device + management facilities offered by the operating system on the entity generating the attestation. For example, many mobile phones prompt the user for permission when before sending location data. +10.3. Replay Protection and Privacy + + EAT offers 2 primary mechanisms for token replay protection (also + sometimes known as token "freshness"): the cti/jti claim and the + nonce claim. The cti/jti claim in a CWT/JWT is a field that may be + optionally included in the EAT and is in general derived on the same + device in which the entity is instantiated. The nonce claim is based + on a value that is usually derived remotely (outside of the entity). + These claims can be used to extract and convey personally-identifying + information either inadvertently or by intention. For instance, an + implementor may choose a cti that is equivalent to a username + associated with the device (e.g., account login). If the token is + inspected by a 3rd-party then this information could be used to + identify the source of the token or an account associated with the + token (e.g., if the account name is used to derive the nonce). In + order to avoid the conveyance of privacy-related information in + either the cti/jti or nonce claims, these fields should be derived + using a salt that originates from a true and reliable random number + generator or any other source of randomness that would still meet the + target system requirements for replay protection. + 11. Security Considerations The security considerations provided in Section 8 of [RFC8392] and Section 11 of [RFC7519] apply to EAT in its CWT and JWT form, respectively. In addition, implementors should consider the following. 11.1. Key Provisioning Private key material can be used to sign and/or encrypt the EAT, or @@ -3067,28 +3172,23 @@ each claim subset for a downstream consumer is created in the form of a nested EAT. Then transport security between the receiving and downstream consumers is not strictly required. Nevertheless, downstream consumers of a nested EAT should provide a nonce unique to the EAT they are consuming. 12. References 12.1. Normative References - [CBOR.OID] - Bormann, C., "Concise Binary Object Representation (CBOR) - Tags for Object Identifiers", draft-ietf-cbor-tags-oid-08 - (work in progress), May 2021. - [CoSWID] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. Waltermire, "Concise Software Identification Tags", draft- - ietf-sacm-coswid-19 (work in progress), October 2021. + ietf-sacm-coswid-20 (work in progress), January 2022. [DLOA] "Digital Letter of Approval", November 2015, . [EAN-13] GS1, "International Article Number - EAN/UPC barcodes", 2019, . [FIDO.AROE] The FIDO Alliance, "FIDO Authenticator Allowed Restricted @@ -3122,24 +3222,32 @@ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . + [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data + Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March + 2014, . + [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, . + [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", + RFC 7516, DOI 10.17487/RFC7516, May 2015, + . + [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, . [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- Possession Key Semantics for JSON Web Tokens (JWTs)", @@ -3172,66 +3280,65 @@ [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. Tschofenig, "Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March 2020, . [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, . + [RFC9090] Bormann, C., "Concise Binary Object Representation (CBOR) + Tags for Object Identifiers", RFC 9090, + DOI 10.17487/RFC9090, July 2021, + . + [ThreeGPP.IMEI] 3GPP, "3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Numbering, addressing and identification", 2019, . [UCCS.Draft] Birkholz, H., O'Donoghue, J., Cam-Winget, N., and C. Bormann, "A CBOR Tag for Unprotected CWT Claims Sets", - draft-ietf-rats-uccs-01 (work in progress), July 2021. + draft-ietf-rats-uccs-02 (work in progress), January 2022. [WGS84] National Geospatial-Intelligence Agency (NGA), "WORLD GEODETIC SYSTEM 1984, NGA.STND.0036_1.0.0_WGS84", July 2014, . 12.2. Informative References [BirthdayAttack] "Birthday attack", . [CBOR.Cert.Draft] Mattsson, J. P., Selander, G., Raza, S., Hoeglund, J., and M. Furuhed, "CBOR Encoded X.509 Certificates (C509 - Certificates)", draft-ietf-cose-cbor-encoded-cert-02 (work - in progress), July 2021. + Certificates)", draft-ietf-cose-cbor-encoded-cert-03 (work + in progress), January 2022. [Common.Criteria] "Common Criteria for Information Technology Security Evaluation", April 2017, . [COSE.X509.Draft] Schaad, J., "CBOR Object Signing and Encryption (COSE): Header parameters for carrying and referencing X.509 certificates", draft-ietf-cose-x509-08 (work in progress), December 2020. - [ECMAScript] - "Ecma International, "ECMAScript Language Specification, - 5.1 Edition", ECMA Standard 262", June 2011, - . - [FIPS-140] National Institue of Standards, "Security Requirements for Cryptographic Modules", May 2001, . [IEEE.802-2001] "IEEE Standard For Local And Metropolitan Area Networks Overview And Architecture", 2007, . [OUI.Lookup] "IEEE Registration Authority Assignments", . [RATS.Architecture] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote Attestation Procedures Architecture", - draft-ietf-rats-architecture-12 (work in progress), April - 2021. + draft-ietf-rats-architecture-15 (work in progress), + February 2022. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . + [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple + Authentication and Security Layer (SASL)", RFC 4422, + DOI 10.17487/RFC4422, June 2006, + . + [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120, January 2014, . + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + . + [RFC9039] Arkko, J., Jennings, C., and Z. Shelby, "Uniform Resource Names for Device Identifiers", RFC 9039, DOI 10.17487/RFC9039, June 2021, . [W3C.GeoLoc] Worldwide Web Consortium, "Geolocation API Specification 2nd Edition", January 2018, . @@ -3304,24 +3420,24 @@ A.1. Simple TEE Attestation This is a simple attestation of a TEE that includes a manifest that is a payload CoSWID to describe the TEE's software. / This is a UCCS EAT that describes a simple TEE. / 601({ / nonce / 10: h'948f8860d13a463e', - / security-level / 14: 3, / secure-restricted / - / secure-boot / 15: true, - / debug-status / 16: 2, / disabled-since-boot / - / manfests / 35: [ + / security-level / 261: 3, / secure-restricted / + / secure-boot / 262: true, + / debug-status / 263: 2, / disabled-since-boot / + / manfests / 273: [ / This is byte-string wrapped / / payload CoSWID. It gives the TEE / / software name, the version and / / the name of the file it is in. / h' da53574944a60064336132340c01016b 41636d6520544545204f530d65332e31 2e340282a2181f6b41636d6520544545 204f53182101a2181f6b41636d652054 4545204f5318210206a111a118186e61 636d655f7465655f332e657865' @@ -3346,40 +3462,87 @@ / role / 33: 2 / software-creator / } ], / payload / 6: { / ...file / 17: { / ...fs-name / 24: "acme_tee_3.exe" } } }) -A.2. EAT Produced by Attestation Hardware Block +A.2. Submodules for Board and Device +/ This example shows use of submodules to give information / +/ about the chip, board and overall device. / +/ / +/ The main attestation is associated with the chip with the / +/ CPU and running the main OS. It is what has the keys and / +/ produces the token. / +/ / +/ The board is made by a different vendor than the chip. / +/ Perhaps it is some generic IoT board. / +/ / +/ The device is some specific appliance that is made by a / +/ different vendor than either the chip or the board. / +/ / +/ Here the board and device submodules aren't the typical / +/ target environments as described by the RATS architecture / +/ document, but they are a valid use of submodules. / + +{ + / nonce / 10: h'948f8860d13a463e8e', + / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea', + / HW OEM ID / 258: h'894823', / IEEE OUI format OEM ID / + / HW Model ID / 259: h'549dcecc8b987c737b44e40f7c635ce8' + / Hash of chip model name /, + / HW Version / 260: ["1.3.4", 1], / Multipartnumeric version / + / SW Name / 271: "Acme OS", + / SW Version / 272: ["3.5.5", 1], + / secure-boot / 262: true, + / debug-status / 263: 3, / permanent-disable / + / timestamp (iat) / 6: 1526542894, + / security-level / 261: 3, / secure restricted OS / + / submods / 266: { + / A submodule to hold some claims about the circuit board / + "board" : { + / HW OEM ID / 258: h'9bef8787eba13e2c8f6e7cb4b1f4619a', + / HW Model ID / 259: h'ee80f5a66c1fb9742999a8fdab930893' + / Hash of board module name /, + / HW Version / 260: ["2.0a", 2] / multipartnumeric+suffix / + }, + + / A submodule to hold claims about the overall device / + "device" : { + / HW OEM ID / 258: 61234, / PEN Format OEM ID / + / HW Version / 260: ["4012345123456", 5] / EAN-13 format (barcode) / + } + } +} +A.3. EAT Produced by Attestation Hardware Block / This is an example of a token produced by a HW block / / purpose-built for attestation. Only the nonce claim changes / / from one attestation to the next as the rest either come / / directly from the hardware or from one-time-programmable memory / / (e.g. a fuse). 47 bytes encoded in CBOR (8 byte nonce, 16 byte / / UEID). / 601({ / nonce / 10: h'948f8860d13a463e', - / UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea', - / OEMID / 13: 64242, / Private Enterprise Number / - / security-level / 14: 4, / hardware level security / - / secure-boot / 15: true, - / debug-status / 16: 3, / disabled-permanently / - / chip-version / 26: [ "3.1", 1 ] / Type is multipartnumeric / + / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea', + / OEMID / 258: 64242, / Private Enterprise Number / + / security-level / 261: 4, / hardware level security / + / secure-boot / 262: true, + / debug-status / 263: 3, / disabled-permanently / + / HW version / 260: [ "3.1", 1 ] / Type is multipartnumeric / }) -A.3. Detached EAT Bundle +A.4. Detached EAT Bundle In this DEB main token is produced by a HW attestation block. The detached Claims-Set is produced by a TEE and is largely identical to the Simple TEE examples above. The TEE digests its Claims-Set and feeds that digest to the HW block. In a better example the attestation produced by the HW block would be a CWT and thus signed and secured by the HW block. Since the signature covers the digest from the TEE that Claims-Set is also secured. @@ -3390,62 +3553,64 @@ 602([ / First part is a full EAT token with claims like nonce and / / UEID. Most importantly, it includes a submodule that is a / / detached digest which is the hash of the "TEE" claims set / / in the next section. / / / / This token here is in UCCS format (unsigned). In a more / / realistic example, it would be a signed CWT. / - h'd90259a80a48948f8860d13a463e0b500198f50a4ff6c058 - 61c8860d13a638ea0d19faf20e040ff51003181a8263332e - 310114a163544545822f5820e5cf95fd24fab71446742dd5 - 8d43dae178e55fe2b94291a9291082ffc2635a0b', - + h'd90259a80a48948f8860d13a463e190100500198 + f50a4ff6c05861c8860d13a638ea19010219faf2 + 19010504190106f5190107031901048263332e31 + 0119010aa163544545822f5820e5cf95fd24fab7 + 1446742dd58d43dae178e55fe2b94291a9291082 + ffc2635a0b', { / A CBOR-encoded byte-string wrapped EAT claims-set. It / / contains claims suitable for a TEE / - "TEE" : h'a50a48948f8860d13a463e0e030ff51002182381 - 585dda53574944a60064336132340c01016b4163 - 6d6520544545204f530d65332e312e340282a218 - 1f6b41636d6520544545204f53182101a2181f6b - 41636d6520544545204f5318210206a111a11818 - 6e61636d655f7465655f332e657865' + "TEE" : h'a50a48948f8860d13a463e19010503190106f519 + 01070219011181585dda53574944a60064336132 + 340c01016b41636d6520544545204f530d65332e + 312e340282a2181f6b41636d6520544545204f53 + 182101a2181f6b41636d6520544545204f531821 + 0206a111a118186e61636d655f7465655f332e65 + 7865' } ]) / This example contains submodule that is a detached digest, / / which is the hash of a Claims-Set convey outside this token. / / Other than that is is the other example of a token from an / / attestation HW block / 601({ / nonce / 10: h'948f8860d13a463e', - / UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea', - / OEMID / 13: 64242, / Private Enterprise Number / - / security-level / 14: 4, / hardware level security / - / secure-boot / 15: true, - / debug-status / 16: 3, / disabled-permanently / - / chip-version / 26: [ "3.1", 1 ], / multipartnumeric / - / submods/ 20: { + / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea', + / OEMID / 258: 64242, / Private Enterprise Number / + / security-level / 261: 4, / hardware level security / + / secure-boot / 262: true, + / debug-status / 263: 3, / disabled-permanently / + / hw version / 260: [ "3.1", 1 ], / multipartnumeric / + / submods/ 266: { "TEE": [ / detached digest submod / -16, / SHA-256 / h'e5cf95fd24fab7144674 2dd58d43dae178e55fe2 b94291a9291082ffc2635 a0b' ] } }) -A.4. Key / Key Store Attestation +A.5. Key / Key Store Attestation / This is an attestation of a public key and the key store / / implementation that protects and manages it. The key store / / implementation is in a security-oriented execution / / environment separate from the high-level OS, for example a / / TEE. The key store is the Attester. / / / / There is some attestation of the high-level OS, just version / / and boot & debug status. It is a Claims-Set submodule because/ / it has lower security level than the key store. The key / @@ -3454,24 +3619,24 @@ / / / A key and an indication of the user authentication given to / / allow access to the key is given. The labels for these are / / in the private space since this is just a hypothetical / / example, not part of a standard protocol. / / / / This is similar to Android Key Attestation. / 601({ / nonce / 10: h'948f8860d13a463e', - / security-level / 14: 3, / secure-restricted / - / debug-status / 16: 2, / disabled-since-boot / - / secure-boot / 15: true, - / manifests / 35: [ + / security-level / 261: 3, / secure-restricted / + / secure-boot / 262: true, + / debug-status / 263: 2, / disabled-since-boot / + / manifests / 273: [ h'da53574944a600683762623334383766 0c000169436172626f6e6974650d6331 2e320e0102a2181f75496e6475737472 69616c204175746f6d6174696f6e1821 02' / Above is an encoded CoSWID / / with the following data / / SW Name: "Carbonite" / / SW Vers: "1.2" / / SW Creator: / @@ -3483,69 +3648,69 @@ -80001 : { / The key -- A COSE_Key / / kty / 1: 2, / EC2, eliptic curve with x & y / / kid / 2: h'36675c206f96236c3f51f54637b94ced', / curve / -1: 2, / curve is P-256 / / x-coord / -2: h'65eda5a12577c2bae829437fe338701a 10aaa375e1bb5b5de108de439c08551d', / y-coord / -3: h'1e52ed75701163f7f9e40ddf9f341b3d c9ba860af7e0ca7ca7e9eecd0084d19c' }, - / submods / 20 : { + / submods / 266 : { "HLOS" : { / submod for high-level OS / / nonce / 10: h'948f8860d13a463e', - / security-level / 14: 1, / unrestricted / - / secure-boot / 15: true, - / manifests / 35: [ + / security-level / 261: 1, / unrestricted / + / secure-boot / 262: true, + / manifests / 273: [ h'da53574944a600687337 6537346b78380c000168 44726f6964204f530d65 52322e44320e0302a218 1F75496E647573747269 616c204175746f6d6174 696f6e182102' / Above is an encoded CoSWID / / with the following data: / / SW Name: "Droid OS" / / SW Vers: "R2.D2" / / SW Creator: / / "Industrial Automation"/ ] } } }) -A.5. SW Measurements of an IoT Device +A.6. SW Measurements of an IoT Device This is a simple token that might be for and IoT device. It includes CoSWID format measurments of the SW. The CoSWID is in byte-string wrapped in the token and also shown in diagnostic form. / This EAT UCCS is for an IoT device with a TEE. The attestation / / is produced by the TEE. There is a submodule for the IoT OS (the / / main OS of the IoT device that is not as secure as the TEE). The / / submodule contains claims for the IoT OS. The TEE also measures / / the IoT OS and puts the measurements in the submodule. / 601({ / nonce / 10: h'948f8860d13a463e', - / security-level / 14: 3, / secure-restricted / - / secure-boot / 15: true, - / debug-status / 16: 2, / disabled-since-boot / - / OEMID / 13: h'8945ad', / IEEE CID based / - / UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea', - / sumods / 20: { + / security-level / 261: 3, / secure-restricted / + / secure-boot / 262: true, + / debug-status / 263: 2, / disabled-since-boot / + / OEMID / 258: h'8945ad', / IEEE CID based / + / UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea', + / sumods / 266: { "OS" : { - / security-level / 14: 2, / restricted / - / secure-boot / 15: true, - / debug-status / 16: 2, / disabled-since-boot / - / swevidence / 36: [ + / security-level / 261: 2, / restricted / + / secure-boot / 262: true, + / debug-status / 263: 2, / disabled-since-boot / + / swevidence / 274: [ / This is a byte-string wrapped / / evidence CoSWID. It has / / hashes of the main files of / / the IoT OS. / h'da53574944a600663463613234350c 17016d41636d6520522d496f542d4f 530d65332e312e3402a2181f724163 6d6520426173652041747465737465 7218210103a11183a318187161636d 655f725f696f745f6f732e65786514 @@ -3612,21 +3777,21 @@ f884e4e1e8e86299 58c2dbc702741443 a913e34de9333be6' ] } ] } }) -A.6. Attestation Results in JSON format +A.7. Attestation Results in JSON format This is a UJCS format token that might be the output of a Verifier that evaluated the IoT Attestation example immediately above. This particular Verifier knows enough about the TEE Attester to be able to pass claims like security level directly through to the Relying Party. The Verifier also knows the Reference Values for the measured SW components and is able to check them. It informs the Relying Party that they were correct in the swresults claim. "Trustus Verifications" is the name of the services that verifies the @@ -4086,27 +4251,59 @@ o OEM ID is specifically for HW, not for SW o HW OEM ID can now be a PEN o HW OEM ID can now be a 128-bit random number o Expand the examples section o Add software and version claims as easy / JSON alternative to CoSWID +D.13. From draft-ietf-rats-eat-11 + + o Add HW model claim + + o Change reference for CBOR OID draft to RFC 9090 + + o Correct the iat claim in some examples + + o Make HW Version just one claim rather than 3 (device, board and + chip) + + o Remove CDDL comments from CDDL blocks + + o More clearly define "entity" and use it more broadly, particularly + instead of "device" + + o Re do early allocation of CBOR labels since last one didn't + complete correctly + + o Lots of rewording and tightening up of section 1 + + o Lots of wording improvements in section 3, particularly better use + of normative language + + o Improve wording in submodules section, particularly how to + distinguish types when decoding + + o Remove security-level from early allocation + + o Add boot odometer claim + + o Add privacy considerations for replay protection + Authors' Addresses Laurence Lundblade Security Theory LLC EMail: lgl@securitytheory.com - Giridhar Mandyam Qualcomm Technologies Inc. 5775 Morehouse Drive San Diego, California USA Phone: +1 858 651 7200 EMail: mandyam@qti.qualcomm.com Jeremy O'Donoghue