TLS Exported Attestation (expat)
bofreq-fossati-tls-exported-attestation-expat-02
| Document type | Approved BOF request |
|---|---|
| Title | TLS Exported Attestation (expat) |
| Last updated | 2025-06-26 |
| State | Approved |
| Editor | Thomas Fossati |
| Responsible leadership | Paul Wouters |
| Additional resources | draft charter |
| Send notices to | (None) |
Name: TLS Exported Attestation (expat)
Description
Traditional TLS handshakes authenticate peers primarily based on static, long-term credentials like X.509 certificates.
However, in many scenarios, particularly with the rise of Trusted Execution Environments (TEEs) and the increasing security demands of IoT devices and confidential workloads, it is also crucial to ensure the runtime integrity of the peer.
Remote attestation addresses this by allowing an entity to produce verifiable Evidence about its current state—such as proving that its software and firmware haven't been tampered with, that secure boot is enabled, or that cryptographic keys are securely stored within a hardware-protected environment.
This provides a much stronger assurance of trustworthiness, helping to prevent attacks that might compromise a system even if its traditional credentials remain valid, and enables authorization policies based on richer security signals.
To address this need for enhanced, verifiable trustworthiness, this BOF proposes to standardize a post-handshake exchange for TLS that enables the attestation of one or both TLS endpoints.
Such a mechanism would allow an entity to produce Evidence about itself for another party to evaluate. A standard method for secure communication incorporating attestation into and from these environments using TLS would foster the growth of the application ecosystem, independent of the specific remote attestation technology.
This effort will focus on leveraging TLS 1.3 as-is and will not extend the TLS protocol itself or create new remote attestation technologies.
The scope of this effort is IoT devices, confidential computing workloads and similar closed environments; attestation of workloads on the open Internet is not in scope, and the proponents acknowledge the privacy concerns that would be associated with attestation on the Internet.
The goal is to produce a single specification for this post-handshake attestation exchange.
The Internet-Draft "Remote Attestation with Exported Authenticators" will serve as the starting point for this work.
Required Details
- Status: WG Forming
- Responsible AD: Paul Wouters
- BoF Chairs: Nancy Cam-Winget, Wes Hardaker
- BOF proponents: Thomas Fossati <thomas.fossati@linaro.org>, Ionuț Mihalcea <ionut.mihalcea@arm.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, Hannes Tschofenig <hannes.tschofenig@h-brs.de>, Tirumaleswar Reddy <k.tirumaleswar_reddy@nokia.com>, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
- Number of people expected to attend: TBD
- Length of session (1 or 2 hours): 2 hours
- Conflicts (whole Areas and/or WGs)
- Chair Conflicts: TBD
- Technology Overlap: TLS, RATS
- Key Participant Conflict: TBD
Information for IAB/IESG
To allow evaluation of your proposal, please include the following items:
- Any protocols or practices that already exist in this space: RFC 9334 (Remote Attestation Architecture), various remote attestation technologies (TPM 1.2, TPM 2.0, cloud provider TEEs). The Internet-Draft "Remote Attestation with Exported Authenticators" provides a starting point.
- Which (if any) modifications to existing protocols or practices are required: A new post-handshake TLS message exchange will be specified. Existing TLS 1.3 will be used as-is for the handshake and secure transport.
- Which (if any) entirely new protocols or practices are required: Specification of the post-handshake TLS attestation exchange. Guidance on Evidence freshness and state management at the TLS and/or application level.
- Open source projects (if any) implementing this work: TBD
Agenda
- Introduction and Goals (based on the charter)
- Use cases
- Discussion of draft-fossati-tls-exported-attestation
- Charter discussion, open issues and next steps
Speakers and timing TBD.
Links to the mailing list, draft charter, if any, relevant Internet-Drafts, etc.
- Mailing List: attested-tls@ietf.org
- Draft charter: https://github.com/tls-attestation/exported-attestation/wiki/BoF-Charter
- Relevant Internet-Drafts:
  - https://datatracker.ietf.org/doc/draft-fossati-tls-exported-attestation/