Laurence Lundblade <[email protected]> wrote:
    > Not sure what precisely is meant by posture assessment, but I
    > don’t think attestation/RATS requires measurements at all. A
    > single evidence message that just identifies the device as made
    > and secured by some OEM is enough.

Yes.  We have a single authentication flow that asserts the device serial
number.   But, as every authentication flow is a potential remote attestation
flow, I guess, every remote attestation flow can be degenerated to doing just
authentication :-)

My only problem with the nomenclature for acme-device-attest is that it will
attract people looking for remote attestation, and fail to attract people who
want device authentication.

Abstract says:
  } This document specifies new identifiers and a challenge for the
  } Automated Certificate Management Environment (ACME) protocol which
  } allows validating the identity of a device using attestation.

and a clue should be the lack of the word **remote** before attestation.
It's authentication, or even authorization, but not attestation.

    > (FIDO needs device attestation because the user is no longer
    > presenting their authentication credential to the server. Instead
    > the user presents their credential (e.g. fingerprint) to the
    > device and the device authenticates to the server. The server
    > wants to know the device is a trusted intermediary. There’s no
    > measurement of the device in FIDO attestation).

Yes, there is no measurement of the state of the smartphone REE.
There is an endorsement of the fingerprint scanning hardware as a trusted 
intermediary.
My understanding is that hardware, and the firmware that processes the
fingerprint is part of some securely booted trusted execution environment.
That this endorsement is often a "group" key as well to preserve PII.

device-attest does not preserve PII, in fact, exactly the opposite.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
