Laurence Lundblade <[email protected]> wrote:
> Not sure what precisely is meant by posture assessment, but I
> don't think attestation/RATS requires measurements at all. A
> single evidence message that just identifies the device as made
> and secured by some OEM is enough.
Yes. We have a single authentication flow that asserts the device serial
number. But, as every authentication flow is a potential remote attestation
flow, I guess every remote attestation flow can degenerate to doing just
authentication :-)
My only problem with the nomenclature for acme-device-attest is that it will
attract people looking for remote attestation, and fail to attract people who
want device authentication.
Abstract says:
} This document specifies new identifiers and a challenge for the
} Automated Certificate Management Environment (ACME) protocol which
} allows validating the identity of a device using attestation.
and a clue should be the lack of the word **remote** before attestation.
It's authentication, or even authorization, but not attestation.
> (FIDO needs device attestation because the user is no longer
> presenting their authentication credential to the server. Instead
> the user presents their credential (e.g. fingerprint) to the
> device and the device authenticates to the server. The server
> wants to know the device is a trusted intermediary. There’s no
> measurement of the device in FIDO attestation).
Yes, there is no measurement of the state of the smartphone REE.
There is an endorsement of the fingerprint scanning hardware as a trusted
intermediary.
My understanding is that hardware, and the firmware that processes the
fingerprint is part of some securely booted trusted execution environment.
That this endorsement is often a "group" key as well to preserve PII.
device-attest does not preserve PII; in fact, exactly the opposite.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Acme mailing list -- [email protected] To unsubscribe send an email to [email protected]
