]> Cryptic Forest Software

Sioux Lookout Canada mike@ounsworth.ca

Crypto4A Inc.

1550A Laperriere Ave Ottawa, Ontario K1Z 7T2 Canada jp@crypto4a.com

University of the Bundeswehr Munich

Neubiberg Bavaria 85579 Germany hannes.tschofenig@gmx.net

Fraunhofer SIT

henk.birkholz@ietf.contact

United States of America monty.wiseman@oracle.com

United States ned.smith.ietf@gmail.com

Security RATS Internet-Draft RATS PKIX HSM This document specifies a vendor-agnostic format for Evidence produced and verified within a PKIX context. The Evidence produced this way includes claims collected about a cryptographic module, such as a Hardware Security Module (HSM), and elements found within it such as cryptographic keys. One scenario envisaged is that the state information about the cryptographic module can be securely presented to a remote operator or auditor in a vendor-agnostic verifiable format. A more complex scenario would be to submit this Evidence to a Certification Authority to aid in determining whether the storage properties of this key meet the requirements of a given certificate profile. This specification also offers a format for requesting a cryptographic module to produce Evidence tailored for expected use. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the RATS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction This document specifies a vendor-neutral Evidence format for remote attestation in PKIX-based environments, with a focus on hardware security modules (HSMs) and cryptographic keys managed by such devices. The format enables an Attester to convey measured platform and key properties to a Verifier and, ultimately, to a Relying Party in a form that integrates with existing X.509-based trust infrastructures. Concretely, this specification defines: * an ASN.1/DER Evidence envelope containing a to-be-signed section, one or more signature blocks, and optional intermediate certificates; * an entity-and-claim data model organized around transaction, platform, and key entities, identified by OIDs; * encoding and signature-verification processing rules for PKIX Evidence; * an attestation request structure that allows a Presenter to request a scoped subset of entities and claims. The design is intentionally PKIX-native. ASN.1 and DER are used to align with existing certificate tooling, certification authority workflows, and HSM implementations where non-ASN.1 formats are less common. This document does not define a transport protocol for carrying Evidence, does not define Verifier appraisal policy, and does not standardize device-internal authentication/authorization mechanisms. It defines the data model and cryptographic container so that such mechanisms can be applied consistently across deployments.

Use Cases This section covers use cases that motivated the development of this specification.

Remote audit of a Hardware Security Module (HSM) There are situations where it is necessary to verify the current running state of an HSM as part of operational or auditing procedures. For example, there are devices that are certified to work in an environment only if certain versions of the firmware are loaded or only if user keys are protected with specific policies. The Evidence format offered by this specification allows a platform to report its firmware level along with other collected claims necessary in critical deployments.

Key import and HSM clustering Consider that an HSM is being added to a logical HSM cluster. Part of the onboarding process could involve the newly-added HSM providing Evidence of its running state, for example that it is a genuine device from the same manufacturer as the existing clustered HSMs, firmware patch level, FIPS mode, etc. It could also be required to provide information about any system-level keys required to establish secure cluster communication. In this scenario, the Verifier and Relying Party will typically be other HSMs in the cluster deciding whether or not to admit the new HSM. A related scenario is when performing a key export-import across HSMs. If the key is being imported with certain properties, for example an environment running in FIPS mode at FIPS Level 3, and the key is set to certain protection properties such as Non-Exportable and Dual-Control, then the HSM might wish to verify that the key was previously stored under the same properties. This specification provides an Evidence format with sufficient details to support this type of implementation across HSM vendors. These scenarios motivate the design requirements to have an ASN.1 based Evidence format and a data model that more closely matches typical HSM architecture since, as shown in both scenarios, an HSM is acting as Verifier and Relying Party.

Attesting subject of a certificate issuance Prior to a Certification Authority (CA) issuing a certificate on behalf of a subject, a number of procedures are required to verify that the subject of the certificate is associated with the key that is certified. In some cases, such as issuing a code signing certificate , a CA must ensure that the subject key is located in a Hardware Security Module (HSM). The Evidence format offered by this specification is designed to carry the information necessary for a CA to assess the location of the subject key along a number of commonly-required attributes. More specifically, a CA could determine which HSM was used to generate the subject key, whether this device adheres to certain jurisdiction policies (such as FIPS mode) and the constraints applied to the key (such as whether is it extractable). For relatively simple HSM devices, storage properties such as "extractable" may always be false for all keys since the devices are not capable of key export and so the Evidence could be essentially a hard-coded template asserting these immutable attributes. However, more complex HSM devices require a more complex Evidence format that encompasses the mutability of these attributes. Also, a client requesting a key attestation might wish to scope-down the content of the produced Evidence as the HSM contains much more information than that which is relevant to the transaction. Not reducing the scope of the generated Evidence could, in some scenarios, constitute a privacy violation.

Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This specification uses a necessary mixture of PKI terminology and RATS Architecture definitions in order to map concepts between the two domains. The reader is assumed to be familiar with the vocabulary and concepts defined in the RATS Architecture () such as Attester, Relying Party, Verifier. The reader is assumed to be familiar with common vocabulary and concepts defined in such as certificate, signature, attribute, verification and validation. In order to avoid confusion, this document generally capitalizes RATS terms such as Attester, Relying Party, and Claim. Therefore, for example, a "Verifier" should be assumed to be an entity that checks the validity of Evidence as per , whereas a "verifier" could be a more general reference to a PKI entity that checks the validity of an X.509 certificate or other digital signature as per . The following terms are used in this document:

Attestation Key (AK):

Cryptographic key controlled solely by the Attester and used only for the purpose of producing Evidence. In other words, it is used to digitally sign the claims collected by the Attester.

Attester:

The term Attester respects the definition offered in . In this specification, it is also interchangeable with "platform" or "HSM".

Attesting Environment:

As defined in , the Attesting Environment collects the information to be represented in Claims. In practical terms, an implementation may be designed with services to perform this function. To remain consistent with the RATS Architecture, the term "Attesting Environment" is used throughout this specification.

Evidence:

The term Evidence respects the definition offered in . In this specification, it refers to claims, encoded according to the format defined within this document, and signed using Attestation Keys.

Hardware Security Module (HSM):

A physical computing device that safeguards and manages secrets, such as cryptographic keys, and performs cryptographic operations based on those secrets. This specification takes a broad definition of what counts as an HSM to include smartcards, USB tokens, TPMs, cryptographic co-processors (PCI cards) and "enterprise-grade" or "cloud-service grade" HSMs (possibly rack mounted). In this specification, it is interchangeable with "platform" or "Attester".

Key Attestation:

Process of producing Evidence containing claims pertaining to user keys found within an HSM. In general, the claims include enough information about a user key and its hosting platform to allow a Relying Party to make judicious decisions about the key, such as whether to issue a certificate for the key.

RATS:

Remote ATtestation procedureS. Refers to a working group within IETF and all the documents developed under this umbrella of efforts. This specification is developed using concepts developed in RATS but more particularly refers to the RATS Architecture as introduced in .

PKIX:

Public Key Infrastructure based on X.509 certificates. Refers to the framework of technology, policies and procedures used to manage and distribute digital certificate based on and related specifications.

Platform:

The module or device that embodies the Attester. In this specification, it is interchangeable with "Attester" or "HSM".

Platform Attestation:

Evidence containing claims pertaining to measured values associated with the platform itself. In general, the claims include enough information about the platform to allow a Relying Party to make judicious decisions about the platform, such as those carried out during audit reviews.

Presenter:

Role that facilitates communication between the Attester and the Verifier. The Presenter initiates the operation of generating Evidence at the Attester and passes the generated Evidence to the Verifier. In the case of HSMs, the Presenter is responsible of selecting the claims that are part of the generated Evidence.

Trust Anchor:

As defined in and , a Trust Anchor "represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative." The Trust Anchor may be a certificate, a raw public key, or other structure, as appropriate.

Trusted Platform Module (TPM):

A tamper-resistant processor generally located on a computer's motherboard used to enhance attestation functions for the hosting platform. TPMs are very specialized Hardware Security Modules and generally use other protocols (than the one presented in this specification) to transmit Evidence.

User Key:

A user key consists of a key hosted by an HSM (the platform) and intended to be used by a client of the HSM. Other terms used for a user key are "application key", "client key" or "operational key". The access and operations on a user key is controlled by the HSM.

Claims and measurements in generated Evidence The RATS Architecture states that Evidence is made up of claims and that a claim is "a piece of asserted information, often in the form of a name/value pair". The RATS Architecture also mentions the concept of "measurements" that "can describe a variety of attributes of system components, such as hardware, firmware, BIOS, software, etc., and how they are hardened." Some HSMs have a large amount of memory and can therefore contain a substantial amount of elements that can be observed independently by the Attesting Environment. Each of those elements, in turn, can contain a number of measurable attributes. A certain level of complexity arises as multiple elements of the same class can be reported simultaneously in generated Evidence. In this case, multiple similar claims are reported simultaneously but associated with different elements. For example, two independent user keys could be reported simultaneously in Evidence. Each key is associated with a SPKI (SubjectPublicKeyInfo). The measured values for the SPKI of the respective keys are different. To that end, in this specification, the claims are organized as collections where each claim is the association of a claim type with the measured value. The collections, in turn, are organized by entities. An entity represents one of the elements that is observed in the Target Environment. Thus, an entity is associated with a collection of claims. Each claim is the association of a claim type with a measured value. The grouping of claims into entities facilitates the comprehension of a large addressable space into elements recognizable by the user. More importantly, it curtails the produced Evidence to portions of the Target Environment that relate to the needs of the Verifier. See .

Attestation Key Certificate Chain The data format in this specification represents Evidence and requires third-party endorsement in order to establish trust. Part of this endorsement is a trust anchor that chains to the HSM's attestation key (AK) which signs the Evidence. In practice the trust anchor usually is a manufacturing CA belonging to the device vendor which proves that the device is genuine and not counterfeit. The trust anchor can also belong to the device operator as would be the case when the AK certificate is replaced as part of onboarding the device into a new operational environment. The AK certificate that signs the evidence MUST include the Extended Key Usage (EKU) certificate extension, and the EKU certificate extension MUST include the id-kp-attest, as defined in . Note that the data format specified in allows for zero, one, or multiple 'SignatureBlock's, so a single Evidence statement could be un-protected, or could be endorsed by multiple AK chains leading to different trust anchors. See for a discussion of handling multiple SignatureBlocks.

Information Model The Evidence format is composed of two main sections:

• An Evidence section which describes the list of reported entities.
• A signature section where one or more digital signatures are offered to prove the origin of the Evidence and maintain its integrity.

The details of the signature section is left to the data model. The remainder of this section deals with the way the information is organized to form the claims. The claims are associated with entities to help with the organization and comprehension of the information. Entities are elements observed in the Target Environment by the Attesting Environment. Each entity, in turn, is associated with a collection of claims that describes the attributes of the element. Therefore, the Claim description section is a set of entities and each entity is composed of a claim set.

Entity An entity is a logical construct that refers to a portion of the Target Environment's state. It is addressable via an identifier such as a UUID or a handle (as expressed in ). In general, an entity refers to a component recognized by users of the HSM, such as a key or the platform itself. An entity is composed of a type, the entity type, and a collection of claims. The entity type describes the class of the entity while the collection of claims defines its state. An entity MUST be reported at most once in a claim description. The claim description can have multiple entities of the same type (for example reporting multiple keys), but each entity MUST relate to different portions of the Target Environment. It is possible for two entities to be quite similar such as in a situation where a key is imported twice in a HSM. In this case, the two related entities could be associated similar claims. However, they are treated as different entities as they are reporting different portions of the Target Environment. The number of entities reported in a claim description, and their respective type, is left to the implementer. For a simple device where there is only one key, the list of reported entities could be fixed. For larger and more complex devices, the list of reported entities should be tailored to what is demanded by the Presenter. In particular, note that the nonce claim contained with the Transaction entity is optional, and therefore it is possible that an extremely simple device that holds one static key could have its Evidence generated at manufacturing time and injected statically into the device instead of being generated on-demand. This model would essentially off-board the Attesting Environment to be part of the manufacturing infrastructure. In the RATS Architecture, this configuration would refer to the the information provided by the HSM as an Endorsement provided by the manufacturer as opposed to Evidence generated by the Attesting Environment.

Entity Type An entity is defined by its type. This specification defines three entity types:

• Platform : This entity holds claims that describes the state of the platform (or device) itself. Entities of this type hold claims that are global in nature within the Target Environment.
• Key : The entities of this type represent a cryptographic key protected within the Target Environment and hold claims that describes that specific key.
• Transaction : This entity is logical in nature since it is associated with claims that does not describe anything found in the Target Environment. Instead, these claims relate to the current request for Evidence such as a nonce to support freshness.

Although this document defines a short list of entity types, this list is extensible to allow implementers to report on entities found in their implementation and not covered by this specification. By using an Object Identifiers (OID) for specifying entity types and claim types, this format is inherently extensible; implementers of this specification MAY define new custom or proprietary entity types and place them alongside the standardized entities, or define new claim types and place them inside standardized entities. Verifiers SHOULD ignore and skip over unrecognized entity or claim types and continue processing normally. In other words, if a given Evidence would have been acceptable without the unrecognized entities or claims, then it SHOULD still be acceptable with them.

Claim Type Each claim found in an entity is composed of the claim type and a value. Each claim describes a portion of the state of the associated entity. For example, a platform entity could have a claim which indicates the firmware version currently running. Another example is a key entity with a claim that reports whether the key is extractable or not. A value provided by a claim is to be interpreted within the context of its entity and in relation to the claim type. It is RECOMMENDED that a claim type be defined for a specific entity type, to reduce confusion when it comes to interpretation of the value. In other words, a claim type SHOULD NOT be used by multiple entity types. For example, if a concept of "revision" is applicable to a platform and a key, the claim for one entity type (platform revision) should have a different identifier than the one for the other entity type (key revision). The nature of the value (boolean, integer, string, bytes) is dependent on the claim type. This specification defines a limited set of claim types. However, the list is extensible through the IANA registration process or private OID allocation, enabling implementers to report additional claims not covered by this specification. The number of claims reported within an entity, and their respective type, is left to the implementer. For a simple device, the reported list of claims for an entity might be fixed. However, for larger and more complex devices, the list of reported claims should be tailored to what is demanded by the Presenter. Claims of a particular type MAY be repeated within an entity while others MUST NOT. For example, for a platform entity, there can only be one "firmware version" claim. Therefore, the associated claim MUST NOT be repeated as it may lead to confusion. However, a claim relating to a "ak-spki" MAY be repeated, each claim describing a different attesting key. Therefore, the definition of a claim specifies whether or not multiple copies of that claim are allowed within an entity claim set. If a Verifier detects, within a single entity, multiple copies of a claim type that should not be repeated, it MUST reject the Evidence as malformed. Since a Verifier is encouraged to ignore unrecognized claim types, it is possible that a potential rejection is missed. If a Verifier encounters, within the context of an entity, a repeated claim for a type where it is allowed, it MUST treat each one as an independent claim and MUST NOT consider later ones to overwrite the previous one.

Data Model This section describes the data model associated with generated Evidence. For ease of deployment within the target ecosystem, ASN.1 definitions and DER encoding are used. A complete ASN.1 module is provided in . The top-level structures, as ASN.1 fragments, are: An Evidence message is composed of a protected section known as the To-Be-Signed (TBS) section where the Evidence reported by the Attesting Environment is assembled. The integrity of the TBS section is ensured with one or multiple cryptographic signatures over the content of this section. There is a provision to carry X.509 certificates supporting each signature. The SEQUENCE OF SignatureBlock allows for both multi-algorithm protection and for counter-signatures of the Evidence. In an effort to keep the Evidence format simple, distinguishing between these two cases is left up to Verifier policy, potentially by making use of the certificates that accompany each signature. This design also does not prevent an attacker from removing, adding or re-ordering signatures without leaving trace. This is discussed as part of the security considerations in . The TBS section is composed of a version number, to ensure future extensibility, and a sequence of reported entities. For compliance with this specification, TbsEvidence.version MUST be 1. This envelope format is not extensible; future specifications which make compatibility-breaking changes MUST increment the version number. A SignatureBlock is included for each signature submitted against the TBS section. The SignatureBlock includes the signature algorithm (signatureAlgorithm) and the signature itself (signatureValue). It also includes information to identify the authority that provided the signature which is the structure SignerIdentifier (sid). The signer identifier includes a combination of X.509 certificate, SubjectPublicKeyInfo (SPKI) and/or key identifier (keyId). It is expected that a X.509 certificate will be generally used, as it provides the public key needed to verify the signature and clearly identifies the subject that provided the signature. The SPKI and keyId are allowed to support environments where X.509 certificates are not used. The optional certificate list provided in Evidence.intermediateCertificates enables the insertion of X.509 certificates to support trusting the signatures found in signature blocks. This information is intended to provide the certificates required by the Verifier to validate the endorsement on the certificates included with the signatures. intermediateCertificates MAY include any or all intermediate CA certificates needed to build paths. It is not required to include trust anchors. Order is not significant. As described in , the TbsEvidence is a collection of entities. Each entity is associated with a type that defines its class. The entity types are represented by object identifiers (OIDs). The following ASN.1 definition defines the structures associated with entities: In turn, entities are composed of a collection of claims. Each claim is composed of a type and a value. The claim types are represented by object identifiers (OIDs). The following ASN.1 definition defines the structures associated with claims: Each claim type SHOULD be associated with a single entity type. Therefore, it is encouraged to define claim types grouped with their respective entity type. The type of a claim value is dictated by the claim type. When a claim type is defined, the definition must include the type of the value, its semantic and interpretation. The remainder of this section describes the entity types and their associated claims.

Platform Entity A platform entity reports information about the device where the Evidence is generated and is composed of a collection of claims that are global to the Target Environment. It is associated with the type identifier id-evidence-entity-platform. A platform entity, if provided, MUST be included only once within the reported entities. If a Verifier encounters multiple entities of type id-evidence-entity-platform, it MUST reject the Evidence as malformed. The following table lists the claims for a platform entity (platform claims) defined within this specification. In cases where the claim is borrowed from another specification, the "Reference" column refers to the specification where the semantics for the claim value can be found. Claims defined in this specification have further details below.

Claim Type	Claim Value	Reference	Multiple?	OID
vendor	utf8String	RFCthis	No	id-evidence-claim-platform-vendor
oemid	bytes		No	id-evidence-claim-platform-oemid
hwmodel	bytes		No	id-evidence-claim-platform-hwmodel
hwversion	utf8String		No	id-evidence-claim-platform-hwversion
hwserial	utf8String	RFCthis	No	id-evidence-claim-platform-hwserial
swname	utf8String		No	id-evidence-claim-platform-swname
swversion	utf8String		No	id-evidence-claim-platform-swversion
dbgstat	int		No	id-evidence-claim-platform-debugstat
uptime	int		No	id-evidence-claim-platform-uptime
bootcount	int		No	id-evidence-claim-platform-bootcount
fipsboot	bool		No	id-evidence-claim-platform-fipsboot
fipsver	utf8String		No	id-evidence-claim-platform-fipsver
fipslevel	int		No	id-evidence-claim-platform-fipslevel
fipsmodule	utf8String		No	id-evidence-claim-platform-fipsmodule

Each claim defined in the table above is described in the following sub-sections.

vendor A human-readable string that reports the name of the device's manufacturer. This field is for informational purposes only and should not be used in any automated mechanism to compare the Evidence. For the purposes of comparison, the claims oemid and hwmodel should be used. If the device is submitted to FIPS validation, this string should correspond to the vendor field of the submission.

oemid, hwmodel, hwversion, swname, swversion, dbgstat, uptime, bootcount These claims are defined in and are reused in this specification for interoperability. Small descriptions are offered for each to ease the reading of this specification. In case of confusion between the description offered here and the one in , the definition offered in the latter shall prevail. The claim "oemid" uniquely identifies the Original Equipment Manufacturer (OEM) of the HSM. This is a sequence of bytes and is not meant to be a human readable string. The claim "hwmodel" differentiates models, products, and variants manufactured by a particular OEM. A model must be unique within a given "oemid". This is a sequence of bytes and is not meant to be a human readable string. The claim "hwversion" is a text string reporting the version of the hardware. This claim must be interpreted along with the claim "hwmodel". The claim "swname" is a text string reporting the name of the firmware running on the platform. The claim "swversion" differentiates between the various revisions of a firmware offered for the platform. This is a string that is expected to be human readable. The claim "dbgstat" refers to the state of the debug facilities offered by the HSM. This is an integer value describing the current state as described in . The claim "uptime" reports the number of seconds that have elapsed since the HSM was last booted. The claim "bootcount" reports the number of times the HSM was booted.

hwserial A human-readable string that reports the serial number of the hardware module. This serial number often matches the number engraved on the case or on an applied sticker.

fipsboot, fipsver, fipslevel and fipsmodule FIPS 140-3 CMVP validation places stringent requirements on the mode of operation of the device and the cryptography offered by the module, including only enabling FIPS-approved algorithms, certain requirements on entropy sources, and extensive start-up self-tests. FIPS 140-3 offers compliance levels 1 through 4 with increasingly strict requirements. Many HSMs include a configuration setting that allows the device to be taken out of FIPS mode and thus enable additional functionality or performance, and some offer configuration settings to change between compliance levels. The boolean claim fipsboot indicates whether the device is currently operating in FIPS mode. When the claim value is "true", the HSM is running in compliance with the FIPS 140 restrictions. Among other restrictions, it means that only FIPS-approved algorithms are available. If the value of this claim is "false", then the HSM is not restricted to the behavior limited by compliance. The textual claim fipsver indicates the version of the FIPS CMVP specification with which the device's operational mode is compliant. At the time of writing, the strings "FIPS 140-2" or "FIPS 140-3" SHOULD be used. The integer claim fipslevel indicates the compliance level to which the device is currently operating and MUST only be 1, 2, 3, or 4. The fipslevel claim has no meaning if fipsboot is absent or false. The claim fipsmodule is a textual field used to represent the name of the module that was submitted to CMVP for validation. The information derived by combining this claim with the vendor name shall be sufficient to find the associated records in the CMVP database. The FIPS status information found in Evidence indicates only the mode of operation of the device and is not authoritative of its validation status. This information is available on the NIST CMVP website or by contacting the device vendor. As an example, some devices may have the option to enable FIPS mode in configuration even if the vendor has not submitted this model for validation. As another example, a device may be running in a mode consistent with FIPS Level 3 but the device was only validated and certified to Level 2. A Relying Party wishing to know the validation status of the device MUST couple the device state information contained in the Evidence with a valid FIPS CMVP certificate for the device.

Key Entity A key entity is associated with the type id-evidence-entity-key. Each instance of a key entity represents a different addressable key found in the Target Environment. There can be multiple key entities found in Evidence, but each reported key entity MUST describe a different key from the Target Environment. Two key entities may represent the same underlying cryptographic key (keys with the exact same value) but they must be different portions of the Target Environment. A key entity is composed of a collection of claims relating to the cryptographic key. At minimum, a key entity MUST report the claim "identifier" to uniquely identify this cryptographic key from any others found in the same Target Environment. A Verifier that detects Evidence with multiple key entities referring to the same addressable key MUST reject the Evidence. The following table lists the claims for a key entity defined within this specification. The "Reference" column refers to the specification where the semantics for the claim can be found.

Claim Type	Claim Value	Reference	Multiple?	OID
identifier	utf8String	RFCthis	Yes	id-evidence-claim-key-identifier
spki	bytes	RFCthis	No	id-evidence-claim-key-spki
extractable	bool		No	id-evidence-claim-key-extractable
sensitive	bool		No	id-evidence-claim-key-sensitive
never-extractable	bool		No	id-evidence-claim-key-never-extractable
local	bool		No	id-evidence-claim-key-local
expiry	time	RFCthis	No	id-evidence-claim-key-expiry
purpose	bytes	RFCthis	No	id-evidence-claim-key-purpose

An attestation key might be visible to a client of the device and be reported along with other cryptographic keys. Therefore, it is acceptable to include a key entity providing claims about an attestation key like any other cryptographic key. An implementation MAY reject the generation of Evidence if it relates to an attestation key.

identifier A human-readable string that uniquely identifies the cryptographic key. This value often contains a UUID but could also have a numeric value expressed as text or any other textual description. This claim MAY be repeated as some environments have more than one way to refer to a cryptographic key.

spki The value of this claim contains the DER-encoded field SubjectPublicKeyInfo (see ) associated with the cryptographic key.

extractable, sensitive, never-extractable, local These claims are defined as key attributes in and reused in this specification for interoperability. Small descriptions are offered for each to ease the reading of this specification. In case of confusion between the description offered here and the one in , the definition offered in the latter shall prevail. The claim "extractable" indicates that the key can be exported from the HSM. Corresponds directly to the attribute CKA_EXTRACTABLE found in PKCS#11. The claim "sensitive" indicates that the value of key cannot leave the HSM in plaintext. Corresponds directly to the attribute CKA_SENSITIVE found in PKCS#11. The claim "never-extractable" indicates if the key was never extractable from the HSM throughout the life of the key. Corresponds directly to the attribute CKA_NEVER_EXTRACTABLE found in PKCS#11. The claim "local" indicates whether the key was generated locally or imported. Corresponds directly to the attribute CKA_LOCAL found in PKCS#11.

expiry Reports a time after which the key is not to be used. The device MAY enforce this policy based on its internal clock. Note that security considerations should be taken relating to HSMs and their internal clocks. See .

purpose Reports the key capabilities associated with the subject key. Since multiple capabilities can be associated with a single key, the value of this claim is a list of capabilities, each reported as an object identifier (OID). The value of this claim is the DER encoding of the following structure: EvidenceKeyCapabilities ::= SEQUENCE OF OBJECT IDENTIFIER ]]> The following table describes the key capabilities defined in this specification. The key capabilities offered are based on key attributes provided by PKCS#11. Each capability is assigned an object identifier (OID).

Capability	PKCS#11	OID
encrypt	CKA_ENCRYPT	id-evidence-key-capability-encrypt
decrypt	CKA_DECRYPT	id-evidence-key-capability-decrypt
wrap	CKA_WRAP	id-evidence-key-capability-wrap
unwrap	CKA_UNWRAP	id-evidence-key-capability-unwrap
sign	CKA_SIGN	id-evidence-key-capability-sign
sign-recover	CKA_SIGN_RECOVER	id-evidence-key-capability-sign-recover
verify	CKA_VERIFY	id-evidence-key-capability-verify
verify-recover	CKA_VERIFY_RECOVER	id-evidence-key-capability-verify-recover
derive	CKA_DERIVE	id-evidence-key-capability-derive

The use of an object identifier to report a capability allows third parties to extend this list to support implementations that have other key capabilities.

Transaction Entity A transaction entity is associated with the type id-evidence-entity-transaction. This is a logical entity and does not relate to any state found in the Target Environment. Instead, it groups together claims that relate to the request of generating the Evidence. For example, it is possible to include a nonce as part of the request to produce Evidence. This nonce is repeated as part of the Evidence to support the freshness of the Evidence. The nonce is not related to any element in the Target Environment and the transaction entity is used to gather those values into claims. A transaction entity, if provided, MUST be included only once within the reported entities. If a Verifier detects multiple entities of type id-evidence-entity-transaction, it MUST reject the Evidence. The following table lists the claims for a transaction entity defined within this specification. The "Reference" column refers to the specification where the semantics for the claim value can be found.

Claim Type	Claim Value	Reference	Multiple?	OID
nonce	bytes		No	id-evidence-claim-transaction-nonce
timestamp	time		No	id-evidence-claim-transaction-timestamp
ak-spki	bytes	RFCthis	Yes	id-evidence-claim-transaction-ak-spki

nonce The claim nonce is used to provide "freshness" quality as to the generated Evidence. A Presenter requesting Evidence MAY provide a nonce value as part of the request. This nonce value, if specified, SHOULD be repeated in the generated Evidence as a claim within the transaction entity. This claim is similar to the "eat_nonce" as defined in . According to that specification, this claim may be specified multiple times with different values. However, within the scope of this specification, the "nonce" value can be specified only once within a transaction.

timestamp The time at which the Evidence was generated, according to the internal system clock of the Attesting Environment. This is similar to the "iat" claim in . Note that security considerations should be taken relating to the evaluation of timestamps generated by HSMs. See .

ak-spki This claim contains the encoded Subject Public Key Information (SPKI) for the attestation key used to sign the Evidence. The definition and encoding for SPKIs are defined in X.509 certificates (). This transaction claim is used to bind the content of the Evidence with the key(s) used to sign that Evidence. The importance of this binding is discussed in . This claim can be reported multiple times. Each included claim MUST refer to a different attestation key. In other words, this claim should be repeated only if multiple attestation keys are used to sign the Evidence.

Additional Entity and Claim Types It is expected that HSM vendors will register additional Entity and Claim types by assigning OIDs from their own proprietary OID arcs to hold data describing additional proprietary key properties. When new entity and claim types are used, documentation similar to the one produced in this specification SHOULD be distributed to explain the semantics of the claims and the frequency that values can be provided. See , and for handling of unrecognized custom types.

Encoding The structure Evidence is to be DER encoded . If a textual representation is required, then the DER encoding MAY be subsequently encoded into Standard Base64 as defined in . PEM-like representations are also allowed where a MIME-compliant Base64 transformation of the DER encoding is used, provided that the header label is "EVIDENCE". For example:

Signing and Verification Procedures The SignatureBlock.signatureValue signs over the DER-encoded to-be-signed Evidence data Evidence.tbs and MUST be validated with the subject public key of the end entity X.509 certificate contained in the SignerIdentifier.certificate. Verifiers MAY also use Evidence.intermediateCertificates to build a certification path to a trust anchor. Note that the structure Evidence MAY contain zero or more SignatureBlocks. A structure Evidence with zero SignatureBlocks is unsigned and unprotected; Verifiers MUST treat it as untrusted and MUST NOT rely on its claims. More than one SignatureBlock MAY be used to convey a number of different semantics. For example, the HSM's Attesting Environment might hold multiple Attestation Keys using different cryptographic algorithms in order to provide resilience against cryptographic degradation. In this case a Verifier would be expected to validate all SignatureBlocks. Alternatively, the HSM's Attesting Service may hold multiple Attestation Keys (or multiple X.509 certificates for the same key) from multiple operational environments to which it belongs. In this case a Verifier would be expected to only validate the SignatureBlock corresponding to its own environment. Alternatively, multiple SignatureBlocks could be used to convey counter-signatures from external parties, in which case the Verifier will need to be equipped with environment-specific verification logic. Multiple of these cases, and potentially others, could be supported by a single Evidence object. Note that each SignatureBlock is a fully detached signature over the tbs content with no binding between the signed content and the SignatureBlocks meaning that a third-party can add a counter-signature of the Evidence after the fact, or an attacker can remove a SignatureBlock without leaving any artifact. See for further discussion. If any transaction.ak-spki claims are present, the Verifier SHOULD verify that each SignerIdentifier’s SubjectPublicKeyInfo (or the SPKI of its certificate) matches at least one ak-spki value.

Attestation Requests This section is informative in nature and implementers of this specification do not need to adhere to it. The aim of this section is to provide a standard interface between a Presenter and an HSM producing Evidence. The authors hope that this standard interface will yield interoperable tools between offerings from different vendors. The interface presented in this section might be too complex for manufacturers of HSMs with limited capabilities such as smartcards or personal ID tokens. For devices with limited capabilities, a fixed Evidence endorsed by the vendor might be installed during manufacturing. Other approaches for constrained HSMs might be to report entities and claims that are fixed or offer limited variations. On the other hand, an enterprise-grade HSM with the capability to hold a large number of private keys is expected to be capable of generating Evidence catered to the specific constraints imposed by a Verifier and without exposing extraneous information. The aim of the request interface is to provide the means to select and report specific information in the generated Evidence. This section introduces the role of "Presenter" as shown in . The Presenter is the role that initiates the generation of Evidence. Since HSMs are generally servers (client/server relationship) or peripherals (controller/peripheral relationship), a Presenter is required to launch the process of creating the Evidence and capturing it to forward it to the Verifier.

Architecture | | +----------------+ Evidence(5) +------------+ ]]>

The process of generating Evidence generally starts at the Verifier with the generation of a nonce. The nonce is used to ensure freshness of the Evidence and this quality is guaranteed by the Verifier. Therefore, if a nonce is used, it must be provided to the Presenter by the Verifier (1). An Attestation Request (request) is assembled by the Presenter and submitted to the HSM (2). The Attesting Environment parses the request and collects the appropriate measurements from the Target Environment (3). In the previous figure, the HSM is represented as being composed of an Attesting Environment and a Target Environment. This representation is offered as a simplified view and implementations are not required to adhere to this separation of concerns. The Attesting Environment produces Evidence based on the collected information and returns it to the Presenter for distribution (4). Finally, the Presenter forwards the Evidence to the Verifier (5). The aim of the figure is to depict the position of the Presenter as an intermediate role between the Attester and the Verifier. The role of "Presenter" is privileged as it controls the claims included in the Evidence being generated by the Attester. However, the role is not "trusted" as the Verifier does not have to take into account the participation of the Presenter as part of the function of appraising the Evidence. The attestation request, shown in the figure, consists of a structure TbsEvidence containing one ReportedEntity for each entity expected to be included in the Evidence produced by the HSM. Each instance of ReportedEntity included in the request is referred to as a requested entity. A requested entity contains a number of instances of ReportedClaim known as requested claims. The collection of requested entities and requested claims represent the information desired by the Presenter. In most cases the value of a requested claim should be left unspecified by the Presenter. In the process of generating the Evidence, the values of the desired claims are measured by the Attesting Environment within the HSM and reported accordingly. For the purpose of creating a request, the Presenter does not specify the value of the requested claims and leaves them empty. This is possible because the definition of the structure ReportedClaim specifies the element value as optional. On the other hand, there are circumstances where the value of a requested claim should be provided by the Presenter. For example, when a particular cryptographic key is to be included in the Evidence, the request must include a key entity with one of the "identifier" claim set to the value corresponding to the desired key. Some instances of ReportedEntity, such as those representing the platform or the transaction, do not need identifiers as the associated elements are implicit in nature. Custom entity types might need selection during an attestation request and related documentation should specify how this is achieved. The instance of TbsEvidence is unsigned and does not provide any means to maintain integrity when communicated from the Presenter to the HSM. These details are left to the implementer. However, it is worth pointing out that the structure offered by Evidence could be reused by an implementer to provide those capabilities, as described in .

Requested Claims with Specified Values This section deals with the requested claims specified in this document where a value should be provided by a Presenter. In other words, this section defines all requested claims that should set a value in the structure ReportedClaim. Requested claims not covered in this sub-section should not have a specified value (left empty). Since this section is non-normative, implementers may deviate from those recommendations.

Key Identifiers A Presenter may choose to select which cryptographic keys are reported as part of the generated Evidence. For each selected cryptographic key, the Presenter includes a requested entity of type id-evidence-entity-key. Among the requested claims for this entity, the Presenter includes one claim with the type id-evidence-claim-key-identifier. The value of this claim should be set to the utf8String that represents the identifier for the specific key. An HSM receiving an attestation request which selects a key via this approach SHOULD fail the transaction if it cannot find the cryptographic key associated with the specified identifier.

Nonce A Presenter may choose to include a nonce as part of the attestation request. When producing the Evidence, the HSM repeats the nonce that was provided as part of the request. When providing a nonce, a Presenter includes, in the attestation request, an entity of type id-evidence-entity-transaction with a claim of type id-evidence-claim-transaction-nonce. This claim is set with the value of the nonce as "bytes". It is important to note that the Presenter, as an untrusted participant, should not be generating the value for the nonce. In fact, the nonce should be generated by the Verifier so that the freshness of the Evidence can be trusted by the Verifier.

Custom Key Selection An implementer might desire to select multiple cryptographic keys based on a shared attribute. A possible approach is to include a single request entity of type id-evidence-entity-key including a claim with a set value. This claim would not be related to the key identifier as this is unique to each key. A HSM supporting this scheme could select all the cryptographic keys matching the specified claim and report them in the generated Evidence. This is a departure from the base request interface, as multiple key entities are reported from a single requested entity. More elaborate selection schemes can be envisaged where multiple requested claims specifying values would be tested against cryptographic keys. Whether these claims are combined in a logical "and" or in a logical "or" would need to be specified by the implementer.

Custom Transaction Entity Claims The extensibility offered by the proposed request interface allows an implementer to add custom claims to the transaction entity in order to influence the way that the Evidence generation is performed. In such an approach, a new custom claim for requested entities of type "transaction" is defined. Then, a claim of that type is included in the attestation request (as part of the transaction entity) while specifying a value. This value is considered by the HSM while generating the Evidence.

Reporting of Attestation Keys There is a provision for the Attesting Environment to report the attestation key(s) used during the generation of the Evidence. To this end, the transaction claim "ak-spki" is used. A Presenter invokes this provision by submitting an attestation request with a transaction claim of type "ak-spki" with a non-specified value (left empty). In this case, the Attesting Environment adds a transaction claim of type "ak-spki" for each Attestation Key used to sign the Evidence. The value of this claim is an octet string (bytes) which is the encoding of the Subject Public Key Information (SPKI) associated with the Attestation Key. Details on SPKIs and their encoding can be found in X.509 certificates (). This reporting effectively binds the signature blocks to the content (see ).

Processing an Attestation Request This sub-section deals with the rules that should be considered when an Attesting Environment processes a request to generate Evidence. This section is non-normative and implementers MAY choose to not follow these recommendations. These recommendations apply to any attestation request schemes and are not restricted solely to the request interface proposed here. An Attesting Environment SHOULD fail an attestation request if it contains an unrecognized entity type. This is to ensure that all the semantics expected by the Presenter are fully understood by the Attesting Environment. An Attesting Environment MUST fail an attestation request if it contains a requested claim with an unrecognized type with a specified a value (not empty). This represents a situation where the Presenter is selecting specific information that is not understood by the Attesting Environment. An Attesting Environment SHOULD ignore unrecognized claim types in an attestation request. In this situation, the Attesting Environment SHOULD NOT include the claim as part of the response. This guidance is to increase the likelihood of interoperability between tools of various vendors. An Attesting Environment MUST NOT include entities and claims in the generated Evidence if these entities and claims were not specified as part of the request. This is to give control to the Presenter as to what information is disclosed by the Attesting Environment. An Attesting Environment MUST fail an attestation request if the Presenter does not have the appropriate access rights to the entities or claims included in the request.

Verification by Presenter This sub-section deals with the rules that should be considered when a Presenter receives Evidence from the Attester (the HSM) prior to distribution. This section is non-normative and implementers MAY choose to not follow these recommendations. These recommendations apply to any Evidence and are not restricted solely to Evidence generated from the proposed request interface. A Presenter MUST review the Evidence produced by an Attester for fitness prior to distribution. A Presenter MUST NOT disclose Evidence if it contains information it cannot parse. This restriction applies to entity types and claim types. This is to ensure that the information provided by the Attester can be evaluated by the Presenter. A Presenter MUST NOT disclose Evidence if it contains entities others than the ones that were requested of the Attester. This is to ensure that only the selected entities are exposed to the Verifier. A Presenter MUST NOT disclose Evidence if it contains an entity with a claim that was not requested of the Attester. This is to ensure that only the selected information is disclosed to the Verifier. Further privacy concerns are discussed in .

ASN.1 Module =============== NOTE: '\' line wrapping per RFC 8792 ================ PKIX-Evidence-2025 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix-evidence-2025(TBDMOD) } DEFINITIONS IMPLICIT TAGS ::= BEGIN Evidence ::= SEQUENCE { tbs TbsEvidence, signatures SEQUENCE SIZE (0..MAX) OF \ SignatureBlock, intermediateCertificates [0] SEQUENCE OF Certificate OPTIONAL -- As defined in RFC 5280 } TbsEvidence ::= SEQUENCE { version INTEGER, reportedEntities SEQUENCE SIZE (1..MAX) OF ReportedEntity } ReportedEntity ::= SEQUENCE { entityType OBJECT IDENTIFIER, claims SEQUENCE SIZE (1..MAX) OF ReportedClaim } ReportedClaim ::= SEQUENCE { claimType OBJECT IDENTIFIER, value ClaimValue OPTIONAL } ClaimValue ::= CHOICE { bytes [0] OCTET STRING, utf8String [1] UTF8String, bool [2] BOOLEAN, time [3] GeneralizedTime, int [4] INTEGER, oid [5] OBJECT IDENTIFIER, null [6] NULL } SignatureBlock ::= SEQUENCE { sid SignerIdentifier, signatureAlgorithm AlgorithmIdentifier, signatureValue OCTET STRING } SignerIdentifier ::= SEQUENCE { keyId [0] EXPLICIT OCTET STRING OPTIONAL, subjectPublicKeyInfo [1] EXPLICIT SubjectPublicKeyInfo OPTIONAL, -- As defined in RFC 5280 certificate [2] EXPLICIT Certificate OPTIONAL -- As defined in RFC 5280 } EvidenceKeyCapabilities ::= SEQUENCE OF OBJECT IDENTIFIER id-evidence OBJECT IDENTIFIER ::= { 1 2 3 999 } id-evidence-entity OBJECT IDENTIFIER ::= { id-evidence \ 0 } id-evidence-entity-transaction OBJECT IDENTIFIER ::= { id-evidence-\ entity 0 } id-evidence-entity-platform OBJECT IDENTIFIER ::= { id-evidence-\ entity 1 } id-evidence-entity-key OBJECT IDENTIFIER ::= { id-evidence-\ entity 2 } id-evidence-claim OBJECT IDENTIFIER ::= { id-evidence 1 } id-evidence-claim-transaction OBJECT IDENTIFIER ::= { id-\ evidence-claim 0 } id-evidence-claim-transaction-nonce OBJECT IDENTIFIER ::= { id-\ evidence-claim-transaction 0 } id-evidence-claim-transaction-timestamp OBJECT IDENTIFIER ::= { id-\ evidence-claim-transaction 1 } id-evidence-claim-transaction-ak-spki OBJECT IDENTIFIER ::= { id-\ evidence-claim-transaction 2 } id-evidence-claim-platform OBJECT IDENTIFIER ::= { id-\ evidence-claim 1 } id-evidence-claim-platform-vendor OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 0 } id-evidence-claim-platform-oemid OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 1 } id-evidence-claim-platform-hwmodel OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 2 } id-evidence-claim-platform-hwversion OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 3 } id-evidence-claim-platform-hwserial OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 4 } id-evidence-claim-platform-swname OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 5 } id-evidence-claim-platform-swversion OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 6 } id-evidence-claim-platform-debugstat OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 7 } id-evidence-claim-platform-uptime OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 8 } id-evidence-claim-platform-bootcount OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 9 } id-evidence-claim-platform-usermods OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 10 } id-evidence-claim-platform-fipsboot OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 11 } id-evidence-claim-platform-fipsver OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 12 } id-evidence-claim-platform-fipslevel OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 13 } id-evidence-claim-platform-fipsmodule OBJECT IDENTIFIER ::= { id-\ evidence-claim-platform 14 } id-evidence-claim-key OBJECT IDENTIFIER ::= { id-\ evidence-claim 2 } id-evidence-claim-key-identifier OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 0 } id-evidence-claim-key-spki OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 1 } id-evidence-claim-key-extractable OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 2 } id-evidence-claim-key-sensitive OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 3 } id-evidence-claim-key-never-extractable OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 4 } id-evidence-claim-key-local OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 5 } id-evidence-claim-key-expiry OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 6 } id-evidence-claim-key-purpose OBJECT IDENTIFIER ::= { id-\ evidence-claim-key 7 } id-evidence-key-capability OBJECT IDENTIFIER ::= { \ id-evidence 2 } id-evidence-key-capability-encrypt OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 0 } id-evidence-key-capability-decrypt OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 1 } id-evidence-key-capability-wrap OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 2 } id-evidence-key-capability-unwrap OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 3 } id-evidence-key-capability-sign OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 4 } id-evidence-key-capability-sign-recover OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 5 } id-evidence-key-capability-verify OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 6 } id-evidence-key-capability-verify-recover OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 7 } id-evidence-key-capability-derive OBJECT IDENTIFIER ::= { \ id-evidence-key-capability 8 } END ]]>

IANA Considerations Please replace "RFCthis" with the RFC number assigned to this document. For the ASN.1 module found in Section 8, IANA is requested to assign an object identifier for the module identifier (TBDMOD) with a description of "id-mod-pkix-evidence-2025". This should be allocated in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). IANA is asked to define a new arc under "SMI Security for Mechanism Codes" (1.3.6.1.5.5) with the following details:

• OID Value: 1.3.6.1.5.5.<evidence>
• Name: evidence
• Description: Evidence Encoding for Hardware Security Modules
• Reference: RFCthis

Security Considerations

Policies relating to Verifier and Relying Party The generation of Evidence by an HSM is to provide sufficient information to a Verifier and, ultimately, a Relying Party to appraise the Target Environment (the HSM) and make decisions based on this appraisal. The Appraisal Policy associated with the Verifier influences the generation of the Attestation Results. Those results, in turn, are consumed by the Relying Party to make decisions about the HSM, which might be based on a set of rules and policies. Therefore, the interpretation of the provided Evidence may greatly influence the outcome of some decisions. A Verifier MAY reject Evidence if it lacks the claims required per the Verifier's appraisal policy. For example, if a Relying Party mandates a FIPS-certified device, it SHOULD reject Evidence lacking sufficient information to verify the device's FIPS certification status. If a Verifier encounters a claim with an unrecognized claim type, it MAY ignore it and treat it as extraneous information. By ignoring a claim, the Verifier may accept Evidence that would be deemed malformed to a Verifier with different policies. However, this approach fosters a higher likelihood of achieving interoperability.

Simple to Implement The nature of attestation requires the Attesting Environment to be implemented in an extremely privileged position within the HSM so that it can collect the required measurements such as hardware registers and the user keys. For many HSM architectures, this will place the Attesting Environment inside the "security kernel" and potentially subject to FIPS 140-3 or Common Criteria validation and change control. For both security and compliance reasons, there is an incentive for the generation and parsing logic to be simple and easy to implement correctly. Additionally, when the data formats contained in this specification are parsed within an HSM boundary -- that would be parsing Evidence produced by a different HSM -- implementers SHOULD opt for simple logic that rejects any data that does not match the expected format, instead of attempting to be flexible. In particular, the Attesting Environment SHOULD generate Evidence from scratch and avoid copying any content from the request. The Attesting Environment MUST generate Evidence only from information and measurements that are directly observable by it.

Detached Signatures The construction of the Evidence structure includes a collection of signature blocks that are not explicitly bound to the content. This approach was influenced by the following motivations:

• Multiple simultaneous signature blocks are desired to support hybrid environments where multiple keys using different cryptographic algorithms are required to support appraisal policies.
• Provide the ability to add counter-signatures without having to define an envelop scheme.

The concept of counter-signatures is important for environments where a number of heterogeneous devices are deployed. In those environments, it is possible for a trusted actor, intermediary between the Attester and the Verifier, to validate the original signature(s) and apply its own afterwards. The ability to add signature blocks to the Evidence after the original generation by the Attester leads to the unfortunate situation where signature blocks can also be removed without leaving any trace. Therefore, the signature blocks can be deemed as "detachable" or "stapled". Manipulation of the Evidence after it was generated can lead to undesired outcomes at the Verifier. Therefore, Verifiers MUST be designed to accept Evidence based on their appraisal policies, regardless of the presence or absence of certain signature(s). Consequently, Verifiers MUST NOT make any inferences based on a missing signature, as the signature could have been removed in transit. This specification provides the transaction claim "ak-spki" to effectively bind the content with the signature blocks that were inserted by the Attesting Environment. When this claim is provided, it reports the SPKI of one of the attestation keys used by the Attesting Environment to produce the Evidence. This claim is repeated for each of the attestation keys used by the Attesting Environment.

Privacy Some HSMs have the capacity of supporting cryptographic keys controlled by separate entities referred to as "tenants", and when the HSM is used in that mode it is referred to as a multi-tenant configuration. For example, an enterprise-grade HSM in a large multi-tenant cloud service could host TLS keys fronting multiple un-related web domains. Providing Evidence for claims of any one of the keys would involve a Presenter that could potentially access any of the hosted keys. In such a case, privacy violations could occur if the Presenter was to disclose information that does not relate to the subject key. Implementers SHOULD be careful to avoid over-disclosure of information, for example by authenticating the Presenter as described in and only returning results for keys and portions of the Target Environment for which it is authorized. In the absence of an existing mechanism for authenticating and authorizing administrative connections to the HSM, the attestation request authentication approach is described in . Furthermore, enterprise and cloud-services grade HSMs SHOULD support the full set of attestation request functionality described in so that Presenters can fine-tune the content of the generated Evidence such that it is appropriate for the intended Verifier.

Authenticating and Authorizing the Presenter The Presenter represents a privileged role within the architecture of this specification as it gets to learn about the existence of user keys and their protection properties, as well as details of the platform. The Presenter is in the position of deciding how much information to disclose to the Verifier, and to request a suitably redacted Evidence from the HSM. For personal cryptographic tokens it might be appropriate for the attestation request interface to be un-authenticated. However, for enterprise and cloud-services grade HSMs the Presenter SHOULD be authenticated using the HSM's native authentication mechanism. The details are HSM-specific and are thus left up to the implementer. However, it is RECOMMENDED to implement an authorization framework similar to the following. A Presenter SHOULD be allowed to request Evidence for any user keys which it is allowed to use. For example, a TLS application that is correctly authenticated to the HSM in order to use its TLS keys SHOULD be able to request Evidence related to those same keys without needing to perform any additional authentication or requiring any additional roles or permissions. HSMs that wish to allow a Presenter to request Evidence of keys which is not allowed to use, for example for the purposes of displaying HSM status information on an administrative console or UI, SHOULD have a "Attestation Requester" role or permission and SHOULD enforce the HSM's native access controls such that the Presenter can only retrieve Evidence for keys for which it has visibility. In the absence of an existing mechanism for authenticating and authorizing administrative connections to the HSM, the attestation request MAY be authenticated by embedding the TbsEvidence of the request inside an Evidence signed with a certificate belonging to the Presenter.

Proof-of-Possession of User Keys With asymmetric keys within a Public Key Infrastructure (PKI) it is common to require a key holder to prove that they are in control of the private key by using it. This is called "proof-of-possession (PoP)". This specification intentionally does not provide a mechanism for PoP of user keys and relies on the Presenter, Verifier, and Relying Party trusting the Attester to correctly report the cryptographic keys that it is holding. It would be trivial to add a PoP Key claim that uses the attested user key to sign over, for example, the Transaction Entity. However, this approach leads to undesired consequences, as explained below. First, a user key intended for TLS, as an example, SHOULD only be used with the TLS protocol. Introducing a signature oracle whereby the TLS application key is used to sign Evidence could lead to cross-protocol attacks. In this example, an attacker could submit a "nonce" value which is in fact not random but is crafted in such a way as to appear as a valid message in some other protocol context or exploit some other weakness in the signature algorithm. Second, the Presenter who has connected to the HSM to request Evidence may have permissions to list the requested application keys but not permission to use them, as in the case where the Presenter is an administrative UI displaying HSM status information to a system's administrator or auditor. Requiring the Attesting Environment to use the reported application keys to generate Evidence could, in some architectures, require the Attesting Environment to resolve complex access control logic and handle complex error conditions, which violates the "simple to implement" design principle outlined in . More discussions on authenticating the Presenter can be found in .

Timestamps and HSMs It is common for HSMs to have an inaccurate system clock. Most clocks have a natural drift and must be corrected periodically. HSMs, like any other devices, are subject to these issues. There are many situations where HSMs can not naturally correct their internal system clocks. For example, consider a HSM hosting a trust anchor and usually kept offline and booted up infrequently in a network without a reliable time management service. Another example is a smart card which boots up only when held against an NFC reader. When a timestamp generated from a HSM is evaluated, the expected behavior of the system clock SHOULD be considered. More specifically, the timestamp SHOULD NOT be relied on for establishing the freshness of the Evidence generated by a HSM. Instead, Verifiers SHOULD rely on other provisions such as the "nonce" claim of the "transaction" entity, introduced in this specification. Furthermore, the internal system clock of HSMs SHOULD NOT be relied on to enforce expiration policies.

References Normative References In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity. An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims. This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] ITU-T n.d. ITU-T n.d. OASIS PKCS 11 TC NIST, Information Technology Laboratory n.d. ITU-T Crypto4A Inc. Cryptic Forest Software University of Applied Sciences Bonn-Rhein-Sieg X.509 certificates ([RFC5280]) defines the Extended Key Usage (EKU) extension and specifies several key purpose identifiers (KeyPurposeIds) for use with that extension. This document defines a KeyPurposeId for the purpose of signing Evidence to provide remote attestation functions as defined in the RATS Architecture ([RFC9334]). In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community. A trust anchor represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative. A relying party uses trust anchors to determine if a digitally signed object is valid by verifying a digital signature using the trust anchor's public key, and by enforcing the constraints expressed in the associated data for the trust anchor. This document describes some of the problems associated with the lack of a standard trust anchor management mechanism and defines requirements for data formats and push-based protocols designed to address these problems. This document is not an Internet Standards Track specification; it is published for informational purposes. Vulnerabilities in Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism suitable for devices with resource constraints. Incorporating such an update mechanism is a fundamental requirement for fixing vulnerabilities, but it also enables other important capabilities such as updating configuration settings and adding new functionality. In addition to the definition of terminology and an architecture, this document provides the motivation for the standardization of a manifest format as a transport-agnostic means for describing and protecting firmware updates. This document describes the Certificate Request Message Format (CRMF) syntax and semantics. This syntax is used to convey a request for a certificate to a Certification Authority (CA), possibly via a Registration Authority (RA), for the purposes of X.509 certificate production. The request will typically include a public key and the associated registration information. This document does not define a certificate request protocol. [STANDARDS-TRACK] Cryptic Forest Software Siemens Fraunhofer SIT Certification Authorities (CAs) issuing certificates to Public Key Infrastructure (PKI) end entities may require a certificate signing request (CSR) to include additional verifiable information to confirm policy compliance. For example, a CA may require an end entity to demonstrate that the private key corresponding to a CSR's public key is secured by a hardware security module (HSM), is not exportable, etc. The process of generating, transmitting, and verifying additional information required by the CA is called remote attestation. While work is currently underway to standardize various aspects of remote attestation, a variety of proprietary mechanisms have been in use for years, particularly regarding protection of private keys. This specification defines an ASN.1 structure for remote attestation that can accommodate proprietary and standardized attestation mechanisms, as well as an attribute and an extension to carry the structure in PKCS#10 and Certificate Request Message Format (CRMF) messages, respectively. Intuit Arm Limited Arm Limited Arm Limited Huawei Linaro The TLS handshake protocol allows authentication of one or both peers using static, long-term credentials. In some cases, it is also desirable to ensure that the peer runtime environment is in a secure state. Such an assurance can be achieved using attestation which is a process by which an entity produces evidence about itself that another party can use to appraise whether that entity is found in a secure state. This document describes a series of protocol extensions to the TLS 1.3 handshake that enables the binding of the TLS authentication key to a remote attestation session. This enables an entity capable of producing attestation evidence, such as a confidential workload running in a Trusted Execution Environment (TEE), or an IoT device that is trying to authenticate itself to a network access point, to present a more comprehensive set of security metrics to its peer. These extensions have been designed to allow the peers to use any attestation technology, in any remote attestation topology, and mutually. Fraunhofer SIT Independent Linaro University of Applied Sciences Bonn-Rhein-Sieg Google LLC The Conceptual Messages introduced by the RATS architecture (RFC 9334) are protocol-agnostic data units that are conveyed between RATS roles during remote attestation procedures. Conceptual Messages describe the meaning and function of such data units within RATS data flows without specifying a wire format, encoding, transport mechanism, or processing details. The initial set of Conceptual Messages is defined in Section 8 of RFC 9334 and includes Evidence, Attestation Results, Endorsements, Reference Values, and Appraisal Policies. This document introduces the Conceptual Message Wrapper (CMW) that provides a common structure to encapsulate these messages. It defines a dedicated CBOR tag, corresponding JSON Web Token (JWT) and CBOR Web Token (CWT) claims, and an X.509 extension. This allows CMWs to be used in CBOR-based protocols, web APIs using JWTs and CWTs, and PKIX artifacts like X.509 certificates. Additionally, the draft defines a media type and a CoAP content format to transport CMWs over protocols like HTTP, MIME, and CoAP. The goal is to improve the interoperability and flexibility of remote attestation protocols. Introducing a shared message format such as CMW enables consistent support for different attestation message types, evolving message serialization formats without breaking compatibility, and avoiding the need to redefine how messages are handled within each protocol. National Security Agency n.d. CA/Browser Forum n.d.

Samples A reference implementation of this specification can be found at https://github.com/ietf-rats-wg/key-attestation It produces the following sample Evidence. All signatures throughout the samples chain to the following root certificate:

Simple Platform Evidence This example shows a minimal PKIX Evidence object with only transaction and platform entities a single signature where the AK key is identified only by its SHA1 hash KeyID. In other words, this Evidence describes only the HSM itself (rather than application keys stored within it), and it assumes that the Verifier will be able to look up the AK key by its SHA1 hash. Here is a pretty-print of the Evidence object: [bytes] deadbeefcafebabe Claim[1]: id-evidence-claim-transaction-timestamp -> [time] 20250314120000Z Claim[2]: id-evidence-claim-transaction-ak-spki -> [bytes] 3059301306072a8648ce3d02... ReportedEntity[1]: id-evidence-entity-platform Claim[0]: id-evidence-claim-platform-vendor -> [utf8String] Acme Corp Claim[1]: id-evidence-claim-platform-hwmodel -> [bytes] 48534d2d39303030 Claim[2]: id-evidence-claim-platform-hwversion -> [utf8String] 2.1.0 Claim[3]: id-evidence-claim-platform-fipsboot -> [bool] True Claim[4]: id-evidence-claim-platform-fipslevel -> [int] 3 Claim[5]: id-evidence-claim-platform-uptime -> [int] 86400 Signatures (1): SignatureBlock[0]: algorithm : 1.2.840.10045.4.3.2 signatureValue : 3046022100b5636293faa29f... keyId : 61c1886abaacb48ba275116780ecd4f4e61815ee ]]> For completeness of the sample, the following AK and Intermediate CA certificates are required for verification:

Key Attestation Evidence This example shows a PKIX Evidence object that is attesting two different application keys held within the HSM. For the purposes of this example, the Platform Entity is kept short. This example embeds the AK and Intermediate CA certificates in the Evidence object. It chains to the same root as above. Here is a pretty-print of the Evidence object: [bytes] beefcafebabedead Claim[1]: id-evidence-claim-transaction-timestamp -> [time] 20250314120000Z Claim[2]: id-evidence-claim-transaction-ak-spki -> [bytes] 3059301306072a8648ce3d02... ReportedEntity[1]: id-evidence-entity-platform Claim[0]: id-evidence-claim-platform-hwmodel -> [bytes] 48534d2d39303030 ReportedEntity[2]: id-evidence-entity-key Claim[0]: id-evidence-claim-key-identifier -> [utf8String] 9a25f603-a2c4-4dad-9ee0-a1b4e771f2c3 Claim[1]: id-evidence-claim-key-spki -> [bytes] 3059301306072a8648ce3d02... Claim[2]: id-evidence-claim-key-extractable -> [bool] False Claim[3]: id-evidence-claim-key-never-extractable -> [bool] True Claim[4]: id-evidence-claim-key-sensitive -> [bool] True Claim[5]: id-evidence-claim-key-local -> [bool] True Claim[6]: id-evidence-claim-key-purpose -> [bytes] 300806062a0387670204 ReportedEntity[3]: id-evidence-entity-key Claim[0]: id-evidence-claim-key-identifier -> [utf8String] 85704b99-7097-4bca-93b6-13352f865ace Claim[1]: id-evidence-claim-key-spki -> [bytes] 3059301306072a8648ce3d02... Claim[2]: id-evidence-claim-key-extractable -> [bool] True Claim[3]: id-evidence-claim-key-sensitive -> [bool] False Signatures (1): SignatureBlock[0]: algorithm : 1.2.840.10045.4.3.2 signatureValue : 30450220109323230dea72cf... AK Certificate : present Intermediate Certificates: (1) ]]>

Multi-HSM and Multi-Tenant Key Attestation Evidence Some of the design choices in this Evidence format -- such as extensible Entities and multiple signatures -- are motivated by attempting to future-proof against needing to represent the state of a key in a distributed cloud key management service. TODO:

• Illustrative example of having multiple signatures on a single Evidence.
• Illustrative example of how a vendor might represent that the key being attested is part of a logical tenant or access control group that spans multiple HSMs.

Acknowledgements This specification is the work of a design team created by the chairs of the RATS working group. This specification has been developed based on discussions in that design team and also with great amounts of input taken from discussions on the RATS mailing list. We would like to thank Jeff Andersen for the review comments. We would like to thank Dave Thaler for his guidance.