Standardization and Open-source Implementation of Attested TLS for Confidential Computing
- Track: Confidential Computing
- Room: UD6.215
- Day: Sunday
- Start (UTC+1): 12:05
- End (UTC+1): 12:25
- Room livestream: ud6215
- Chat: Join the conversation!
Summary
Attested TLS is a fundamental building block of confidential computing. We have defended our position (cf. expat BoF) to standardize the attested TLS protocols for confidential computing in the IETF, and a new Working Group named Secure Evidence and Attestation Transport (SEAT) has been formed to exclusively tackle this specific problem. In this talk, we present the design choices for standardization of attested TLS, namely pre-handshake attestation, intra-handshake attestation, and post-handshake attestation. We present the journey of standardization effort showing replay, diversion and relay attacks on pre-handshake attestation and intra-handshake attestation (see paper and formal proof). We finally present the post-handshake attestation candidate draft for standardization to gather feedback from the community, so that it can be accommodated in the standardization.
Technical details
We propose a specification that defines a method for two parties in a communication interaction to exchange Evidence and Attestation Results using exported authenticators, as defined in RFC9261. Additionally, we introduce the cmw_attestation extension, which allows attestation credentials to be included directly in the Certificate message sent during the Exported Authenticator-based post-handshake authentication. The approach supports both the passport and background check models from the RATS architecture while ensuring that attestation remains bound to the underlying communication channel.
WiP Implementation
WiP Implementation uses the veraison/rust-cmw implementation of RATS conceptual messages wrapper. It includes a test which demonstrates using it with QUIC (for transport) and Intel TDX (as confidential compute platform): tests/quic_tdx.rs.
Useful links
- IETF SEAT WG: https://datatracker.ietf.org/wg/seat/about/
- Subscribe to SEAT WG mailing list: https://mailman3.ietf.org/mailman3/lists/seat.ietf.org/
- Spec: https://datatracker.ietf.org/doc/draft-fossati-seat-expat/
- Proposed for adoption at CCC Attestation SIG: https://github.com/CCC-Attestation/governance/issues/20
Speakers
 |
Muhammad Usama Sardar |
 |
peg |