Summary

Attested TLS is a fundamental building block of confidential computing. We have defended our position (cf. expat BoF) to standardize the attested TLS protocols for confidential computing in the IETF, and a new Working Group named Secure Evidence and Attestation Transport (SEAT) has been formed to exclusively tackle this specific problem. We would like to present the candidate draft for standardization and gather feedback from the community, so that it can be accommodated in the standardization.

Technical details

We propose a specification that defines a method for two parties in a communication interaction to exchange Evidence and Attestation Results using exported authenticators, as defined in RFC9261. Additionally, we introduce the cmw_attestation extension, which allows attestation credentials to be included directly in the Certificate message sent during the Exported Authenticator-based post-handshake authentication. The approach supports both the passport and background check models from the RATS architecture while ensuring that attestation remains bound to the underlying communication channel.

WiP Implementation

WiP Implementation uses the veraison/rust-cmw implementation of RATS conceptual messages wrapper. It includes a test which demonstrates using it with QUIC (for transport) and Intel TDX (as confidential compute platform): tests/quic_tdx.rs.