**Session Date/Time:** 23 Jul 2025 12:30

# rats

## Summary

The RATS working group meeting covered three presentations: an update on the COSE Reference Integrity Manifest (CORIM) draft, an update on the Reference Interaction Models draft, and a new draft proposing key negotiation integrated into remote attestation. A call for adoption was made for the COServe draft. Discussions focused on the readiness of documents for working group last call, the relationship between different drafts and their alignment with the RATS architecture, and the scope of the RATS charter regarding protocol specifications.

## Key Discussion Points

* **CORIM Update:**
    * Discussion on early adopters and their relationships (e.g., AMD, Google, Intel, Oracle). It was agreed to take this discussion to the mailing list.
    * Request for more reviews of the CORIM draft before working group last call.
    * Clarification that outstanding review comments need to be addressed before proceeding to working group last call.
* **Reference Interaction Models:**
    * Progress on incorporating feedback from Usama.
    * Remaining 20% of feedback requires further discussion and consensus-building.
    * Goal to achieve working group last call in six to eight weeks.
* **Key Negotiation Integrated into Remote Attestation:**
    * Suggestion to connect with the confidential container community regarding their key broker service and protocol.
    * Need for clarification on how much protocol work falls within the RATS charter.
    * Discussion on the overlap with the LAKE working group's draft on attestation over the EDHOC protocol.
    * Distinction between attesting the trustworthiness of a stakeholder in key negotiation versus using established trustworthiness to perform key negotiation.
* **COServe:**
    * Call for adoption of the COServe draft.
    * Requests for a diagram illustrating the connection between COServe and other RATS documents (e.g., multi-verifier graph, posture assessment draft) and its mapping to the RATS architecture.
    * Clarification of the scope of COServe as pertaining to the endorsement and reference value side (supply chain to verifier).
    * Discussion of the relationship between COServe and CORIM, with COServe adding query and pull capabilities to CORIM's assertive format.

## Decisions and Action Items

* **CORIM:** Authors to address outstanding review comments and then initiate working group last call.
* **Reference Interaction Models:** Hank to work with Usama to resolve the remaining 20% of feedback items.
* **Key Negotiation Integrated into Remote Attestation:** Frank to explore the suggestions and feedback provided, especially regarding connections to other relevant work.
* **COServe:** Authors to create a diagram illustrating the connection between COServe and other RATS documents and its mapping to the RATS architecture. Revisit call for adoption on Friday or after the diagram is available.

## Next Steps

* Continue discussions on the mailing list for CORIM early adopters and their relationships.
* Address outstanding review comments for CORIM and Reference Interaction Models.
* Explore the suggested connections and related work for the key negotiation draft.
* Develop a diagram illustrating the relationships between COServe and other RATS documents.
* Revisit the call for adoption for COServe, considering the diagram and feedback.
* All Friday presenters were to submit their presentations as soon as possible to allow more time for review.

---

**Session Date/Time:** 25 Jul 2025 12:30

# rats

## Summary

The RATS working group meeting covered a variety of topics related to remote attestation, including conceptual message wrappers, measured components, remote attestation over EDHOC, distributed remote attestation, posture assessment, extending trust path routing, evidence vs. trusted self-assertions, remote attestation with multiple verifiers, and attested TLS. The meeting involved presentations, discussions, and requests for feedback on ongoing drafts.

## Key Discussion Points

* **Conceptual Message Wrappers (CMW):** Debate on the use of the term "authentication" within the CMW context, with concerns about potential misinterpretations and overlap with attestation provided by other protocols. The need for precise qualifiers when using "authentication" was highlighted.
* **EAT Measured Component:** Request for working group last call.
* **Remote Attestation over EDHOC:** Presentation on using the EDHOC protocol with external authorization data (EAD) for IoT attestation, focusing on fast trust establishment and lightweight communication. Discussion on use cases and the practicality of applying remote attestation for device onboarding scenarios.
* **Distributed Remote Attestation:** Proposal of a distributed ledger-based architecture for remote attestation involving multiple verifiers, addressing scalability and trust sharing concerns. Concerns were raised regarding increased complexity and the necessity of multiple verifiers compared to a single, trusted verifier.
* **RATS Posture Assessment:** Introduction of a draft aiming to standardize claims for scalable remote posture assessment, using structured evidence and policy-aware verification. Discussions touched on the specific measurements to be conducted and the overlap with attestation protocols.
* **Extending Trust Path Routing:** Presentation on extending trusted path routing to runtime behavior, evaluating trust based on threat exposure of devices. Challenges included diverse attestation models, efficiency, path-level assessment, and inter-domain interoperability.
* **Evidence vs. Trusted Self Assertions:** Debate on terminology surrounding evidence in scenarios where devices provide assertions about themselves, with a focus on defining endorsed assertions.
* **Remote Attestation with Multiple Verifiers:** Presentation and discussion on a draft concerning composite attestation. Concerns and support for adoption were voiced.
* **PKI-Based Evidence for HSMs:** Introduction to using PKI-based evidence for remote attestation of Hardware Security Modules. The discussion centered on the information model and the proper terminology to use when discussing claims, measurements, and attributes.
* **Proof of Residency Aware Location Claim:** Discussed adding trusted geolocation to attested claims.
* **Proof of Position for Auditor Managed Endorsements:** Discussed getting a third party to attest for device characteristics.
* **Attested TLS:** A summary of the discussed requirements for atTLS.

## Decisions and Action Items

* **CMW:** Resolve the "authentication" terminology issue offline and bring the resolution back to the mailing list.
* **EAT Measured Component:** Solicit a document shepherd.
* **Remote Attestation over EDHOC:** Provide technical comments to the LAKE list and keep RATS apprised of the last call.
* **Remote Attestation with Multiple Verifiers:** Take the discussion to the mailing list and potentially hold an interim meeting for further discussion before calling for adoption.
* **PKI-Based Evidence for HSMs:** Discuss nomenclature.
* **atTLS:** Continue the discussion on the atTLS mailing list.

## Next Steps

* Address comments from the meeting on respective drafts.
* Continue discussions on mailing lists.
* Schedule interim meetings as needed.