Session Date/Time: 18 Mar 2026 01:00
RATS
Summary
The RATS Working Group met at IETF 125 to review the status of several active drafts, discuss technical updates to core specifications, and evaluate new proposals. Significant progress was reported on draft-ietf-rats-corim, draft-ietf-rats-coserv, and draft-ietf-rats-pkix-key-attestation, with several implementations demonstrated. A poll was taken for the adoption of the "Remote Attestation with Multiple Verifiers" work, showing strong support. The group also discussed challenges in geofencing and residency proofs, particularly regarding sensor spoofing.
Key Discussion Points
Working Group Draft Status
- draft-ietf-rats-reference-interaction-models: Hannes Tschofenig reported three minor items remaining to resolve. Once addressed, the document will be ready for final processing.
- draft-ietf-rats-daa: Michael Richardson (Shepherd) raised concerns regarding the document's content, noting it currently lacks enough protocol detail for implementation. Hannes Tschofenig clarified that they are waiting for updated TPM 2.0 reference implementations to be incorporated.
- draft-ietf-rats-ear: Thomas Fossati noted that version -03 was released with requirements from Confidential Containers, Azure, Intel, and Nvidia. Triage of the issue tracker is ongoing.
- draft-ietf-rats-evidence-trans: Ned Smith noted this draft is waiting for draft-ietf-rats-corim to stabilize as it is a primary target.
CoSERV Progress Update
- Presenter: Paul Howard
- Technical Details: Paul Howard reported the removal of the timestamp field from the query object in draft-ietf-rats-coserv to ensure queries can be used as stable cache keys.
- Running Code: Demonstrated an end-to-end proof of concept using the Veraison project with Rust and Go libraries.
- Discussion: Jun Zhang questioned how cache freshness is ensured without a timestamp. Paul Howard clarified that timestamps remain in the results/responses, just not in the query itself, following standard HTTP caching semantics.
- Request: The chairs were asked to request an HTTP Directorate review.
CoRIM
- Presenter: Yogesh Deshpande
- Technical Details: Substantial updates were made to draft-ietf-rats-corim to harmonize with SCITT (supporting COSE detached payloads and Hash Envelopes). Section 9 (Verifier Algorithm) was reorganized for better readability.
- Domain Dependency: New triples were added to express trust chains (e.g., Layer 0 to Layer 1 in DICE). Yogesh Deshpande emphasized that these represent dependencies between environments, not just identities.
Evidence Encoding for HSMs
- Presenter: Hannes Tschofenig on behalf of JP (representing draft-ietf-rats-pkix-key-attestation)
- Technical Details: The draft has shifted terminology to align with RFC 9334 (e.g., "attributes" to "claims"). The ASN.1 "ANY" type was replaced with a more specific choice mapping for claim values.
- EKU Assignment: Hannes Tschofenig and Russ Housley discussed the assignment of an Extended Key Usage (EKU) OID. It was agreed to include the IANA request for the EKU directly in the RATS draft rather than involving the LAMPS WG.
Reference Interaction Model & Epoch Marker
- Presenter: Hannes Tschofenig (covering draft-ietf-rats-reference-interaction-models and draft-ietf-rats-epoch-markers)
- Epoch Markers: The outer container structure was removed in favor of a simpler CWT claim (EM).
- Privacy: Hannes Tschofenig noted difficulty in identifying specific privacy considerations for an "Epoch Bell." Antoine suggested that variable increments for epochs could prevent external observers from tracking progression.
Secure Wasm App Provisioning with VERAISON: Design Insights
- Presenter: Ken Takayama
- Technical Details: Ken Takayama shared insights from implementing TEEP on Intel SGX. A critical hardware constraint is the 64-byte limit for report data in SGX/TDX, which necessitates hashing public keys and nonces and transporting the original data separately as additional evidence.
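An added illustration of the 64-byte report-data constraint described above (example code written for these notes, not code from the TEEP, SGX or Veraison implementations): the attester hashes the public key and the verifier's nonce into the fixed-size field, ships the originals as separate evidence, and the verifier recomputes the binding. The split-hash layout, the function names and the sample key bytes are assumptions.

```python
import hashlib
import hmac

REPORT_DATA_LEN = 64  # size of the SGX/TDX report_data field in bytes

def bind_report_data(pubkey: bytes, nonce: bytes) -> bytes:
    """Attester side: compress (pubkey, nonce) into exactly 64 bytes.
    Assumed layout: SHA-256(pubkey) || SHA-256(nonce); the originals
    travel alongside the quote as additional evidence."""
    if len(nonce) < 16:
        raise ValueError("nonce too short to give useful freshness")
    report_data = hashlib.sha256(pubkey).digest() + hashlib.sha256(nonce).digest()
    assert len(report_data) == REPORT_DATA_LEN
    return report_data

def verify_binding(report_data: bytes, evidence: dict, issued_nonce: bytes) -> bool:
    """Verifier side: check that the quoted report_data commits to the
    public key and to the nonce this verifier actually issued."""
    if len(report_data) != REPORT_DATA_LEN:
        return False
    # Freshness: the nonce in the extra evidence must be the one we sent.
    if not hmac.compare_digest(evidence["nonce"], issued_nonce):
        return False
    expected = bind_report_data(evidence["pubkey"], evidence["nonce"])
    # Constant-time compare of the recomputed binding against the quote.
    return hmac.compare_digest(report_data, expected)

# Constructed sample values: a 65-byte stand-in for an uncompressed P-256
# point and a 32-byte verifier nonce. Together they exceed 64 bytes, which
# is exactly why they cannot be placed in report_data verbatim.
SAMPLE_PUBKEY = b"\x04" + bytes(range(64))
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def demo() -> bool:
    """Run the full attester/verifier round trip on the sample values."""
    rd = bind_report_data(SAMPLE_PUBKEY, SAMPLE_NONCE)
    extra_evidence = {"pubkey": SAMPLE_PUBKEY, "nonce": SAMPLE_NONCE}
    return verify_binding(rd, extra_evidence, SAMPLE_NONCE)

if __name__ == "__main__":
    print("binding verified:", demo())
```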
Remote Attestation with Multiple Verifiers
- Presenter: Jun Zhang
- Technical Details: Updated the security and privacy considerations. The verifier is defined as a critical component in the relying party's trust chain rather than part of the attester's TCB.
- Poll: A show of hands indicated strong support (15 yes, 0 no) for adopting this work.
Privacy Preserving Verifiable Geofencing with Residency Proofs for Sovereign Workloads
- Presenter: Prasad (for Diego)
- Technical Details: Proposed "V-GAP," a profile to bind platform integrity and geographic residency to credential issuance using X.509 extensions.
- Discussion: Dave Thaler raised concerns about GPS spoofing, noting that the TPM only attests to what the sensor reports, not the physical truth of the location. Prasad acknowledged the need for hardware-rooted sensor provenance or independent triangulation (e.g., via mobile networks). Kathleen Moriarty noted the need for references to existing SEED work and broader IETF geofencing efforts.
Decisions and Action Items
- Decision: Consensus was reached to proceed with a call for adoption on the mailing list for the "Multiple Verifiers" draft.
- Action Item: Hannes Tschofenig to resolve the final three items in draft-ietf-rats-reference-interaction-models and conclude the Working Group Last Call.
- Action Item: Yogesh Deshpande and CoRIM authors to finalize review feedback responses by the next interim or meeting.
- Action Item: draft-ietf-rats-pkix-key-attestation authors to merge EKU OID request text into the next revision.
Next Steps
- Mailing list adoption call for the "Multiple Verifiers" proposal.
- Progress draft-ietf-rats-endorsements to the IESG (transitioning from Deb Cooley to Chris Patton).
- Follow-up discussion on geofencing/residency proofs regarding sensor provenance and coordination with the SEED working group.
Related Documents
draft-ietf-rats-corim, draft-ietf-rats-coserv, draft-ietf-rats-daa, draft-ietf-rats-ear, draft-ietf-rats-endorsements, draft-ietf-rats-epoch-markers, draft-ietf-rats-evidence-trans, draft-ietf-rats-pkix-key-attestation, draft-ietf-rats-reference-interaction-models