Hi Carsten,

On Sun, Jul 23, 2023 at 03:10:43PM +0200, Carsten Bormann wrote:
> Whether anyone whose statements you are willing to base your
> authorization on is willing to endorse the manufacturer’s claims is
> one of the authorization questions hidden in attestation…

As I understand there can also be other valuable statements in the
voucher:

For example, I may not make much of the vendor's statement that this is
actually a device they produced running firmware version X. But
provided I trust them to the point that if they say it's version X it
really is (possibly aided by any RATS things through which the
silicon vendor confirms that claim), I'd put much value in an escrow
agent's attestation that says that they hold firmware and firmware
signing keys, and that they will be escrowed as soon as the vendor stops
providing updates.

At any rate, I think that the next iteration of the document will be
more ACE EST, and for EST it doesn't matter too much whether that
initial all-privileged device owner is established through EST, TOFU or
something like EAP-NOOB.

BR
c

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace