On 15.12.25 18:38, Michael Richardson wrote:
Mike Ounsworth <[email protected]> wrote:
> I am going to make a maybe bold statement here. I have seen Evidence --
> I've played with TPM attestation, I've seen PSA Tokens, I'm designing
> the PKIX-Key-Attest format. But I have never seen an AR.

I have, but not in production yet.
Thomas gave me an example for this document, btw.

> I've never
> actually held one in my hand. I find these discussions about what
> features should and should not be supported for ARs to be rather too
> abstract.

I also very much agree. Much in AR4SI, etc. is too abstract for my taste.

> For example, would an AR satisfying the question "Prove that the
> device's secure boot chain is intact" be syntactically and semantically

I don't think that this is a statement I care about in the AR.

* I expect if the boot chain is not intact then there will be no AR.
  (if *secureboot* itself failed, then the RoT is probably not secure.
  That's a complete failure, and it's undetectable, btw)

> interoperable with one satisfying the question "Prove that the device
> is joined to the Corp Domain and that the currently logged-in user
> matches the CN in the cert request". Given that I have never actually

* "device is joined to the corp domain" <- I think that I would expect the
  AR to just say, "corp-domain=corp.example". I don't know exactly what
  Evidence would be involved for the Verifier to support that, but I don't
  see a problem.

* "matches the CN in the cert request" is very specific, and I would not
  expect this. I would expect "[email protected]" in the AR. Not every CSR is
  even going to be about a client certificate.
There is a small but relevant difference between assessing the trustworthiness of a remote peer via Evidence or sending out trustworthy telemetry via Evidence after trustworthiness was established.
I am using the term "telemetry" here as that is explicitly listed as a potential content of Evidence.
A prominent source of ARs are all Arm devices that support PSA or CCA.
