monavij
commented
5 days ago @muhammad-usama-sardar Thanks for reaching out to us directly. You clearly misunderstood my mention of interoperable-RATLS. First, Interoperable-RATLS was designed to solve a very different problem. The only reason I pointed you to interoperable RA-TLS was because you kept referring to our original RA-TLS research paper as a spec for RA-TLS protocol. We never defined a spec or a new secure channel protocol. Our paper does not modify TLS protocol at all, but rather adds attestation support with an idea of using X509 cert extensions. The goal was easily adoptable and easy to use without needing protocol or even library updates, as standardization efforts can take years. One additional motivation was that it can also work with other X509 enabled protocols, e.g., S/MIME for messaging. This would allow us to have a unified approach to attestation across multiple use cases.
The RA-TLS approach clicked with several projects and several implementations emerged that were not interoperable. We saw a short term need to define a common format for the X509 cert extensions used by different projects and that is how interoperable RA-TLS was born and it nicely addressed that problem. At least two projects Gramine and Occlum have implemented and validated interoperable RA-TLS.
- "Standard"
And you are right I may have used the term “standard” and I take that back. I agree with you there is NO standard for RA-TLS. Our goal was to establish common interoperable, easy and quickly adoptable and good practices (which we still believe). What I suggest is that we collaborate on a more explicit spec as well as on what security properties are truly required and which ones are only desirable. As with many things, it seems in this space there is room for multiple (valid) approaches.”
- Subject = Issuer -> All certs are self-signed.
You are right that original white paper from 2018 includes just the self-signed certs, and all implementations use that idea. In Gramine documentation we provide environment variables to set the expiry date for certs and anyone deploying Gramine in production needs to pay attention. The values you mention are just default values, just like default signing keys are also not to be used in production. https://gramine.readthedocs.io/en/stable/attestation.html - Look for environment variables.
To consider its formal verification, we need proper specification of how it works with the CA-signed certs,
You are right. That is my whole point, you have formally verified something that is not specified at all. Since that white paper in 2018 we have thought about alternates to CA-signed certs in the contest of few other projects. Turns out we never published this idea, but it’s been implemented in few projects. So, I am happy to discuss this line of work with you.
So, to wrap up, I am glad that you are contacting the original authors of the white paper. If you would like to help specify and enhance RA-TLS, then we are happy to collaborate with you and explore IETF standardization of X509 cert extensions. Please reach out to us directly to schedule a small group discussion with the original authors of RA-TLS white paper.
muhammad-usama-sardar
Context/background: Discussion during the invited talk at Intel
@monavij claimed that this new "standardized" solution of interoperable attested TLS allows CA-signed certs in addition to self-signed certs. She also mentioned that the repo has specifications, which she would like to be verified.
First, CCC is not a standardization body. Standardization happens in standardization bodies, such as IETF. Sure, CCC can help in doing the work required for standardization but just by having something agreed by some of the developers does not make it a "standard". There is not even an Internet-Draft on this proposal in the IETF TLS WG (the most relevant WG for standardization of this proposal), and I find it strange to claim interoperable attested TLS as a standard already.
Moreover, TLS WG requires high assurances of security and has recently introduced formal analysis as part of the adoption process to maintain these assurances. Our research and discussions in SIG show that RA-TLS is a broken protocol and it is not possible to fix it reasonably within the pre-handshake solution. I don't believe IETF TLS WG will even adopt such a broken protocol for standardization.
Please clarify in which standardization body the protocol was standardized.
I checked the three provided certificates in the repo:
and had a quick check using the following command:
openssl x509 -in <certname>.pem -textGramine:
openssl x509 -in gramine-cert.pem -textshows:Issuer: CN = RATLS, O = GramineDevelopers, C = US Subject: CN = RATLS, O = GramineDevelopers, C = US Validity: Not After : Dec 31 23:59:59 2030 GMT CA:FALSE
SGX SDK:
openssl x509 -in intel-sgxsdk-cert.pem -textshows:Issuer: CN = Intel SGX Enclave, O = Intel Corporation, C = US Subject: CN = Intel SGX Enclave, O = Intel Corporation, C = US Validity: Not After : Dec 31 23:59:59 2050 GMT CA:FALSE
RATS TLS:
openssl x509 -in rats-tls-cert.pem -textshows:Issuer: O = Inclavare Containers, CN = RATS-TLS Subject: O = Inclavare Containers, CN = RATS-TLS Validity: Not After : Feb 22 17:10:22 2024 GMT CA:FALSE
Conclusion:
As far as my memory goes, it was never mentioned in any SIG meetings about how the interoperable RA TLS proposal works with the CA-signed certs. The current specifications in the repo also do not seem to mention anything about this. A quick look at the implementations shows that they support only self-signed certs at the attester side, and some implementations allow only self-signed certs (depth = 0) at the verifier side. To consider its formal verification, we need proper specification of how it works with the CA-signed certs, at least the changes in the flow of the protocol shown in slide 11/34 in the talk.