2024 objectives

[thomas-fossati]

@dcmiddle on Slack:

---

Dear SIG members,

The TAC has begun creating a set of priorities as we did for 2023.

Please consider setting SIG goals for 2024 that we can reflect in the TAC. I think it’s helpful to get ourselves and our companies aligned by having consistent objectives for the year.

Perhaps the Chairs could draft 3-5 goals so the broader SIG can have a structured discussion. The final set should be no larger than 3-5.

Example goals:

• Identify and address obstacles in the interoperability of authentication, authorization and attestation for confidential computing
• Align definitions across other organizations like IETF, IAB, etc.
• Draft formal document describing CCC’s views on and definition of Attestation. See also this page.

You may wish to reference the original SIG materials for inspiration.

---

[thomas-fossati]

@wenhuizhang on Slack:

• Clarify properties and specifications cloud-based confidential computing attestation and authorization products should follow, to get the certifications, such as SOC2, ISO/IEC 27001 etc.

• Cross-architecture integrity measurement and attestation API collaboration

• Userspace code integrity measurement and attestation for SAAS and PAAS confidential computing products

[thomas-fossati]

@laggarcia on Slack:

• I think that the goal suggested by Nathaniel McCallum around standards for remote attestation might very well fit here in the Attestation SIG as well.

[muhammad-usama-sardar]

One of the high-level goals could be: formal specification and verification of attestation mechanisms. This verification goal could entail all the three subprojects:

1. Formal specification project:

   • extending the formal guarantees to the Relying Party, i.e., how the Relying Party can verify the Verifier
   • verifying the configuration at runtime (vs. design-time)

2. Interoperable TLS: e.g., formal verification of Intel's RA-TLS protocol

3. Attested TLS: e.g., verifying that the proposed solution maintains all properties of TLS protocol

as well as standardization work in IETF/IRTF:

• work with RATS, TEEP and TLS WGs as well as UFMRG: e.g., fix the issue that I found in formal verification of TEEP protocol at Hackathon (IETF 118) and integrate our artifacts of remote attestation with TEEP protocol artifacts.

[wenhuizhang]

@wenhuizhang on Slack:

• Clarify properties and specifications cloud-based confidential computing attestation and authorization products should follow, to get the certifications, such as SOC2, ISO/IEC 27001 etc.

• Cross-architecture integrity measurement and attestation API collaboration

• Userspace code integrity measurement and attestation for SAAS and PAAS confidential computing products

Yup, the target outputs are in forms of:

1. White paper
2. open source API SDK
3. Demo and tutorial on best practices of the API SDK

[gkostal]

Workload Identity in Attestation Results

https://github.com/CCC-Attestation/meetings/issues/17

[dcmiddle]

@jdbeaney something like Objective: simplify the attestation landscape for Relying Parties Key Result: Out of the n possible evidence formats align on recommending m formats. (m= 1, 2, ?)

[gkostal]

@dcmiddle , @thomas-fossati - can we close this issue? We are in the 2nd half of 2024, so I presume the 2024 objectives are known. 😄

[dcmiddle]

@gkostal Well let's consider it 2H'24 then. :) I'd like the SIG Chairs to figure out some tangible deliverable. Our conversations on formats and best practices are a very good use of people's time. However, I would also like to be able to say at the end of the year though some measurable accomplishment(s).

[muhammad-usama-sardar]

Summarizing the progress on objectives envisioned in November last year:

One of the high-level goals could be: formal specification and verification of attestation mechanisms. This verification goal could entail all the three subprojects:

1. Formal specification project:

   • extending the formal guarantees to the Relying Party, i.e., how the Relying Party can verify the Verifier
   • verifying the configuration at runtime (vs. design-time)

Need specification of the protocol for this work, currently not a priority

2. Interoperable TLS: e.g., formal verification of Intel's RA-TLS protocol

Formal verification completed and paper under submission

3. Attested TLS: e.g., verifying that the proposed solution maintains all properties of TLS protocol

Formalization of relay attacks currently in progress

as well as standardization work in IETF/IRTF:

• work with RATS, TEEP and TLS WGs as well as UFMRG: e.g., fix the issue that I found in formal verification of TEEP protocol at Hackathon (IETF 118) and integrate our artifacts of remote attestation with TEEP protocol artifacts.

Presented formal analysis at UFMRG meeting and several side-meetings in IETF 120. Similar activities are planned for IETF 121.

---

Additional objectives that were not envisioned last year:

• Formalization of Post-handshake protocol (work on SCONE attestation and KBS protocol in progress)
• Survey of attested TLS/attestation in confidential computing

[dcmiddle]

@muhammad-usama-sardar thanks for updating status.

Chairs, during the most recent TAC meeting our Executive Director, @MikeCamel, brought forward a number of technical specification / definition issues that came out of a draft paper he circulated in the community. Among them are a variety of attestation terms. This SIG seems the best place within the CCC to address those gaps. One specific term was Workload. I'd like to ask the SIG to prioritize #17 in order to arrive at some definition(s) of workload.

There is about 3 months left in the working year and I wonder if the SIG could take a goal of delivering the definition in this remaining time.

[muhammad-usama-sardar]

Among them are a variety of attestation terms.

@MikeCamel I understand that the term "workload" is currently a priority but it would be helpful if you could list down all the attestation-related terms for which you are seeking definitions (so we can see the overlap with our planned survey and/or scope our survey accordingly).