CCC-Attestation / meetings

Meeting materials
Apache License 2.0

2024 objectives #24

Open thomas-fossati opened 9 months ago

thomas-fossati commented 9 months ago

@dcmiddle on Slack:


Dear SIG members,

The TAC has begun creating a set of priorities as we did for 2023.

Please consider setting SIG goals for 2024 that we can reflect in the TAC. I think it’s helpful to get ourselves and our companies aligned by having consistent objectives for the year.

Perhaps the Chairs could draft 3-5 goals so the broader SIG can have a structured discussion. The final set should be no larger than 3-5.

Example goals:

You may wish to reference the original SIG materials for inspiration.


thomas-fossati commented 9 months ago

@wenhuizhang on Slack:

thomas-fossati commented 9 months ago

@laggarcia on Slack:

muhammad-usama-sardar commented 9 months ago

One of the high-level goals could be: formal specification and verification of attestation mechanisms. This verification goal could entail all three subprojects:

  1. Formal specification project:

    • extending the formal guarantees to the Relying Party, i.e., how the Relying Party can verify the Verifier
    • verifying the configuration at runtime (vs. design-time)
  2. Interoperable TLS: e.g., formal verification of Intel's RA-TLS protocol

  3. Attested TLS: e.g., verifying that the proposed solution maintains all properties of the TLS protocol

as well as standardization work in IETF/IRTF:

wenhuizhang commented 9 months ago

@wenhuizhang on Slack:

  • Clarify properties and specifications cloud-based confidential computing attestation and authorization products should follow, to get the certifications, such as SOC2, ISO/IEC 27001 etc.

  • Cross-architecture integrity measurement and attestation API collaboration

  • Userspace code integrity measurement and attestation for SaaS and PaaS confidential computing products

Yup, the target outputs are in the form of:

  1. White paper
  2. Open source API SDK
  3. Demo and tutorial on best practices of the API SDK

gkostal commented 8 months ago

Workload Identity in Attestation Results

https://github.com/CCC-Attestation/meetings/issues/17

dcmiddle commented 8 months ago

@jdbeaney something like

Objective: simplify the attestation landscape for Relying Parties

Key Result: Out of the n possible evidence formats align on recommending m formats. (m = 1, 2, ?)

gkostal commented 1 month ago

@dcmiddle, @thomas-fossati - can we close this issue? We are in the 2nd half of 2024, so I presume the 2024 objectives are known. 😄

dcmiddle commented 1 month ago

@gkostal Well, let's consider it 2H'24 then. :) I'd like the SIG Chairs to figure out some tangible deliverable. Our conversations on formats and best practices are a very good use of people's time. However, I would also like to be able to cite some measurable accomplishment(s) at the end of the year.