Secure Evidence and Attestation Transport                  M. U. Sardar
Internet-Draft                                               TU Dresden
Intended status: Informational                          13 January 2026
Expires: 17 July 2026


                      Early Attestation is Broken
            draft-usama-seat-early-attestation-is-broken-00

Abstract

   Sheffer et al. published [I-D.fossati-seat-early-attestation] on
   9 January 2026 and, despite it being wildly out of scope of the SEAT
   charter, the draft made its place in the agenda of the upcoming SEAT
   interim meeting -- getting two-thirds of the meeting time -- within
   hours of publication.  In comparison, our request to present
   [I-D.fossati-seat-expat], which is fully within the charter, was
   refused.

   In this document, we disprove the claim of backward compatibility
   with standard TLS [I-D.ietf-tls-rfc8446bis] made in
   [I-D.fossati-seat-early-attestation].  We argue that
   [I-D.fossati-seat-expat] is a much more reasonable way of achieving
   the goal within the scope of the SEAT charter.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://muhammad-usama-sardar.github.io/seat-early-attestation-broken/draft-usama-seat-early-attestation-is-broken.html.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-usama-seat-early-attestation-is-broken/.

   Discussion of this document takes place on the Secure Evidence and
   Attestation Transport Working Group mailing list
   (mailto:seat@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/seat.  Subscribe at
   https://www.ietf.org/mailman/listinfo/seat/.

   Source for this draft and an issue tracker can be found at
   https://github.com/muhammad-usama-sardar/seat-early-attestation-broken.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

Sardar                    Expires 17 July 2026                  [Page 1]

Internet-Draft          Early Attestation is Broken          January 2026

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 July 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Out of Scope  . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Comparison with our draft . . . . . . . . . . . . . . . .   4
   4.  Broken Claims . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Proof . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Comparison with our draft . . . . . . . . . . . . . . . .   4
   5.  Breaking Formal Proofs  . . . . . . . . . . . . . . . . . . .   4
     5.1.  Comparison with our draft . . . . . . . . . . . . . . . .   4
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   5
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   We argue that:

   *  [I-D.fossati-seat-early-attestation] is out of scope of the SEAT
      WG charter.

   *  Several claims in [I-D.fossati-seat-early-attestation] are broken.
      Specifically, we prove that the proposed key schedule is
      inconsistent with [I-D.ietf-tls-rfc8446bis].

   *  [I-D.fossati-seat-early-attestation] breaks most -- if not all --
      proofs done to date for TLS 1.3.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Out of Scope

   [SEAT-Charter] has:

   |  The attested (D)TLS protocol extension will not modify the (D)TLS
   |  protocol itself.  It may define (D)TLS extensions to support its
   |  goals but will not modify, add, or remove any existing protocol
   |  messages or modify the key schedule.

   Contrary to this crystal clear statement of scope:

   *  Section 4.1 of [I-D.fossati-seat-early-attestation] adds a new
      protocol message named "Attestation".

   *  Section 5.6 of [I-D.fossati-seat-early-attestation] modifies the
      key schedule.

   Both are subtle and error-prone.  Such invasive changes should not
   bypass the FATT process of the TLS WG by any means.  The SEAT charter
   merely mentions formal analysis and defines no real process for it.
   SEAT also does not have the blessing of many TLS experts.  Pursuing
   such work in SEAT is therefore almost certain to fail.

   We recommend that the authors of [I-D.fossati-seat-early-attestation]
   submit the draft to the TLS WG, where such changes are in scope.
3.1.  Comparison with our draft

   In comparison, [I-D.fossati-seat-expat] makes no changes to TLS and
   is fully in scope of the SEAT charter.

4.  Broken Claims

   Too many claims in [I-D.fossati-seat-early-attestation] are broken.
   We present one example which invalidates most of the other claims.

   The key schedule proposed in Section 5.6 of
   [I-D.fossati-seat-early-attestation] is not consistent with
   [I-D.ietf-tls-rfc8446bis].  Using the notation of [Key-Schedule],
   [I-D.ietf-tls-rfc8446bis] derives the handshake secret as:

      hs = HKDF-Extract(salt1, gxy)

   whereas [I-D.fossati-seat-early-attestation] proposes:

      hs' = HKDF-Extract(0, gxy)

   where gxy is the (EC)DHE shared secret and 0 denotes a string of
   Hash.length zero bytes.

4.1.  Proof

   By the definition of salt1 in [Key-Schedule], which follows Section
   7.1 of [I-D.ietf-tls-rfc8446bis], salt1 is the output of
   Derive-Secret(Early Secret, "derived", "") and therefore:

      salt1 != 0

   Because HKDF-Extract(salt, IKM) is HMAC keyed with the salt, a
   different salt yields a different output (up to a negligible HMAC
   collision probability).  Therefore, it follows that:

      hs != hs'

   Hence, the key schedule in [I-D.fossati-seat-early-attestation] is
   inconsistent with [I-D.ietf-tls-rfc8446bis].

4.2.  Comparison with our draft

   In comparison, [I-D.fossati-seat-expat] uses the standard TLS key
   schedule without any changes.

5.  Breaking Formal Proofs

   Because of the above key schedule change, the draft breaks most --
   if not all -- proofs done to date for TLS 1.3.

5.1.  Comparison with our draft

   In comparison, we are making a careful effort to preserve the
   security properties for our draft [I-D.fossati-seat-expat].

6.  Security Considerations

   This draft helps make the world more secure by refuting the security
   claims in [I-D.fossati-seat-early-attestation] and by pushing back
   against disruption of the FATT process of the TLS WG.  Security
   depends on the weakest link, and we believe
   [I-D.fossati-seat-early-attestation] would be the weakest link in
   the security of TLS.  Hence, we view post-handshake attestation as
   the most appropriate option.

7.  IANA Considerations

   This document has no IANA actions.
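   The following Python script is a worked check of the comparison in
   Section 4 and the proof in Section 4.1.  It is added here as an
   illustration and is not code from the author of this document nor
   from either draft under discussion.  It implements HKDF-Extract,
   HKDF-Expand-Label and Derive-Secret as specified in Section 7.1 of
   [I-D.ietf-tls-rfc8446bis] for a SHA-256 cipher suite, computes hs
   with the standard salt1 and hs' with the all-zero salt that Section 4
   attributes to [I-D.fossati-seat-early-attestation], and reports
   whether the two agree.  The (EC)DHE shared secret is the one in the
   "Simple 1-RTT Handshake" trace of RFC 8448, so salt1 and hs can be
   compared against that published trace; the assumption of a handshake
   without a PSK, and the function and variable names, are the script's
   own.

```python
import hashlib
import hmac

# Hash parameters for a SHA-256 cipher suite (e.g. TLS_AES_128_GCM_SHA256).
HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size  # 32
ZEROS = b"\x00" * HASH_LEN               # "0" in RFC 8446 key-schedule notation


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, Section 7.1).  The info is the
    HkdfLabel struct: uint16 length || opaque label<7..255> ("tls13 " + label)
    || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """TLS 1.3 Derive-Secret: HKDF-Expand-Label over the transcript hash."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def rfc8446_handshake_secret(gxy: bytes, psk: bytes = ZEROS) -> tuple[bytes, bytes]:
    """Standard key schedule up to the handshake secret:
       Early Secret = HKDF-Extract(0, PSK)          (PSK = 0 when none is used)
       salt1        = Derive-Secret(Early Secret, "derived", "")
       hs           = HKDF-Extract(salt1, gxy)
    Returns (salt1, hs)."""
    early_secret = hkdf_extract(ZEROS, psk)
    salt1 = derive_secret(early_secret, b"derived", b"")
    return salt1, hkdf_extract(salt1, gxy)


def early_attestation_handshake_secret(gxy: bytes) -> bytes:
    """hs' = HKDF-Extract(0, gxy): the derivation Section 4 attributes to
    [I-D.fossati-seat-early-attestation], with the "derived" salt replaced by
    zero bytes (an assumption of this script, not a quotation of that draft)."""
    return hkdf_extract(ZEROS, gxy)


def compare_key_schedules(gxy: bytes) -> dict:
    """Compute both handshake secrets from one (EC)DHE shared secret and report
    whether salt1 is zero and whether hs and hs' agree."""
    salt1, hs = rfc8446_handshake_secret(gxy)
    hs_prime = early_attestation_handshake_secret(gxy)
    return {
        "salt1": salt1.hex(),
        "hs": hs.hex(),
        "hs_prime": hs_prime.hex(),
        "salt1_is_zero": salt1 == ZEROS,
        "consistent": hs == hs_prime,
    }


# (EC)DHE shared secret (gxy) taken from the RFC 8448 "Simple 1-RTT Handshake"
# trace, so that salt1 and hs can be checked against the values printed there.
RFC8448_GXY = bytes.fromhex(
    "8bd4054fb55b9d63fdfbacf9f04b9f0d35e6d63f537563efd46272900f89492d"
)

if __name__ == "__main__":
    for name, value in compare_key_schedules(RFC8448_GXY).items():
        print(f"{name:14} {value}")
```

   Running the script prints salt1, hs and hs' in hex together with
   salt1_is_zero = False and consistent = False.  Substituting any other
   32-byte gxy gives the same verdict, because the disagreement comes
   from the salt and not from the shared secret: a peer that derives hs'
   cannot interoperate with a peer that derives hs from the same key
   share.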
8.  References

8.1.  Normative References

   [I-D.ietf-tls-rfc8446bis]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", Work in Progress, Internet-Draft,
              draft-ietf-tls-rfc8446bis-14, 13 September 2025.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

8.2.  Informative References

   [I-D.fossati-seat-early-attestation]
              Sheffer, Y., Mihalcea, I., Deshpande, Y., Fossati, T., and
              T. Reddy.K, "Using Attestation in Transport Layer Security
              (TLS) and Datagram Transport Layer Security (DTLS)", Work
              in Progress, Internet-Draft,
              draft-fossati-seat-early-attestation-00, 9 January 2026.

   [I-D.fossati-seat-expat]
              Fossati, T., Sardar, M. U., Reddy.K, T., Sheffer, Y.,
              Tschofenig, H., and I. Mihalcea, "Remote Attestation with
              Exported Authenticators", Work in Progress, Internet-
              Draft, draft-fossati-seat-expat-00, 20 October 2025.

   [Key-Schedule]
              Sardar, M. U., "Perspicuity of Attestation Mechanisms in
              Confidential Computing: Validation of TLS 1.3 Key
              Schedule", October 2025.

   [SEAT-Charter]
              IETF, "Secure Evidence and Attestation Transport (SEAT):
              Charter for Working Group".

Acknowledgments

   We thank the authors of [I-D.fossati-seat-early-attestation] for
   putting together something which is already long overdue.

   Since the proof in Section 4.1 is based on the work done in
   [Key-Schedule], we thank all those acknowledged there, namely Arto
   Niemi, Hannes Tschofenig, Thomas Fossati, Eric Rescorla, and Ionut
   Mihalcea.

Author's Address

   Muhammad Usama Sardar
   TU Dresden
   Email: muhammad_usama.sardar@tu-dresden.de