Description
Hi,
@KeithMoyer will be bringing an agenda topic from the TAC to the Attestation SIG. I thought I'd create a first draft that he can expand / amend.
We would like to publish patterns / reference guidance for using attestation in context.
Confidential Computing can be used as a defense in depth measure.
In that mode, users will want to assess an attestation in context with the other defenses.
However, most documentation discusses verification in isolation, answering the question:
What is the security state of this TEE?
To understand the security context users may want to answer other questions like:
Is this TEE in a datacenter that I expect?
Is this TEE in a geography I expect / permit?
Is this TEE in a datacenter with physical protections?
Is this TEE communicating from an expected network segment / vlan?
To achieve this, are additional TEE attestation claims necessary? Bindings with other defenses / factors?
A common pattern is a key broker that assesses evidence like TEE attestation reports in deciding whether to issue some resource like a token.
How should a broker security policy evaluate an attestation report in context with these other factors?
Additional information may mitigate threats like forged attestations, e.g. an attestation endorsement key is extracted and used to forge attestations. A security policy that releases a resource exclusively based on the attestation could be tricked. A security policy that includes broader context raises the attacker's costs to perhaps require also compromising a host in a specific datacenter and vlan.
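A sketch of such a broker policy, added here as an illustration and not taken from the issue or from any project's code. It assumes the broker gets its context from sources it controls (its own host inventory and the peer address it observes) and that the report carries a platform identity; `Request`, `Policy`, `evaluate`, `INVENTORY` and all sample values are hypothetical and constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory, assumed to be maintained by the relying party:
# host id -> (datacenter, country, physically protected site)
INVENTORY = {
    "host-a17": ("dc-east-1", "DE", True),
    "host-lab3": ("lab-bench", "DE", False),
}

@dataclass(frozen=True)
class Request:
    attestation_ok: bool  # verdict of verifying the TEE report in isolation
    host_id: str          # hypothetical platform identity bound to the report
    source_ip: str        # peer address observed by the broker, not self-reported

@dataclass(frozen=True)
class Policy:
    datacenters: frozenset
    countries: frozenset
    segments: tuple       # ipaddress networks the TEE may connect from
    require_physical_protection: bool = True

def evaluate(req, policy, inventory=INVENTORY):
    """Return (release, reasons); release only if every factor agrees."""
    reasons = []
    if not req.attestation_ok:
        reasons.append("attestation rejected")
    site = inventory.get(req.host_id)
    if site is None:
        reasons.append("host not in inventory")
    else:
        datacenter, country, protected = site
        if datacenter not in policy.datacenters:
            reasons.append("unexpected datacenter")
        if country not in policy.countries:
            reasons.append("geography not permitted")
        if policy.require_physical_protection and not protected:
            reasons.append("site lacks physical protections")
    try:
        addr = ipaddress.ip_address(req.source_ip)
        if not any(addr in net for net in policy.segments):
            reasons.append("unexpected network segment")
    except ValueError:
        reasons.append("unparseable source address")
    return (not reasons, reasons)

# Constructed policy: one datacenter, one country, one network segment.
POLICY = Policy(frozenset({"dc-east-1"}), frozenset({"DE"}),
                (ipaddress.ip_network("10.20.30.0/24"),))
```

A request whose report verifies but which arrives from outside the expected segment is denied with the failing factors listed, which is the case an attestation-only policy would have released.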