Re: [hrpc] [saag] [Pearg] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?

I believe work done by the RATS WG is IETF work related to end-point security.

Remote ATteStation allows an end device to provide cryptographically secured evidence of its manufacture, running state, SW versions, measurements and similar to the peer it is communicating with. The peer may choose to use this evidence to fully trust, limit trust or not-at-all trust the device.

The protocols defined by RATS (e.g., EAT) are primarily formats for encoding and authenticating the evidence about an end device. They don’t set any particular requirement for the privacy or security of the implementation for which evidence is given.

In my view, strongly defining requirements for an implementation’s privacy/security and evaluating against such requirements is a certification activity, not a protocol design activity. We don’t do certification in the IETF. That’s more an activity for organizations like the FIDO Alliance, the Wi-Fi Alliance, automotive groups and such. These organizations have the legal, policy and business structure needed for certification, to issue logos and such.

This seems in alignment with comments from Tony, Ekr and others that there are limits on what we can do in the IETF. I know lots of you want this organization to do more, but I don’t see it so much with our current business, legal and organizational structure around designing and defining protocols.

That said, I think work on RATS is an IETF contribution that goes a bit beyond the usual protect-in-transit security model to one where the end points are not implicitly trusted.

LL





