| Internet-Draft | Early Attestation is Broken | January 2026 |
| Sardar | Expires 17 July 2026 | [Page] |
Sheffer et al. published [I-D.fossati-seat-early-attestation] on 9th January, 2025 and, despite being wildly out of scope of the SEAT charter, the draft secured a place on the agenda of the upcoming SEAT interim meeting -- getting two-thirds of the meeting time -- within hours of publication. In comparison, our request to present [I-D.fossati-seat-expat], which is fully within the charter, was refused. In this document, we disprove the claim made in [I-D.fossati-seat-early-attestation] of backward compatibility with standard TLS [I-D.ietf-tls-rfc8446bis]. We argue that [I-D.fossati-seat-expat] is a much more reasonable way of achieving the goal within the scope of the SEAT charter.
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at https://muhammad-usama-sardar.github.io/seat-early-attestation-broken/draft-usama-seat-early-attestation-is-broken.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-usama-seat-early-attestation-is-broken/.
Discussion of this document takes place on the Secure Evidence and Attestation Transport Working Group mailing list (mailto:seat@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/seat. Subscribe at https://www.ietf.org/mailman/listinfo/seat/.
Source for this draft and an issue tracker can be found at https://github.com/muhammad-usama-sardar/seat-early-attestation-broken.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 17 July 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
We argue that:
[I-D.fossati-seat-early-attestation] is out of scope of the SEAT WG charter.
Several claims in [I-D.fossati-seat-early-attestation] are broken. Specifically, we prove that the proposed key schedule is inconsistent with [I-D.ietf-tls-rfc8446bis].
[I-D.fossati-seat-early-attestation] breaks most -- if not all -- proofs done to date for TLS 1.3.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
[SEAT-Charter] states:
The attested (D)TLS protocol extension will not modify the (D)TLS protocol itself. It may define (D)TLS extensions to support its goals but will not modify, add, or remove any existing protocol messages or modify the key schedule.
Contrary to this crystal clear statement of scope:
Section 4.1 of [I-D.fossati-seat-early-attestation] adds a new protocol message named "Attestation".
Section 5.6 of [I-D.fossati-seat-early-attestation] modifies the key schedule.
Both changes are subtle and error-prone. Such intensive changes should not bypass the FATT process at the TLS WG by any means. SEAT has only a mention of formal analysis in its charter and no real process. SEAT also does not have the blessing of many TLS experts. Pursuing such work in SEAT is therefore almost certain to lead to failure. We recommend that the authors of [I-D.fossati-seat-early-attestation] submit the draft to the TLS WG, where such changes are in scope.
In comparison, [I-D.fossati-seat-expat] makes no changes to TLS and is fully within the scope of the SEAT charter.
Too many claims in [I-D.fossati-seat-early-attestation] are broken. We present one example which invalidates most of the other claims: the key schedule proposed in Section 5.6 of [I-D.fossati-seat-early-attestation] is not consistent with [I-D.ietf-tls-rfc8446bis].
Using the notation of [Key-Schedule], [I-D.ietf-tls-rfc8446bis] derives the handshake secret as:
hs = HKDF-Extract(salt1,gxy)
whereas this draft proposes:
hs' = HKDF-Extract(0,gxy)
Using the definition of salt1 in [Key-Schedule]:
salt1 != 0
It therefore follows that:
hs != hs'
Hence, the key schedule in [I-D.fossati-seat-early-attestation] is inconsistent with [I-D.ietf-tls-rfc8446bis].
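To make the inequality above concrete, the following is an added example (not code from either draft or from [Key-Schedule]) that computes the RFC 8446 Section 7.1 key schedule with HKDF-SHA256 and compares hs with hs'. It assumes that salt1 is the "derived" secret of RFC 8446, i.e. Derive-Secret(Early Secret, "derived", "") with a zero PSK, and that gxy is a constructed stand-in for the (EC)DHE shared secret.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size      # 32 octets for SHA-256
ZEROS = bytes(HASH_LEN)            # the "0" salt / zero PSK of RFC 8446 Section 7.1


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): HMAC keyed with the salt, over the IKM."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869), concatenating blocks until 'length' bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label with the HkdfLabel structure of RFC 8446 Section 7.1."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret: the context is the transcript hash of 'messages'."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def early_secret(psk: bytes = ZEROS) -> bytes:
    """Early Secret = HKDF-Extract(0, PSK); the PSK is all zeros when none is in use."""
    return hkdf_extract(ZEROS, psk)


def salt1(psk: bytes = ZEROS) -> bytes:
    """salt1 = Derive-Secret(Early Secret, "derived", ""): assumed to be the salt of hs."""
    return derive_secret(early_secret(psk), b"derived", b"")


def hs_rfc8446(gxy: bytes) -> bytes:
    """hs = HKDF-Extract(salt1, gxy): the standard TLS 1.3 Handshake Secret."""
    return hkdf_extract(salt1(), gxy)


def hs_zero_salt(gxy: bytes) -> bytes:
    """hs' = HKDF-Extract(0, gxy): the salt replaced by zeros, as this note describes."""
    return hkdf_extract(ZEROS, gxy)
```

With a zero PSK, salt1() reproduces the "tls13 derived" output of the 1-RTT trace in RFC 8448, and hs_rfc8446(gxy) differs from hs_zero_salt(gxy) for the constructed gxy = bytes(range(32)).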
In comparison, [I-D.fossati-seat-expat] uses the standard TLS key schedule without any changes.
Because of the key schedule change above, the draft breaks most -- if not all -- proofs done to date for TLS 1.3.
In comparison, we are making a careful effort to preserve the security properties in our draft [I-D.fossati-seat-expat].
This draft helps make this world more secure by refuting the security claims in [I-D.fossati-seat-early-attestation] and by pushing against the disruption of the FATT process of the TLS WG. Security is dependent on the weakest link, and we believe [I-D.fossati-seat-early-attestation] is the weakest link in the security of TLS. Hence, we view post-handshake attestation as the most appropriate option.
This document has no IANA actions.
We thank the authors of [I-D.fossati-seat-early-attestation] for putting together something that is already long overdue.
Since the proof in Section 4.1 is based on the work done in [Key-Schedule], we thank all those acknowledged there, namely Arto Niemi, Hannes Tschofenig, Thomas Fossati, Eric Rescorla, and Ionut Mihalcea.