| Internet-Draft | ECA | September 2025 |
| Ritz | Expires 1 April 2026 | [Page] |
This document specifies the Ephemeral Compute Attestation (ECA) protocol, which enables ephemeral compute instances to prove their identity without pre-shared operational credentials. ECA uses a three-phase ceremony that cryptographically combines a public Boot Factor (a high-entropy provisioning value), a secret Instance Factor, and a dynamically released Validator Factor to establish attestation evidence. The protocol is transport-agnostic and produces Entity Attestation Tokens (EAT) for consumption by Relying Parties, such as within automated certificate issuance protocols.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 April 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
ECA profiles the RATS [RFC9334] "passport model". It assumes familiarity with the roles defined in the RATS architecture.¶
Modern software architecture increasingly relies on ephemeral compute instances, which require a secure and reliable method to bootstrap their identity upon creation. While solutions exist for this problem, they are often tied to a specific vendor's ecosystem or lack the robustness required for certain environments. This creates significant challenges for portability, security, and operational consistency across diverse computing landscapes.¶
Hyperscale cloud providers (e.g., AWS, GCP, Azure) offer Instance Metadata Services (IMDS) that can provide a cryptographically signed token attesting to an instance's identity. This is a mature model for applications developed to run within a single provider's environment. However, IMDS typically relies on HTTP-based access within the instance's network, which can introduce latency in high-throughput scenarios and requires instances to trust the provider's metadata endpoint.¶
Despite the success of provider-native solutions, their approach creates a new set of challenges in a world that is increasingly multi-cloud and security-conscious.¶
Workloads are now frequently designed to be portable across different providers, but their identity bootstrapping mechanisms are not. An application architected to use the AWS Instance Identity Document cannot be moved to GCP, a private cloud, or a bare-metal server without significant re-engineering of its security and trust establishment logic. This friction couples a workload's identity to its location, undermining the core goal of portability.¶
Provider-native identity mechanisms fundamentally require that the cloud provider itself is a trusted entity. The identity token is issued by the provider's infrastructure and its validity rests on that trust. However, in Confidential Computing and other zero-trust scenarios, the threat model must include a potentially malicious or compromised provider. AMD SEV or Intel TDX, for instance, offer memory encryption and remote attestation, but their reports are tied to specific hardware generations, complicating migration across diverse fleets. In these cases, an identity token issued by the infrastructure is insufficient; trust must be anchored in a separate, verifiable source, such as a hardware root of trust (HRoT). TPM-based systems, such as those in TCG specifications, provide measured boot integrity but often require platform-specific endorsement keys, limiting interoperability in hybrid setups.¶
For the vast ecosystem of smaller cloud providers, private clouds,
and on-premise data centers, a standardized IMDS-like service
does not exist. This forces operators into less secure or bespoke
bootstrapping patterns, such as injecting pre-shared secrets via
user-data. While a practical starting point, this approach
re-introduces TOFU risks and creates a broad exposure surface
for secrets in logs, state files, and metadata services,
compounding operational complexity at scale. Traditional TOFU,
as seen in SSH key exchanges, assumes initial connections are
secure but can fail in automated deployments where instances are
spun up frequently without human oversight. For example, in
systems like Kubernetes or OpenStack, user-data injection requires
careful configuration management to prevent accidental exposure
during cluster scaling or migrations. For concrete patterns
addressing these risks, see [I-D.eca-impl] Section 2.1.¶
The Ephemeral Compute Attestation (ECA) protocol is designed to address these limitations directly. It provides a single, open standard that:¶
Decouples Identity from Infrastructure: ECA establishes instance identity through a transport-agnostic protocol, facilitating portability of workloads across environments.¶
Supports Trust Anchoring: ECA's design, allows trust to be anchored by a hardware root of trust (HRoT), providing cryptographic proof of identity that remains effective even if the underlying provider is untrusted.¶
Provides a Standard for Various Environments: ECA offers a standardized bootstrapping mechanism for on-premise, bare-metal, and "alt-cloud" deployments that lack a native identity service.¶
ECA approaches the bootstrapping problem as a cryptographic challenge based on verifiable proof of factor possession, independent of location.¶
Integration with Existing Frameworks: ECA design focus was to complement, not replace, existing identity and attestation frameworks. For detailed exploration of how ECA integrates with ACME, BRSKI, SPIFFE/SPIRE, and other systems, see [
I-D.eca-impl] Section 4 "Integration with Existing Frameworks".¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
BF value acts as a public
challenge token; the protocol security is maintained even if
BF may be exposed in logs or metadata.¶
IF in conjunction
with the BF to authenticate. It may be hardware-derived,
orchestrator-provided, or artifact-based. For concrete patterns
and implementation guidance, see [I-D.eca-impl] Section 2.¶
BF+IF possession.
The VF MUST be bound to the IF (e.g.,
VF = SHA-256(seed || IF)). This binding ensures VF secrecy
against network attackers, as noted in the formal model (see
Appendix A.1).¶
BF+VF) rather than secrecy
of individual components.¶
BF to IF that enables exposure-tolerant
authentication while preventing pre-computation attacks.¶
IF). Three patterns are defined:
hardware-rooted (Pattern A), orchestrator-provisioned
(Pattern B), and artifact-based (Pattern C). For detailed
specifications, see [I-D.eca-impl] Section 2.¶
Exposure Tolerance: Protocol security is maintained even if the Boot Factor becomes public. This reduces the operational burden of protecting bootstrap secrets in logs, configuration systems, or during provisioning.¶
Deterministic Identity: All cryptographic keys are derived deterministically from high-entropy factors, ensuring repeatable identity generation without dependence on potentially weak runtime entropy sources.¶
Transport Agnostic: The protocol's security is derived from the cryptographic content of exchanged artifacts, not the properties of the transport layer. This allows flexible deployment over any simple retrieval mechanism.¶
Relationship to Static Artifact Exchange (SAE): While ECA is a transport-agnostic protocol, the Static Artifact Exchange (SAE) I-D.sae-protocol is the recommended transport mechanism. SAE's static, pull-only model is intentionally minimal to reduce the overall attack surface. This approach reducing common attack surfaces like injection and parser vulnerabilities. By relying on SAE, it re-inforces ECA's proof-driven design that relies solely from the cryptographic content of the exchanged artifacts to achieve its security goals, while mitigating risks particularly regarding freshness guarantees (see Appendix A.2.2.).¶
Privileged Credential Vacuum: The Attester begins its lifecycle
with no privileged operational credentials (e.g., API keys, service
tokens, or passwords). This operationalizes a "verify-then-trust"
model, ensuring that trust is never assumed but must be
cryptographically proven through successful attestation. Operational
credentials are only delivered after a Relying Party (RP) appraises
the Attestation Result (AR) from the Verifier and deems it
acceptable. For post-attestation patterns including re-attestation
and hierarchical trust, see [I-D.eca-impl] Section 3.¶
This section defines abstract properties that MUST hold for any conforming implementation. Concrete algorithms and encodings are defined by profiles (see Section 8 "Profiles").¶
Accept-Once Ceremony¶
eca_uuid.¶
eca_uuid at most once and MUST
treat re-observations as replay and abort. Verifiers SHOULD
use a persistent store (e.g., a database or file) to track
accepted eca_uuid values for at least the expected lifetime
of an Attestation Result to prevent replay.¶
Dual-Channel Binding¶
Privileged Credential Vacuum¶
Authenticated Artifacts¶
Replay & Freshness¶
Termination & State¶
No Attester-Supplied Trust Pinning¶
Note: The security properties of ceremony isolation depend significantly on the transport mechanism. See Section 6.5 for transport-specific security considerations regarding Verifier key management.¶
Transport Minimalism¶
The ECA protocol follows a three-phase ceremony, as illustrated in the figure below. The ceremony begins with the Attester in a privileged credential vacuum, possessing only its initial factors. It concludes with the Verifier producing a signed Attestation Result (AR) upon successful validation, which can then be delivered to the Attester for presentation to Relying Parties (RP).¶
Attester Verifier
(possesses BF, IF) (expects BF, IF)
| |
| Phase 1: Prove Possession of BF+IF |
| (publishes IHB, kem_pub, HMAC) |
|------------------------------------------------->|
| |
| (Validates proof
| at Gates 1-4)
| |
| Phase 2: Receive Validator Factor |
| (retrieves Encrypted {VF, nonce} + Signature) |
|<-------------------------------------------------|
| |
| Phase 3: Prove Joint Possession of BF+VF |
| (publishes signed Evidence EAT) |
|------------------------------------------------->|
| |
| (Appraises EAT
| at Gates 5-11)
| |
|<.................................................. (SUCCESS)
| Attestation
(receives AR for RP) Result (AR)
¶
The Verifier enforces a sequence of fail-closed validation gates in a specific order derived from the protocol's formal model. Each gate represents a critical check that must pass before proceeding.¶
MAC Verification: Verifies the integrity of the Phase-1
payload using an HMAC tag derived from BF and IF.¶
MAC_INVALID.¶
Instance Authorization: Checks if the Attester's identity
(e.g., derived from eca_uuid or IF) is authorized to proceed.¶
ID_MISMATCH.¶
IHB Validation: Confirms that the received Integrity Hash Beacon (IHB) matches the expected value for the authorized instance.¶
IHB_MISMATCH.¶
KEM Public Key Match: Ensures the ephemeral encryption public key in the payload matches the expected key for the session.¶
KEM_MISMATCH.¶
Evidence Time Window: Validates that the iat, nbf, and
exp claims in the final EAT are within an acceptable time skew
(e.g., ±60 seconds).¶
TIME_EXPIRED.¶
EAT Schema Compliance: Checks that the EAT contains all required claims with the correct types and encodings.¶
SCHEMA_ERROR.¶
EAT Signature: Verifies the Ed25519 signature on the EAT
using the public key derived from BF and VF.¶
SIG_INVALID.¶
Nonce Match: Ensures the nonce in the EAT matches the nonce the Verifier issued in Phase 2, proving freshness.¶
NONCE_MISMATCH.¶
JP Validation: Verifies the Joint Possession proof, ensuring the final identity key is bound to the ceremony context.¶
KEY_BINDING_INVALID.¶
PoP Validation: Verifies the final Proof-of-Possession tag,
confirming the Attester's knowledge of both BF and VF.¶
POP_INVALID.¶
Identity Uniqueness (Replay): Persists the terminal state
for the eca_uuid and rejects any future attempts to use it.¶
IDENTITY_REUSE.¶
These gates align with the formal model's events (see Appendix A.1): - Gate 8 Nonce Match (per AttesterUsesNonce event). - Gate 9 JP Validation (per VerifierValidatesWithKey event). - Gate 10 PoP Validation (See Section 8) (per VerifierAccepts event).¶
BF + IF.¶
IHB = SHA-256(BF || IF).¶
{kem_pub, ihb} and an
associated HMAC tag to the repository.¶
VF (≥128 bits) and a 16-byte
nonce.¶
{VF, nonce} using HPKE to the Attester's ephemeral
public key.¶
VF.¶
BF+VF.¶
When using SAE transport I-D.sae-protocol: - Implementations MAY use long-term or ephemeral Verifier keys - Ephemeral per-ceremony keys are RECOMMENDED for operational best practice¶
When using other transports: - Implementations MUST use ephemeral per-ceremony Verifier keys (see Security Considerations Section 6.5.2 for rationale)¶
| State | Description |
|---|---|
INIT
|
New attestation lifecycle initiated. |
AWAITING_ATTESTER_PROOF
|
Awaiting Phase 1 artifacts. |
PROVING_TO_ATTESTER
|
Publishing Phase 2 artifacts. |
AWAITING_EVIDENCE
|
Awaiting Phase 3 artifacts. |
VALIDATING
|
Appraisal of evidence. |
SUCCESS
|
Terminal success state. |
FAIL
|
Terminal failure state. |
| State | Event | Next State |
|---|---|---|
INIT
|
New attestation lifecycle. |
AWAITING_ATTESTER_PROOF
|
AWAITING_ATTESTER_PROOF
|
Phase 1 artifacts retrieved and validated. |
PROVING_TO_ATTESTER
|
PROVING_TO_ATTESTER
|
Phase 2 artifacts published. |
AWAITING_EVIDENCE
|
AWAITING_EVIDENCE
|
Phase 3 artifacts retrieved. |
VALIDATING
|
VALIDATING
|
Appraisal results pass. |
SUCCESS
|
| Any | Any validation check fails or timeout. |
FAIL
|
Trust Boundaries: Without hardware roots of trust, the security
scope is limited to passive network observers rather than
compromised infrastructure providers. Hardware-rooted Instance
Factor Pattern A addresses this limitation. For detailed pattern
specifications, see [I-D.eca-impl] Section 2. This hardware-based
protection is critical for mitigating State Reveal attacks; a
formal analysis confirmed that a compromise of the Attester's
software environment can expose the ephemeral decryption keys used
in Phase 2, thereby compromising the ceremony's core secrets (see
Appendix A.2.3).¶
Exposure tolerance: The protocol is designed to tolerate
incidental exposure of the unique per-use Boot Factor token (BF)
(e.g., in control-plane logs), however this tolerance does not
replace the need for sound operational hygiene. Operators SHOULD
avoid unnecessary public dissemination of BF to minimize
attracting targeted attacks. Security is layered; cryptographic
strength complements, but does not replace, good operational
practices.¶
Secrets Handling: Derived keys are sensitive cryptographic material. Implementations MUST handle them securely in memory (e.g., using locked memory pages) and explicitly zeroize them after use.¶
Exposure Tolerance: A core design principle of this protocol is that the Boot Factor (BF) is considered public information and its security does not depend on the BF's confidentiality. This exposure tolerance is a deliberate architectural choice that enables powerful, flexible provisioning patterns, such as using a public key from an ACME certificate as a verifiable Boot Factor.¶
This design places the entire security burden for the initial
authentication on the confidentiality of the Instance Factor
(IF). The protocol's security is anchored on the Attester proving
its knowledge of the secret IF in conjunction with the public
BF.¶
The operational risk is therefore focused on preventing the
concurrent exposure of both BF and IF. This risk is tightly
time-bounded by two key factors:¶
eca_uuid and
successfully completes the ceremony, the "accept-once" rule
renders any stolen factors for that specific ceremony useless
for future impersonation attacks.¶
Therefore, operational hygiene should focus on protecting the
end-to-end provisioning process to ensure the secrecy of the IF
until the ceremony is complete, rather than on attempting to hide
the public BF.¶
The protocol's security properties have been analyzed using an exploratory ProVerif model. The model positively identifies key security goals such as authentication, freshness, key binding, and confidentiality against a network attacker, assuming a public Boot Factor (BF). For a detailed summary of the formal model, its queries, and the proven properties within the models, see Appendix A.¶
The security properties described in Section 6.1 depend on the
secrecy of the joint factors. These properties will be compromised
if both the Boot Factor (BF) and Instance Factor (IF) are exposed
concurrently before a successful ceremony completes. Therefore,
BF and IF MUST NOT be transmitted together over an unsecured
channel prior to the conclusion of the ceremony. Such exposure
would allow an adversary to intercept the Validator Factor (VF)
and perfectly impersonate the intended Attester.¶
To reduce this risk, operators SHOULD minimize the time window
between when an Attester becomes operational with its BF and when
a Verifier is available to appraise the Attester's evidence.¶
ECA is designed to address two key threat models: the Network Attacker (a Dolev-Yao-style MiTM who controls communication but not participant state) and the Malicious Provider (a privileged insider with control-plane access). The analysis from an exploratory ProVerif model suggests that the protocol, as modelled, defeats the Network Attacker through its Phase 1 MAC and joint possession proofs.¶
The choice of Instance Factor Pattern directly maps to the desired security goals:¶
IF in a hardware root of trust
(HRoT), it enables strong isolation and is sufficient to mitigate
the Malicious Provider threat model.¶
For detailed pattern specifications and implementation guidance,
see [I-D.eca-impl] Section 2.¶
The formal model confirms that the protocol cannot maintain secrecy
of the Validator Factor (VF) if the Attester's runtime state is
compromised and the ephemeral decryption key is extracted. The
confidentiality of VF is critically dependent on the secrecy of
the Attester's ephemeral private decryption key. A formal "State
Reveal" analysis was conducted, where the Attester's ephemeral
private key was deliberately leaked to an attacker (see Appendix
A.2.3). The model confirmed that this compromise allows a passive
network attacker to intercept the Phase 2 ciphertext from the
Verifier and successfully decrypt it, thereby revealing the VF.¶
This result establishes the protocol's security boundary regarding the Attester's runtime state. The only viable mitigation for this threat is the use of IFP Pattern A (hardware-rooted), where the Instance Factor (IF), and by extension all keys derived from it, are protected by a hardware root of trust, making them resilient to software-level compromise.¶
Formal analysis (Appendix A.2.2) identified that long-term Verifier keys enable freshness attacks in theory. However, the protocol's cryptographic binding design ensures these attacks cannot produce valid authentication, limiting impact to denial of service at worst.¶
When using SAE transport I-D.sae-protocol, compromise of Verifier signing keys has negligible security impact:¶
This resilience results from two factors: 1. SAE's pull-only architecture prevents message injection without repository access 2. ECA's cryptographic binding ensures evidence from corrupted ceremonies fails appraisal¶
Given these mitigations, implementations using SAE MAY use long-term Verifier keys with acceptable security properties, though ephemeral keys remain RECOMMENDED for operational hygiene and ceremony isolation.¶
Note: Implementations using push-capable or direct-communication transports MUST use ephemeral per-ceremony keys, as these transports enable active injection attacks that compromise freshness.¶
When using the Static Artifact Exchange (SAE) protocol¶
This mitigation arises from SAE's architectural properties: - Pull-only communication (no push channel to Attester) - Repository-based artifact exchange with access control - Immutability requirements preventing artifact replacement¶
For implementations using direct peer-to-peer communication or push-capable transports, the formal model (Appendix A.2.2) demonstrates that:¶
VF', nonce')
pairs.¶
Therefore, ephemeral per-ceremony keys are normatively mandated (MUST) when not using SAE I-D.sae-protocol or equivalent pull-only, repository-based transports.¶
While SAE mitigates the immediate security impact of key compromise, ephemeral keys remain RECOMMENDED for all implementations because they provide:¶
ECA explicitly does not attempt to address several related but distinct problems:¶
Software-Based Mitigation of Hypervisor Threats: ECA supports full integration with hardware roots of trust (HRoT) where available, and such integration is RECOMMENDED. ECA does not replace the need for HRoTs where the threat model must assume a compromised service provider, hypervisor or related platform, including protections against Attester state compromise (see Section 6.4).¶
Replacement for Single-Cloud IMDS: ECA is not intended to replace provider-native IMDS for simple workloads operating within a single, trusted cloud environment. For such use cases, IMDS provides a simpler, adequate solution. ECA's value is realized in multi-cloud, high-assurance, or non-IMDS environments.¶
Infrastructure Trust Bootstrapping: ECA assumes operational mechanisms exist for manifest distribution, verifier discovery, and PKI infrastructure. It integrates with existing trust foundations rather than replacing them.¶
Identity Framework Replacement: ECA complements rather than
competes with systems like SPIFFE/SPIRE, potentially serving as a
high-assurance node attestor for existing identity frameworks. For
detailed integration patterns, see [I-D.eca-impl] Section 4.¶
Manufacturer Provenance: ECA does not provide supply-chain attestation or manufacturer-anchored trust. ECA handles runtime attestation for transient instances at the software layer.¶
Real-time Performance Optimization: The asynchronous design prioritizes security and reliability over minimal latency. Preliminary efforts suggest total latency of less than 2 seconds using SAE for VM attestation, which is minimal compared to standard cloud VM startup time. Sub-second attestation is not a primary goal, however feedback for secure optimizations are welcomed.¶
This document defines the protocol abstractly. Concrete cryptographic mechanisms are supplied by profiles. A conforming implementation MUST implement at least one profile, and any chosen profile MUST preserve all requirements in Section 3.1.¶
Note: No MTI Algorithms in this Revision. This -00 revision does not define mandatory-to-implement (MTI) primitives. A reference profile ("ECA-VM-v1") is specified in [
I-D.eca-impl] Section 6 as a candidate to enable experimentation and interop with the prototype.¶
Key Separation (Architecture requirement): Regardless of profile, implementations MUST maintain strict separation between: - Phase 2 encryption keys (used by the Verifier to release VF to the Attester), and - Phase 3 identity/signing keys (used by the Attester to sign Evidence/EAT).¶
Profiles typically achieve separation via domain-separated KDF invocations; however, any mechanism that guarantees computational unlinkability between Phase 2 and Phase 3 key material is acceptable, provided Section 3 invariants remain intact.¶
A profile MUST provide a PoP mechanism that proves joint-possession of both factors used across the ceremony and binds the result to the session context. At minimum, the PoP's authenticated input MUST cover:¶
eca_uuid,¶
BF+IF
binding,¶
vnonce).¶
The PoP output MUST be verifiable by the Verifier without additional round trips and MUST be integrity-protected under a key that is infeasible to compute without both factors required by the active profile.¶
| Claim | EAT Key | Value Type | M/O | Description |
|---|---|---|---|---|
| ECA UUID | 2 (sub) | tstr | M | The unique eca_uuid for the attestation lifecycle. The value of this claim MUST be the eca_uuid. |
| Expiration | 4 (exp) | int | M | NumericDate (epoch seconds). MUST be encoded as a 64-bit unsigned integer. |
| Not Before | 5 (nbf) | int | M | NumericDate (epoch seconds). MUST be encoded as a 64-bit unsigned integer. |
| Issued At | 6 (iat) | int | M | NumericDate (epoch seconds). MUST be encoded as a 64-bit unsigned integer. |
| Verifier Nonce | 10 (nonce) | tstr | M | Verifier-issued vnonce (base64url, unpadded) representing exactly 16 bytes of entropy (typically 22 chars). |
| ECA Identity | 256 (EUID) | tstr | M |
eca_attester_id = hex SHA-256 of the Ed25519 public key used to sign this EAT. |
| EAT Profile | 265 | tstr | M |
urn:ietf:params:eat:profile:eca-v1. |
| Measurements | 273 | tstr | M | Integrity Hash Beacon (IHB) (lowercase hex). |
| PoP | 274 (PoP) | tstr | M | Final Proof of Possession tag (base64url, unpadded) computed as defined by the active profile. |
| JP Proof | 276 | tstr | M | Joint Possession proof (lowercase hex), binding the final identity to the ceremony. |
| Intended Use | 275 | tstr | M | The intended use of the EAT (e.g., attestation, enrollment credential binding). |
Values marked "tstr" that carry binary material (e.g., nonces,
tags) MUST specify their encoding. In the ECA-VM-v1 profile (see
[I-D.eca-impl] Section 6), nonce and PoP are base64url
(unpadded); EUID, Measurements, and JP Proof are lowercase
hex.¶
| Claim | Key | Value Type | Description |
|---|---|---|---|
| Issuer | 1 | tstr | An identifier for the Verifier that produced the result. |
| Subject | 2 | tstr | The eca_attester_id identity of the instance that was successfully attested. |
| Expiration | 4 (exp) | int | OPTIONAL. NumericDate defining the AR's validity period. |
| Not Before | 5 (nbf) | int | OPTIONAL. NumericDate defining the AR's validity period. |
| Issued At | 6 | int | NumericDate (epoch seconds) of the successful validation. |
| JWT ID | 7 | tstr | The unique eca_uuid of the attestation lifecycle to prevent replay. |
| Key ID | -1 (kid) | bstr | OPTIONAL. The hash of the Verifier's public key used to sign the AR. |
| Status | -262148 | tstr | The outcome of the attestation. MUST be urn:ietf:params:rats:status:success. |
For failures, the AR payload SHOULD follow the same structure but
with a status of urn:ietf:params:rats:status:failure and an
additional error_code claim (e.g., -262149 as a tstr)
containing the authenticated error. Relying Parties consuming the
AR MUST validate the nbf and exp claims to ensure the AR is
within its validity period.¶
The ECA protocol is transport-agnostic. It requires only that peers have a mechanism to publish and retrieve immutable cryptographic artifacts from a pre-defined Artifact Repository. The Static Artifact Exchange (SAE) protocol I-D.sae-protocol is specified as the recommended pattern to fulfill this requirement. SAE's static, "publish-then-poll" model is intentionally chosen to minimize the attack surface associated with traditional, dynamic APIs. By avoiding direct request processing, it eliminates entire classes of vulnerabilities like injection and parser flaws, ensuring that protocol security is derived from the cryptographic content of the artifacts alone.¶
For detailed operational guidance including scalability, time
synchronization, addressing complexity, and provisioning patterns,
see [I-D.eca-impl] Section 5.¶
IANA is requested to register:¶
This registry defines application-specific error codes that are used in addition to the base error codes defined in I-D.sae-protocol. The Canonical Content string defined here MUST be used as the input to the HMAC-SHA256 function when generating an error signal, as specified by the SAE protocol.¶
| Code | Canonical Content (UTF-8) | Gate | Description |
|---|---|---|---|
MAC_INVALID
|
MAC_INVALID
|
1 | Provided MAC was invalid. |
ID_MISMATCH
|
ID_MISMATCH
|
2 | Provided instance identity was invalid. |
IHB_MISMATCH
|
IHB_MISMATCH
|
3 | Recomputed IHB did not match expected value. |
KEM_MISMATCH
|
KEM_MISMATCH
|
4 | Did not get expected KEM key for the session. |
TIME_EXPIRED
|
TIME_EXPIRED
|
5 | Evidence timestamp was outside valid time window. |
SCHEMA_ERROR
|
SCHEMA_ERROR
|
6 | Attestation token failed schema validation. |
SIG_INVALID
|
SIG_INVALID
|
7 | Attestation token signature failed. |
NONCE_MISMATCH
|
NONCE_MISMATCH
|
8 | Nonce in the EAT did not match the issued nonce. |
KEY_BINDING_INVALID
|
KEY_BINDING_INVALID
|
9 | The key used for validation is not bound to the session's Boot Factor. |
POP_INVALID
|
POP_INVALID
|
10 | The PoP tag was invalid. |
IDENTITY_REUSE
|
IDENTITY_REUSE
|
11 | Attempt to reassign an existing identity. |
PUBLISHER_INVALID
|
PUBLISHER_INVALID
|
- | Attester artifacts were observed at a repository not hosted by the Attester. |
TIMEOUT_PHASE1
|
TIMEOUT_PHASE1
|
- | Attester failed to publish Phase 1 artifacts within timeout |
TIMEOUT_PHASE2
|
TIMEOUT_PHASE2
|
- | Attester failed to publish Phase 2 artifacts within timeout |
TRANSPORT_ERROR
|
TRANSPORT_ERROR
|
- | Underlying transport protocol error |
The design of this protocol was heavily influenced by the
simplicity and security goals of the AGE [AGE] file encryption
tool. The protocol's core cryptographic mechanisms would not be as
simple or robust without the prior work of the IETF community in
standardizing modern primitives, particularly Hybrid Public Key
Encryption (HPKE) in [RFC 9180]. The author wishes to thank the
contributors of these foundational standards for making this work
possible.¶
I-D.eca-impl]The protocol's security properties were analyzed using an
exploratory formal model in ProVerif [ECA-PV-BL-MODEL]. The model
assumes a powerful Dolev-Yao network attacker who can intercept,
modify, and inject messages. It also correctly models the Boot
Factor (BF) as public knowledge from the start, as per the
protocol's "exposure tolerance" principle (Section 3).¶
The analysis was conducted in two parts: verification of the core security properties against a network attacker, and an analysis of the protocol's behavior under specific key compromise scenarios to define its security boundaries.¶
In the baseline model, all core security goals were successfully shown to hold against a network attacker [ECA-PV-BL-PROOF].¶
| Property | ProVerif Query | Result | Interpretation |
|---|---|---|---|
| Authentication |
inj-event(VerifierAccepts(...)) ==> inj-event(AttesterInitiates(...))
|
True | The Verifier only accepts an attestation if a unique Attester legitimately initiated it. This prevents an attacker from impersonating the Attester. |
| Freshness |
event(AttesterUsesNonce(n)) ==> event(VerifierGeneratesNonce(n))
|
True | The Attester will only use a nonce that was genuinely generated by the Verifier for that ceremony. This property is the basis for Gate 8 (Nonce Match) and prevents replay attacks. |
| Key Binding |
event(VerifierValidatesWithKey(pk)) ==> event(AttesterPresentsKey(pk))
|
True | The final identity key that the Verifier checks is unambiguously bound to the Attester that participated in the ceremony, validating Gate 9 (JP Validation). |
| Confidentiality |
not (event(VFReleased(vf)) && attacker(vf))
|
True | The secret ValidatorFactor (VF) is never revealed to a network attacker, satisfying a fundamental security goal of the protocol. |
Additional tests were performed to formally define the protocol's security boundaries under specific compromise scenarios.¶
A test was conducted where an attacker compromises an
InstanceFactor (IF) from one ceremony and attempts to
impersonate a Verifier in a different ceremony [ECA-PV-BL-MODEL].
The model indicated this attack is not possible [ECA-PV-BL-PROOF].
The KCI security query passed, confirming that compromising a
secondary factor (IF) does not allow an attacker to forge
messages from a primary party (the Verifier), as they still lack
the Verifier's private signing key.¶
A test was conducted modeling a compromised long-term Verifier signing key [ECA-PV-AT-FS-MODEL]:¶
Result: The model demonstrated that an attacker can inject
arbitrary (VF', nonce') pairs, breaking the Freshness property
(event(AttesterUsesNonce(n)) ==> event(VerifierGeneratesNonce(n))
was False).¶
Interpretation: While the formal model identifies a freshness violation, the protocol's cryptographic design ensures this only enables denial of service, not authentication bypass:¶
The attacker can cause the Attester to derive keys from (BF,
VF')¶
However, the resulting Evidence will contain:¶
Furthermore, when using SAE transport I-D.sae-protocol, even this DoS attack becomes infeasible without repository write access, as noted in Section 6.5.1.¶
A test was conducted modeling a compromised Attester whose ephemeral private decryption key is leaked [ECA-PV-AT-SR-MODEL].¶
Result: The model demonstrated that this allows a passive
attacker to decrypt the Phase 2 ciphertext and steal the
ValidatorFactor (VF)
(not (event(VFReleased(vf)) && attacker(vf)) was False).¶
Interpretation: This result formally establishes the security boundary discussed in Section 6.4¶
Mitigation: This analysis provides the formal rationale for
hardware-rooted Instance Factor Pattern A when the threat model
must assume compromise of the underlying provisioning platform.
For pattern specifications, see [I-D.eca-impl] Section 2.¶