1.6. Main results
-
All analyzed binding mechanisms and the corresponding implementations of intra-handshake attestation are vulnerable to relay attacks.¶
-
Early exporter helps achieve level 1 binding.¶
-
Our proposed mechanism helps achieve level 2 binding.¶
-
It may not be possible to achieve level 3 in intra-handshake attestation alone without additional assumptions.¶
| Property | Mechanism #1,2,4,6 | Mechanism #3,5,7 | Proposed mechanism |
|---|---|---|---|
| G1 : Correlation of Evidence to gxy | ❌ | ✅ | ✅ |
| G2 : Correlation of Evidence to kch | ❌ | ❌ | ✅ |
| G3 : Correlation of Evidence to kc | ❌ | ❌ | ❌ |
1.6.1. Implications of Research for IETF SEAT WG
-
We believe post-handshake attestation alone, such as draft-fossati-seat-expat, can achieve level 3 binding.¶
-
The research suggests that recent hybrid proposals (combination of intra-handshake attestation and post-handshake attestation) draft-fossati-seat-early-attestation and draft-ritz-seat-facts may add unnecessary complexity of intra-handshake attestation without adding any security benefit compared to post-handshake attestation alone, such as draft-fossati-seat-expat.¶
1.6.2. Implications of Research for IETF TLS WG
-
Remote attestation within the handshake is very dangerous, since to our knowledge, it is one of the highest scored vulnerabilities in confidential computing literature (see this).¶
Given the high-severity vulnerabilities, the developers and maintainers of intra-handshake attestation MUST urgently move to post-handshake attestation.¶
1.6.3. Implications of Research for Agent2Agent
Intra-handshake attestation does more damage than protection for AI agents.¶