[IDS] CertificationState and remote attestation

[IDS] CertificationState and remote attestation

Randy Turner rturner at amalfisystems.com
Tue Jun 23 23:17:48 UTC 2009


Hi Dave,

I always thought "certification state" was some value that was  
"approved" by some 3rd party certification organization.

And I thought "configuration state" might be something akin to what  
you have derived below.

"Certification State" was something similar to what I included in a  
previous email regarding FIPS certification.  For "products" that are  
certified, the certification is for a particular model number and  
software version.  If you're just certifying a software module (like  
openssl), then you would provide the cert lab with a version and  
either source or binary module, pre-configured to execute the cert  
tests.

That's why I stressed that any "validation module" that wants to  
verify the HCD_configuration_state needs to know "WHICH" certification  
that this value reflects, and WHAT the correct value should be.  For a  
FIPS certification, this would be "FIPS 140-2" and "FF02CH001F00" (a  
sample hash/fingerprint)

Example certifications might be:

Common Criteria (possibly multiple certifications)
FIPS
ICSA (for firewall/security appliances)
"Works with Vista" or any of the half-dozen Microsoft logo certs you  
can test against


My interpretations of these HCD_configuration and HCD_certification  
states are based on what I think are the original rationale (going way  
back) for these values...

Based on my understanding of "certification state", we would need to  
support "one or more" certification states, depending upon how many  
different types of certifications
are maintained by the device.

If my interpretation of the rationale for certification and  
configuration states differs from the group, I'm sure someone will let  
me know :)

Randy


On Jun 23, 2009, at 8:39 AM, Dave Whitehead wrote:

>
> So, would something like the following be of use?
>
>
> Device with device certificate and key pair.  (Same for SHV)
>
> Device also has certificate of SHV.  (and vise versa)
>
> CertificationState = Hash(all required HCD attributes)
>
> CertificationStatement = CurrentDataTime + CertificationState
>
> CertificationIntegrity = Sign(CertificationStatement, Device[PrivKey])
>
> HCD_CertificationState = Encrypt(CertificationIntegrity, SHV[PubKey])
>
>
> Just wondering ...
>
> dhw
>
> David H. Whitehead
> Development Engineer
> Lexmark International, Inc.
> 859.825.4914
> davidatlexmarkdotcom
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean. _______________________________________________
> ids mailing list
> ids at pwg.org
> https://www.pwg.org/mailman/listinfo/ids

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2433 bytes
Desc: not available
URL: <http://www.pwg.org/pipermail/ids/attachments/20090623/56206877/attachment.p7s>


More information about the ids mailing list