| Internet-Draft | Carrying Remote Attestation Evidence in | March 2026 |
| Liu, et al. | Expires 26 September 2026 | [Page] |
This document specifies how Remote Attestation evidence, as defined by the IETF RATS architecture, can be conveyed within a Workload Identity Token (WIT) as used in the WIMSE (Workload Identity for Micro-Services Environments) framework. The WIT includes attestation measurements that enable fast-path policy evaluation without requiring immediate access to full evidence. The WIT is bound to the HTTP request using OAuth 2.0 Demonstrating Proof-of-Possession (DPoP), ensuring that attestation claims are protected against replay and token theft.¶
This specification defines a two-tier verification model: lightweight verification using embedded measurements for common scenarios, and deep verification using externalized evidence for high-assurance requirements. This enables secure, cross-domain verification of workload integrity without requiring direct access to platform-specific reference values, while enabling efficient deployments.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In some scenarios of the security-sensitive environments, workloads need to prove not only their identity but also the integrity of their execution environment. The WIMSE framework defines the Workload Identity Token (WIT) for conveying identity between workloads. However, to support confidential computing and remote attestation across administrative domains (e.g., multi-cloud), the WIT need to carry verifiable attestation evidence.¶
This document extends the WIT specification by defining standard claims for attestation and specifying their integration with WIMSE and the RATS architecture [RFC9334].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.¶
This document uses terms from the RATS architecture [RFC9334], including "Evidence", "Endorsement", and "Reference Value". It also assumes familiarity with WIMSE [I-D.ietf-wimse-s2s-protocol] and OAuth 2.0 DPoP [RFC9449].¶
A WIT conveying attestation information MUST include the claims defined in this section. When attested_environment is true, the measurements claim MUST be present to enable fast-path policy evaluation. All attestation claims MUST be protected by the WIT's digital signature and bound to the request via DPoP. The WIT implementation follows the JWT Best Current Practices [RFC8725].¶
This specification defines a two-tier verification model:¶
attested_environment
The "attested_environment" claim is a REQUIRED boolean value indicating
whether the workload is running in an environment capable of producing
valid remote attestation evidence.¶
If true, the measurements claim MUST be present, and the verifier SHOULD
evaluate the measurements against its local policy. If false or absent,
no attestation verification is performed.¶
tee_type
The "tee_type" claim is a REQUIRED string (when attested_environment is true)
identifying the type of Trusted Execution Environment (TEE). This value determines
the format of the measurements claim. Registered values include:¶
"intel-tdx" - Intel Trust Domain Extensions¶
"amd-sev-snp" - AMD Secure Encrypted Virtualization - Secure Nested Paging¶
"intel-sgx" - Intel Software Guard Extensions¶
"arm-cca" - ARM Confidential Compute Architecture¶
This value enables policy-based decisions (e.g., "only accept intel-tdx") and determines how the verifier interprets the measurements claim.¶
New TEE types MAY be registered through the IANA registry defined in Section 7.2.¶
measurements
The "measurements" claim is REQUIRED when attested_environment is true.
It contains a summary of key attestation measurements that enable fast-path
policy evaluation without retrieving full evidence. The measurements object
provides sufficient information for relying parties to make authorization
decisions for common scenarios.¶
The measurements object MUST contain the following members:¶
type:algorithm:registers:summary:Verifiers MUST validate that the type field matches the tee_type claim. Verifiers MAY use the summary field for fast comparison against known-good values before inspecting individual registers.¶
evidence_ref
The "evidence_ref" claim is an OPTIONAL URI pointing to a resource that
contains the full RATS Evidence (e.g., in CWT or EAT format). The resource
MUST be accessible over HTTPS with TLS 1.2 or higher, and verifiers MUST
validate the server certificate according to their trust policy.¶
This claim enables the deep-path verification tier. When present, relying parties MAY retrieve the full evidence for cryptographic verification of the complete attestation chain. This is RECOMMENDED for high-assurance scenarios or when local policy requires validation beyond the measurements claim.¶
Example: https://kbs.customer.example/evidence/abc123¶
The evidence resource MAY be hosted by a customer-operated Key Broker Service (KBS) or cloud provider attestation service. Verifiers MUST authenticate the evidence source and validate signatures according to their trust policy.¶
Alternatively, full Evidence MAY be embedded directly as a separate claim
(e.g., evidence_cwt), but this is NOT RECOMMENDED due to size
constraints in HTTP headers. The measurements + evidence_ref approach provides
better performance and scalability.¶
This section defines the structure of the registers object for each supported TEE type. Implementations MUST follow these formats when generating or validating measurements claims.¶
For tee_type="intel-tdx", the measurements type MUST be "tdx-rtmr"
and the registers object MUST contain Runtime Measurement Registers (RTMRs):¶
{
"type": "tdx-rtmr",
"algorithm": "sha384",
"registers": {
"rtmr0": "hex_encoded_48_bytes",
"rtmr1": "hex_encoded_48_bytes",
"rtmr2": "hex_encoded_48_bytes",
"rtmr3": "hex_encoded_48_bytes"
},
"summary": "sha384:abc123..."
}
RTMR semantics:¶
rtmr0: Initial boot measurements (BIOS, bootloader)¶
rtmr1: OS loader and kernel measurements¶
rtmr2: System configuration measurements¶
rtmr3: Application and runtime measurements¶
All RTMR values MUST be hex-encoded SHA-384 hashes (96 hex characters). The summary field SHOULD be the SHA-384 hash of the concatenation of rtmr0||rtmr1||rtmr2||rtmr3.¶
The measurement format for tee_type="amd-sev-snp" is TBD.
Future versions of this specification will define the snp-pcr format
including vTPM PCR values and SNP-specific launch measurements.¶
The measurement format for tee_type="intel-sgx" is TBD.
Future versions of this specification will define the sgx-mr format
including MRENCLAVE and MRSIGNER values.¶
New TEE types can be supported by defining a new measurement type and corresponding registers structure. Implementations encountering an unknown type value MUST either reject the WIT or fall back to evidence_ref verification if present.¶
To register a new TEE type and measurement format, follow the IANA registration process defined in Section 7.2. The registration MUST include:¶
The following figure shows a complete example of a WIT payload containing attestation measurements:¶
{
"sub": "spiffe://example.com/ns/default/sa/workload-a",
"iss": "https://wimse-ca.example.com",
"iat": 1700000000,
"exp": 1700003600,
"jti": "a1b2c3d4-e5f6-7890-g1h2-i3j4k5l6m7n8",
"attested_environment": true,
"tee_type": "intel-tdx",
"measurements": {
"type": "tdx-rtmr",
"algorithm": "sha384",
"registers": {
"rtmr0": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456789012345678901234567890abcd",
"rtmr1": "f1e2d3c4b5a67890123456789012345678901234567890abcdef1234567890abcdef123456789012345678abcd",
"rtmr2": "1a2b3c4d5e6f78901234567890123456789012345678901234567890abcdef1234567890abcdef1234567890ab",
"rtmr3": "9f8e7d6c5b4a321098765432109876543210fedcba9876543210fedcba9876543210fedcba987654321098ab"
},
"summary": "sha384:2f5d8c9e1a3b7f4e6d8c2a1b9e7f3d5c8a4b6e1f9d3c7a5b2e8f4d1c6a9b3e7f"
},
"evidence_ref": "https://kbs.customer.example/evidence/tdx/abcd1234"
}
This JSON represents the payload (claims set) of a signed WIT JWT. The attestation claims (attested_environment, tee_type, measurements, evidence_ref) are standard top-level members of the JWT payload. The measurements enable fast-path policy evaluation, while evidence_ref provides access to full attestation evidence for deep verification when required.¶
The entire WIT is base64url-encoded and signed (e.g., using RS256), forming the token transmitted in the Workload-Identity-Token header. A typical WIT with embedded measurements is approximately 800-1200 bytes when encoded, suitable for HTTP headers.¶
As required by [I-D.ietf-wimse-s2s-protocol], the WIT MUST be bound to the HTTP request using OAuth 2.0 DPoP [RFC9449].¶
Note that the DPoP proof binds to the exact WIT string via the "ath"
claim, which contains the SHA-256 hash of the WIT presented in the
Workload-Identity-Token header, ensuring that the attestation claims cannot be
substituted or replayed.¶
The DPoP private key is assumed to be securely held by the workload; this specification does not define how the relying party verifies that the DPoP key was generated within the attested TEE. This verification is delegated to the WIT issuer, which validates the TEE evidence before issuing the WIT.¶
The following diagram illustrates how a workload in Domain A (e.g., Cloud Provider X) authenticates to a service in Domain B (e.g., Cloud Provider Y) using a WIT that carries attestation measurements. The two-tier verification model enables both fast-path policy evaluation and optional deep verification, with DPoP ensuring request binding and replay protection.¶
+----------------+ +----------------+ +----------------+
| Workload A | | Service B | | Attestation |
| (Domain A) | | (Domain B) | | Verifier / |
| | | | | Policy Engine |
+----------------+ +----------------+ +----------------+
| | |
| 1. Generate WIT with | |
| attestation claims | |
| (e.g., tee_type, | |
| attested_environment)| |
|------------------------>| |
| 2. Create DPoP proof | |
| bound to WIT (ath) | |
| and HTTP request | |
|------------------------>| |
| | 3. Validate DPoP: |
| | - Signature |
| | - htu/htm match |
| | - jti not replayed |
| | - ath == hash(WIT) |
| |------------------------>|
| | 4. Fetch Evidence (if |
| | evidence_ref present)|
| |<------------------------|
| | 5. Evaluate attestation |
| | against local policy |
| | (e.g., "only intel-tdx")|
| | |
|<------------------------| 6. Accept or reject |
| Request | based on result |
| | |
+-------------------------+-------------------------+
Steps in detail:¶
attested_environment,
tee_type, measurements, optionally evidence_ref).
The measurements claim contains TEE-specific register values that enable
fast policy evaluation.¶
ath claim, along with the HTTP method
(htm) and URL (htu). This binds the attestation measurements
to this specific request.¶
Workload-Identity-Token and DPoP headers.¶
evidence_ref (over TLS) and perform cryptographic
verification of the complete attestation chain. This includes validating the
TEE hardware signature, verifying the certificate chain to root-of-trust,
checking TCB (Trusted Computing Base) status, and validating measurements match
the evidence. Service B MAY cache the evidence verification result to avoid
repeated fetches for subsequent requests from the same workload.¶
Access Decision: Based on the evaluation, Service B grants or denies access. The verification tier used (fast-path vs. deep-path) MAY be logged for audit purposes.¶
Note that no direct trust relationship between the TEE attestation root (e.g., Intel TDX root key) and Domain B is required. Instead, Domain B relies on its configured policy about which TEE types it accepts.¶
This specification assumes the following trust model and threat environment:¶
Trust Assumptions:¶
Future versions of this specification may define mechanisms for cryptographically binding the DPoP key to the TEE measurements, enabling relying parties to verify this binding independently of the issuer.¶
Attacker Model:¶
Out of Scope: This specification does not address attacks against the TEE hardware itself (e.g., side-channel attacks, physical attacks), nor does it address compromise of the WIT issuer's signing keys. Protection against such threats requires additional operational and architectural measures outside the scope of this document.¶
The following security considerations apply to implementations of this specification:¶
jti and request binding (htm, htu,
ath) prevents replay of WITs containing attestation measurements.
The ath claim cryptographically binds the measurements to this
specific request, preventing an attacker from reusing measurements from
a compromised token.¶
This document registers new claims in the "JSON Web Token Claims" registry established by [RFC7519].¶
IANA is requested to create a new registry titled "WIMSE WIT TEE Types" under the "WIMSE" namespace. This registry maintains identifiers for Trusted Execution Environment types used in the tee_type claim.¶
Registration of new TEE type values follows the "Specification Required" policy as defined in [RFC8126]. The designated experts are appointed by the IETF Security Area Directors. The designated expert SHALL verify that:¶
In case of dispute or disagreement with the designated expert's decision, the registrant may appeal to the IETF Security Area Directors.¶
The registration template consists of the following fields:¶
The initial registry contains the following entries:¶
| TEE Type | Description | Measurement Type | Reference |
|---|---|---|---|
| intel-tdx | Intel Trust Domain Extensions | tdx-rtmr | [[THIS DOCUMENT]], Section 3.5.1 |
| amd-sev-snp | AMD Secure Encrypted Virtualization - SNP | TBD | [[THIS DOCUMENT]], Section 3.5.2 |
| intel-sgx | Intel Software Guard Extensions | TBD | [[THIS DOCUMENT]], Section 3.5.3 |
| arm-cca | ARM Confidential Compute Architecture | TBD | TBD |