| Internet-Draft | Intra-vs-post | January 2026 |
| Sardar | Expires 26 July 2026 | [Page] |
This document presents a taxonomy of extending TLS protocol with remote attestation, referred to as attested TLS. It also presents high-level analysis of benefits and limitations of each category, namely pre-handshake attestation, intra-handshake attestation and post-handshake attestation.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://muhammad-usama-sardar.github.io/seat-intra-vs-post/draft-usama-seat-intra-vs-post.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-usama-seat-intra-vs-post/.¶
Discussion of this document takes place on the Secure Evidence and Attestation Transport Working Group mailing list (mailto:seat@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/seat. Subscribe at https://www.ietf.org/mailman/listinfo/seat/.¶
Source for this draft and an issue tracker can be found at https://github.com/muhammad-usama-sardar/seat-intra-vs-post.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 July 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Based on our extensive analysis of attested TLS [Tech-Concepts], we classify attested TLS into three main categories:¶
In pre-handshake attestation, the signing of Claims [Tech-Concepts] precedes the TLS handshake, while post-handshake attestation applies the reverse. Intra-handshake attestation requires the signing of Claims to be done within the TLS handshake protocol.¶
In this version, we analyze the three categories (without combinations) with a focus on the last two, i.e., intra-handshake attestation and post-handshake attestation.¶
The current scope of this draft is existing specifications and real-world implementations pointed in the given references. Any theoretical solutions are currently out of scope until some specification or implementation emerges.¶
For simplicity, we consider simple Attester with only one Attesting Environment and only one Target Environment [RFC9334]. That is, complicated scenarios such as Composite Device [RFC9334] etc. are out of scope in this version.¶
From RATS perspective, we consider Background Check Model [RFC9334]. Future versions will add Passport Model [RFC9334].¶
From TLS perspective, the scope is limited to TLS 1.3 as per [SEAT-Charter]. That is, older versions of TLS are explicitly out of scope.¶
Regarding remote attestation, we note that:¶
Remote attestation provides guarantees about the state of Attester only at the time at which signing of Claims is done to generate Evidence [Tech-Concepts].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
We use terminology from [RFC9334] and [I-D.ietf-tls-rfc8446bis] slightly loosely (intentionally) for readability. Future versions will tighten it.¶
In addition, we define three temporal terms:¶
In certain deployments, there may be benefits for pre-handshake attestation. As Yaroslav Rosomakho (as individual contributor) observes [Yaroslav-22Jan]:¶
no modification of TLS, no changes to application protocols, and potential caching/scalability.¶
He (as individual contributor) further explains [Yaroslav-22Jan]:¶
Many signed artifacts carry issuance time and validity constraints (e.g., JWT iat/exp [RFC7519], HTTP Message Signatures created/expires [RFC9421], SAML conditions [SAML]). A timestamp alone is not the same as freshness, but a short validity window plus a trustworthy time source can be an acceptable assurance mechanism in some deployments. Likewise, some schemes can provide stronger freshness via verifier-chosen challenges or monotonic counters.¶
There are also security concerns on pre-handshake attestation for use cases such as confidential computing Section 8. Since the Evidence Generation Time could be at any arbitrary point of time in the past compared to the Connection Establishment Time in the case of untrusted clocks as in confidential computing, pre-handshake attestation provides no guarantees about the state of Attester at the Connection Establishment Time and during the Lifetime of Connection.¶
In general, intra-handshake attestation improves the situation where Evidence Generation Time is the same as Connection Establishment Time, assuming freshness mechanisms, such as unpredictable, single-use challenge and clear replay handling, are in place.¶
In following subsections, we present the benefits and limitations of intra-handshake attestation.¶
Intra-handshake attestation does not require a new application-layer protocol or message exchange. Evidence and related metadata are conveyed within handshake via TLS extensions. TLS is responsible for conveyance of the Evidence; it does not perform appraisal of Evidence or authorization. Appraisal of Evidence, policy evaluation, and trust decisions are performed by application-level components that consume the attestation properties exposed by the TLS stack. As a result, while no new application-layer protocol is required, applications do incorporate additional trust logic to interpret attested connection properties and make security-relevant decisions.¶
Related to this, Markus Rudy shares his practical experience [Markus-16Jan]:¶
Conveying the evidence is not enough, it needs to be verified as well in order to end up with a trustworthy channel. We decided to integrate verification into the handshake, too, but that has massive drawbacks: Verification can take orders of magnitude longer than normal TLS handshakes, and usually involves remote calls, affecting all sorts of timeouts. However, doing the verification at the application level would require forwarding information from the handshake (e.g. nonce), at which point the application needs to be fully aware of the handshake protocol in order to verify it, breaking the intended layering.¶
It is claimed that intra-handshake attestation avoids extra round trips for use cases which require remote attestation only once during Connection Establishment Time.¶
However, this may only be valid in cases when the Connection Establishment Time without remote attestation is significantly higher than the time for generation and appraisal of Evidence, such as cross-continent. For instance, Markus Rudy shares his practical experience [Markus-16Jan]:¶
I don't think saving extra roundtrips is an appropriate design goal when attestation is required. Generating evidence alone takes much longer than normal network roundtrip times, not even speaking of verification.¶
On request, he kindly conducted an experiment and shared his preliminary results of experiment based on attested TLS implementation in Edgeless Systems Contrast where Coordinator is one of the components [Markus-19Jan]:¶
I did a quick experiment in our testing lab, running on the same machine as the Coordinator:¶
TCP connections are local, and thus the TCP connection establishment unsurprisingly takes only 0.5ms. But even to neighbouring nodes in the same cluster, the TCP handshake takes below 2ms.¶
I measured generation of evidence including the TLS session establishment, but with these numbers I don't think it makes a lot of difference:¶
SNP: Median time of 140ms from TCP SYN to TLS channel established and evidence sent to the client.¶
TDX: Median time of 1020ms, same procedure. I don't know why it is that slow, it should only be making machine-local remote calls, if any.¶
So far, I only managed to measure TDX verification, which adds another 340ms. This is bound by remote HTTP requests, afaiu, and could be optimized with locally cached collateral, CRL, etc. I'd expect SNP to exhibit similar timing, because verification does similar remote calls.¶
AMD is probably quicker because they're trading off with the appraisal time: the AMD report is not self-contained and can be generated with only the VM and the SP, but for verification you need to fetch the VCEK from somewhere, whereas the Intel quote includes the PCK cert and possibly other things that need to be fetched from a host service, if not the internet.¶
We summarize that in the following table:¶
| Property | Intel TDX | AMD SEV-SNP |
|---|---|---|
| Generation of Evidence + TLS | 1020 | 140 |
| Appraisal of Evidence | 340 | not available (expected ca. 340) |
However, Yaroslav Rosomakho (as individual contributor) raises a concern [Yaroslav-22Jan]:¶
The argument that avoiding an extra RTT is not a relevant goal may depend heavily on deployment topology (LAN vs same-region vs cross-continent).¶
We invite the WG to submit their analysis results for cases such as:¶
Since limited Claims are available at the Evidence Generation Time, it does not provide complete security posture of the Attester, such as runtime integrity of Attester. Examples include dynamic Claims, such as weights of trained model and contextual data in the case of AI agents/agentic AI [I-D.jiang-seat-dynamic-attestation], [Edward-20Jan], [I-D.aylward-aiga-1]. These dynamic Claims are neither available for pre-handshake attestation nor for intra-handshake attestation.¶
To be made secure for confidential computing, it requires invasive changes in TLS protocol, as deep as key schedule and adding or modifying existing handshake messages [ID-Crisis], which are explicitly out of scope of [SEAT-Charter]:¶
The attested (D)TLS protocol extension will not modify the (D)TLS protocol itself. It may define (D)TLS extensions to support its goals but will not modify, add, or remove any existing protocol messages or modify the key schedule.¶
A detailed analysis of different binding mechanisms for intra-handshake attestation has been shared with the WG [RelayAttacks].¶
It provides no guarantees about the state of Attester during the Lifetime of Connection. This is a security concern in long-lived connections where state of Attester (at workload or platform level) may change after Connection Establishment Time. Examples include AI agents/agentic AI [I-D.jiang-seat-dynamic-attestation], [Edward-20Jan], [I-D.aylward-aiga-1]. Note that session resumption is a new connection [I-D.ietf-tls-rfc8446bis].¶
Because of signature in Evidence generation and verification of signatures during appraisal, this leads to high handshake latency. This may not be desirable for some applications.¶
Markus Rudy shares his practical experience [Markus-16Jan]:¶
Conveying the evidence is not enough, it needs to be verified as well in order to end up with a trustworthy channel. We decided to integrate verification into the handshake, too, but that has massive drawbacks: Verification can take orders of magnitude longer than normal TLS handshakes, and usually involves remote calls, affecting all sorts of timeouts. However, doing the verification at the application level would require forwarding information from the handshake (e.g. nonce), at which point the application needs to be fully aware of the handshake protocol in order to verify it, breaking the intended layering.¶
As Yaroslav Rosomakho (as individual contributor) observes [Yaroslav-22Jan], note that Post-Quantum (PQ) transition may change the baseline. We argue that while PQ is unavoidable within TLS handshake, remote attestation is avoidable (see Section 6).¶
With several attacks (see Section 8), attestation in TEEs may not yet be mature enough to be integrated within TLS handshake.¶
Ayoub Benaissa remarks [Ayoub-16Jan]:¶
TLS might not be well suited to include this in its protocol. Not sure TEEs are even as mature for the people to see that it should be included right now. The plan to make it a post-handshake protocol makes more sense right now. A future where it's incorporated into TLS might exist, but I don't think there is enough motivation right now.¶
Markus Rudy shares his practical experience [Markus-16Jan]:¶
"Keeping attestation out of the application logic" is not as straightforward as it sounds. In the background-check model, the attester needs to collect evidence in response to the relying party's challenge (nonce). We were lucky that the Golang TLS stack can be supplied with arbitrary closures that are called during the handshake, but in my experience this is a rare design choice and may also be difficult to implement in other languages.¶
Ayoub Benaissa remarks [Ayoub-16Jan]:¶
An intra-handshake requires much more work compared to a post-handshake. People need to agree on how to add this as optional in TLS (we can't force everyone to use it of course), the standard needs to be implemented by major libraries, and then it will be available in major client/server applications. If any of the prior steps doesn't go through, it means you have to patch your components to make it work, which is not convenient / less secure.¶
Markus Rudy shares his practical experience [Markus-16Jan]:¶
There's only so much information in a TLS alert message, and it's definitely not enough to understand remote verification failures. While I understand this to be a deliberate design choice by TLS, I found this to be a hindrance for operating and debugging a large number of services in practice.¶
Post-handshake attestation improves the situation further by signing the Claims during Lifetime of Connection, i.e., at the time when it is actually required. Hence, together with use cases requiring one-time attestation, it covers the use cases of long-lived connections requiring re-attestation. For post-handshake attestation, first round of remote attestation MUST be done immediately after Connection Establishment Time, and Relying Party (RP) [RFC9334] MUST not send any secure data until Evidence is successfully appraised.¶
As Yaroslav Rosomakho (as individual contributor) proposes [Yaroslav-22Jan]:¶
an explicit shim or gating layer that performs attestation after the TLS handshake completes but before any application data is exchanged. This is operationally distinct from both intra-handshake attestation and fully application-integrated post-handshake attestation. Such an approach could preserve standard TLS handshake behaviour and latency characteristics, avoid invasive TLS changes, and still prevent application data from flowing until attestation succeeds. It may also mitigate some of the application-layer complexity by localizing attestation handling to a well-defined enforcement point (e.g., a sidecar or connection gate) rather than requiring per-protocol integration.¶
So a promising idea is to have an attested TLS library as a layer in between TLS implementation and application layer.¶
TLS (any implmentation) -> Attested TLS library -> Application Layer¶
In following subsections, we present the benefits and limitations of post-handshake attestation.¶
In general, it allows re-authentication and re-attestation without tearing down the connection.¶
Since all Claims are available at the time of post-handshake attestation (during Lifetime of Connection), it provides complete security posture of the Attester.¶
It does not require any change in TLS protocol.¶
It provides guarantees about the state of Attester during the Lifetime of Connection. This is particularly helpful in long-lived connections where state of Attester may change after Connection Establishment Time.¶
Since the signature in Evidence generation and verification of signatures during appraisal happen after Connection Establishment Time, there is no additional latency.¶
Yaroslav Rosomakho (as individual contributor) shares his concern [Yaroslav-22Jan]:¶
I don't think that moving latency related to attestation into after handshake is always a good thing. In some real-time and streaming applications, a spike after the session is established may be much more disruptive than paying a cost during the handshake.¶
We believe this concern can be resolved by the layering described in Section 5.¶
Except for first round of remote attestation, post-handshake attestation outperforms the intra-handshake attestation (one round trip), which requires re-establishing the connection (1.5 round trip).¶
Ayoub Benaissa remarks [Ayoub-16Jan]:¶
We already implemented a post-handshake protocol and have a full demo working. We were able to do this in a matter of weeks. That's because you don't need to modify any TLS implementation, but only add a few verification steps after the usual TLS handshake. This is almost the same on the client and server side.¶
Production-grade deployments, including Google STET [Keith-STET-CCC] and SCONE [SoK-Attestation], exist.¶
Post-handshake attestation has relatively easier formal analysis and verification. The same may apply to audit.¶
Markus Rudy remarks [Markus-16Jan]:¶
(Formal) verification of a protocol and audit of its implementations might be much easier if it ran on top of TLS. Existing proofs and certifications would not need to be reevaluated.¶
In post-handshake attestation, design, verification and audit effort will be one-time and any protocol (e.g., Noise) which has support for exporters can then use it without changing each and every protocol.¶
Markus Rudy shares this requirement [Markus-16Jan]:¶
It should be possible to port the general shape of a post-handshake attested TLS protocol to other protocols that provide secure channels and session binding (Noise comes to mind).¶
Post-handshake attestation may require changes at the application layer. However, changes at the application layer do not necessarily imply modifications to application business logic or data exchange protocols. Attestation-related functionality may be realized via application-level signalling (Exported Authenticators [RFC9261]) and trust logic, which may be implemented in intermediary components (e.g., proxies, sidecars, or middleware) on both client and server sides. These components are responsible for exchanging and appraising attestation evidence and enforcing trust or authorization decisions before application data is processed. This is analogous to common production deployments in which TLS termination and certificate handling are performed by a fronting proxy, while the application itself remains unchanged and resides behind it.¶
We argue that post-handshake attestation is unavoidable (e.g., re-attestation to track changes after Connection Establishment Time for long-lived connections). Use cases where pre-handshake attestation and intra-handshake attestation are insufficient include AI agents/agentic AI [I-D.jiang-seat-dynamic-attestation].¶
Intra-handshake attestation only adds unnecessary complexity which is avoidable. All identified use cases [I-D.mihalcea-seat-use-cases] where intra-handshake attestation seems suitable can be covered by post-handshake attestation (by doing attestation round immediately after Connection Establishment Time) but not the other way around.¶
[SEAT-Charter] includes TLS client as RATS Attester. Client could be a low-power IoT device. There are use cases where periodic or on-demand attestation is required, such as periodic attestation for long-lived, low-power IoT devices or in IoT swarms that need to synchronize software versions before coordinated operations or after configuration updates.¶
Moreover, we note some observations from LAKE WG:¶
Michael Richardson shares his insight [MCR-LAKE]:¶
I have a half-written document on putting EAT into the full BRSKI protocol. A reason that I stopped is that I realized that doing security posture evaluation at onboarding time (only) wasn't enough. It has to be done regularly. So having a protocol used at onboarding time and another one during normal operation meant that the onboarding one would have bugs that never get fixed, since the code only runs once.¶
He further shares [MCR-LAKE2]:¶
My contention, which I think the group agreed with, is that one probably wants to do continuous assurance, that is, to repeat the remote attestation.¶
Do you want to have two protocols and two code paths? (redundant code in a constrained device?). I suggested that maybe the remote attestation should use it's own /.well-known Path, and that it would just occur after onboarding, and regularly onwards. Maybe it's weird to onboard a device only to kick it out again immediately because it failed remote attestation, but given continuous assurance, this could happen at any time.¶
Göran Selander observes [Goran-LAKE]:¶
Indeed, if the authentication procedure is repeated at a later stage, for whatever reason, e.g. key rotation, it should be possible to repeat the attestation procedure.¶
Prominent implementations of intra-handshake attestation are all vulnerable to relay attacks [RelayAttacks]. Some of them are abusing the extensions of TLS, such as SNI and ALPN, for conveyance of attestation nonce [RelayAttacks].¶
Google [Keith-STET-CCC], Microsoft [Stunes-vTPM-CCC], and SCONE [SoK-Attestation] are all using post-handshake attestation.¶
Most of the document is about security considerations. Also, Security Considerations of [RFC9334] and [I-D.ietf-tls-rfc8446bis] apply. In addition:¶
Pre-handshake attestation is vulnerable to replay [RA-TLS] and diversion [ID-Crisis] attacks. Moreover, pre-handshake attestation leads to a single point of failure.¶
Without significant changes to the TLS protocol: Intra-handshake attestation is vulnerable to diversion attacks [ID-Crisis]. We reported these attacks to TLS WG in February 2025 [Usama-TLS-26Feb25]. A formal proof is available [ID-Crisis-Repo] for further research and development. Since reporting to TLS WG, these attacks have been practically exploited in TEE.fail, Wiretap.fail, and BadRAM. More recently, we found that intra-handshake attestation also does not bind the Evidence to the application traffic secrets, resulting in relay attacks [RelayAttacks]. A detailed analysis of binding mechanisms is available at [RelayAttacks].¶
No attacks on post-handshake attestation are currently known. Post-handshake attestation avoids replay attacks by using fresh attestation nonce. Moreover, it avoids diversion and relay attacks by binding the Evidence to the underlying TLS connection, such as using Exported Keying Material (EKM) [I-D.ietf-tls-rfc8446bis], as proposed in Section 9.2 of [ID-Crisis]. [RFC9261] and [RFC9266] provide mechanisms for such bindings. Efforts for a formal proof of security of post-handshake attestation are ongoing.¶
From the view of the TLS server, post-handshake attestation offers better security than intra-handshake attestation when the server acts as the Attester. In intra-handshake attestation, due to the inherent asymmetry of the TLS protocol, a malicious TLS client could potentially retrieve sensitive hardware-level information from the Evidence without the client's trustworthiness (i.e., authentication) first being established by the server. This information (e.g., vulnerable firmware version) can be exploited for attacks. In post-handshake attestation, the server can ask for client authentication and only send the Evidence after successful client authentication.¶
This document has no IANA actions.¶
We gratefully thank the following:¶
Peg Jones for review of early draft before submission of -00¶
Paul Wouters for review of section 4 of -00¶
Ayoub Benaissa for review of -00 and sharing his practical experiences¶
Markus Rudy for review of -00 and sharing his practical experiences and for conducting experiments with TDX and SNP on our request¶
Mike Bursell (Executive Director, Confidential Computing Consortium) for review of -01 [Mike-19Jan]¶
Yaroslav Rosomakho (as individual contributor) for detailed review of -02 [Yaroslav-22Jan]¶
Pavel Nikonorov (GENXT / IIAP NAS RA) contributed text in Section 4.1.1 and Section 5.2.1.¶
-01¶
Added scope section to address comments of Paul Wouters¶
Added comments of Ayoub Benaissa as quotes¶
Added some subsections to incorporate practical experiences of Markus Rudy¶
Extended security considerations¶
-02¶
Added experiments by Markus Rudy¶
Removed our experiments¶
Added reference to use cases document to address comment of Mike Bursell¶
-03¶