►
From YouTube: RATS Architecture Design Team, 2020-10-06
Description
RATS Architecture Design Team, 2020-10-06
A
Don't
really
know
well,
the
best
part
is
teddy
ruxpin
teddy
ruxpin's,
another
character
that
involves
stuffed
animals
and
and
the
best
part
about
it.
Is
that
the
the
villains
that
they're
opposed
to
have
a
union
and
and
when
they
get
to
a
union,
just
fine
break
the
the
villains
they
stop
like
to
go
and
have
a
coffee.
C
A
A
A
A
G
What
can
we
these?
So?
I
think
actually
some
of
these
are
really
hard.
Okay
and
some
aren't,
I
think
the
tester
verifier
one.
I
I
didn't.
I
actually
made
a
comment.
I
don't
know
how
to
deal
with
this
one
today,
because
it
was
so
overloaded
with
different
issues
of
text
and
a
general
disagreement
of
how
this
pr
should
be
handled
in
general,
and
that
was
very,
very
difficult
for
me
to
address
right
now.
G
G
A
A
G
D
D
H
D
Think
your
main
comment
lawrence
is
that
the
word
implicit
you
find
confusing
there,
and
I
would
not
disagree
with
that.
I
think
the
when
you
look
at
the
term
root
of
trust
right,
usually
when
people
talk
about
a
root
and
you
think
about
like
a
certificate
chain
or
the
thing
that
you're,
comparing
against
your
trust,
anchor
list
root
would
be
the
root
of
the
chain.
If
you
are
using
say
endorsements,
then
the
local
hardware
is
in
fact
not
the
root
right.
D
The
endorser
is,
and
so
it
might
be
equally
incorrect
to
refer
to,
in
this
case
the
piece
of
hardware
as
a
route
of
trust,
because
it's
not
the
manufacturer
is
signing
it
and
therefore
it's
not
the
route.
The
manufacturer
is
right,
and
so
that
is
sentence
I
agree,
is
a
little
bit
confusing
in
the
remote
attestation
case.
D
D
G
Yes,
so
this
is
so
so
this
is
saying
I
I
agree
with
dave
that
this
text
is
basically
still
everything
about.
This
is
a
remote.
I
made
a
comment
in
this
section
here
that
is
closely
not
visible,
just
a
little
bit
down,
and-
and
so
so
this
is
the
first
observation
is
this
is
about
remote
attestation
and
it's
all
applicable
to
even
the
parts
about
hardware
and
level
of
assurance
are
applicable
here.
D
Is
do
we
actually
need
to
use
the
term
root
of
trust,
or
can
we
just
delete
that
line,
because
all
the
rest
of
the
text
is
fine?
This
is
just
trying
to
say
introduce
the
term
root
of
trust.
In
some
way.
Do
we
actually
need
to
use
that
elsewhere
in
the
document?
If
we
never
use
the
term
word
of
trust
anyplace,
we
can
just
delete.
D
D
D
D
B
A
Think
I
don't
think
it's
referring
to
local
attestation.
I
think
that
that
what
it's
referring
to
is
that
that
bootloader,
whether
it's
a
hypervisor
or
a
one
block
thing
that
thing
that
that
that
measures
itself
is
effectively
the
verifier
puts
some
implicit
trust
that
it
knows
what
it's
it's
it's
work.
It's
doing!
That's
what
I
understand.
D
My
understanding
was
that
the
key
material
that
is
used
in
remote
attestation,
in
the
case
that's
being
talked
about
the
weaker
security
case,
that
key
material
is
not
provisioned
into
the
hardware
that
key
material
might
be
provisioned
into
the
hypervisor
and
say
you
might
have
a
hypervisor
in
dorser
and
so
on,
and
that's
what
you're,
using
in
your
remote
attestation
case.
That's
how
I
read
it
saying
it's
just
not
baked
into
the
hardware
and
so
it's
weak
for
security,
and
that's
why
797
says
it's
stronger
when
you
can
make
it
into
the
hardware.
B
D
No,
what
you're
the
key,
what
what
that
means?
You're,
implicitly
trusting
that
that's
the
correct
key
material
right,
because
you're
not
completely
simplistically
trusting
in
this
exam
in
the
eg
hypervisor
you're,
not
implicitly,
trusting
the
operating
system.
The
hypervisor
is
the
testing
environment.
The
os
is
the
target
environment,
so
the
hypervisor
generates.
The
evidence
sends
it
off
to
the
verifier.
The
verifier
verifies
it
using
the
key
material
that
was
provisioned
at
the
hypervisor.
J
J
D
D
D
G
Yeah,
no,
it
doesn't
so
you
don't
know
why
they
are
highlighting
this
is
trusted,
so
that
implicitly
gives
the
sentence
some
gravitas
by,
because
now
you
understand
why
this
trust
relationship
is
highlighted.
If
you
remove
implicitly,
you
have
to
add
something
here.
Otherwise
the
sentence:
it's
just
a
weird
fact
that
you
highlighted
you
can
just
remove
the
sentence.
I
think.
D
D
A
D
Trust
perspective,
I
can
tell
you
what
I'm
thinking,
which
is
different
from
what
the
text
says,
and
what
I
can't
tell
is
whether
I
want
to
change
the
text
to
say
what
I'm
saying
or
whether
I'm
missing
some
other
point.
The
text
is
trying
to
get
across
to
me.
The
trust
model
is
you
can
trust,
so
one
approach
is
to
say:
I'm
going
to
trust
the
endorser
and
it's
the
endorser's
job
to
to
tell
me
which
devices
I
should
trust
right.
So
that's
one
model,
and
so
I'm
not
trusting
the
device.
D
D
D
I
implicitly
trust
the
manufacturer
and
I
establish
direct
trust
in
the
device,
and
so
I
get
as
the
owner
of
the
device
that
runs
a
verifier.
In
an
example,
I
get
the
key
from
the
device
I
manually
inspect
the
device
I
go
through
whatever
security
vetting,
and
then
I
put
that
device's
public
key
in
my
trust,
anchor
store.
It
says
I
trust
that
specific
instance,
because
I've
checked
out
this
particular
device
and
think
that
it's
good
independent
of
what
the
manufacturer
says
that
one
you
might
claim
is
weaker.
Some
people
might
claim
it
stronger.
D
I
wouldn't
get
into
that.
I
would
just
say
it's
more
of
a
direct
trust
in
a
device
rather
than
an
indirect
trust
in
a
device
via
the
manufacturer
that
one
does
have
the
property
that
says
just
because
they
device
this
manufacture
manufacturer.
I
don't
trust
it.
I
only
trust
the
ones
that
are
mine,
so
the
three
of
them
that
I
bought
are
the
ones
that
I
trust
not
the
three
that
are
in
the
attacker's
possession
and
so
that's
worth
discussing.
B
D
Is
a
direct
and
there's
an
indirect
indirect
says,
whatever
the
manufacturer
says
is
good
for
me
direct
says
only
the
three
that
I
vetted
myself,
you
know
inspected
to
say
these
are
the
three
keys
that
are
actually
in
my
possession
that
I
have
the
physical
protection
around.
So
nobody
can
do
physical
tampering
on
them
because
I
know
which
ones
these
are,
and
then
I
put
those
three
in
there
and
that's
what
that's.
What
I
might
personally
refer
to
as
direct
trust
and
indirect.
D
Correct
well
often,
yes,
I
don't
know
if
there's
a
case
where
the
answer
would
be
no,
but
my
expectation
would
be
yeah
absolutely
and
I'm
just
using
say
I'm
extracting
the
public
key
when
I
vet
that
device
and
I
buy
it,
and
I
make
sure
that
this
is
the
one
that
I
know,
and
so
I
put
that
say
public
key
into
my
trust-
anchor
store
in
the
verifier
directly,
so
that
I
don't
care
what
the
manufacturer
says
because
he's
going
to
vouch
for
zillions
of
other
devices.
He
made.
D
B
D
D
D
D
J
D
C
J
So
I
think,
there's
another
concept
that
potentially
this
line
is
trying
to
address,
which
is
the
notion
that
we,
that
weaker
trust
is
based
on
complexity.
So,
as
I
kind
of
go
from
a
very
simple
route
of
trust
architecture,
to
a
very
complex
route
of
trust
architecture
based
on
a
hypervisor,
one
could
argue
that
because
of
the
complexity,
it's
weaker
and
so
there's
a
lot
of
implicit
trust
built
around
that
larger
tcb.
If
you
will,
but
you
could
still
have
you
know
an
implicit
trust
in
the
vendor
that
says
I.
J
J
You
could
have
a
but
you,
but
if
you
were
just
talking
about
complexity
and
and
in
the
context
of
complexity
where
in
theory,
everything
is
done
right
right
just
you
know
it's
like
whoever
did
this
knew
what
they
were
doing.
They're
the
smartest
people
on
the
planet.
They
did
it
the
best
way
possible,
but
it's
still
more
complex
and
so
the
complexity.
B
J
A
D
I'm
gonna
be
quiet
for
about
five
minutes,
while
I
author
some
text
just
for
you
guys
to
review,
and
so
I'm
not
gonna
change
any
of
this,
I'm
going
to
generate
a
a
a
delta
that
might
add
two
paragraphs
into
here
and
then
we
can
decide
what
to
do
with
these,
whether
to
keep
any
of
mine
whether
to
merge
them
into
here,
whether
whether
you
use
my
replay
stuff
or
whatever,
I'm
not
sure
yet.
But
let
me
I'm
going
to
write
two
paragraphs,
so
I'm
just
going
to
be
quiet
for
five
minutes.
A
G
H
G
G
J
G
G
G
K
J
G
G
G
G
E
C
J
H
J
J
G
G
D
D
G
G
B
J
B
J
A
Don't
like
that,
I
don't
like
endorser,
because
I
think
of
the
reasons
that
that
lawrence
is
given
is
that
I
that
it's
not
necessarily
the
it's
not
necessarily
a
required
role,
but
I
do
like
the
word
endorsement
and
and
where
I
think
lawrence
and
I
differ,
is
that
I
think
that
endorsement
doesn't
isn't
always
signed.
It
sometimes
just
arrives
in
a
trusted
fashion,
because
it's
keyed
into
the
verifier
by
the
verifier's
owner.
Oh
no,
I
don't
know.
I.
A
G
J
D
A
So
so
so,
in
my
mind,
endorsement
is,
is
key
and
that
it's
bizarre,
maybe
to
think
that
you
can
have
an
endorsement
without
an
endorser.
But
what
I'm
trying
to
say
is
that
it's
in
it
that
relationship
is
is
one
where
we
we
do
something
cryptographically
and
if
it
just
arrives
by
fedex
on
a
piece
of
paper,
you
can
still
get
an
endorsement.
That
way.
L
A
Exactly
I
I
I
take
your
point
okay,
but
I'm
trying
to
say
is
that
so
what
I
really
did
is
I
made
a
measurement
at
some
point
of
of
some
characteristics
of
that
specific
system,
and
then
I
locked
them
down
on
the
verifier
right
and
that's
that's
what
I
did
and
yes,
I'm
the
I'm
acting
in
the
role
of
the
endorser
there,
but
exactly
but
but
what
I'm
trying
to
say
is
that
I
think
that's
just
that's.
That's
that's
not
neces.
H
A
J
K
A
F
J
G
G
D
A
To
be
better,
what's
going
to
be
easy
just
before
we
before
we
do
that,
because
I'd
like
to
close
this
edit
before
I
hit
reload,
I
I
I
will
I
I
we.
We
had
two
sentences,
this
one
and
then
this
two
pieces
and
the
question
was
which
one
did
we
prefer,
and
this
was
lawrence's
original
sentence,
and
this
was
hank's
attempt
to
improve
it.
J
J
Sort
of
broad
observation,
after
having
gone
back
through
version,
six
and
just
reading
kind
of
the
whole
thing
we
seem
to,
we
seem
to
that.
The
text
seems
to
be
inconsistent
about
the
difference
between
an
entity
and
a
role,
and
we
often
use
the
role
name
when
we
mean
an
entity
and
we
sometimes-
and
we
even
say
things
in
the
definition.
Some
of
the
definitions
say
that
a
a
role
is
an
entity
blah
blah
blah,
which
is
wrong.
F
J
A
A
D
C
D
J
D
D
D
A
A
D
G
J
D
D
D
J
D
Because
what
happens
here
and
again,
let
me
tell
you
what
I'm
thinking
and
you
tell
me
how
you
change
the
text.
If
you
want
to
change
in
order
to
do
a
praise
right,
you
need
to
have
a
belief
that
the
tester
can
securely
generate
the
evidence,
and
then
you
have
to
weigh
that
evidence
in
your
term
again
the
values
into
the
evidence
itself
against
the
reference
values.
This
is
only
making
a
statement
about
the
first
part.
D
The
second
part
is
your
tester
may
still
be
using
a
reference
value
provider
to
help
it
appraise
the
evidence,
but
first
you
have
to
figure
out
whether
you
believe
that
it
could
actually
generate
whether
you
should
trust
the
values
that
are
in
the
evidence
themselves.
Is
that
actually
a
correct
statement
of
the
current
state
and
then
you
can
decide
what
that
current
state
matches.
What's
policy.
J
D
My
text
here
is
all
in
the
context
of
whether
you
should
believe
the
evidence
is
a
statement
of
current
state.
You
still
have
to
put
that,
together
with
the
use
of
reference
values
or
whatever,
to
compare
it
against.
You
know
a
desired
stage,
or
you
know
policy
or
whatever
you
want
to
call
it.
But
all
of
this
text
is
about
the
former
part,
which
is
before
you
can
even
do
that.
You
got
to
believe
that
that's
actually
correct
statements
of
the
current
state
and
there's.
D
J
L
D
C
G
H
G
D
D
Please
read
all
of
it
because
in
case
where
you
have
the
tester's
key
material
directly
in
there,
I
claim
that
that
is
the
case
where
there
is
no
endorser
and
the
the
difference
has
to
do
with
how
many,
how
many
chains
of
you
know
one
key
signing.
Another
key
are
there
in
the
chain
that
you're
using
to
verify
the
evidence,
and
in
this
case
there
was
one
less
layer
in
that
level
of
you
know,
certificate
chains
and
that
extra
layer
is
the
endorser
that
is
not
present.
D
So
the
endorser
may
be
the
manufacturer,
you
go
to
the
manufacturer,
you
say:
hey:
did
you
create
this
device?
Yes,
okay,
and
this
is
the
device
that
I
bought.
You
created
it,
you
vouched
for
it
or
whatever,
and
so
I
know
that
this
is
a
you
know
intel
inside
and
it's
the
one
that
I
bought,
and
so
I
put
that
key
into
there
and
at
that
point
evidence
checking
no
longer
checked
for
the
endorser,
which
was
still
there
right.
I
just
did
that
one
time
and
not
the
time
that
I'm
doing
the
evidence.
G
D
A
A
That
an
endorser
vouches
for
the
integrity
of
the
tester's
various
capabilities
and
we
wrote
it
that
way,
because
we
didn't
want
to
say
that
that
key
signing
another
key
was
the
only
way
of
implementing
this
that
the
business
such
as
you
described.
A
direct
trust,
was
also
a
form
of
endorsement
where
you
basically
configure
the
three
devices
you
trust
in.
K
A
Well,
but
that's
why
I
thought
we
said
when
we
wrote
the
definition
of
endorsement.
We
wrote
that
it
was
a
secure
statement.
We
didn't
write,
it
was
a
digital
signature
or
something
we
wrote.
There
was
a
secure
statement
and,
and
that
implied
that
included.
For
instance,
I
loaded
a
configuration
file
with
the
hash
of
the
public
key,
and
that
was
a
secure
statement
as
well
right.
D
D
A
J
D
J
A
D
A
J
E
J
Meant
that
that's
what
we
really
meant
was
the
the
testing
environment,
which
one
could
argue
the
very
first
one
in
the
platform
is
the
root
of
trust,
and
we
all
understand
that
the
root
of
trust-
you
know,
can't
speak
for
itself,
and
so
the
endorsement
is
the
thing
that
speaks
for
the
capabilities
in
the
root
of
trust
and
that
doesn't
have
the
statements
that
can
be
made
about
those
capabilities.
Don't
have
to
only
involve
what
key
you
have.
A
G
G
The
conceptual
message
is
only
our
standard
way
to
do
it,
it'll
be
defined
here
you
can
have
them
collapsed
and
they
don't
have
to
communicate
at
all,
and
then
the
doors
are
just
defines
the
key
with
the
the
measure
into
the
key
store
at
the
trust
or
whatever
you
want,
and
therefore
it
is
not
necessarily
an
endorsement
used
here
when
the
roles
collapse
and
they
collapse.
I
think
and
and
therefore
it's
still
there
and
dave
says
no.
That
is
not
the
case,
because
an
endorsement
outputs
only
key
signed
by
keys.
D
B
D
A
D
Sort
of,
although
the
way
that
I
would
break
it
down,
it's
almost
that
you
you're
not
you're,
not
incorrect.
I
would
say
you're
either
doing
it
at
the
time
of
evidence,
generation,
you're,
verifying
that
the
key
chains
up
to
the
endorser's
key,
which
is
sitting
in
your
trust,
anchor
store
right,
that's
or
you're,
verifying
that
it
changes
up
to
the
device's
key.
D
A
D
A
I
would
make,
but
otherwise
yes,
so
yeah,
so
so-
and
it
comes
back
to
this
and
I'm
still
frustrated
in
general-
that
we
don't
have
a
way
of
of
you're,
essentially
talking
about
a
pki
of
order,
zero,
where
you,
where
you
just
configure
the
tester
hey,
I
have
order
greater
than
one
where
there's
some
some
number
of
of
of
of
artifacts
right.
So
right.
A
So
what
you're
doing
is
you're
accomplishing
the
second
process
or
this.
The
second
paragraph,
where
I
have
some
number
of
devices,
decided
that
I
need
to
indirect,
add
a
layer
of
indirection
right,
internal
layer
of
interaction
right,
but
fundamentally
it's
no
different
than
the
other
one.
It's
just
that
I
decided
to
store
it
differently.
Okay,.
D
A
Hang
on
lawrence
hang
on
lawrence,
so
so,
if,
if
we
so,
if
we
all
agree
with
those
two
to
those
mechanisms-
and
I
think
lawrence
wants
to
disagree-
but
let
me
just
finish:
if
we
all
agree
with
those
things,
then
we're
simply
looking
for
an
appropriate
set
of
language
which
maybe
involves
the
word
endorsement
or
endorser
to
explain
those
processes
now
lawrence.
You
want
to
add
a
another
case.
B
A
A
D
A
J
H
J
J
E
J
J
J
A
A
A
G
And
I
think
michael's
comment
on:
you
have
to
touch
every
device
by
yourself
with
a
zero
in
direction,
and
then
you
can
add
levels
and
bless
them
more
than
one.
At
the
same
time
is,
I
think,
a
very
intuitive
way
to
phrase
this.
Maybe
we
can
have
some
introductory
text
somewhere
in
the
scope
that
helps
us
to
ease
into
this
section
here.
A
A
Yeah,
well,
I
tried
to
start
a
thread
on
sag
or
somewhere
else
about
how
do
you
number
the
levels
of
a
pki
and
because
there's
two
possible
numberings
right,
zero
and
one
based
and
right?
So
so
when,
when
you
do
put
that
when
you
do
configure
that
that
end
device
key
into
your
trust
as
a
trust
anchor,
is
that
a
pki
of
order,
zero
or
one.
A
G
But
the
concept,
I
think
it
was
promoting-
actually
not
hope
we
don't
go
into
the
numbering
thing,
but
direct
versus
indirect
means
has
an
implication
on
how
granular
trust
relationships
has
to
be
established.
I
think
that
is
fine
to
know,
and
I
think
that
makes
this
whole
other
expositional
text
from
dave
it
eases
into
that.
I
think.
A
C
D
D
A
D
J
A
D
G
A
A
A
D
D
D
E
G
A
J
D
D
C
D
D
D
D
A
D
A
A
G
B
G
G
G
D
G
A
G
J
G
A
B
D
C
D
D
J
A
I
would
say
that,
first
of
all,
if
you
believe
it's
closed
by
a
pull
request,
then
you
should
just
answer
that
and
if,
if
at
least
another
person
agrees,
then
then
close
the
issue
and
that
we
should
spend
next
week
going
through.
All
of
that,
I
have
another
ietf
meeting
at
10
o'clock
on
friday.
Now
so
can't
do
that
and
I
don't
know
what
other
times
are
workable
between
hank
and
and
pacific
coast
times
I'll.
Let
you
guys
decide.
G
G
D
A
A
Okay,
so
I'll,
I
will
just
drop
the
calendar
entry
onto
that
as
well.
I
think
we'll
need
the
two
extra
days
for
sure,
okay,
so
that
one's
closed
all
right,
so
let's
come
back.
Anything
we
can
resolve
on
in
between
is
great,
obviously-
and
I
kind
of
wonder
whether
in
some
cases
we
should
take
some
of
these
issues
to
the
mailing
list,
simply
to
hear
what
people
have
to
say.