2.1. Network Endpoint Assessment
Network operators want trustworthy reports that include identity and version information about the hardware and software on the machines attached to their network. Such reports serve purposes such as inventory summaries, audit results, and anomaly notifications (which typically involve maintaining log records or trend reports). The network operator may also want a policy by which full access is granted only to devices that meet some definition of hygiene, and so wants to obtain Claims about such information and verify their validity. Remote attestation is desired to prevent vulnerable or compromised devices from gaining access to the network and potentially harming others.
Typically, a solution starts with a specific component (sometimes referred to as a "root of trust") that often provides a trustworthy device identity and performs a series of operations that enable trustworthiness appraisals for other components. Such components help determine the trustworthiness of yet other components by collecting, protecting, or signing measurements. Measurements that have been signed by such components constitute Evidence that, when evaluated, either supports or refutes a claim of trustworthiness. Measurements can describe a variety of attributes of system components, such as hardware, firmware, BIOS, and software, and how they are hardened.
Attester: A device desiring access to a network.
Relying Party: Network equipment (such as a router, switch, or access point) that is responsible for admission of the device into the network.
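The measurement chain of the preceding paragraph and the Attester/Relying Party roles above, as an added worked example (not text or code from the RATS architecture document itself): a root of trust measures each boot component into a running digest in the PCR-extend style, signs the result together with a Relying Party nonce as Evidence, and the network side replays the log, checks freshness and reference values, and decides between full access and a quarantine network. Assumptions not in the source: HMAC-SHA256 stands in for the asymmetric signature a real root of trust would produce, and the component names, reference digests and admission policy are constructed for illustration.

```python
"""Simplified network-admission attestation flow (added example, not from the RFC).

Assumptions (not in the source text): HMAC-SHA256 stands in for the
asymmetric device signature; component images, reference digests and the
admission policy are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed: key shared by the device's root of trust and the Verifier.
# A real deployment uses a device-unique attestation key and an asymmetric
# signature, so the Verifier holds only a public key.
ROOT_OF_TRUST_KEY = b"constructed-attestation-key"
INITIAL_DIGEST = b"\x00" * 32


def extend(digest: bytes, component_hash: bytes) -> bytes:
    """PCR-extend style: new_digest = H(old_digest || H(component))."""
    return hashlib.sha256(digest + component_hash).digest()


def collect_evidence(components: list[tuple[str, bytes]], nonce: bytes) -> dict:
    """Attester side: measure each component in boot order, then sign the
    final digest, the event log and the Relying Party's nonce as Evidence."""
    digest = INITIAL_DIGEST
    log = []
    for name, image in components:
        component_hash = hashlib.sha256(image).digest()
        log.append({"name": name, "hash": component_hash.hex()})
        digest = extend(digest, component_hash)
    payload = {"nonce": nonce.hex(), "log": log, "digest": digest.hex()}
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(ROOT_OF_TRUST_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": signature}


def appraise(evidence: dict, nonce: bytes, reference: dict[str, str]) -> tuple[str, list[str]]:
    """Verifier / Relying Party side: returns (decision, reasons).
    Order matters: authenticity, then freshness, then log integrity,
    then policy over the individual measurements."""
    payload = evidence["payload"]
    body = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(ROOT_OF_TRUST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence["sig"]):
        return "deny", ["signature invalid"]
    if payload["nonce"] != nonce.hex():
        return "deny", ["stale or replayed evidence"]
    # Replay the log to confirm it reproduces the signed digest; otherwise
    # the log could claim any components it liked.
    digest = INITIAL_DIGEST
    for entry in payload["log"]:
        digest = extend(digest, bytes.fromhex(entry["hash"]))
    if digest.hex() != payload["digest"]:
        return "deny", ["log does not reproduce signed digest"]
    problems = []
    for entry in payload["log"]:
        ref = reference.get(entry["name"])
        if ref is None:
            problems.append(f"unknown component {entry['name']}")
        elif ref != entry["hash"]:
            problems.append(f"{entry['name']} does not match reference value")
    # Constructed hygiene policy: any unknown or mismatched component
    # lands the device on a quarantine network rather than full access.
    return ("full-access" if not problems else "quarantine"), problems


def demo(scenario: str = "clean") -> tuple[str, list[str]]:
    """Run one of three constructed scenarios: clean, tampered, replay."""
    good = [("firmware", b"fw-v1.2"), ("bootloader", b"bl-v3"), ("kernel", b"linux-6.1")]
    reference = {name: hashlib.sha256(image).hexdigest() for name, image in good}
    components = good
    if scenario == "tampered":
        components = good[:2] + [("kernel", b"linux-6.1-backdoored")]
    nonce = secrets.token_bytes(16)  # freshness challenge from the Relying Party
    evidence = collect_evidence(components, nonce)
    if scenario == "replay":
        # Old Evidence presented against a new challenge.
        return appraise(evidence, secrets.token_bytes(16), reference)
    return appraise(evidence, nonce, reference)


if __name__ == "__main__":
    for s in ("clean", "tampered", "replay"):
        print(s, demo(s))
```

The check order in `appraise` is the part worth copying: a Relying Party that compares reference values before verifying the signature and nonce is appraising whatever the device chose to send, and a log that is not replayed against the signed digest is just a list of claims.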