Section three is the relevant bit:
"Every user generates and uses a new key (ephemeral key) every time an attestation
blob has to be signed. There are some unique challenges with this. If every attestation
blob is signed with a brand-new key, how to infer the anonymous identity at the minimum to
determine the genuineness of the platform and hence the attestation. It then follows that
we need an anonymous identity that is cryptographically bound to a unique trusted identity
and that the unique identity is never revealed to any entity other than the
You generate a new AIK every-time.
You would follow the flow as illustrated by:
"Service request Part 1 (Platform Anonymous Identity Validation)"
The takeaway here, is that the privacy-ca always knows who it is, but the service provider
does not. So you trust the privacy CA with your privacy in that model.
> -----Original Message-----
> From: Eduardo Falcão <eduardolfalcao(a)gmail.com>
> Sent: Wednesday, September 2, 2020 10:35 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Re: IMA determinism
> Thanks, Roberts and Nicolas.
> Other doubt that arose here is about privacy...
> In the attestation process, the machine being attested sends the public portion
> of its EK to the Attestor, and thus the Attestor could identify the machine by this
> key (if it requests attestation multiple times).
> Some considerations are pointed here (https://tpm2-
> tools.html#privacy-considerations), where different AIK, for instance, could be
> generated for each user, but they apply only for scenarios where the machine
> being attested has multiple users. If the machine itself doesn't have any user,
> then using multiple AIK will not make any difference.
> Do you have any alternative or thoughts for this situation?
> Best regards
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org