Attendees

• @ansasaki
• @aplanas
• @deeglaze
• @edwards-n
• @ematery
• @galmasi
• @husky-parul
• @Isaac-Matthews
• @kkaarreell
• @maugustosilva
• @mayaCostantini
• @marcostork
• @mdrocco
• @mbestavros
• @mheese
• @mruffin
• @mpeters
• Niteesh Dubey
• @ruocco
• @stringlytyped
• @stefanberger
• @THS-on
• @tpletcher-hpe
• @tylerfanelli
• @ueno
• @sarroutbi
• @sergio-correia
• @gnurugs
• Shiva Dasari
• Christian Schilling

Time: 24/09/2025 15:00 UTC (https://www.timeanddate.com/worldclock/fixedtime.html?msg=Keylime+Meeting\&iso=20250924T15)

Google Meet joining info
Video call link: https://meet.google.com/nos-bkdi-cnn
Or dial: ‪(DE) +49 30 300195060‬ PIN: ‪607 390 654 8381‬#
More phone numbers: https://tel.meet/nos-bkdi-cnn?pin=6073906548381
Or join via SIP: sip:[email protected]

Topics

• New releases:
  • Keylime v7.13.0
  • Agent v0.2.8
• Push model updates
  • #keylime-push-attestation channel on CNCF Slack
  • Publicly accessible project: Agent-driven attestation
  • We are currently working on the authentication based on the Proof of Possesion of the AK
  • The changes to the Verifier are being rebased on top of current master and should be merged soon
    • The current tests for the pull-model attestation should continue to pass
• Keylime and Post-Quantum Cryptography
  • Planned enhancement proposal: support dual certification on all server components
    • This will allow deployments using different key types at the same time for TLS (e.g. RSA and ML-DSA)
• Mentorship project CMW, EAT in collaboration with Veraison
  • Veraison Mentorship: Harmonizing Open-Source Verifiers with RATS Standards veraison/.github#6
• Enhancements:
  • 123_verifier_evidence_types123_verifier_evidence_types enhancements#124
    • Add support for other evidences types to the evidence verification endpoint
    • Merged!
    • The implementation was also merged: verify/evidence: Add evidence types, SEV-SNP verification keylime#1788
  • 126_verify_evidence_jwt 126_verify_evidence_jwt enhancements#127
    • Add JWT format response for the one-shot attestation endpoint
    • Merged!
    • Implementation pending
• Open PRs:
  • Keylime:
    • #1802 - New manpages for keylime_verifier, keylime_registrar, keylime_agent, keylime-policy
    • #1799 - verifier, tenant: Use timeout set via request_timeout for HTTP requests
    • #1781 - fix: resolve extreme line-too-long violations in keylime/tenant.py
    • #1777 - Add support for CMW evidence format - server side
    • #1731 - Push authentication
    • #1715 - Allow separate CA and logging configurations for components
    • #1693 - Add agent-driven (push) attestation protocol
    • #1670 - Add webhook for receiving and modifying registrar identity trust decisions
    • #1668 - Add support for EK Certificate Chain, resolves #1552
    • #1545 - Add support for a reject list in runtime policy
  • Agent:
    • #1131 - build(deps): bump tempfile from 3.21.0 to 3.23.0
    • #1130 - build(deps): bump clap from 4.5.45 to 4.5.48
    • #1128 - Improve logging coherency and consistency across Keylime codebase
    • #1125 - Implement minimal RFC compliance for Location header and URI parsing
    • #1122 - build(deps): bump pest from 2.8.1 to 2.8.2
    • #1118 - build(deps): bump chrono from 0.4.41 to 0.4.42
    • #1113 - build(deps): bump uuid from 1.17.0 to 1.18.1
    • #1108 - Integrate authentication middleware into ResilientClient
    • #1107 - Add unwrap/panic detection for Push Model files
    • #1104 - [DONOTMERGEYET] Make compilation to fail on warnings
    • #1068 - keylimectl: A replacement for keylime_tenant in rust
    • #1051 - add support for CMW evidence format - agent side
    • #986 - Update rust-config to 0.15
    • #658 - Remove deprecated zmq revocation notification feature