IETF Logo Mail Archive

Re: [art] [Teep] [Last-Call] Artart last call review of draft-ietf-teep-architecture-16

Carl Wallace <carl@redhoundsoftware.com> Mon, 11 April 2022 20:25 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A0873A1784 for <art@ietfa.amsl.com>; Mon, 11 Apr 2022 13:25:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9o0Z8fwZT71 for <art@ietfa.amsl.com>; Mon, 11 Apr 2022 13:25:05 -0700 (PDT)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78F663A17B5 for <art@ietf.org>; Mon, 11 Apr 2022 13:25:05 -0700 (PDT)
Received: by mail-qv1-xf36.google.com with SMTP id d9so4830249qvm.4 for <art@ietf.org>; Mon, 11 Apr 2022 13:25:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=0MqJqVqXiRr4b4GAcailKkWLg9MpXQE1doDv6uCXKZ8=; b=p2Ef+4ESdp8gVQV/iGH2ji1kKBRlyZnKyjWOA5cOxkJo9cBN/wjkhUzkzNgK84FbY/ 9Or9ZMCfA7zoGIWUnr76BScCO6beXkHsC98JIlNb4+1+ChJ4SDDphSPhripukWhywUK6 KpF6omDxhQZuiArfL6GmrYm6nYqtpY/CbPTIU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=0MqJqVqXiRr4b4GAcailKkWLg9MpXQE1doDv6uCXKZ8=; b=tXt1sGSx6qTXrL4cdR9S42UQTKDx4n1opGUuRgDYIAYGUmmDN/PRsMTeC5Bv3NXicG oVAOlVgFm/wgLtW3mEYF7kiAvJcAtuszE9b5o9Tfv35nxuGx17xyFENnYHJA0M+YFXKw v9fu2ciI1az/1tG/EOoLGNjJognRdRAriiHLwNlI5rIi8BLFDk9DMZ1pTUEWxgarjROA VUn8okCpLAXaloUz0iR7g7AkESaeng3oUdDwn+kIlRcKdRL1onbzB24fNZJMhZMoEGTV aDMhVaykNEiZ9pywVb19uJ31G6QlJ49/sCJ1AaMG/I9sRvmPnbFINzq99y2Zka3shuFW 3BGA==
X-Gm-Message-State: AOAM530tqehvIvpG0y+pYIqeEcSUmhdtOp/RxqtBbqSLpguj6VwG0IvE 3TVLjjUZyJ4s3eBeMgpONAciqg==
X-Google-Smtp-Source: ABdhPJx9TxBnPHgfRabNjXRK86IYjM+7d2Zq7c4W3ZQKBsmIxfXPjuPlqRRkWXVJcwRUs8ih/EWY0g==
X-Received: by 2002:a05:6214:b6b:b0:444:45c2:fc64 with SMTP id ey11-20020a0562140b6b00b0044445c2fc64mr5949401qvb.103.1649708703555; Mon, 11 Apr 2022 13:25:03 -0700 (PDT)
Received: from [192.168.2.16] (pool-173-66-88-168.washdc.fios.verizon.net. [173.66.88.168]) by smtp.gmail.com with ESMTPSA id q8-20020a05622a04c800b002e06d7c1eabsm25847805qtx.16.2022.04.11.13.25.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Apr 2022 13:25:02 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.59.22031300
Date: Mon, 11 Apr 2022 16:25:02 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Mingliang Pei <mingliang.pei@broadcom.com>
CC: Russ Housley <housley@vigilsec.com>, "art@ietf.org" <art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "teep@ietf.org" <teep@ietf.org>, "draft-ietf-teep-architecture.all@ietf.org" <draft-ietf-teep-architecture.all@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Message-ID: <FFF80308-7170-47DF-BF1D-533B7EE1AE3C@redhoundsoftware.com>
Thread-Topic: [Teep] [Last-Call] Artart last call review of draft-ietf-teep-architecture-16
References: <164850526406.21554.6982960206540476351@ietfa.amsl.com> <DBBPR08MB5915B3398715EE22DF06BEBFFA1E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CABDGos6QOEabsz1YfQ_X2uQkQm+9L1WdynksTsTD+T26y_UNXQ@mail.gmail.com> <F88F6DC2-B2AE-45AF-B68E-1A1C75C575EA@vigilsec.com> <CABDGos4QOf+GS5JFbK50D6PORFb=UqpfAzjxSp5xcQLCSoub6Q@mail.gmail.com> <CABDGos5fBpe8eLNB1xtZM_qo4gxkUQMBiFNqFh=ag+tvW2gOkw@mail.gmail.com> <05D72290-98A8-4DA9-9E90-88AC12E76D63@redhoundsoftware.com> <CABDGos7mcpK212tHZRUZ7dQOdJiN5d+74voiM3LzYFdjTHXHTA@mail.gmail.com> <CABDGos7ww9tPdsr-TZ7rxsWeHNgPPmEFsTqGcUcY-JU95UtPwg@mail.gmail.com>
In-Reply-To: <CABDGos7ww9tPdsr-TZ7rxsWeHNgPPmEFsTqGcUcY-JU95UtPwg@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3732539102_1560786918"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/6Y9wKOmLdVzq-0NcW8_A1dOEDcg>
Subject: Re: [art] [Teep] [Last-Call] Artart last call review of draft-ietf-teep-architecture-16
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 20:25:20 -0000

That’s good too. Thanks.

 

From: Mingliang Pei <mingliang.pei@broadcom.com>
Date: Monday, April 11, 2022 at 3:23 PM
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Russ Housley <housley@vigilsec.com>, "art@ietf.org" <art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "teep@ietf.org" <teep@ietf.org>, "draft-ietf-teep-architecture.all@ietf.org" <draft-ietf-teep-architecture.all@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [Teep] [Last-Call] Artart last call review of draft-ietf-teep-architecture-16

 

Hi Carl,

 

Considering "associated data" is already described in the first part of the definition for "used to constraint the types", I think your wording is fine.

The revised full definition will look as follows.

 

Trust Anchor: As defined in {{RFC6024}} and {{I-D.ietf-suit-architecture}},
    "A trust anchor represents an authoritative entity via a public
    key and associated data.  The public key is used to verify digital
    signatures, and the associated data is used to constrain the types
    of information for which the trust anchor is authoritative. 

    The Trust Anchor may be a certificate, a raw public key or other structure, 

    as appropriate. It can be a non-root certificate when it is a certificate.

 

I made this to the PR now. Please review.

 

Thanks,

 

Ming

 

 

On Mon, Apr 11, 2022 at 11:29 AM Mingliang Pei <mingliang.pei@broadcom.com> wrote:

Hi Carl,

 

Good point, thanks. A trust anchor intends to allow associated constraint information, which is implementation specific, along with the main underlying key material being a public key or a certificate. For the revised definition, instead of allowing "other structure as appropriate", how about we still call out the core key material being a "certificate or public key", and other information along with them as appropriate? In other words, how about the following?

 

The Trust Anchor may be a certificate or a raw public key with optionally other constraint information or extensions. The structure of Trust Anchors is implementation specific."

 

Thanks,

 

Ming

 

 

On Mon, Apr 11, 2022 at 6:08 AM Carl Wallace <carl@redhoundsoftware.com> wrote:

 

From: TEEP <teep-bounces@ietf.org> on behalf of Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>
Date: Thursday, April 7, 2022 at 8:40 PM
To: Russ Housley <housley@vigilsec.com>
Cc: Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>, "art@ietf.org" <art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "teep@ietf.org" <teep@ietf.org>, "draft-ietf-teep-architecture.all@ietf.org" <draft-ietf-teep-architecture.all@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [Teep] [Last-Call] Artart last call review of draft-ietf-teep-architecture-16

 

See PR: https://github.com/ietf-teep/architecture/pull/236, thanks, Ming

 

[CW] Is it a certainty that constraints will not be needed for trust anchors? The trust anchor definition references “associated data”, which would be used constrain use of the trust anchor. An option other than certificate or public key may would be needed if constraints may be defined (because constraints can’t be added to the certificate without breaking the signature and a raw public key has no means to express constraints). Perhaps, "The Trust Anchor may be a certificate, a raw public key or other structure, as appropriate." might be better to leave open the possibility of constraining a trust anchor. RFC5914 defines syntax that allows for associated data to be packaged alongside a public key or a certificate, as an example of an alternative.

 

<snip>


This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.

v2.23.0 | Report a Bug | By Email