Re: [EAT] EAT slides posted in git hub

Laurence Lundblade <lgl@island-resort.com> Tue, 17 July 2018 20:14 UTC

From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <788DF14C-9F84-4463-A9A7-8B69396BC9E3@island-resort.com>
Date: Tue, 17 Jul 2018 16:14:45 -0400
In-Reply-To: <DB6PR0801MB1799C12BA7865548B0D47420975C0@DB6PR0801MB1799.eurprd08.prod.outlook.com>
Cc: "eat@ietf.org" <eat@ietf.org>, "rats@ietf.org" <rats@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
To: Suresh Marisetty <Suresh.Marisetty@arm.com>
References: <E8E79F27-F064-499E-B0AF-5446B22BB0ED@island-resort.com> <DB6PR0801MB1799C12BA7865548B0D47420975C0@DB6PR0801MB1799.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/JOydLyt9SSMI0ggWRqLz93Bbnww>

Don’t want to have too large a discussion across these three mailing lists, but will make a few comments here.

There was some consensus in yesterday’s meetings that EAT should focus on standardizing just claims in the token — the "EAT Token" gray box between Entity and Relying Party in diagram below. The end-end flow should be described for context, but not standardized. The EAT draft would mention assumptions it makes, such as the existence of key material to perform the signing and verification.  This makes good sense to me and is more or less what is in the current draft. 

I am of the opinion that it is not practical to try for any general standard for the establishment of key material to sign tokens and services to verify them at this time. There are too many manufacturing, deployment and use case specific issues. Even BRSKI and FIDO don’t standardize the primordial steps. Also, some of what needs to be done is going to happen over serial ports to devices or through chip test equipment on manufacturing lines, which is not really where IETF works.

I agree that the solution is incomplete without establishment of this key material, but what I think is needed now is motivation for the chip and device vendors to invest.  A big reason for creating and standardizing EAT is to create momentum and interest with relying parties that will eventually turn into incentive for device vendors to invest. Unlike SW, device key establishment can add a per-chip cost for manufacturing time, for new assembly line equipment like HSMs and new operational security procedures, so incentive is needed. 

LL

> On Jul 17, 2018, at 11:57 AM, Suresh Marisetty <Suresh.Marisetty@arm.com> wrote:
> 
> Hi Laurence,
>  
> One question I have is regarding the overall flow, which includes:
> - Zero Touch Onboarding
> - Attestation (EAT as you described)
>  
> Is the current thinking that onboarding can be any methods adopted from: IETF-BRSKI, FIDO, IETF-SZTP, SDO, etc. and EAT will piggyback on it?
>  
> In my view, the EAT solution will be complete when it is combined with a proposed/recommended onboarding method, which is the critical piece of the overall solution.
>  
> Thanks
> Suresh Marisetty
>  
>  
> From: EAT <eat-bounces@ietf.org <mailto:eat-bounces@ietf.org>> On Behalf Of Laurence Lundblade
> Sent: Tuesday, July 17, 2018 8:29 AM
> To: eat@ietf.org <mailto:eat@ietf.org>; rats@ietf.org <mailto:rats@ietf.org>; secdispatch@ietf.org <mailto:secdispatch@ietf.org>
> Subject: [EAT] EAT slides posted in git hub
>  
> The EAT slides presented at secdispatch, plus a longer set of slides are here <https://github.com/eat-ietf-wg/eat-slides> on GitHub.
>  
> LL
>  