IETF Logo Mail Archive

Re: [EAT] [Rats] Rats and EAT

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 11 July 2018 05:16 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8535B130EC9; Tue, 10 Jul 2018 22:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3CpFajaS87m; Tue, 10 Jul 2018 22:15:58 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40088.outbound.protection.outlook.com [40.107.4.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4266F130E11; Tue, 10 Jul 2018 22:15:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YSx5sc1Y9aGSoCUu+iNkQ1jyBSKWfFvyGfiF4BpR6h8=; b=XiEztkMbmVWSIf/3FN0mwdPg9AR4tNBrNd2cZClrjY/LU+aeCWpJ7oLgDN0HMbHjDw6kPOYO+pYnMiwh+9MipVqMnbTrHwpXOc5xN85Bg1FoZ0D7nTOhV1shVBFSVrceDo/1hzZwln7xvmfRYXC488UecspqDfgc8eihpm0tUVs=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1392.eurprd08.prod.outlook.com (10.167.198.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.20; Wed, 11 Jul 2018 05:15:53 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3549:bcde:85fc:e3db]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3549:bcde:85fc:e3db%10]) with mapi id 15.20.0930.022; Wed, 11 Jul 2018 05:15:53 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>, Diego Lopez <dr2lopez=40icloud.com@dmarc.ietf.org>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, "eat@ietf.org" <eat@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [EAT] [Rats] Rats and EAT
Thread-Index: AQHUFvRy8vtKLH8FtEyayYi5vTl4W6SJFdmAgABlLwA=
Date: Wed, 11 Jul 2018 05:15:53 +0000
Message-ID: <VI1PR0801MB21125196C5AE9B9081422752FA5A0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <eb1d952b-1e73-4c41-bf12-82299b44ff3d@me.com> <0FE06C34-D430-451C-834B-0A39082160BA@island-resort.com>
In-Reply-To: <0FE06C34-D430-451C-834B-0A39082160BA@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [218.51.127.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1392; 7:DpV2Srj9eWVls6LZWhg7m2rYt5zn+wb1sJTuEXR+XixAo+Km2vob540sXhOSo+rurfTS9Y3VbRz3iFXnfwcro3DZRb5h8ZjOs77mXt7vEF6HpgOlNh7oYAQeXa4biqQXvlNUdhmhI7YojU/LNKt76QmPm5b7UR/2sAoP+0ctXV51mN4Bk2Wy43jjbEtbFdmOV0TweUeJbHcVdY4ws9ofLxdZvZK/bdkUU7D0zBv9PNdZLwXAATA8o/Bu7Kh/I2cx
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c5dc695e-f53b-4277-6222-08d5e6ed5ff5
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:(223705240517415); BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(48565401081)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1392;
x-ms-traffictypediagnostic: VI1PR0801MB1392:
x-microsoft-antispam-prvs: <VI1PR0801MB1392AEBBFEAE4D5D87400434FA5A0@VI1PR0801MB1392.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(180628864354917)(84792000423722)(120809045254105)(192374486261705)(223705240517415)(3650984025655)(21748063052155)(81160342030619)(5213294742642);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3231311)(944501410)(52105095)(3002001)(6055026)(149027)(150027)(6041310)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:VI1PR0801MB1392; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1392;
x-forefront-prvs: 0730093765
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39860400002)(346002)(136003)(376002)(366004)(40434004)(52314003)(69234005)(189003)(199004)(15404003)(14454004)(74316002)(76176011)(66066001)(256004)(55016002)(45080400002)(316002)(54906003)(105586002)(2906002)(478600001)(5024004)(97736004)(72206003)(966005)(6436002)(14444005)(5660300001)(110136005)(4326008)(236005)(186003)(9686003)(6306002)(2900100001)(68736007)(8676002)(54896002)(81166006)(3846002)(6506007)(53546011)(33656002)(229853002)(106356001)(26005)(8936002)(25786009)(11346002)(81156014)(102836004)(790700001)(53936002)(99286004)(7696005)(476003)(7736002)(6116002)(6246003)(39060400002)(486006)(5250100002)(606006)(86362001)(446003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1392; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: rbI0pvtN9o4bSuHpKbj2pHEIBFzNLwcygUpt3R8TY9wgmyH/yi5gE2wYu7MGWOSfEcCjscVRQGINlhfntFpxiJpglpT45gFGR4GjorQ5m5NID7FRzQNroN8V4IkpKtJz7RfBDQy1Hq9ocvmIF/qPXRpT2BZOnnSPSOfD2Kk5W09ON0G+aH58QFmr/lpr0w+xItElme0H4VvNP/NZnnC7PjNrhofH6LJU6r80pxQcgRM65o0+sB3VmLY+Ecv1YfihX3p0wNLge6NbQ27KOWOthylYMBXrUkBqgKTlNI1sWys8QNka0CI0Ggl52vYZEFGD1+lm2k43gmi8m9jGqHx75B+oJ4WoZu68XgFBfeHQRH8=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB21125196C5AE9B9081422752FA5A0VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c5dc695e-f53b-4277-6222-08d5e6ed5ff5
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2018 05:15:53.3346 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1392
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/Nuq-CBKr2NwKeS5DxtdpZrPp8KI>
Subject: Re: [EAT] [Rats] Rats and EAT
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 05:16:02 -0000

Here is what I believe we should / could learn from NEA.

NEA (via the TCG) came up with the idea that devices would communicate their posture to the network when performing network access authentication. Posture refers to the hardware or software configuration of an endpoint as it pertains to an organization's security policy.

I believe NEA was unsuccessful to accomplish its goal because it was too difficult for enterprise network operators to keep track of software installed on devices and to make a reasonable policy decision.

As such, I think it would be better to communicate information about the device with less granularity.

Ciao
Hannes

From: Laurence Lundblade [mailto:lgl@island-resort.com]
Sent: 11 July 2018 08:01
To: Diego Lopez
Cc: Hannes Tschofenig; Yaron Sheffer; eat@ietf.org; rats@ietf.org
Subject: Re: [EAT] [Rats] Rats and EAT

Here’s a little compare-contrast between EAT and NEA. Please correct and forgive incorrect characterizations I might have made about NEA.

EAT uses CBOR and wants to accommodate translation to JSON and compatibility with web infrastructure, NEA used TLV.

EAT signs and possibly encrypts the claims with COSE so they form a self-secured token that can be transported by any other protocol. NEA defines a back-and-forth protocol and is more of an end-end solution.

EAT orients around key material provisioned to the entity by the manufacturer that is to be used for signing the token. This signing of a nonce by an entity serves to prove the device is not a fake.

EAT wishes to accommodate different signing schemes including privacy-preserving schemes like ECDAA. NEA seems to assume some secured transport (e.g., TLS) will be available.

NEA is oriented around network management, trying to track the security posture of devices in an enterprise's network. EAT is broadly targeted at establishing trust between entities, often consumer devices (phones, refrigerators, cars...) and servers/services (online banking, IoT services, enterprise authentication…).

LL





On Jul 8, 2018, at 12:46 PM, Diego Lopez <dr2lopez=40icloud.com@dmarc.ietf.org<mailto:dr2lopez=40icloud.com@dmarc.ietf.org>> wrote:

Hi Hannes,

I was not deeply involved in the work, but NEA seemed to be focused on a particular use case (that of user devices attaching to a network) and not to the more general problem of mutual attestation in more P2P relationships, that I think are the most relevant right now. And it seems to me that at the moment NEA produced its work, user devices were not that much able of performing the procedures defined by the WG...

Anyway, I think there are several of these procedures that are applicable to P2P environments, once adequately adapted.

Be goode,

--
Eih bennek eih blavek!

Dr Diego R. Lopez
dr2lopez@icloud.com<mailto:dr2lopez@icloud.com>
https://es.linkedin.com/in/dr2lopez

On Jul 08, 2018, at 06:54 PM, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Hi Diego,

what do you think are the lessons we can learn from NEA?
It clearly wasn’t as successful as hoped. I am sure there are reasons for that.

Ciao
Hannes


From: Diego Lopez [mailto:dr2lopez@icloud.com]
Sent: 09 July 2018 01:45
To: Hannes Tschofenig
Cc: Yaron Sheffer; Laurence Lundblade; rats@ietf.org<mailto:rats@ietf.org>; eat@ietf.org<mailto:eat@ietf.org>
Subject: Re: [EAT] [Rats] Rats and EAT

And the use of NEA results is mentioned at least in one of the drafts on remote attestation referred in a previous message. Using NEA’s findings is certainly in our aim.

Be goode,
--
Likely to be brief and not very
elaborate as sent from my mobile
Diego R. Lopez

On 8 Jul 2018, at 15:39, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Hi Yaron,

Eliot mentioned NEA on the mailing list. It would be interesting to hear what lessons can be learned from NEA.

Ciao
Hannes

From: EAT [mailto:eat-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: 08 July 2018 06:51
To: Laurence Lundblade; rats@ietf.org<mailto:rats@ietf.org>; eat@ietf.org<mailto:eat@ietf.org>
Subject: Re: [EAT] [Rats] Rats and EAT

I'm a bit surprised that nobody's mentioning the work done by the IETF NEA working group<https://datatracker.ietf.org/wg/nea/about/>. Yes, it's been some time ago, but the people involved were (to the best of my knowledge) involved with the TCG community.
NEA was about desktop machines and NAC rather than mobile devices, but hey, by now we should be looking for solutions that encompass both technologies!
See this diagram<https://wiki.strongswan.org/projects/1/wiki/trustednetworkconnect> on how the complex NEA/TNC architecture fits together, including the TPM.
Thanks,
    Yaron

On 06/07/18 22:20, Laurence Lundblade wrote:
Hey EAT and Rats folks, just became aware of IETF attestation work running in parallel. Seems like EAT is focused more on an independent signed, self-secured data structure with a lot of clams. Rats, seems more TPM and full protocol centric, but I’m still reading.

Here’s a list of attestation work that Diego and Henk made:
https://datatracker.ietf.org/doc/draft-pastor-i2nsf-nsf-remote-attestation/
https://datatracker.ietf.org/doc/draft-birkholz-i2nsf-tuda/
https://datatracker.ietf.org/doc/draft-mandyam-eat/
https://datatracker.ietf.org/doc/draft-mandyam-tokbind-attest/
https://datatracker.ietf.org/doc/draft-birkholz-reference-ra-interaction-model/
https://datatracker.ietf.org/doc/draft-birkholz-yang-basic-remote-attestation/
https://datatracker.ietf.org/doc/draft-birkholz-attestation-terminology/

A couple of other interesting non-TPM “attestation" technologies:
- FIDO<https://www.w3.org/Submission/2015/SUBM-fido-key-attestation-20151120/> does attestation of FIDO authenticators
- Android KeyStore<https://developer.android..com/training/articles/security-key-attestation> uses the term to mean proving the provenance of a stored key
- IEEE 802.1AR is kind of an attestation too

FYI, the IETF attestation events I know of so far are:
 - I’ll present EAT at HotRFC Sunday around 18:00
 - Secdispatch discussion of EAT (and Rats?) Monday at 15:30 (At least I hope; no confirmation yet)
 - EAT BarBof Monday at 18:00
 - Rats BarBof Thursday after dinner

I will attend them all :-)

LL

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
EAT mailing list
EAT@ietf.org<mailto:EAT@ietf.org>
https://www.ietf.org/mailman/listinfo/eat
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you..
_______________________________________________
EAT mailing list
EAT@ietf.org<mailto:EAT@ietf.org>
https://www.ietf.org/mailman/listinfo/eat
_______________________________________________
EAT mailing list
EAT@ietf.org<mailto:EAT@ietf.org>
https://www.ietf.org/mailman/listinfo/eat

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email