Re: [EAT] Implicit vs Explicit Attestation (was Re: Scope, Goals & Background for RATS)
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Fri, 21 September 2018 15:44 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B3E130E7F; Fri, 21 Sep 2018 08:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRAKn18Xb3rj; Fri, 21 Sep 2018 08:44:50 -0700 (PDT)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8480130ED7; Fri, 21 Sep 2018 08:44:46 -0700 (PDT)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w8LFifl6023813 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 21 Sep 2018 17:44:42 +0200
Received: from [134.102.163.186] (134.102.163.186) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 21 Sep 2018 17:44:36 +0200
To: Laurence Lundblade <lgl@island-resort.com>, Denis <denis.ietf@free.fr>
CC: eat@ietf.org, rats@ietf.org
References: <710df01c-c45f-9d26-b578-e4baa53c6de8@sit.fraunhofer.de> <b3aa7b71-a80a-78fc-aef7-fc9145a3169b@free.fr> <17ba2709-0a0e-859f-2fa2-fd09747273d9@sit.fraunhofer.de> <67234e9e-1543-5ecb-7fd8-3797d529744c@free.fr> <7E4B881E-7AD6-42A1-B2B3-7478DFCCB9FB@island-resort.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <b941c49a-c860-e15d-b6ce-91739c168eeb@sit.fraunhofer.de>
Date: Fri, 21 Sep 2018 17:44:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <7E4B881E-7AD6-42A1-B2B3-7478DFCCB9FB@island-resort.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.163.186]
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/cLKfqIFCNderl9DmQn0q-Ac432c>
Subject: Re: [EAT] Implicit vs Explicit Attestation (was Re: Scope, Goals & Background for RATS)
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2018 15:45:01 -0000
Hello Laurence, please find replies and comments in-line (and sorry for replying in the wrong order...). On 09/20/2018 11:29 PM, Laurence Lundblade wrote: > Forking the discussion here to focus on implicit/explicit attestation. > That seems to be a new term invented in this WG Charter as I haven’t > seen it elsewhere. I’m not sure what it means yet. It seems to have > something to do with how the loop is closed in the Attestation Model > below. In particular the role of the Entity Manufacturer. The term "explicit attestation" wrt to remote attestation is actually "new" in a sense that "implicit attestation" got a sharper focus and is now used in open documents. In consequence, specializing "explicit" attestation next to implicit attestation (wrt to remote attestation) was the smallest and most intuitive semantic step - terminology-wise. Google'ing for (implicit) attestation protocols, I found these TCG documents. The first one uses "implicit attestation" for "strong Device Identity" (same approach as the EAT). The second one is 7 years older and (to my surprise, actually), defines both Attestation and - in fact- Attestation Evidence. I have to admit that we have not taken these definition into account, but will in the next iteration. There does not seem to be a conflict. Also, the semantic equivalent to RIMM seems to be Template Reference Manifest in the second document. > https://trustedcomputinggroup.org/wp-content/uploads/TCG-DICE-Arch-Implicit-Identity-Based-Device-Attestation-v1-rev93.pdf> https://www.trustedcomputinggroup.org/wp-content/uploads/IFM_PTS_v1_0_r28.pdf > > The obvious way to do this (kind of like TLS certs, but flipped): > - The Entity Manufacturer puts a private key + X.509 certificate in each > Entity (device) it makes > - This Entity (device) X.509 certificate is signed by the Entity > Manufactures Root Key > - The Entity uses its private key to sign some Claims > - The Entity sends the signed claims and its X.509 cert to the Relying Party > - The Relying Party gets the Entity Manufacturers Root Cert in a one > time operation and saves it > - The Relying Party chains the device X.509 per to the Entity Root Cert > - The Relying Party uses the public key in the device X.509 to verify > the signature on the Claims This is, in essence, _the_ reference work-flow of implicit attestation, I think. Please note that here the signatures are verified (which is the implicitness) in contrast to appraising the signed (temper-evident, amongst other characteristics) claim sets via reference values (which an Verifier is capable to do wrt explicit attestation). > > One of my guesses for what implicit attestation is — The RP (Relying > Party) does not get any root keys or such from the Entity Manufacturer > or a CA or a trusted third party. They verify the signature solely based > on what is in the signed token they received. The RP probably did send a > nonce and the Entity signed it, so there is proof-of-posession of the > Entity's key, but that key and device could be any device so little is > proved. The RP can remember the Entity’s key and expect it to be the > same next time to give it some value. This is called self-attestation of > surrogate attestation in FIDO. It not considered very secure. The loop > is not closed. I assume that the key remembered by the Relying Party is a public key - inside the x.509? Very likely it is not the private key you did the proof-of-possession for. In any case, please see above wrt implicit attestation. I am not sure what to make of "verify the signature solely based on what is in the signed token they received" - I assume that is different from verifying the signature, as the RP did not get anything from the corresponding CA? I am also assuming that the "RP can expect the same key again" via the accompanying x.509 and therefore can infer characteristics on how the claims should be composed (again)? As the current (wordy) charter text illustrates proof-of-possession is the basis for implicit attestation and in that regard I think we are actually in alignment here. > > Another one of my guesses — The RP does get key material with which to > perform verification, but it is not directly from the Entity > Manufacturer. Instead there is some CA or trusted 3rd party in the loop. > This is a realistic scenario. The loop is closed so it is secure. This is a work-flow that I would very much like to flesh out, homogenize and include more... explicitly :) > > I see this as a topic for technical discussion, not something for > definite in the charter. Well, apparently we are under the impression of... yes and no. In order to get goals/deliverables and scope right we have to agree on what term has which technical meanings, implications and dependencies. Assuming that background and terminology could be pruned from the charter at some point of consensus and then be... and that is my problem here... maintained without changing their meaning (and therefore not implicitly changing the charter). Carsten highlighted the problems with that approach, so while these definitions may go down to a technical level, they are essential to the meaning of the charter. It is a bit of a hen & egg problem, I am afraid, due to the terminology document (evolving into an architecture document) being in flux. Viele Grüße, Henk > > LL > > > > > >> On Sep 18, 2018, at 8:56 AM, Denis <denis.ietf@free.fr >> <mailto:denis.ietf@free.fr>> wrote: >> >> Hi Henk, >> >> I fear that we don't understand each other. >> >>> Hi Denis, >>> >>> there are a lot of topics addressed by your reply. First of all, >>> thank you for the the feedback! >>> >>> We attempted to create a document that is as inclusive as possible - >>> within reason. Hence, it is also solution agnostic. >>> >>> As Andreas just said, Proof-of-Possession of a secret key is intended >>> to be captured by Implicit Attestation. In other words: >>> if you are able to use that secret key to sign something, it implies >>> (that is the "implicitness" here) that "that device has some well >>> known properties". >> >> No. If you are able to use a secret key to sign something, it does not >> mean that you are using a device. >> If a device is able to sign something, it does not necessarily mean >> that what is signed really comes from the device, unless "that device >> has some well known properties". >> >>> The definition of implicit attestation might require some >>> improvement, I assume (and I don't mean by adding even more words). >>> >>> I am a bit confused by the use of "attestation certificate", "private >>> key" and "origin of data exchange" in your reply. >>> >>> If "certificate" in your proposal: >>> >>>> "shared attestation certificates" to designate attestation >>>> certificates that are specific to a batch of devices from the same >>>> model (like in FIDO), >>>> "individual attestation certificates" to designate attestation >>>> certificates that are specific to each device. >>> >>> means identity document, the concepts of "Singular Identity", "Shared >>> Identity", and "Group Identity" are already subsumed in the IETF by >>> the definition of "Identity" in RFC4949. >>> Maybe that fact is a little bit too hidden at the end of the >>> Background section that refers to "cryptographic identities". >>> Highlighting that more up front and referencing RFC4949 >>> explicitly could address that issue. >> >> It does not mean anything from the above list. My arguments have >> nothing to do with "Identity". Typically, an Attestation Certificate >> it is an X509 certificate, as in FIDO. >> >>> >>> Correspondingly, the same secret key can be enrolled on multiple >>> devices, but that is not the same thing as enrolling the same >>> (group/shared) identity document on multiple devices. >> >> The private key of a device is never enrolled but is placed in the >> device by the manufacturer of the device (or the entity that >> personalizes it before making it available to an end-user); >> >>> >>> The smallest identity document I can think of would be a signed >>> public key. More commonly today, it would be an ASN.1-based identity >>> document, I assume. >> >> My arguments are fully unrelated to "identity documents". >> >>> Jumping a bit to the end: >>> >>> Local Attestation is described in the Background section and is >>> referred to again in the Scope section as out-of-scope. >> >> This is fine. >> >>> That said, as Local Attestation can be a prerequisite for Remote >>> Attestation and it also might require some provisioning (via network >>> protocols) in order to work, >>> provisioning protocols that enable local attestation are currently >>> considered in-scope. >>> >>> The fact that the definition of Attestation Evidence is difficult to >>> understand could be the biggest issue here, I think. Especially, >>> because it is the basis for >>> the definition of Remote Attestation, as you highlighted. I will come >>> back to this topic as soon as I have a few more free cycles :) >>> >>> Viele Grüße, >>> >>> Henk >> ... >
- [EAT] Scope, Goals & Background for RATS Henk Birkholz
- Re: [EAT] Scope, Goals & Background for RATS Denis
- Re: [EAT] [Rats] Scope, Goals & Background for RA… Fuchs, Andreas
- Re: [EAT] Scope, Goals & Background for RATS Henk Birkholz
- Re: [EAT] Scope, Goals & Background for RATS Denis
- Re: [EAT] Scope, Goals & Background for RATS Carsten Bormann
- Re: [EAT] Scope, Goals & Background for RATS Michael Richardson
- Re: [EAT] Scope, Goals & Background for RATS Michael Richardson
- Re: [EAT] Scope, Goals & Background for RATS Eric Voit (evoit)
- Re: [EAT] Scope, Goals & Background for RATS Carsten Bormann
- Re: [EAT] Scope, Goals & Background for RATS Melinda Shore
- Re: [EAT] Scope, Goals & Background for RATS Smith, Ned
- Re: [EAT] Scope, Goals & Background for RATS Laurence Lundblade
- [EAT] Implicit vs Explicit Attestation (was Re: S… Laurence Lundblade
- Re: [EAT] Scope, Goals & Background for RATS Diego R. Lopez
- [EAT] Terminology definitions (was Re: Scope, Goa… Laurence Lundblade
- Re: [EAT] Terminology definitions (was Re: Scope,… Henk Birkholz
- Re: [EAT] Implicit vs Explicit Attestation (was R… Henk Birkholz
- Re: [EAT] Scope, Goals & Background for RATS Henk Birkholz
- Re: [EAT] [Rats] Terminology definitions (was Re:… Smith, Ned
- Re: [EAT] Scope, Goals & Background for RATS Laurence Lundblade
- Re: [EAT] Scope, Goals & Background for RATS Henk Birkholz
- Re: [EAT] Scope, Goals & Background for RATS Diego R. Lopez
- Re: [EAT] Implicit vs Explicit Attestation (was R… Laurence Lundblade
- Re: [EAT] [Rats] Implicit vs Explicit Attestation… Fuchs, Andreas
- Re: [EAT] Implicit vs Explicit Attestation (was R… Henk Birkholz
- Re: [EAT] [Rats] Implicit vs Explicit Attestation… Laurence Lundblade
- Re: [EAT] [Rats] Implicit vs Explicit Attestation… Wheeler, David M
- Re: [EAT] Implicit vs Explicit Attestation (was R… Laurence Lundblade
- Re: [EAT] [Rats] Implicit vs Explicit Attestation… Smith, Ned
- [EAT] Naming (was Re: Scope, Goals & Background f… Laurence Lundblade
- [EAT] EAT additions to Charter (was Re: Scope, Go… Laurence Lundblade
- Re: [EAT] EAT additions to Charter (was Re: Scope… Suresh Marisetty
- Re: [EAT] Naming (was Re: Scope, Goals & Backgrou… Diego R. Lopez
- Re: [EAT] EAT additions to Charter (was Re: Scope… Carl Wallace
- Re: [EAT] Naming (was Re: Scope, Goals & Backgrou… Laurence Lundblade