Re: [EAT] [Rats] Introduction
Laurence Lundblade <lgl@island-resort.com> Mon, 10 September 2018 20:57 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5389B130FFF for <eat@ietfa.amsl.com>; Mon, 10 Sep 2018 13:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mPyyzHjXRFg1 for <eat@ietfa.amsl.com>; Mon, 10 Sep 2018 13:57:07 -0700 (PDT)
Received: from p3plsmtpa11-05.prod.phx3.secureserver.net (p3plsmtpa11-05.prod.phx3.secureserver.net [68.178.252.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFCE9131002 for <eat@ietf.org>; Mon, 10 Sep 2018 13:57:04 -0700 (PDT)
Received: from [192.168.1.82] ([76.192.164.238]) by :SMTPAUTH: with ESMTPSA id zTF1f7w17qLFHzTF1f8Rtv; Mon, 10 Sep 2018 13:57:04 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <DFE22393-B77E-4B4F-A2FF-AE557C0871F8@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4D4E5EB3-5D93-4BD3-8189-A1EE1E668632"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Mon, 10 Sep 2018 13:57:03 -0700
In-Reply-To: <6BA94F08BDCB8E44B30675B3FF1834712242C6DA@FRAEML521-MBX.china.huawei.com>
Cc: Shawn Willden <swillden=40google.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>, Carsten Bormann <cabo@tzi.org>, "eat@ietf.org" <eat@ietf.org>
To: AndreRein <Andre.Rein@huawei.com>
References: <CAFyqnhUh0Ncd+VrXyLgrfgZZxcLLAcaQq4nsh16ts5-80wbUAQ@mail.gmail.com> <C2A3D7A2-021E-4BDF-AD3A-981379B4F759@tzi.org> <CAFyqnhX+ycNT34Y7P+4QVE3mL1vLMwnTZNzOpZc5km1+sZiCBQ@mail.gmail.com> <C95E7E39-4DA7-40FD-A2B6-1FCC3B999F17@island-resort.com> <6BA94F08BDCB8E44B30675B3FF1834712242C6DA@FRAEML521-MBX.china.huawei.com>
X-Mailer: Apple Mail (2.3445.8.2)
X-CMAE-Envelope: MS4wfKxI87VFNAEIe1pr0OOglwcgKMx6sJOdtrXtmjokcOIoCMhdp2OGUYLeHxA4bqXHeeKC+xjVKQIzs8zXxgks/WX6BIfJZ2M8g2ovw/aacD5CFlGvNe9N anqxSrD6WnJHWiVEZm9sT/WEkTLVEApUC2DmAsiobHh9kTEGs0dNu08KG9Q8KByrxRGNzcq8ObNd6zcCTtu+EInaj2lcCoxehAwoRxuHRhpg4Oqd6uyxy9Qs qgopzGc4q/ag5gNt4w+j/PUcg3gyMDav59Zv9QR0gXvnTCBekP8HgbuGvdyc6Ecl
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/kWcZfIIbI16RG6HvC2-saboWwg8>
Subject: Re: [EAT] [Rats] Introduction
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Sep 2018 20:57:20 -0000
Thanks for all that Andre, The intention of EAT is try to span both the TCG, TrustZone and other technologies involved with attestation. We haven't added text for measurement claims to the EAT draft yet, but some of us were planning on it and have some first drafts. I say “try to” is because you can’t quite implement EAT using a standard TPM today. TPMs only sign certain data in a particular way, and it is not the CBOR/COSE format used by EAT or CWT (or JWT). The FIDO folks however have a way to use TPMs to sign FIDO attestations <https://fidoalliance.org/specs/fido-v2.0-ps-20150904/fido-key-attestation-v2.0-ps-20150904.html#tpm-attestation>. We may be able to do something similar. We may also just define a way to tag and carry pure TPM remote attestations. Maybe there are 2-3 attestation variants for this. I think the work here should be inclusive of TPM and non-TPM attestations, similar to what FIDO did for similar reasons. TPMs are very broadly deployed and used and there is deep experience with them. Similarly TrustZone and similar technologies are in a billion plus smart phones and should to be included. This is one of the reasons for forming a working group, rather than just defining some additional CWT / JWT claims. (I also think defining those claims in a universal way is interesting work). I have a few other comments on measurement. My understanding is that the TPM measurements taken are boot are still quite good even though the TPM doesn’t make them. This is because it is done in stages. First some very trusted and very small code starts when the CPU comes out of reset. It’s only job is to load the next junk of code and measure it. It stores the measurement in the TPM. The next stage is similar but does more. In this scheme, no code ever measures itself and all code is measured before it starts running. TrustZone-based devices are not so standardized in how they boot and they haven’t done so much with measurement. However TrustZone is more capable than a TPM and can perform measurements of the non-secure world at any time. It doesn’t have to be at boot. This would allow some of the periodic configuration confirmation attestations that the router and network secure functions folks are talking about. LL > On Sep 10, 2018, at 3:21 AM, AndreRein <Andre.Rein@huawei.com> wrote: > > From my perspective you are right that the current discussions around (remote) attestation are very TCG shaped and in general a TPM is often regarded as _the_ security anchor. In a way this makes a lot of sense, because the TPM offers a secure identity (Root of Trust for Reporting (RTR)) and a tamper-proof storage (Root of Trust for Storage (RTS)), both of which are required for an attestation process (at least how it is generally understood today). However, it is important to note that the measurements themselves are not performed by the TPM; the TPM is only used for the secure recording and reporting of measured values during the attestation. Depending on which parts of the system are to be attested, the actual measurements are provided by other (secure) components, starting from an initial (trusted) measurement component (Root of Trust for Measurement (RTM)). > > I don't want to go too much into the technical details here, but I think it makes sense for a general specification of an attestation (and a corresponding protocol) to detach itself from the TPM as a term (I'm not saying that we do this actually) and instead argue on the basis of the RoTs involved. A TPM is an excellent reference implementation that provides certain RoTs in a very secure way, but a TPM provides only one implementation possibility that realizes parts of what is necessary to report a system’s state for conducting a (remote) attestation procedure. > > Best regards, > > Andre > > From: RATS [mailto:rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>] On Behalf Of Laurence Lundblade > Sent: Sonntag, 9. September 2018 18:38 > To: Shawn Willden <swillden=40google.com@dmarc.ietf.org <mailto:swillden=40google.com@dmarc.ietf.org>> > Cc: rats@ietf.org <mailto:rats@ietf.org>; Carsten Bormann <cabo@tzi.org <mailto:cabo@tzi.org>>; eat@ietf.org <mailto:eat@ietf.org> > Subject: Re: [Rats] [EAT] Introduction > > My understanding from the RATS BoF and talking to Henk, Marty and others is that it is about sending the attestations created by TPMs to a remote entity. These attestation messages contain the usual measurements of the running SW that TPMs do. It is very TCG oriented. > > There is some possibility of defining a protocol to carry these attestations, but I don’t think anything has been written. > > There was a lot of interest in this from the network infrastructure folks that want to make sure routers, firewalls and such were booted and still running correctly. > > LL > > > > > > On Sep 7, 2018, at 6:51 AM, Shawn Willden <swillden=40google.com@dmarc.ietf.org <mailto:swillden=40google.com@dmarc.ietf.org>> wrote: > > Thanks. I need to get clear on what rats@ is about. Is there a draft? > > On Fri, Sep 7, 2018 at 6:29 AM Carsten Bormann <cabo@tzi.org <mailto:cabo@tzi.org>> wrote: > On Sep 6, 2018, at 18:37, Shawn Willden <swillden=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: > > > > Please excuse me if I'm violating some list etiquette with this introduction; it seemed like the best way to jump in. It appears that cross-posting between RATS and EAT is fairly common, so I think I'm good on that front :-) > > Hi Shawn, > > welcome to this discussion! > > Indeed, as long as we are trying to find out what is what between eat@ and rats@, cross-posting is the way to go. > > A thread of three of the messages triggered by your initial message went to eat@ only, though: > > Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/G5WvKAAXc16ixn30MbcfErLmUQ4 <https://mailarchive.ietf.org/arch/msg/eat/G5WvKAAXc16ixn30MbcfErLmUQ4>> > Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/DxM8NcxqPsR6HZXDS1q24lUqMg8 <https://mailarchive.ietf.org/arch/msg/eat/DxM8NcxqPsR6HZXDS1q24lUqMg8>> > Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/61cWm6byj-9tItyjUIi3PyGsCJk <https://mailarchive.ietf.org/arch/msg/eat/61cWm6byj-9tItyjUIi3PyGsCJk>> > > As these are essentially about rats@ content (proof of protection), it would be useful for rats@ people to read them, too (and then reply to both lists, please). > > Grüße, Carsten > > -- > Shawn Willden | Staff Software Engineer | swillden@google.com <mailto:swillden@google.com> | 801-477-4296 > _______________________________________________ > EAT mailing list > EAT@ietf.org <mailto:EAT@ietf.org> > https://www.ietf.org/mailman/listinfo/eat <https://www.ietf.org/mailman/listinfo/eat> > > _______________________________________________ > EAT mailing list > EAT@ietf.org <mailto:EAT@ietf.org> > https://www.ietf.org/mailman/listinfo/eat <https://www.ietf.org/mailman/listinfo/eat>
- [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Smith, Ned
- Re: [EAT] Introduction Suresh Marisetty
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Carl Wallace
- Re: [EAT] Introduction Carsten Bormann
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] [Rats] Introduction Ira McDonald
- Re: [EAT] Introduction Laurence Lundblade
- Re: [EAT] [Rats] Introduction AndreRein
- Re: [EAT] [Rats] Introduction Laurence Lundblade
- Re: [EAT] [Rats] Introduction Henk Birkholz
- Re: [EAT] [Rats] Introduction Michael Richardson