IETF Logo Mail Archive

Re: [EAT] [Rats] Attestation BoF charter updates?

Denis <denis.ietf@free.fr> Fri, 12 October 2018 13:33 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79804130DD1 for <eat@ietfa.amsl.com>; Fri, 12 Oct 2018 06:33:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wQoNQcPEB1I0 for <eat@ietfa.amsl.com>; Fri, 12 Oct 2018 06:33:21 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE24F130E1F for <eat@ietf.org>; Fri, 12 Oct 2018 06:33:20 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 4DF1578032A for <eat@ietf.org>; Fri, 12 Oct 2018 15:33:18 +0200 (CEST)
To: eat@ietf.org
References: <5D773C02-5083-4B10-A705-782E28FD8ADB@island-resort.com> <f84515dd-2e1a-7e66-7c23-b16f8f425d2a@sit.fraunhofer.de> <D7E5069D.C2E65%carl@redhoundsoftware.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <c72a3b6c-88f2-d452-96be-947a4be1d9c8@free.fr>
Date: Fri, 12 Oct 2018 15:33:22 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <D7E5069D.C2E65%carl@redhoundsoftware.com>
Content-Type: multipart/alternative; boundary="------------212E5902AB82DB0E68AF2BC2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/s-8IkQ89ZOThOREPu_zhPdZxE3Q>
Subject: Re: [EAT] [Rats] Attestation BoF charter updates?
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 13:33:25 -0000

  A quick feedback about charter/ietf-rats-charter.md


  The introduction mentions:
  "In summary, RATS expose trusted claim sets to detailed Attestation
  Evidence enables a Verifying Party
               to retrace every step that led to its current Operational
  State.


  Such set of claims may be useful in some contexts, but not always. In
  many cases, it is sufficient to know that the device supports
  a set of operations/functionalities and that it operates as expected,
  does what is required and does not do other things (e.g. no back door
  is present).
  A typical example is a secure element, like a smart card.


  The "Problem Statement" is currently described as follows:

(1) Establishing a sufficient level of confidence that a communication 
partner is a trustworthy endpoint. This is a fundamental challenge.
      Currently, there are no agreed upon standards that define a 
minimal set of Reference Values and Attestation Evidence that distinguishes
      a trustworthy execution environment over one that isn't.

The question is not only whether the device has a trustworthy execution 
environment or not, but whether the device is capable to support a specific
set of functions (obviously using a trustworthy execution environment).

The "Problem Statement" (1)**should be rephrased as:

"Establishing a sufficient level of confidence that some data originates 
from a trustworthy device (e.g., an end-user device, platform or endpoint,
servers, IoT devices, device subsystems and sub-modules) designed to 
support a specific set of operations/functionalities and that it operates
as expected, does what is required and does not do other things that 
could impact the security of that set of operations/functionalities 
(e.g. no back
door is present).

The "Problem Statement" continues as follows:

(2) Today, there is no common, standard way for Relying Parties to know 
the provenance and characteristics of a device (e.g., an end-user device,
platform or endpoint, servers, IoT devices, device subsystems and 
sub-modules) that may be requesting services.

Knowing the provenance of the device is not always necessary. What is 
important is to know that a specific set of functions is (securely) 
supported by the device.
There already exists a common way to know the characteristics of a 
device by issuing to the device a public key certificate which will only 
be issued to the device
if it fulfills an expected set of functionalities. In such a case a 
syntax for a trusted claim sets**is not needed.

The simplest cases should also be part of the framework.

Note: I personally appreciate that privacy is an aspect that will/should 
be taken into consideration.

Denis

> As with the earlier draft, there are many references to verify and
> verifier in the lead up to the deliverable but no deliverables describing
> verification rules. I'd like to see rules in one of these documents and
> think it worth citing in the deliverables. Are bindings to certificate
> management protocols out of scope?
>
> On 10/11/18, 9:49 AM, "RATS on behalf of Henk Birkholz"
> <rats-bounces@ietf.org on behalf of henk.birkholz@sit.fraunhofer.de> wrote:
>
>> Hi all,
>>
>> sorry for the delay. Please find an updated charter proposal here:
>>
>>> https://github.com/ietf-rats/charter/blob/RC2/ietf-rats-charter.md
>> The BoF proponents tried to merge all comments and proposals on
>> keystores, existing solutions, provenance & device characteristics, etc
>> that were raised on the list - and align them in homogeneous fashion.
>>
>> This draft is intended to focus the discussion and improve the wording.
>>
>> Viele Grüße,
>>
>> Henk
>>
>> On 10/06/2018 08:23 AM, Laurence Lundblade wrote:
>>> Hi Henk,
>>>
>>> Bangkok IETF is getting close, will you be able to update the charter
>>> for the attestation BoF to properly include EAT?  I sent you some text
>>> that just needs to be pasted along with some comments. It doesn’t look
>>> like there’s been any updates.
>>>
>>> LL
>>>
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
>
> _______________________________________________
> EAT mailing list
> EAT@ietf.org
> https://www.ietf.org/mailman/listinfo/eat

v2.23.0 | Report a Bug | By Email