Re: [EAT] [Rats] Attestation BoF charter updates?

Carl Wallace <carl@redhoundsoftware.com> Wed, 24 October 2018 16:59 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 692E9130E2E for <eat@ietfa.amsl.com>; Wed, 24 Oct 2018 09:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEUy0jefF9Rr for <eat@ietfa.amsl.com>; Wed, 24 Oct 2018 09:59:50 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28FC41288BD for <eat@ietf.org>; Wed, 24 Oct 2018 09:59:50 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id q41-v6so6366494qtq.10 for <eat@ietf.org>; Wed, 24 Oct 2018 09:59:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=DVhaabc95KVH8xiQ5o2br8IZJAQ51bgMMSDKWOjT4n0=; b=G0iMuafBuXfigyjeyVMsVAUid8I4YAu58SjztHRpilnqOinzgnZmH+TNDR7fAdBt6Z fqCq0/ufVpht51wtncYAqhYmHtRQpx2zyOPNzqQmhP0PRZDf9uxX22LCoGsJ5ydVKqf8 6PATay6k9oRqQgn0eD0u5nCyf9sKO91GUWvSs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=DVhaabc95KVH8xiQ5o2br8IZJAQ51bgMMSDKWOjT4n0=; b=lH9b2b7dBx82NSsBHMwUuLwbmmV+vwm/g7uX/6JXRYhnOApUvCYLvu6hgsm2BNl4xp HzI0CkCR/QYjdBJ1za63SNJQtWyutdGG7Byic3mRnpM4VSYg/wUwPfn4kyLtXEeJqKMD bv4B9z+SOodSm2/47wFmQzqmiCXnq/csoL7azOxGLO6qdJkoF0GoLknj+9b67W7C6D/M CXZhpVEkNkLNs5x7dXAchenGjKah0MusQJeWOI+nStmHhWVHHqxmYWYkK2ga79w5obnw gbAvLf7Y+qy2/nIDUBefQBM9TaU99SJl115FHPf6tGo0+24BIPk/JN1PCr9rSruVdUQV 5uDw==
X-Gm-Message-State: AGRZ1gJxeL9GAxxbe4+uBnb2RFhwoyNeZPHiY7oaFxyYmYq34MrnsQEn stGLLLFecwtBLMgJcEYv0MuX/g==
X-Google-Smtp-Source: AJdET5dYm+2jmw5aUUljGxqMYP+0v/ustgB02WEs1Vx6ry+6ngQLwWVGS7Ud0Ss7hp2cgSUNtnMhYg==
X-Received: by 2002:a0c:ec45:: with SMTP id n5mr3168788qvq.91.1540400389077; Wed, 24 Oct 2018 09:59:49 -0700 (PDT)
Received: from [192.168.2.27] (pool-108-28-91-61.washdc.fios.verizon.net. [108.28.91.61]) by smtp.googlemail.com with ESMTPSA id m64-v6sm3077277qkf.18.2018.10.24.09.59.45 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 24 Oct 2018 09:59:48 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.7.6.170621
Date: Wed, 24 Oct 2018 12:59:41 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "Smith, Ned" <ned.smith@intel.com>, "eat@ietf.org" <eat@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Message-ID: <D7F61CDB.C3FB7%carl@redhoundsoftware.com>
Thread-Topic: [EAT] [Rats] Attestation BoF charter updates?
References: <D7F4B1E4.C3BF8%carl@redhoundsoftware.com> <D0C08E47-DBB6-4AAD-95EF-F952155D3152@qti.qualcomm.com> <581DD29C-85D9-4BD8-A0EE-41761ED773B4@intel.com> <D7F4D350.C3CFF%carl@redhoundsoftware.com> <FFA0BB14-48AB-45CE-8D7A-53D43821FC7D@intel.com> <D7F4E84F.C3D97%carl@redhoundsoftware.com> <FCF1711D-4936-4D35-A75D-84B88C076151@intel.com> <D7F4F54C.C3DB8%carl@redhoundsoftware.com> <8340B1B8-775D-4932-B432-29B715A3B45D@qti.qualcomm.com> <D4F3DF93-D63F-4254-8014-9039B856B760@sit.fraunhofer.de> <91CD33FE-A023-464F-A49F-04B38A2A6274@qti.qualcomm.com> <543135F2-9D4F-4411-A561-21B4751EBE26@sit.fraunhofer.de> <D7F619D9.C3FAF%carl@redhoundsoftware.com> <eec02b2e-bf1b-a9ae-96ca-590a1563c222@sit.fraunhofer.de>
In-Reply-To: <eec02b2e-bf1b-a9ae-96ca-590a1563c222@sit.fraunhofer.de>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/t-YSik9VObXwMt2jYMeCVFrqaoI>
Subject: Re: [EAT] [Rats] Attestation BoF charter updates?
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 16:59:53 -0000

Got it. No boiling the ocean intended. Goal for me is to present
attestations to CAs to inform cert issuance. This typically involves ASN.1
and cert mgmt protocols (of which there sadly are many). Multiplicity of
cert mgmt protocols notwithstanding, this ought not be too much scope
creep here. A single attribute definition could serve at least three of
them.

On 10/24/18, 12:55 PM, "EAT on behalf of Henk Birkholz"
<eat-bounces@ietf.org on behalf of henk.birkholz@sit.fraunhofer.de>; wrote:

>Hello Carl,
>
>as ASN.1 has been there for quite some time, virtually anything is in
>some way represented via an ASN.1 based format in some way, I'd say. Of
>course this opens up a very wide spectrum of attestation related
>content, too.
>
>That does not mean everything attestation related represented via
>something ASN.1 based is in scope for the initial phase. We have to make
>a few careful decisions here, is all I am saying.
>
>"we could add text to the WG description indicating that the WG will
>work with relevant WGs to identify where attestations may be useful in
>PKI infrastructures" could likely prove to be a very big endeavor and
>should maybe be included in a later phase? We are excluding provisioning
>at the moment and that seems to be significant more vital to remote
>attestation procedures (IMHO). I am highlighting this as a point of
>reference wrt to scoping.
>
>Viele Grüße,
>
>Henk
>
>
>On 10/24/2018 06:45 PM, Carl Wallace wrote:
>> Not sure I follow.
>> 
>> From: RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on
>> behalf of Henk Birkholz <henk.birkholz@sit.fraunhofer.de
>> <mailto:henk.birkholz@sit.fraunhofer.de>>
>> Date: Wednesday, October 24, 2018 at 12:42 PM
>> To: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com
>> <mailto:jodonogh@qti.qualcomm.com>>
>> Cc: Michael Richardson <mcr+ietf@sandelman.ca
>> <mailto:mcr+ietf@sandelman.ca>>, "Smith, Ned" <ned.smith@intel.com
>> <mailto:ned.smith@intel.com>>, Carl Wallace <carl@redhoundsoftware.com
>> <mailto:carl@redhoundsoftware.com>>, "eat@ietf.org
>> <mailto:eat@ietf.org>" <eat@ietf.org <mailto:eat@ietf.org>>,
>> "rats@ietf.org <mailto:rats@ietf.org>" <rats@ietf.org
>> <mailto:rats@ietf.org>>
>> Subject: Re: [Rats] [EAT] Attestation BoF charter updates?
>> 
>>     It is in the current charter text, because I think your answer in
>>     the quote below is well met.
>> 
>>     "ASN.1 is already player for a number of attestation formats. Any
>>     reason to exclude it?
>> 
>>     None I can technically justify."
>> 
>>     However, even boiling of the ocean is subject to phasing - and the
>>     ASN.1 related wording is not intended to be a loophole ;-)
>> 
>>     Viele Grüße,
>> 
>>     Henk
>> 
>> 
>> 
>>     On October 24, 2018 6:32:15 PM GMT+02:00, Jeremy O'Donoghue
>>     <jodonogh@qti.qualcomm.com <mailto:jodonogh@qti.qualcomm.com>>
>>wrote:
>> 
>>         I think you already have text which keeps this scenario in scope
>>         in the latest draft (the bit about ASN.1 interoperability). From
>>         my perspective this is enough for now.
>> 
>>         Jeremy
>> 
>>>         On 24 Oct 2018, at 17:27, Henk Birkholz
>>>         <henk.birkholz@sit.fraunhofer.de
>>>         <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
>>>
>>>         Please all keep in mind that we are intending to cut work
>>>         items into phases. While we are starting to agree more than we
>>>         disagree, I think, we should continue to pay attention to
>>>         scoping, please. Not now does not mean never!
>>>
>>>         Viele Grüße,
>>>
>>>         Henk
>>>
>>>         On October 24, 2018 2:46:21 PM GMT+02:00, Jeremy O'Donoghue
>>>         <jodonogh@qti.qualcomm.com <mailto:jodonogh@qti.qualcomm.com>>
>>>         wrote:
>>>
>>>             I have the following understanding (possibly
>>>             misunderstood) from this thread:
>>>
>>>               * It is desirable to have syntax for incorporating sets
>>>                 of Claims in structures that are defined in ASN.1. At
>>>                 the surface level this may be straightforward because
>>>                 claims are essentially (key, value) pairs - the key
>>>                 potentially being implicit in some cases, but there
>>>                 could be important semantic differences in the meaning
>>>                 of signing in Attestation formats vs legacy formats,
>>>                 and there may be challenges in mapping some CBOR or
>>>                 JSON constructions to ASN.1.
>>>               * The main use-case under discussion is to address
>>>                 mechanisms to enable an attestation to be presented to
>>>                 a CA in the context of a certificate request protocol.
>>>                 If I have correctly understood this, it means that a
>>>                 direct mapping of the Claims in an attestation to an
>>>                 X.509 certificate is a non-goal as the CA would be
>>>                 responsible for correctly interpreting the semantics
>>>                 of the Claims and incorporating them into an issued
>>>                 certificate in ways that make sense in the X.509 world.
>>>
>>>
>>>             I think we need to take care to limit the scope of work
>>>             items in this area as there exists a considerable existing
>>>             body of specifications in this area. Girl has mentioned
>>>             ACME, and Carl mentioned SCEP, for which a new version
>>>             appears to be nearing publication.
>>>
>>>             My suggestion is that it should be in scope to define a
>>>             syntax for describing attestations which which could be
>>>             transported via certificate request protocols such as ACME
>>>             and SCEP, but that the question of how the semantics of
>>>             attestations are managedin their use-cases is a question
>>>             for the WGs owning those specifications.
>>>
>>>             Looking at the current SCEP draft
>>>             
>>><https://datatracker.ietf.org/doc/draft-gutmann-scep/?include_text=1>,
>>>             it might be sufficient for the CRIAttributes definition
>>>             (from RFC2986) to include the ASN.1 encoding of an
>>>             attestation. ACME seems to encode the CSR in RFC2986 for
>>>             as well, so this might be workable.
>>>
>>>             In terms of the charter text (which is what is really in
>>>             scope here) we could add text to the WG description
>>>             indicating that the WG will work with relevant WGs to
>>>             identify where attestations may be useful in PKI
>>>             infrastructures. I think the existing charter text already
>>>             covers the possibility of defining Claims to enable
>>>             transport of an X.509 certificate as part of an
>>>attestation.
>>>
>>>             Please let me know if I have misunderstood. I will be
>>>             posting an update to the text shortly which I believe
>>>             covers this.
>>>
>>>             Jeremy
>>>
>>>>             On 23 Oct 2018, at 20:57, Carl Wallace
>>>>             <carl@redhoundsoftware.com
>>>>             <mailto:carl@redhoundsoftware.com>> wrote:
>>>>
>>>>             <snip>
>>>>>             [nms] Right. In order for the CA (verifier) to
>>>>>             distinguish the certifying key is an ‘attestable key’
>>>>>             vs. a traditional CSR. The CA should look for a
>>>>>             signature from the mfg cert over the CSR (certificate
>>>>>             management message?) containing the generated public
>>>>>             key. I’m still not seeing where there is a self-signed
>>>>>             (issued) certificate in the equation.
>>>>             This began with request to codify binding to certificate
>>>>             request protocols, not for a self signed certificate.
>>>>>
>>>
>>>
>>>         --
>>>         Sent from my Android device with K-9 Mail. Please excuse my
>>>         brevity.
>> 
>> 
>>     -- 
>>     Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>     _______________________________________________ RATS mailing list
>>     RATS@ietf.org <mailto:RATS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/rats
>> 
>
>_______________________________________________
>EAT mailing list
>EAT@ietf.org
>https://www.ietf.org/mailman/listinfo/eat