[Lake] evaluation of attestation results by EDHOC "clients"
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 05 June 2024 18:38 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89906C169431 for <lake@ietfa.amsl.com>; Wed, 5 Jun 2024 11:38:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3UazQJZuw24 for <lake@ietfa.amsl.com>; Wed, 5 Jun 2024 11:38:10 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17670C14CF0D for <lake@ietf.org>; Wed, 5 Jun 2024 11:38:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 3F4EC38990 for <lake@ietf.org>; Wed, 5 Jun 2024 14:38:08 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id S36Xd_C71epQ for <lake@ietf.org>; Wed, 5 Jun 2024 14:38:06 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 2588D3898F for <lake@ietf.org>; Wed, 5 Jun 2024 14:38:06 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1717612686; bh=ZOE+e6q+qr29QH1dA3pagf3NlDWlsM27gUBOMS8EuaM=; h=From:to:Subject:Date:From; b=bPz4phe5Yxs7mDEEg6+pbbM6AHCDbECqT6NaZ9ZYp2E+UYNlg59DaelpNmEoYsKIN Lk6udzoIEcQIXwNgDK3Flk57DrOXL0WYGGULXsSsRtcSCXR42Ro95T5Nk0FkOVCtvp +1Unx/awt09IiUgB+3zdtTz1zBrhMEj25N2KXcGOhFzk1GbUhR+JY774+w138wPF4z VI4asNOVQ8r6IU4PF4RByZD+a/xlzNACD1YOpJgbw93UP6y2CiqGdoXeThwycAEqN2 OMPwUYZhyHATEAepbExl7KGPD2wWJKuqzmqKaRYVaUaPMt3EapfTOSibCOIdLEznYR Ju8ns4LFsVJLQ==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 899E4375 for <lake@ietf.org>; Wed, 5 Jun 2024 14:38:05 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: "lake@ietf.org" <lake@ietf.org>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 05 Jun 2024 14:38:05 -0400
Message-ID: <25805.1717612685@obiwan.sandelman.ca>
Message-ID-Hash: H3Y2TR3J6NJ7JS5JU7Z7RURBFAWZY544
X-Message-ID-Hash: H3Y2TR3J6NJ7JS5JU7Z7RURBFAWZY544
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Lake] evaluation of attestation results by EDHOC "clients"
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/o2oujiDacHm2m9a5y7W50oUsY7o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Owner: <mailto:lake-owner@ietf.org>
List-Post: <mailto:lake@ietf.org>
List-Subscribe: <mailto:lake-join@ietf.org>
List-Unsubscribe: <mailto:lake-leave@ietf.org>
{sorry for the length}
Yuxuan Song explained her document draft-song-lake-ra to me with the help of
Goran and Malisa. As I said on the list before, doing remote attestation as
part of an onboarding process makes a lot of sense.
Independant of that process, there are questions. The documents' diagram:
https://www.ietf.org/archive/id/draft-song-lake-ra-00.html#figure-1
does map very well to the U/V/W of:
https://www.ietf.org/archive/id/draft-ietf-lake-authz-01.html#figure-2
{I did not see before that it is proposed to carry the Evidence in message-3.
I thought that would be too late, and it had to go in message-1}
(Except that re-using "V" for Verifier vs JRC is a problem we should avoid.)
My contention, which I think the group agreed with, is that one probably
wants to do continuous assurance, that is, to repeat the remote attestation.
Do you want to have two protocols and two code paths? (redundant code in a
constrained device?). I suggested that *maybe* the remote attestation should
use it's own /.well-known Path, and that it would just occur after
onboarding, and regularly onwards. Maybe it's weird to onboard a device only
to kick it out again immediately because it failed remote attestation, but
given continuous assurance, this could happen at any time.
Anyway, if devices are being onboarded and then failing regularly, then I
think there are other, bigger problems. (And if the battery on the device
gets run down because of this; well... that's one fewer attacker...)
We discussed the possibility that whenever doing a subsequent remote
attestation, that it could happen as part of a PSK-based EDHOC "rekey".
I can live with that.
We also discussed the opposite situation: where a constrained device needs to
consider the security posture of the (edge?) compute node which is going to
collect the sensor data. This is a far more difficult situation.
In general, the situation is that the device needs to consider the
*Attestation Results*, since there is no reasonable way a constrained device
can competently evaluate the evidence directly. This is, unlike the above
situation, a passport model. Somewhere a Verifier has produced the right
results. The question in this case is how is the U-device provisioned with
the right public key with which to evaluate the results?
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
- [Lake] evaluation of attestation results by EDHOC… Michael Richardson
- [Lake] Re: evaluation of attestation results by E… Yuxuan SONG