Re: [Rats] CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 24 November 2019 09:00 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A180D1200FA for <rats@ietfa.amsl.com>; Sun, 24 Nov 2019 01:00:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.641
X-Spam-Level:
X-Spam-Status: No, score=-0.641 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.355, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8u8g55Zt0RJ for <rats@ietfa.amsl.com>; Sun, 24 Nov 2019 01:00:14 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A46D120020 for <rats@ietf.org>; Sun, 24 Nov 2019 01:00:14 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id l17so11994974wmh.0 for <rats@ietf.org>; Sun, 24 Nov 2019 01:00:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=DODlbRQjQe/vTr/2qkfIKDTsAv3r6IJMRN+PH17Zgj0=; b=lOYe5Jmsgu93Hc/aGgENXJ8yl7fg44gtqzzRzZ9lVLl0MxiDHU7OR6Bp8F4mHBxT6k 15SV1Y5gSNA2GrthTvruPL7VK6L4hdB3ljT0wYSoahpGndKnXZfdSDJEXo49mh5TCrYU 9JQJj0/hnxbEJX2Uwc+C3F/QX/chgkVV76QqFyZutxPpJ9WLHAdBCkWbirYh16u2+30n Ecm/KiNjsqp865n+PneGoV+gC5GyLsVe4j4wOGagI3Ucusfa1PmsJiYRwK3U/glmsB6+ TTc67aqgXqzCbrDrtS6sOLGfzdKBhE8WYKH7lFJFQW6UZ9uk++4nhgIogG+qYCpSlXbE E1Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=DODlbRQjQe/vTr/2qkfIKDTsAv3r6IJMRN+PH17Zgj0=; b=QY+mzZXwn1DCwQKu/GZbINA0S51G4zwfCtN17i7Yr3OtLVbfB1WYHRlvz7ka3GsjMt a/L2fT7cncv7pV5dTvvkoZDaTQrEVbLuZGr1YT+V//MjG/kfPDxi+W70W+xswrAEXYV7 zzJS8rzQh0tYHDZCVC8SYH8teNvGS+JUJE+btGhn+9JdyZONySy5aI+Yc0x5j0E/KTrD dkuyvyuus6bVisy1N5SQGUFUM2o9eiYEI2T70H7qe4Ze4/uhFnhNYzsO6/5hANlXVoQZ 8mMBMyoJAdL0lLDsuw/FKGv/jWkA/oxo8amvrKPnuFxsFieHyXw6X9p8Yq8m2pErsVTX gz1g==
X-Gm-Message-State: APjAAAWqeHV1VdtbBUlur2tw6GeKH9gkoRpoLYbpxcAjYtQ4MspCR8kJ ktiGSllTCdnJ3yfDjfiRqaE=
X-Google-Smtp-Source: APXvYqz5NfbQNcymg88mrlbUVvAhifgr5emtzOUImxjkB3GhA0T4ecJluI2S80sGEJpwILlbVfj7UA==
X-Received: by 2002:a7b:cb97:: with SMTP id m23mr4769521wmi.69.1574586012577; Sun, 24 Nov 2019 01:00:12 -0800 (PST)
Received: from [10.0.0.146] (bzq-109-67-99-114.red.bezeqint.net. [109.67.99.114]) by smtp.gmail.com with ESMTPSA id d13sm5205990wrv.88.2019.11.24.01.00.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Nov 2019 01:00:11 -0800 (PST)
User-Agent: Microsoft-MacOutlook/10.1f.0.191110
Date: Sun, 24 Nov 2019 11:00:10 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Dave Waltermire <davewaltermire@gmail.com>, "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>
CC: "rats@ietf.org" <rats@ietf.org>
Message-ID: <93829618-28A7-417A-B9EA-90CC27E36CE3@gmail.com>
Thread-Topic: CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases
References: <5D88882F-E40F-43C8-BC79-C5913845FE87@gmail.com> <CAHbuEH6u5yfGT=ZVPLmiedgx8wofBApeG6qZnknWi71zkKRbEQ@mail.gmail.com>
In-Reply-To: <CAHbuEH6u5yfGT=ZVPLmiedgx8wofBApeG6qZnknWi71zkKRbEQ@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3657438011_802347946"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/-0dqQynbKENPWd0sRvEYzoj6yO0>
Subject: Re: [Rats] CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2019 09:00:16 -0000
Hi Kathleen, Thanks for the reference. I just read the draft, and I don’t think it answers my questions. Best, Yaron From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Date: Friday, November 22, 2019 at 20:20 To: Yaron Sheffer <yaronf.ietf@gmail.com>, Dave Waltermire <davewaltermire@gmail.com>, "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov> Cc: "rats@ietf.org" <rats@ietf.org> Subject: Re: CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases Hi Yaron, I am copying Dave and Stephen in case they are not following RATS as closely as they do SACM. Have you looked at the CoSWID draft in SACM? It contains the full SWID format as it is translated into CoSWID. It may answer some of your questions. I'm swamped today, but can look at this stuff more next week or the following week and am interested. Best regards, Kathleen On Fri, Nov 22, 2019 at 10:43 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: Hi Kathleen, I was assuming CoSWIDs (or SWIDs) to become claims anyway, this wasn’t what I was asking. My question was whether SWIDs today cover the most common technologies that we use to deploy software, other than traditional RPM (and equivalent) software packages: * Language-specific packages deployed directly into the OS, such as Python PIP and Ruby gems. * Language-specific packages deployed into application servers, such as Java WAR files and NPM packages. * Docker containers that consist of multiple "layers", each possibly including several RPM packages as well as other stuff, like individual copied files. * Lambda functions that are built using their own custom toolset. I am completely ignorant about the SWID ecosystem, so maybe the answer is Yes to all of the above (though a quick Google search came up with nothing). Any help from experts would be appreciated. Thanks, Yaron From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Date: Friday, November 22, 2019 at 22:15 To: Yaron Sheffer <yaronf.ietf@gmail.com> Cc: "rats@ietf.org" <rats@ietf.org> Subject: Re: [Rats] Reviewing EAT for enterprise/cloud use cases On Fri, Nov 22, 2019 at 12:57 AM Yaron Sheffer <mailto:yaronf.ietf@gmail.com> wrote: I have read the EAT draft, specifically with a “cloud” use case in mind. To clarify, what I'm looking for is the capability: - To attest to software components that are running inside VMs, containers (either on VMs or bare metal), and anonymous containers (function-as-a-service, such as AWS Lambda). - Such components may be deployed in arbitrary hierarchies (VM-in-VM etc.). - Attestation of running (as opposed to installed) components. For example, container code may be pulled from a remote repository shortly before it is run. - To support diverse roots-of-trust, such that when a hardware root-of-trust is unavailable, we can have a hypervisor or an orchestration server (e.g. Kubernetes) as the RoT, even if that means a lower level of trust. I think in general, EAT can be made to fit these use cases, given its recursive structure. But not surprisingly given its origins, the draft would need quite a few changes. * 1.2 (and 3.12): why not spell out that a submodule can be either a hardware or software component? * 1.2: why *dedicated* root of trust, what is it dedicated to? A RoT may have other functions; a system may in general have multiple RoTs. The word "dedicated" is not repeated anywhere else in the document, nor is it explained. * 1.3 continues to only talk hardware, e.g. when defining the "manufacturer". Software has a manufacturer too. * 3.3: the notion of UEID is fundamentally incompatible with some component types that we would wish to attest. For example, the lifetime of a function-as-a-service container may be less than a second, and even if it has an identity during its lifetime, there is no registry or persistent record of this identity. Is a UEID required in this scheme? * 3.4: hey, finally some software! I think we still don't have a handle on identifying running software, and CosWID may not be the whole answer. CosWID is more like traditional software inventorying, and we need something that will cover dynamic modern software. I'm going to write up some text for the CoSWID draft that would have a CoSWID in an EAT (CWT). If the entire CoSWID (or even SWID) were in a claim, allowing you to add other claims, would this suffice for your use case? I think I'll write a draft specific to what CoSWID looks like in an EAT as a follow up and would like coauthors. I was thinking that might go into SACM, referencing the EAT work. Best regards, Kathleen Thanks, Yaron _______________________________________________ RATS mailing list mailto:RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats -- Best regards, Kathleen -- Best regards, Kathleen
- [Rats] CoSWID, was Re: Reviewing EAT for enterpri… Yaron Sheffer
- Re: [Rats] CoSWID, was Re: Reviewing EAT for ente… Kathleen Moriarty
- Re: [Rats] CoSWID, was Re: Reviewing EAT for ente… Yaron Sheffer