IETF Logo Mail Archive

[Rats] AD Review of draft-ietf-rats-architecture-15

Roman Danyliw <rdd@cert.org> Tue, 03 May 2022 21:54 UTC

Return-Path: <rdd@cert.org>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94129C1594B0 for <rats@ietfa.amsl.com>; Tue, 3 May 2022 14:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WF8otS22to52 for <rats@ietfa.amsl.com>; Tue, 3 May 2022 14:54:01 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0714.outbound.protection.office365.us [IPv6:2001:489a:2202:c::714]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 132C2C14F731 for <rats@ietf.org>; Tue, 3 May 2022 14:54:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Jci6qSFXKVsTvJ0JKNhJGdffwzNFv80k5hh5DOm6QHarAii5fapJ358Yw6jppZoAW81gE7MrbWv7TUNTRhBz/FvtHQVccYJKMdEPmDJx6N/BrsH000ZlNW7VoNgiAUTTXBWt3dy0CN6wkm80ufSBPfZHy6+SDYXzpPN29CkvWS84PaHpOe5aCMgNCcPpCQTFrlp8QxgC9EeT3UJU2s7VMwFdzdEyIhvh/+hbNRi8qyPB0BAO10VX0T8YLlpv7xASjshBgUhuBLuNJW3reqP4iT9ZyM3+CZG6w0+LaOsHcN+XwdB6rNrvd/++XRUlUSdNjxvVeiQf49aOPkYsVTQc7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=l9VyrqM3RBdxn4kJ7IUnupzCdpmPj+9fgeQVionL0E8=; b=VLeQksAkq2E2xhC0KjGXLlZYy+j8MMDHVZxvrFgwrkB6Gd3IkmjfFkqa7sn0OXQBQX6OZGxwSf9Gk0sn4cKWyxfvf0ZjYMeX2O9iZXLYUu9tcL91oiFy9DsN4RPO8/EMi2vkw5Apa2Dsmxf5ctgXUtnWmj3W/HdNhrSq+enUk0nDbidTNY+vlYWUvke6+HirLDGpmD9IPH0W2OZ4HClkYG7RtFK1qHznzwS+Hi4PwxkH4ieQnOaHSE3g7p6f8/U7SEWqKVXeE4DiyKJrGqUddS5xC33H1EkzEd8KZx0S8WOmXTSJ1QcbSvQAJLBTW9Oc5bEjztygMkShiLNrRqQE/Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=l9VyrqM3RBdxn4kJ7IUnupzCdpmPj+9fgeQVionL0E8=; b=dRYEadiXDAaHBVf1zHf1TLB1brHUxNta1GAWGJHhERrR926arvJtJmAn0vCYV+QLUeuTL4PpZ8aW7zhs16HW/izL75tJN6U9wYIURBwHcZHtOXp744Ue2jUEqKSddgEKTVXqyF8oHTKE3CEb8OQklaNCDkKWnsSTCx71isQgvMM=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1669.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17b::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.14; Tue, 3 May 2022 21:53:55 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61d4:e6f0:d8e4:7722]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::61d4:e6f0:d8e4:7722%6]) with mapi id 15.20.5186.028; Tue, 3 May 2022 21:53:55 +0000
From: Roman Danyliw <rdd@cert.org>
To: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: AD Review of draft-ietf-rats-architecture-15
Thread-Index: AdhfNo/YbgZCs0OMSiqFXlqIAvRN0w==
Date: Tue, 03 May 2022 21:53:55 +0000
Message-ID: <BN2P110MB110748C2C81E515E5E7277C5DCC09@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 47778af6-e4f3-4cf1-d93a-08da2d4f6b40
x-ms-traffictypediagnostic: BN2P110MB1669:EE_
x-microsoft-antispam-prvs: <BN2P110MB1669EFE5F491B0F15A9551E3DCC09@BN2P110MB1669.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RWxHnEgegAM0bkqltlMnFclCQ11VGRpzhE37uFE99tPrgApVBZQhkv5c5UgKztM4OrEaNEa+ycO6+e78IIPVAztYXdugT+DOuaPY1zQA4SMOqPqVk8KRxnzDCrLNy6kSup8JL1U4snOVkQN6CMsv8hHIOBUMlnhV67Eg/LVVdwcA80mpVyXrUhjj8Zuj6/wpQ+Px6GIdjfsfLW7uyS8kI55JR3w64DGcDjImZy47zNlYWkMVsH4eFWn69yfW6uVVXRj6rBfQASSrDuawWm9DH4iRApJv9E6C1rFTrYC9oq2U7qPY8LvkqlKcwBzk7MDG92j5vD/dQP0kq8A11FzgGhwd3vx5x7cm0q8fsJHZR5nPxNw4rL+CNgPkMEX+m/s+7wqYSQYSfA8Sc4Ro/tRkAahPo35mlSVIYPb3lRhAtuTNYh8K3sD52jOXZu4TN0XRa8d2L27t7d6t0qfV7gq2WbcMTU0Cvk8q0UUepndNKLviFbrwYYCakYs7UK4E5xNmyl5jzr7gywYJ3V1lmXsOicGD25ZWgs06UkkweUQwV7yq1UvUrsQ0plDa3nna87xQjXhQ3JHqZcff7HdrQd0gxKZiXsbiQmEgqcJqtMQcRiuD99rw3Ki+wMHBYzeh0v+E85v3Oz9+PTBmbyxn9nnN/KfLBwLmaQNJE9oP5K4b2o8N51CvcFVElW1pbiteTE8UjQugMRmCEB87o9uvMxQH5tvVlnwn73QiCX7w78aPj3s=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(966005)(38070700005)(38100700002)(71200400001)(76116006)(66556008)(55016003)(64756008)(83380400001)(66946007)(66476007)(66446008)(122000001)(6916009)(82960400001)(8936002)(8676002)(9686003)(2906002)(33656002)(6506007)(7696005)(186003)(52536014)(5660300002)(498600001)(86362001)(21314003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: W7/CqJToNtpLRDGKjRhQ4OkdU9S4tl9qDCpnpTIVnrwc2T47w0WaJruFXw3h/yD214caGBplkmr+EmmBIrwcCpRCPRKHc7ylBpl0rImudKXGg4dEXpc7r/rUm8urROqe63kg53FD6UsgGg0Vy7DXAQTcaBopaBa2RH41Q5mexQOCistUiodRM/T+uRqKvKMK07n8PE1dDSU0JGqVUFaCekMoPR8ka4LCS8OV50E4oJTVhSznnjgTEX7wWA5Mb0SYyRjHvdXYkLvT3kNC11h/2d4IcAlefWs++/NHhmaPf6pSNEEQrcRZWQSi9GCthf2AjJ4jq3YvPb3FgQeIjacvBdd+uFs66JNDiY3AkR5e78R62Krrh5sl//aG+ud9cLjB6x612JAW/g+EhDhZhr5LlOyhv5i9N43OuVeYnCcxBZpC6UjWlHJmjnd5gGfEEIw2uHut1VhbLKEHNhYlouLisccmirQBHZLh3MCN+OLgCbc=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 47778af6-e4f3-4cf1-d93a-08da2d4f6b40
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2022 21:53:55.0955 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1669
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/aTkCwycskva3qVbKiT_M2s-gpsY>
Subject: [Rats] AD Review of draft-ietf-rats-architecture-15
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 May 2022 21:54:02 -0000

Hi!

I performed an AD review of draft-ietf-rats-architecture-15.  This is a follow-up to the early review I did on -13 per  https://mailarchive.ietf.org/arch/msg/rats/V0tee4ohWoSzR6xGqu92GXuZneA/.  Issues previously mentioned against the -13 not mentioned here can be considered resolved -- Thank you!

** Section 4.*.  Editorial.  

[Roman's comments on -13]

-- Section 4.1.  In the definition of relying party, what does the sentence fragment "Compare /relying party/ in [RFC4949]" mean?
-- Section 4.2.  Per the definition of "Claim", what does "Compare /claim/ in [RFC7519]" mean?
-- Section 4.2.  Per the definition of "Appraisal Policy for Attestation Results", what does "Compare /security policy/ in [RFC4949]" mean?

[Author's response] 
https://mailarchive.ietf.org/arch/msg/rats/zGTPhKrQfRfC14MTT_TKku5G5kY/

https://github.com/ietf-rats-wg/architecture/issues/357

[Roman's response on -15] 

I continue to hold the position that this language "Compare /xxx/ in RFC####" is not clear.  In the natural language sense, that phrase doesn't parse.  If the semantics are being taken from Section 2.6 of RFC4949, please explain that. However, it seems confusing to explicitly be listing antonyms (which RF4949 suggests is the meaning of the "Compare" notation).  In the case of a claim, is it an antonym -- isn't a claim here in fact similar to the one in Section 2 of RFC7519?

** Section 5. 

[Roman's comments on -13]

There is something foundational I am not following about this section.  The interactions described here do not conform behaviors described in the terminology in Section 4 or the high-level reference architecture of Figure 1.  I'm not sure how to reconcile this discrepancy.  

Minimally, these discrepancies in Figure 5 and 6 are not consistent with the roles defined in Section 4.

[restated here but same feedback on -13]

-- Figure 5.  Shows the Attester consuming Attestation Results

-- Figure 5.  Shows the Attester producing Attestation Results

-- Figure 6: Shows Relying party consuming Evidence

-- Figure 6: Shows the Relying Party producing/passing Evidence

The introductory text states that "[t]he discussion that follows is for illustrative purposes only and does not constrain the interactions between RATS roles to the presented patterns."  I don't follow what is being illustrated in the context of RATS.  What is the takeaway for implementers or designers from this section?

[Author's response] https://github.com/ietf-rats-wg/architecture/issues/358

[Roman's response on -15] The above github comment addressed a few issues from the -13 review, but not this one.

** Section 8.1.  

[Roman's comments on -13]
In the spirit of inclusive terminology please use alternative phrasing for "man-in-the-middle attackers".

[Roman's comment on -15] 
I didn't see a response here.  I'd appreciate consideration on making this change.

** Section 10.  

[Roman's comment on -13]

I found the level of detail on this section on freshness out of place and inconsistent with the level of abstraction found in the rest of the test.  In most other section, generic interaction of roles, artifacts, their associated topologies, and high level security properties was noted.  This section delves into specific implementation choices.  In particular, is the WG sure that it needs all of the details of Section 10.3.  Even among all of the Section in 10.*, this stands out. It doesn't seem to provide enough detail to be create interoperability but goes beyond simply introducing the concept.

[Roman's comment on -15] Thanks for the extra paragraph to explain why this section is here.  I will confess that I still don't understand why these details are here and stand by my original comment.  It's much more than I would have expected for an architecture (especially considering the extra material in Section 16/Appendix -- 10 pages/almost 20% of the document is devoted to time issues).  If the WG feels like it needs it, I won't push back.  However, if this is the watermark of the level of detail, let's make sure that there is equal treatment for other security issues too.  See my feedback on Section 12.

** Section 12.  

[Roman's comments on -13]
I didn't come away from this section with a strong, consistent understanding of which interactions needs which security properties or what considerations are need for which roles.  Section 12.2 is at least clear on integrity, but it also makes vague allusions to other properties.  

-- Section 12.2  This section lists that there might be a need to support additional security properties and provides list (i.e., E2E encryption, DoS protection, authentication, etc.) .  What actionable guidance should be taken from this text?   How should one reason about those properties?

-- The overall Section 12 seems silent on:

o Endorsers and endorsements?
o Reference values?
o What is the implication of combining roles into a single entity as described in Section 3.4 and 6.  Does this lack of separation present any additional issues?
o Compositional devices per Section 3.3?

[Roman's comment on -15]
I didn't see any discussion on text changes in this section related to these comments.  I saw https://github.com/ietf-rats-wg/architecture/issues/367 which seemed to match this feedback, but the associated pull request seemed to fix an editorial issue.


** Section 12.1.2.1.  Editorial.

[Roman's feedback on -13]

OLD
So, this is why, in general, ...

NEW
Commonly,

** Section 12.2.  Editorial.  

[Roman's feedback on -13]
The section title of "Integrity Protection" seems narrow given the content of this section.

** Section 12.4. 

[Roman's feedback on -13]
 Since RFC5280 is being invoked here, is there an expectation that certificates in RATS would confirm to this profile?

** Section 16.  Can the thinking of this section be explained.  It seems out of place, and borders on being a solution.  The rest of this document talks about notional roles and architectures.  This text is focused on a particular nuance of message flow.  I'm wondering if we need it.  My thinking was to move this text to draft-birkholz-rats-epoch-markers.  As an aside, I did notice that draft-birkholz-rats-epoch-markers is using the amount of text on this topic in this document to motivate it's existence. 

My concern is that this text begs questions such as 

-- Why isn't a nonce or getting treatment in Section 4 as a consumer/producer if this is going to be first order item being exchanged?

-- Why isn't an Epoch ID Distributor depicted any role or architecture diagram?

-- (Not a comprehensive list) The flows depicted in the Examples don't align with the roles in Section 4.  Example 1 and 2, an Attester is shown here as consuming attestation results.  Example 5 shows a Relying Party producing Evidence.

Regards,
Roman

v2.23.0 | Report a Bug | By Email