Re: [Rats] Function of an endorsement relative to evidence

Laurence Lundblade <lgl@island-resort.com> Tue, 14 June 2022 04:13 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E04CC14F746 for <rats@ietfa.amsl.com>; Mon, 13 Jun 2022 21:13:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ZUkKlKMg8Ek for <rats@ietfa.amsl.com>; Mon, 13 Jun 2022 21:13:29 -0700 (PDT)
Received: from p3plsmtpa12-09.prod.phx3.secureserver.net (p3plsmtpa12-09.prod.phx3.secureserver.net [68.178.252.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 166F3C14F733 for <rats@ietf.org>; Mon, 13 Jun 2022 21:13:28 -0700 (PDT)
Received: from [192.168.1.4] ([75.80.148.139]) by :SMTPAUTH: with ESMTPA id 0xviosTqFsIcO0xvjo10vH; Mon, 13 Jun 2022 21:13:27 -0700
X-CMAE-Analysis: v=2.4 cv=E/MIGYRl c=1 sm=1 tr=0 ts=62a80ae7 a=qS/Wyu6Nw1Yro6yF1S+Djg==:117 a=qS/Wyu6Nw1Yro6yF1S+Djg==:17 a=48vgC7mUAAAA:8 a=EUspDBNiAAAA:8 a=K6EGIJCdAAAA:8 a=6iQCUivUthXknDmfZmwA:9 a=QEXdDO2ut3YA:10 a=gBGHHSTl7QMVXiX2Po8A:9 a=shn6lMgqeZPocR6V:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=rMCfJy6NHDicN4J276Yl:22 a=L6pVIi0Kn1GYQfi8-iRI:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <ECB277FB-0EA9-40B3-B4E2-7033EB7AB0B7@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E71C02C3-A4EA-4C44-8005-A92135B09C23"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Mon, 13 Jun 2022 21:13:26 -0700
In-Reply-To: <458fba10-db39-8a90-6a1e-f6ca125143b0@sit.fraunhofer.de>
Cc: rats <rats@ietf.org>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
References: <6F919543-37BA-484B-AA7E-BAC3497EB125@island-resort.com> <ee639c74-b365-e127-b4ec-d6f9df0014e6@sit.fraunhofer.de> <3907E124-5080-442C-801C-C14F227687E6@island-resort.com> <458fba10-db39-8a90-6a1e-f6ca125143b0@sit.fraunhofer.de>
X-Mailer: Apple Mail (2.3445.104.21)
X-CMAE-Envelope: MS4xfMzXciAKbBaS5w0+Qdv3t0Z6WP9OpDrLn85/3rKPkcxBZiK4WgFl/nG2btcjVC5H3VCUfJE2KGw2zyJS6yOyI83AdXgxXjzsXVVyGJrK9+vmJcTMgAGI Sbx5KT/vrgTykTdm3LEEpBSov770huQCYImy8geNyiq37vf5M6ol4lmB71sj/DX9eKRqL0Hjlik8zZe+uvpPyo69Aq27KJ1KhvMB7m86jz0TwWz6i0QP2IyX
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0DLWKMxPEHYMTx6G65W8VSnEBcg>
Subject: Re: [Rats] Function of an endorsement relative to evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 04:13:31 -0000

> 
> On Jun 7, 2022, at 11:09 PM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
> 
> Hi Laurence,
> 
> okay just fore representative purposes, I am doing this once now. Please don't be mad with me :-)
> 
> What are attestations?

Hi Henk, here’s a hierarchy of levels of attestation depth:

1) Device Identity
The RP knows who made the device and maybe a few basic characteristics such as the model and version. This involves only two parties, the Attester Manufacturer and the Relying Party. The RP gets the public key for verification from the Attester Manufacturer. The RP is mostly on their own to decide if the device is trustworthy.

2) Device Identity and Configuration
Now the RP gets configuration information such as whether debug is enabled, SW versions and maybe even measurements. It’s still just a two-party set up with the Attester Manufacturer and Relying Party. The Relying Party is getting the reference values from the Attester Manufacturer and verifying against Evidence themselves. The Relying Party decides if they go ahead with the transaction if the SW or configuration is out of date.

3) Device Identity and Configuration Verified by the Attester Manufacturer
Now the Attester Manufacturer is running a Verification service. The RP gets Attestation Results that may be a summary and may include a recommendation from the Attester Manufacturer as to whether to trust the device. There are still only two parties involved. I would call this self-assessment, same as 1) and 2) because there is no separate organization cross-checking what the Attester Manufacturer is evaluating about the device.

4) Device Identity and Configuration Verified by a 3rd Party
Now the Verification is being run by a 3rd party that is neither the RP or the Attester Manufacturer. The RP gets Attestation Results from a trusted 3rd party. This is where attestation is clearly not self-assessment, because there are three separate parties involved and the Attester Manufacturer can’t just do what they want.

5) Device Identity and Configuration Verified by a 3rd Party plus Certification
This is the ultimate system with four parties. The 4th party is the certification issuer. This might be FIPS, GlobalPlatform, FIDO or Common Criteria based programs. Certification is above and beyond checking SW versions, measurements and vulnerabilities databases provided by the 3rd party. Certification gives deep review and threat analysis of the architecture and implementation of the Attester. 

I think there are a few other variations that make sense, but they don’t fall neatly into this monotonically increasing hierarchy so I haven’t written them out. In particular, there might be certification, but no independent 3rd party running a RATS verification.

I think all of these are attestation. The minimum for attestation is a device cryptographically proving its identity with the verification key being obtained from some place other than the device.

I am interested in how a definition of “believable” (a very subjective word) aligns with this hierarchy.

LL


An alternate definition of attestation could be: “an IETF process where Henk and Laurence have long discussions that are often annoying and occasionally entertaining." :-) :-)


> 
> On 06.06.22 21:44, Laurence Lundblade wrote:
>> I’m using this thread to comment on the general issue of claims in endorsements vs attestations even though some of that discussion is in the other thread.
>> It’s right that attestations should not be signed by the same key as endorsements:
>> - The type of exposure to attack of the two signing keys are very different
>> - They have very different deployment, operational and life-cycle characteristics
>> I don’t know what the Endorsement standard will look like, but agree that going for a unified Endorsment/Attesation design now is a leap we’re not ready for. But, I don’t think we need that to progress the issue at hand.
>> That said, I stand by my comment (quoted far below) that data items can get from the Endorser/AttesterManufacturer to the Verifier either through 1) an Endorsement protocol/token or 2) by being embedded in the Attester at time of manufacture as a static claim.
>> Restating as three paths:
>>    1a) Signed Endorsement transmitted B2B perhaps secured by TLS
>>    1b) Independently signed Endorsement embedded in the Attester that
>>    the Attester conveys to the Verifier along with the Evidence
>>    2) A static claim in Evidence
>> I don’t think we’re ready to design an Endorsement token/protocol here and now so no further discussion on 1a) or 1b).
>> Think about these static Attestation claims set by the Attester Manufacturer:
>>    OEMID: Set once at manufacturer time and never changes; it is the
>>    same for large numbers of devices
>>    UEID: Set once at manufacturing and never changes; it is different
>>    for each device
>>    HW Version and Mode: Set once at manufacturing time and never
>>    changes; large groups have the same ID
>> We’re fine with these being set and sent as claims. They don’t have to be in an Endorsement, right? Some of them could be in an Endorsement, but there is nothing wrong with them in Evidence.
>> Of course if they are sent in Evidence, then there has to be an Endorsement that tells the Verifier they can believe these claims in Evidence and the signature on Evidence has to be verified.
>> To me security-level (the static statement of designed security level; see here <https://mailarchive.ietf.org/arch/browse/rats/?qdr=d <https://mailarchive.ietf.org/arch/browse/rats/?qdr=d>>) is pretty much the same as the above claims in the way it is conveyed securely.
>> What ever the outcome for security-level is, I think getting to common understanding of how claims are secured relative to Endorsements is critical to Rats.
>> LL
>>> Begin forwarded message:
>>> 
>>> *From: *"Eric Voit \(evoit\)" <evoit=40cisco.com@dmarc.ietf.org <mailto:evoit=40cisco.com@dmarc.ietf.org> <mailto:evoit=40cisco.com@dmarc.ietf.org <mailto:evoit=40cisco.com@dmarc.ietf.org>>>
>>> *Subject: **Re: [Rats] security-level claim (was Re: WGLC for https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat> <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat>>)*
>>> *Date: *June 6, 2022 at 11:05:43 AM PDT
>>> *To: *Giridhar Mandyam <mandyam@qti.qualcomm.com <mailto:mandyam@qti.qualcomm.com> <mailto:mandyam@qti.qualcomm.com <mailto:mandyam@qti.qualcomm.com>>>, "rats@ietf.org <mailto:rats@ietf.org> <mailto:rats@ietf.org <mailto:rats@ietf.org>>" <rats@ietf.org <mailto:rats@ietf.org> <mailto:rats@ietf.org <mailto:rats@ietf.org>>>
>>> 
>>> I am not suggesting any changes to the charter.   I am trying to help
>>> articulate an Endorsed security-level claim capable of transiting an
>>> Attester.  And that it is possible to verify this transit has happened
>>> without modification.   To me this falls under the RATS charter item [6]
>>> which says: "Standardize interoperable data formats to securely declare and
>>> convey endorsements and reference values."
>>> 
>>> I believe endorsements need to signed with a private key not found in the
>>> Attester.  And I believe any endorsements transiting the Attester need to be
>>> passed through to the Verifier and/or Relying Party with this signature
>>> intact.
>>> 
>>> This is why I proposed requirements (1) & (2) below.  These requirements can
>>> be met using a single properly constructed x5chain or an x5bag.
>>> 
>>> Eric
>>> On Jun 6, 2022, at 9:44 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de> <mailto:henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>> wrote:
>>> 
>>> Hi Laurence,
>>> 
>>> On 04.06.22 23:16, Laurence Lundblade wrote:
>>>> The fundamental purpose of an Endorsement is to tell the Verifier that they can believe what they get in Evidence. There may be some varying degree here from claim to claim and device to device, but the basic  principle always holds.
>>> 
>>> Well, actually I'd say that is a subset of what Endorsements are about. The few components in a Attester that you cannot produce Evidence about need Endorsements instead.
>>> 
>>> If an Attester does not know that is painted green, then that is a Claim about the Attester that has to come from the outside, has to be endorsed trusted third party (and here we go traditional... manufacturer, owner, etc.), because the Attester would never know that (only in weird cases, that is not the point) on its own devices.
>>> 
>>> On 05.06.22 21:34, Michael Richardson wrote:
>>>> So, it is*NEVER*  useful as Evidence.  EVER.
>>> 
>>> As the Attester can at the very best "cache" or "carry" an Endorsement put there during manufacturing, I think I have to agree with Michael here. Please note, in order to be useful and believable, the Endorsement is not signed by the Attester, but the Endorser! With key material not available to the Attester.
>>> 
>>> Viele Grüße,
>>> 
>>> Henk
>>> On Jun 4, 2022, at 2:16 PM, Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com> <mailto:lgl@island-resort.com <mailto:lgl@island-resort.com>>> wrote:
>>> 
>>> This is a step back for framing for the security-level discussion.
>>> 
>>> The fundamental purpose of an Endorsement is to tell the Verifier that they can believe what they get in Evidence. There may be some varying degree here from claim to claim and device to device, but the basic  principle always holds.
>>> 
>>> Assuming for the sake or argument here that the Attester Manufacturer and Endorser are the same, it goes like this. The Endorser/AttesterManufacturer only puts private keys into devices that it knows are built correctly. They won’t lie. They’ll protect their keys. They produce correct claims. This really is the fundamental work of the Endorser/AttesterManufacturer above all else.
>>> 
>>> For example, maker of a device with a TPM selects a good TPM and also carefully writes the boot code that does the measurement. They make sure that the devices that the TPM is soldered into always has the good boot code. Then they publish the public keys supplied with the TPM to the Verifier so it knows it can trust the measurements.
>>> 
>>> In the TPM world, you can’t really have the Attester send much more than PCRs in Evidence, but in the non-TPM world, lots of stuff can go into Evidence.
>>> 
>>> Tell me if you disagree with this!
>>> 
>>> 
>>> By all that, Evidence can be a parallel channel for the Endorser/AttesterManufacturer to convey claims to the Verifier.
>>> 
>>> The Endorsement can mean “believe all the Evidence from this Attester”. (It might always not be all the Evidence, but it will always be some of the Evidence).
>>> 
>>> By this it is entirely reasonable for security-level to be transmitted either as an Endorsement or in Evidence.
>>> 
>>> 
>>> I think there is also room for security-level in Evidence in composite device attestation. One Attester may have a good way to evaluate the security-level of a subsystem, perhaps a subsystem that varies from device to device.
>>> 
>>> LL
>>> 
>>> _______________________________________________
>>> RATS mailing list
>>> RATS@ietf.org <mailto:RATS@ietf.org> <mailto:RATS@ietf.org <mailto:RATS@ietf.org>>
>>> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>