Re: [Rats] New RATS

"Smith, Ned" <ned.smith@intel.com> Wed, 01 June 2022 18:47 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: Simon Frost <Simon.Frost@arm.com>, "rats@ietf.org" <rats@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [Rats] New RATS
Date: Wed, 01 Jun 2022 18:47:01 +0000
Message-ID: <8DEE55C1-1658-40C6-9EFA-9BA55C0664EC@intel.com>
References: <AS8PR08MB6392C7D0CC195B30CBC789CBEFDD9@AS8PR08MB6392.eurprd08.prod.outlook.com> <974C4ABC-20AC-4858-AEEA-5822ABA0DD78@intel.com> <AS8PR08MB6392C365BB06F62FA8A087D0EFDF9@AS8PR08MB6392.eurprd08.prod.outlook.com>
In-Reply-To: <AS8PR08MB6392C365BB06F62FA8A087D0EFDF9@AS8PR08MB6392.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0QQnwaJAFCBhIn2r0WgQDLAuCzk>

>> Should a $$EAT-CBOR-Tagged-Token or $$EAT-CBOR-Untagged-Token be signed for integrity protection – for example using COSE/JOSE?
>I’m not sure I fully understand the question, but I don’t think that all tokens require a top level signer, for reasons expressed in this doc (and in UCCS).
I was looking for a definitive starting point for a signed / unsigned object that contains Evidence. It’s OK to say it is a $$EAT-CBOR-[Un]Tagged-Token, but this is an extensibility socket that could be extended to something else (hence isn’t the concrete starting point). If COSE/JOSE is the starting point, then I at least know where to put the Tagged-Collection payload if it should be signed.

It seems there should be conventions for how to extend at a top level socket? For example, MUST/MUST NOT an extension begin with a CBOR global tag and MUST there be a registered content type definition? And should global tagging disambiguate the content that is intended to be used as Evidence (or some other conceptual message type envisaged by the RATS Architecture)?

Not sure requiring collections to start with 2 entries makes sense since a parser that supports collections can already support singletons vs. having to find a singleton-only parser.

Thx,
Ned



From: Simon Frost <Simon.Frost@arm.com>
Date: Wednesday, June 1, 2022 at 12:36 AM
To: "Smith, Ned" <ned.smith@intel.com>, "rats@ietf.org" <rats@ietf.org>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>
Subject: RE: [Rats] New RATS

Ned
> The RATS Arch doesn’t use the term ‘Attestee’…
That’s a typo, thanks for pointing it out, I’ll change it to Attester.

> I didn’t see a reference to DEB objects. Could that be included?
DEB objects are included, but not deeply discussed because I’ve not really seen a use case for them yet. There is a reference to DEBs as collection entries both in the text and the CDDL.


> Should a $$EAT-CBOR-Tagged-Token or $$EAT-CBOR-Untagged-Token be signed for integrity protection – for example using COSE/JOSE?

I’m not sure I fully understand the question, but I don’t think that all tokens require a top level signer, for reasons expressed in this doc (and in UCCS).



Thanks for the review

Simon

From: Smith, Ned <ned.smith@intel.com>
Sent: 31 May 2022 18:18
To: Simon Frost <Simon.Frost@arm.com>; rats@ietf.org
Cc: Thomas Fossati <Thomas.Fossati@arm.com>
Subject: Re: [Rats] New RATS

Simon,
A couple of comments. The RATS Arch doesn’t use the term ‘Attestee’. Would it be appropriate to use ‘Attester’ or possibly ‘Target Environment’ if the objective is to refer to the environment (object) from which claims are collected by an ‘Attesting Environment’?

I didn’t see a reference to DEB objects. Could that be included?


Should a $$EAT-CBOR-Tagged-Token or $$EAT-CBOR-Untagged-Token be signed for integrity protection – for example using COSE/JOSE?



Thanks,

Ned


From: RATS <rats-bounces@ietf.org> on behalf of Simon Frost <Simon.Frost@arm.com>
Date: Monday, May 30, 2022 at 4:34 AM
To: "rats@ietf.org" <rats@ietf.org>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>
Subject: [Rats] New RATS

FYI. I’ve just submitted a new draft for a proposed extension to the top level object in EAT.

There’s a full justification in the doc, but as a quick summary, there are difficulties in creating a top level ‘envelope’ object for a multi-token system while remaining compatible with EAT. Given the recent move to fix the list of top level objects but embrace extensions, this approach seems to be an appropriate proposal.

See: https://datatracker.ietf.org/doc/draft-frost-rats-eat-collection/ & https://github.com/SimonFrost-Arm/draft-frost-rats-eat-collection

Thanks
Simon

Simon Frost
Senior Principal Systems Solution Architect, ATG, Arm
Mob: +44 7855 265691

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
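As an added worked example (editor's code, not code from the draft, from Simon, or from Ned), here is the shape Ned asks about above: a collection of EAT tokens carried under a CBOR tag, the same collection placed as the payload of a COSE envelope when it needs integrity protection, and a Verifier that dispatches on the top-level tag instead of knowing the content type out of band. Assumptions: the collection is modelled as a map from label to embedded token bytes (the draft's actual CDDL may differ), COLLECTION_TAG is a made-up placeholder with nothing registered for it, COSE_Mac0 with HMAC stands in for COSE_Sign1 so no key pair is needed, and a small RFC 8949 codec is embedded so the example runs on Python's standard library alone. Tags 17 and 61 and claim keys 10 (nonce) and 256 (ueid) are the registered values.

```python
import hashlib, hmac, struct

# 17 (COSE_Mac0) and 61 (CWT) are registered tags (RFC 9052, RFC 8392).
# COLLECTION_TAG is a HYPOTHETICAL placeholder; nothing is registered for it.
COSE_MAC0_TAG, CWT_TAG, COLLECTION_TAG = 17, 61, 999999
HMAC_256 = 5           # COSE alg id for HMAC 256/256 (RFC 9053)
NONCE, UEID = 10, 256  # EAT claim keys (RFC 9711)

class Tag:
    """CBOR tag (major type 6) wrapping one data item."""
    def __init__(self, number, value): self.number, self.value = number, value

def _head(major, n):
    """Initial byte plus argument for an item of major type `major` (RFC 8949 s3)."""
    if n < 24: return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("argument too large")

def encode(v):
    """Encode the CBOR subset used here: int, bstr, tstr, array, map, tag."""
    if isinstance(v, bool): raise TypeError("bool not used here")
    if isinstance(v, int): return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str): return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list): return _head(4, len(v)) + b"".join(map(encode, v))
    if isinstance(v, dict): return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    if isinstance(v, Tag): return _head(6, v.number) + encode(v.value)
    raise TypeError("unsupported type %r" % type(v))

def _decode(b, i):
    """Decode one item at offset i; returns (item, offset after it)."""
    major, ai, i = b[i] >> 5, b[i] & 31, i + 1
    if ai > 27 or major == 7: raise ValueError("indefinite lengths, floats and simple values not supported")
    size = 0 if ai < 24 else 1 << (ai - 24)
    n, i = (ai if ai < 24 else int.from_bytes(b[i:i + size], "big")), i + size
    if major == 0: return n, i
    if major == 1: return -1 - n, i
    if major == 2: return bytes(b[i:i + n]), i + n
    if major == 3: return b[i:i + n].decode(), i + n
    if major == 6:
        x, i = _decode(b, i)
        return Tag(n, x), i
    out = [] if major == 4 else {}
    for _ in range(n):                    # arrays: n items; maps: n key/value pairs
        k, i = _decode(b, i)
        if major == 4: out.append(k)
        else: out[k], i = _decode(b, i)
    return out, i

def decode(data):
    item, end = _decode(data, 0)
    if end != len(data): raise ValueError("trailing bytes after CBOR item")
    return item

def _mac_structure(protected, payload):
    return encode(["MAC0", protected, b"", payload])   # RFC 9052 s6.3, empty external AAD

def mac0(payload, key):
    """COSE_Mac0 over payload bytes (stands in for COSE_Sign1 so no key pair is needed)."""
    protected = encode({1: HMAC_256})
    tag = hmac.new(key, _mac_structure(protected, payload), hashlib.sha256).digest()
    return Tag(COSE_MAC0_TAG, [protected, {}, payload, tag])

def open_mac0(item, key):
    """Check a decoded COSE_Mac0 and return its payload, or raise ValueError."""
    protected, _unprotected, payload, tag = item.value
    if decode(protected) != {1: HMAC_256}: raise ValueError("unexpected alg")
    expected = hmac.new(key, _mac_structure(protected, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag): raise ValueError("MAC check failed")
    return payload

def make_cwt(claims, key):
    """CWT: tag 61 around a COSE object whose payload is the claims map (RFC 8392)."""
    return encode(Tag(CWT_TAG, mac0(encode(claims), key)))

def build_collection(key, signed):
    """Two constructed sub-tokens in a hypothetical label -> token-bytes collection."""
    nonce = b"\x01\x02\x03\x04"                       # constructed sample values
    entries = {"cpu": make_cwt({NONCE: nonce, UEID: b"\x01" + b"\xaa" * 7}, key),
               "tpm": make_cwt({NONCE: nonce, UEID: b"\x01" + b"\xbb" * 7}, key)}
    collection = encode(Tag(COLLECTION_TAG, entries))
    # If the collection needs integrity protection it becomes the COSE payload; the
    # tag inside the payload still identifies what that payload is.
    return encode(mac0(collection, key)) if signed else collection

def verify(token, key):
    """Dispatch on the top-level tag; returns the claims map(s) after MAC checks."""
    item = decode(token)
    if not isinstance(item, Tag):
        raise ValueError("untagged top-level item: cannot tell a collection from a claims set")
    if item.number == CWT_TAG:           # single token: COSE_Mac0 whose payload is a claims map
        inner = item.value
        if not (isinstance(inner, Tag) and inner.number == COSE_MAC0_TAG):
            raise ValueError("CWT must wrap a COSE_Mac0 here")
        claims = decode(open_mac0(inner, key))
        if not isinstance(claims, dict): raise ValueError("CWT payload is not a claims map")
        return claims
    if item.number == COLLECTION_TAG:    # hypothetical collection: verify every entry
        return {label: verify(sub, key) for label, sub in item.value.items()}
    if item.number == COSE_MAC0_TAG:     # bare envelope: its payload must itself be tagged
        return verify(open_mac0(item, key), key)
    raise ValueError("unknown top-level tag %d" % item.number)
```

Calling verify(build_collection(key, signed=True), key) returns the verified claims per entry; the same call on an untagged map, on a token whose MAC bytes have been altered, or with the wrong key raises ValueError. The point the example makes for the thread: because every top-level object begins with a tag, the Verifier never has to be told out of band whether it was handed a single token, a collection, or an envelope around one of those, and a parser that walks collections handles the one-entry case without a separate singleton path.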