[Rats] Re: AD comments on draft-ietf-rats-msg-wrap

Laurence Lundblade <lgl@island-resort.com> Mon, 22 September 2025 18:22 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4DEEE66F0149; Mon, 22 Sep 2025 11:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.695
X-Spam-Level:
X-Spam-Status: No, score=-1.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=island-resort.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCxU3FKyTjxh; Mon, 22 Sep 2025 11:22:01 -0700 (PDT)
Received: from sender4-op-o12.zoho.com (sender4-op-o12.zoho.com [136.143.188.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 66D9766F013E; Mon, 22 Sep 2025 11:22:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1758565315; cv=none; d=zohomail.com; s=zohoarc; b=UrhyFrpMSOHd5ECAMhBeHyV6mO8OPAoZS/utU1v9TRRy7m8H6ndZdSdSDCM8aMEVfLcg9j8y+iacZrtegI9hrubLbAJvTM+uLgt+mVknenau0O3xNYo4aXv2nI4ET9G2dCIaZguNWVHVGNT3YgAHITpwBLgcloWSfu8bgZ7qopQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1758565315; h=Content-Type:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=r7RSeeBRhhU2S6h3lns/oCKLUJWR1lThBH2NkvPEmqk=; b=TZwC1C/XihvMFCmVLh+qbW9cZTXSuaReoVk3n/i4n5Kkb3hU8isei1Fr8WA0ug6ynpYTb34K0tPmTWkfLpaD3PADxfo6ptt3/StMMRo42Hf6KiSYdKOs10CQbm342G6Ll0LoX5wsSZJdYKuP2Er+0XnhdZ3o81U5jfLJDGXCJbw=
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=island-resort.com; spf=pass smtp.mailfrom=lgl@island-resort.com; dmarc=pass header.from=<lgl@island-resort.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1758565315; s=island; d=island-resort.com; i=lgl@island-resort.com; h=From:From:Message-Id:Message-Id:Content-Type:Mime-Version:Subject:Subject:Date:Date:In-Reply-To:Cc:Cc:To:To:References:Reply-To; bh=r7RSeeBRhhU2S6h3lns/oCKLUJWR1lThBH2NkvPEmqk=; b=eaAaAnyrwEVHZvtbtP99LXCF6thCjEy/Dg5x6EVVwKU28oytgjmHjs62Lb7DgkXj OUD1O5W/DZTCFkksHqWav6wlxKtrzZX6xoZr2a4umWodOgMU2iK8uQG5Q2pa5QwZJbS iYcl8Znr7TWSf8o+oYc4Zq62ks+IIpbPVYf+xtDw=
Received: by mx.zohomail.com with SMTPS id 1758565312518276.8369940739299; Mon, 22 Sep 2025 11:21:52 -0700 (PDT)
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <F18F5001-6A6F-44EF-9C07-E8666636EA40@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BF48F6ED-0B76-432A-8F09-615AB7BA028B"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.500.181.1.5\))
Date: Mon, 22 Sep 2025 11:21:41 -0700
In-Reply-To: <CA+1=6yfj6x6erd8LebTQMQ4PeSVcOp_qOF=+TkakgUy8nYoqDw@mail.gmail.com>
To: Thomas Fossati <thomas.fossati@linaro.org>
References: <CAGgd1Oek4OB-QfscufVNcAxPVGw6aSx9H-B3-_9bpHk2m5j6hQ@mail.gmail.com> <CA+1=6ycJLmpD9Sw8wLWeqVKfrfeyzUpfyHzM_pU4EEcy2oK4_Q@mail.gmail.com> <FB9319E8-7A96-4F98-B871-8C5C897CA2F4@island-resort.com> <CA+1=6yfj6x6erd8LebTQMQ4PeSVcOp_qOF=+TkakgUy8nYoqDw@mail.gmail.com>
X-Mailer: Apple Mail (2.3826.500.181.1.5)
X-ZohoMailClient: External
Message-ID-Hash: 6U4YKFMHSBABG4FRFP3FJVAG2HPFV44X
X-Message-ID-Hash: 6U4YKFMHSBABG4FRFP3FJVAG2HPFV44X
X-MailFrom: lgl@island-resort.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Deb Cooley <debcooley1@gmail.com>, draft-ietf-rats-msg-wrap.authors@ietf.org, rats-chairs <rats-chairs@ietf.org>, rats <rats@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: AD comments on draft-ietf-rats-msg-wrap
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0SgtEa_0eKUoxAISX54ffmh4-BM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>


> On Sep 22, 2025, at 11:06 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote:
> 
> Hi Laurence!

Hi. Sorry to be disruptive...


> On Mon, 22 Sept 2025 at 18:34, Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> wrote:
>> 
>> 
>> 
>> On Sep 22, 2025, at 8:34 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote:
>> 
>> Section 3.1:  Record CMWs can only be JSON or CBOR?  No other conceptual message representations are possible?
>> 
>> 
>> Yes.  CMWs only have CBOR and JSON representations.  There was an
>> attempt to define an ASN.1 CMW (see [1]), but the working group was
>> not particularly enthusiastic about it, so we did not pursue it
>> further.
>> 
>> [3] https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/wiki/CMW-in-ASN.1
>> 
>> 
>> I am enthusiastic about ASN.1 support. I think it will be needed in the long run. The principle is:
>> - JSON because it is widely used
>> - CBOR because it is efficient, modern and compact
>> - ASN.1 because so many security environments are ASN.1 only (certifications and such)
>> - Absolutely no other encodings because this isn’t let 1,000 flowers bloom; just what is necessary
>> 
>> I also think it is important that it not diverge in semantics from CBOR and JSON. Said another way, we don’t have to discuss semantics. They are already defined. We just need the encoding.
>> 
>> I know Mike O and his project is not enthusiastic about this, but we can do it without them. We have enough expertise in the group without them. We also really do not want any ASN.1 defined by other projects to have divergent semantics from the CBOR and JSON semantics.
>> 
>> If there is urgency to get CMW done sooner, rather than later and ASN.1 would be too much of a delay, I understand, but I prefer the idea of taking care of all the encoding at once and in one document.
> 
> We discussed this a while ago, but I would like to restate the reasons
> why I believe we should not add the ASN.1 CMW to this document:
> (1) We do not yet have the buy-in from the "natural" stakeholders,
> i.e., Mike O. and the PKIX crew.

I think this is a non-issue:

A) We have enough ASN.1 expertise to do the job without them.

B) We will not, MUST not, change the CMW semantics for Mike O and the PKIX team. It would be very bad to have the CMW semantics different depending on the encoding. Mike O and the PKIX have to live with the CMW semantics now defined. 


> (2) We need the current CMW feature set in more than one place: aTLS,
> aCSR, Arm CCA attestation, device assignment and more, and we need it
> now.

I understand and maybe that is the overriding reason.


> In case we manage to unlock (1), we could quickly put together a
> separate document that updates CMW.
> I would be more than happy to help draft such a document.

There is some effort saving both for us writing documents and those reading documents if it is all done in one place.

LL