IETF Logo Mail Archive

Re: [Rats] FW: [EXTERNAL] New Version Notification for draft-ounsworth-rats-x509-evidence-00.txt

Carl Wallace <carl@redhoundsoftware.com> Wed, 25 October 2023 16:30 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65477C14CF15 for <rats@ietfa.amsl.com>; Wed, 25 Oct 2023 09:30:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hC2qKcwtX8Y1 for <rats@ietfa.amsl.com>; Wed, 25 Oct 2023 09:30:05 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88584C14CF0C for <rats@ietf.org>; Wed, 25 Oct 2023 09:30:05 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id d75a77b69052e-41cd6e1d4fbso34029691cf.1 for <rats@ietf.org>; Wed, 25 Oct 2023 09:30:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; t=1698251404; x=1698856204; darn=ietf.org; h=mime-version:thread-topic:message-id:cc:to:from:subject:date :user-agent:from:to:cc:subject:date:message-id:reply-to; bh=RGklGK9hJTugGv4VwOAlJriArjfMFuXL0jGGBWuh4oo=; b=0Y6l4Fa4PIqvO/1fhOlD+lgIv9LKAxiV8m0q1UP5A+AsPL8BF1CX6Uf18DHxZ2l4E/ HdtlKAoNW3VSZPhBgkfMYmeyAPrlhXSatMr60jdDoxAX8/Cp46dIb8nGAb1oB6+5fU48 e06f9ZP99rIQLIly3hKzRnaILboTrboaPq8ic=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698251404; x=1698856204; h=mime-version:thread-topic:message-id:cc:to:from:subject:date :user-agent:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RGklGK9hJTugGv4VwOAlJriArjfMFuXL0jGGBWuh4oo=; b=tcKB6bLOCZ92PVTVtvbBw8RyxdGGutSQbaZrAl6aLJBQfdGRBi/HS6gAqsQo9Ezu6I eLEWH5zOXpTzJWy/SWlPpRk86klFBqIyXYeCoAUR1RHsrayIv1a63OBn+UdMisxFpbAv o2QUcjZxA5TLLlJ0p1Y/YtZbDLzyZSjKYb3oQWphHTaAGCYW5tUKkD1PwKhBTo/gPbto lly8qwW5TkeJUrgGkcJ37X3hbiYI9hXn3MAIGmrvQXT80lpy8bL1EpG6IyM34OwQECgK XCL1lsMEOiaC1dj+5xU+UrR5WXKxEW0mzoySochYk46BCknI9PaIPvo1zXotE7Upwzff raxw==
X-Gm-Message-State: AOJu0YzlMogd5DKUfTHRZWmSxJOEYbqVgMeHGDj3KWT3gSrbuvojX2PZ XL6Jzhs7RiAN+jkawh9V2QLZ++iNmA0Yjs12M3Y=
X-Google-Smtp-Source: AGHT+IHX8nYR2nNXwm7QS1VB73cNNIJenAGeFMBiHzUrbe/kKzeNRKbnMvCF0gZjngISfAWsqQErSA==
X-Received: by 2002:ac8:5801:0:b0:418:1ba6:2b37 with SMTP id g1-20020ac85801000000b004181ba62b37mr15367121qtg.63.1698251404064; Wed, 25 Oct 2023 09:30:04 -0700 (PDT)
Received: from [192.168.2.16] (pool-96-255-232-167.washdc.fios.verizon.net. [96.255.232.167]) by smtp.gmail.com with ESMTPSA id e13-20020ac845cd000000b004196d75d79csm4341118qto.46.2023.10.25.09.30.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Oct 2023 09:30:03 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.78.23102103
Date: Wed, 25 Oct 2023 12:30:03 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
CC: Russ Housley <housley@vigilsec.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
Message-ID: <574E01F6-C97F-4AE3-923A-0A2D5B2EC073@redhoundsoftware.com>
Thread-Topic: [Rats] FW: [EXTERNAL] New Version Notification for draft-ounsworth-rats-x509-evidence-00.txt
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3781081803_628160281"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0XCkNkQU6T2bs0GoxIemkuBQVPA>
Subject: Re: [Rats] FW: [EXTERNAL] New Version Notification for draft-ounsworth-rats-x509-evidence-00.txt
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2023 16:30:10 -0000

Here are some comments, questions and nits from a first read of the new draft.

 

Comments/Questions

- In section 3.2, if EAT semantics are retained, you don't need the type field as the type is indicated in the first byte of the UEID value. The definition could just be claim_ueid ::= OCTET STRING. If you intend to not convey the type as the first byte, using a tagged CHOICE would save a few bytes vs a separate type field. Same comment applies to section 3.3. You could reuse the CHOICE definition in the claim_sueids type. 

- To align with EAT, section 3.3 should define the claim as SEQUENCE OF claim_sueid (note, the existing claim_sueids should be singular since it only conveys on SUEID). UTF8String may be a better first for the label field instead of OCTET STRING since it is a text value.

- The definition in section 3.4 does not really align with EAT semantics because the structure uses OCTET STRING for all three types and PEN is an int. A tagged CHOICE is likely right here. There are also size constraints. For example:

 

claim_oemid ::= CHOICE {

                pen INTEGER,

                ieee [0] OCTET STRING (SIZE 3),

                random [1] OCTET STRING (SIZE 16)

}

 

- In section 3.5, you could express the constraints a la EAT as:

                claim_hwmodel ::= OCTET STRING (SIZE 1..32)

 

- In section 3.6, the type should probably be UTF8String.

- In section 3.7, why PrintableString instead of UTF8String?

- In section 3.9, given both measurement-value and signer-id are hashes, why not use a SEQUENCE with alg identifier and value? You could define sha256 as default to avoid unnecessarily bloating the structure in the default case.

 

  HashValue ::= SEQUENCE {

      algorithm         AlgorithmIdentifier

                            DEFAULT mda-sha256,

      value             OCTET STRING }

- 

 

Nits

- s/consitute/constitute

- In first sentence of introduction, change ', which' to 'and'

- s/EAP profile/EAT profile

- s/time prefer/time, prefer

- s/supposed to be/intended to be

- In last sentence of introduction, change 'context' to 'contexts'

- The last paragraph of security considerations is a bit clunky. Why is there a need to try to split out verifying evidence vs preparing attestation results? The signature will be checked as part of path validation in any event. I'd delete the first sentence.

 

 

 

From: RATS <rats-bounces@ietf.org> on behalf of Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Date: Monday, October 23, 2023 at 2:08 PM
To: "rats@ietf.org" <rats@ietf.org>
Cc: Russ Housley <housley@vigilsec.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
Subject: [Rats] FW: [EXTERNAL] New Version Notification for draft-ounsworth-rats-x509-evidence-00.txt

 

Hi RATS! 

(he-he-he)

 

This is both an -00 announcement and a request for a speaking slot at 118.

 

 

This is work emerging from the LAMPS design team that has also produced draft-ietf-lamps-csr-attestation. 

 

This draft is an EAT profile (sortof) targed at FIPS and Common Criteria certified HSMs. This draft encodes EAT claims, plus a few HSM-specific claims, into X.509 certificate extensions – ie we’re using X.509 as the evidence statement format because the HSM vendor community represented in our design group unanimously decided that staying within X.509 ASN.1 is preferable from an implementation perspective compared with CBOR / CMW which would be entirely new code within HSM firmware boundaries.

 

We imagine that the publication path for this document is RATS with Russ Housley as the expert reviewer for all the X.509 certificate extensions that this draft will register with IANA.

 

 

PS sorry for the weird urldefense links. That’s my corp email filter.

---

Mike Ounsworth

 

From: internet-drafts@ietf.org <internet-drafts@ietf.org> 
Sent: Monday, October 23, 2023 12:59 PM
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-ounsworth-rats-x509-evidence-00.txt

 

A new version of Internet-Draft draft-ounsworth-rats-x509-evidence-00. txt has been successfully submitted by Mike Ounsworth and posted to the IETF repository. Name: draft-ounsworth-rats-x509-evidence Revision: 00 Title: X. 509-based Attestation 

 
A new version of Internet-Draft draft-ounsworth-rats-x509-evidence-00.txt has
been successfully submitted by Mike Ounsworth and posted to the
IETF repository.
 
Name:     draft-ounsworth-rats-x509-evidence
Revision: 00
Title:    X.509-based Attestation Evidence
Date:     2023-10-23
Group:    Individual Submission
Pages:    12
URL:      https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-ounsworth-rats-x509-evidence-00.txt__;!!FJ-Y8qCqXTj2!YKUosO2y-QX6kn5tveLLlnGkD8zrTz-OVSkntiWXewmDFxQYnAQOeZ-QprQMmFwa6UM08hYguj0vX9FcqnvjD4oJBcSCNA$
Status:   https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ounsworth-rats-x509-evidence/__;!!FJ-Y8qCqXTj2!YKUosO2y-QX6kn5tveLLlnGkD8zrTz-OVSkntiWXewmDFxQYnAQOeZ-QprQMmFwa6UM08hYguj0vX9FcqnvjD4pDgrQ81w$
HTML:     https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-ounsworth-rats-x509-evidence-00.html__;!!FJ-Y8qCqXTj2!YKUosO2y-QX6kn5tveLLlnGkD8zrTz-OVSkntiWXewmDFxQYnAQOeZ-QprQMmFwa6UM08hYguj0vX9FcqnvjD4qbFzD2wg$
HTMLized: https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ounsworth-rats-x509-evidence__;!!FJ-Y8qCqXTj2!YKUosO2y-QX6kn5tveLLlnGkD8zrTz-OVSkntiWXewmDFxQYnAQOeZ-QprQMmFwa6UM08hYguj0vX9FcqnvjD4qEwXIktQ$
 
 
Abstract:
 
   This document specifies Claims for use within X.509 certificates.
   These X.509 certificates are produced by an Attester as part of the
   remote attestation procedures and consitute Evidence.
 
   This document follows the Remote ATtestation procedureS (RATS)
   architecture where Evidence is sent by an Attester and processed by a
   Verifier.
 
 
 
The IETF Secretariat
 
 
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. 

_______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email