Re: [Rats] CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 22 November 2019 18:20 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 22 Nov 2019 13:20:13 -0500
Message-ID: <CAHbuEH6u5yfGT=ZVPLmiedgx8wofBApeG6qZnknWi71zkKRbEQ@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Dave Waltermire <davewaltermire@gmail.com>, "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>
Cc: "rats@ietf.org" <rats@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0eEea63uhhoqIUYs9tCFxho8Pa4>

Hi Yaron,

I am copying Dave and Stephen in case they are not following RATS as
closely as they do SACM.  Have you looked at the CoSWID draft in SACM?  It
contains the full SWID format as it is translated into CoSWID.  It may
answer some of your questions.  I'm swamped today, but can look at this
stuff more next week or the following week and am interested.

Best regards,
Kathleen

On Fri, Nov 22, 2019 at 10:43 AM Yaron Sheffer <yaronf.ietf@gmail.com>
wrote:

> Hi Kathleen,
>
> I was assuming CoSWIDs (or SWIDs) to become claims anyway, this wasn’t
> what I was asking. My question was whether SWIDs today cover the most
> common technologies that we use to deploy software, other than traditional
> RPM (and equivalent) software packages:
>
> * Language-specific packages deployed directly into the OS, such as Python
> PIP and Ruby gems.
> * Language-specific packages deployed into application servers, such as
> Java WAR files and NPM packages.
> * Docker containers that consist of multiple "layers", each possibly
> including several RPM packages as well as other stuff, like individual
> copied files.
> * Lambda functions that are built using their own custom toolset.
>
> I am completely ignorant about the SWID ecosystem, so maybe the answer is
> Yes to all of the above (though a quick Google search came up with
> nothing). Any help from experts would be appreciated.
>
> Thanks,
>         Yaron
>
> From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> Date: Friday, November 22, 2019 at 22:15
> To: Yaron Sheffer <yaronf.ietf@gmail.com>
> Cc: "rats@ietf.org" <rats@ietf.org>
> Subject: Re: [Rats] Reviewing EAT for enterprise/cloud use cases
>
>
>
> On Fri, Nov 22, 2019 at 12:57 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> I have read the EAT draft, specifically with a “cloud” use case in mind.
> To clarify, what I'm looking for is the capability:
>
> - To attest to software components that are running inside VMs, containers
> (either on VMs or bare metal), and anonymous containers
> (function-as-a-service, such as AWS Lambda).
> - Such components may be deployed in arbitrary hierarchies (VM-in-VM etc.).
> - Attestation of running (as opposed to installed) components. For
> example, container code may be pulled from a remote repository shortly
> before it is run.
> - To support diverse roots-of-trust, such that when a hardware
> root-of-trust is unavailable, we can have a hypervisor or an orchestration
> server (e.g. Kubernetes) as the RoT, even if that means a lower level of
> trust.
>
> I think in general, EAT can be made to fit these use cases, given its
> recursive structure. But not surprisingly given its origins, the draft
> would need quite a few changes.
>
> * 1.2 (and 3.12): why not spell out that a submodule can be either a
> hardware or software component?
> * 1.2: why *dedicated* root of trust, what is it dedicated to? A RoT may
> have other functions; a system may in general have multiple RoTs. The word
> "dedicated" is not repeated anywhere else in the document, nor is it
> explained.
> * 1.3 continues to only talk hardware, e.g. when defining the
> "manufacturer". Software has a manufacturer too.
> * 3.3: the notion of UEID is fundamentally incompatible with some
> component types that we would wish to attest. For example, the lifetime of
> a function-as-a-service container may be less than a second, and even if it
> has an identity during its lifetime, there is no registry or persistent
> record of this identity. Is a UEID required in this scheme?
> * 3.4: hey, finally some software!
>
> I think we still don't have a handle on identifying running software, and
> CoSWID may not be the whole answer. CoSWID is more like traditional
> software inventorying, and we need something that will cover dynamic modern
> software.
>
> I'm going to write up some text for the CoSWID draft that would have a
> CoSWID in an EAT (CWT).  If the entire CoSWID (or even SWID) were in a
> claim, allowing you to add other claims, would this suffice for your use
> case?
>
> I think I'll write a draft specific to what CoSWID looks like in an EAT as
> a follow up and would like coauthors.  I was thinking that might go into
> SACM, referencing the EAT work.
>
> Best regards,
> Kathleen
>
>
> Thanks,
>                 Yaron
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>
>
>
> --
>
> Best regards,
> Kathleen

-- 

Best regards,
Kathleen
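The exchange above proposes carrying a CoSWID inside an EAT (a CWT) and asks
whether that fits container images built from several layers, attested under a
hypervisor rather than a hardware root of trust. The following is an added
example, not code from the EAT or CoSWID drafts or from anyone in this thread,
showing one way that nesting could be laid out: a Python 3 claims set with a
CoSWID for the host, one EAT submodule per image layer, each with its own CoSWID
listing file hashes, wrapped in a COSE_Mac0 so a verifier can check it. It uses
only the standard library, so it carries a minimal CBOR codec. Assumptions: the
CoSWID integer keys and the hash-alg-id follow the CoSWID index values listed in
the comment; the CoSWID and submodule claim keys are placeholders taken from the
CWT private-use range, since no such keys were assigned at the time; the shared
key, vendor names, timestamps and file contents are constructed.

```python
# Added example (not code from the EAT/CoSWID drafts or from this thread): a CWT
# claims set carrying a CoSWID for the host plus one EAT submodule per container
# image layer, wrapped in a COSE_Mac0.  Stdlib only; all sample data is constructed.
import hashlib
import hmac

class Tagged:
    """CBOR tagged item (major type 6)."""
    def __init__(self, tag, value):
        self.tag, self.value = tag, value
    def __eq__(self, other):
        return isinstance(other, Tagged) and (self.tag, self.value) == (other.tag, other.value)

def _head(major, n):
    """Initial bytes of a CBOR item: major type in the top 3 bits, then n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info in (24, 25, 26, 27):
        size = 1 << (info - 24)
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise OverflowError(n)

def cbor_encode(v):
    """Definite-length CBOR (RFC 7049) for the types a CWT/CoSWID needs."""
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    if isinstance(v, Tagged):
        return _head(6, v.tag) + cbor_encode(v.value)
    raise TypeError(type(v))

def _decode_at(d, i):
    """Decode one item at offset i; return (value, next offset)."""
    major, info = d[i] >> 5, d[i] & 0x1F
    i += 1
    if info > 27:
        raise ValueError("indefinite length not supported")
    size = 0 if info < 24 else 1 << (info - 24)
    n = info if info < 24 else int.from_bytes(d[i:i + size], "big")
    i += size
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return bytes(d[i:i + n]), i + n
    if major == 3:
        return d[i:i + n].decode(), i + n
    if major in (4, 5):
        items = []
        for _ in range(n if major == 4 else 2 * n):
            item, i = _decode_at(d, i)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i
    if major == 6:
        inner, i = _decode_at(d, i)
        return Tagged(n, inner), i
    if major == 7 and info in (20, 21):
        return info == 21, i
    raise ValueError("unsupported item")

def cbor_decode(data):
    v, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes")
    return v

# CoSWID keys assumed from the CoSWID integer index: tag-id=0, software-name=1,
# entity=2, payload=6, hash=7, tag-version=12, software-version=13,
# version-scheme=14 (16384 = semver), file=17, size=20, fs-name=24,
# entity-name=31, reg-id=32, role=33 (1 tag-creator, 2 software-creator).
# A hash entry is [hash-alg-id, value] with 1 = sha-256.
def coswid(tag_id, name, version, files):
    """CoSWID map describing one component and the files it ships (constructed data)."""
    return {
        0: tag_id, 12: 0, 1: name, 13: version, 14: 16384,
        2: [{31: "Example Vendor", 32: "example.com", 33: [1, 2]}],
        6: {17: [{24: path, 20: len(data), 7: [1, hashlib.sha256(data).digest()]}
                 for path, data in files]},
    }

# iss=1 and iat=6 are CWT claims (RFC 8392).  The CoSWID and submodule claim keys
# are placeholders from the CWT private-use range (< -65536), not assigned values.
ISS, IAT, COSWID, SUBMODS = 1, 6, -70000, -70001

def container_eat(layers):
    """Host claims plus one submodule per image layer, each carrying its own CoSWID."""
    return {
        ISS: "hypervisor-rot.example",  # a non-hardware RoT, as raised in the thread
        IAT: 1574446849,
        COSWID: coswid("host-os", "Example Linux", "5.3.0", [("/bin/sh", b"host shell bytes")]),
        SUBMODS: {name: {COSWID: coswid(name, name, "1.0.0", files)} for name, files in layers},
    }

def mac0_cwt(claims, key):
    """CWT (tag 61) as COSE_Mac0 (tag 17) with HMAC-SHA256, COSE alg 5 (RFC 8152)."""
    protected, payload = cbor_encode({1: 5}), cbor_encode(claims)
    tag = hmac.new(key, cbor_encode(["MAC0", protected, b"", payload]), "sha256").digest()
    return cbor_encode(Tagged(61, Tagged(17, [protected, {}, payload, tag])))

def verify_cwt(token, key):
    """Return the claims if the MAC verifies under key, else None."""
    protected, _, payload, tag = cbor_decode(token).value.value
    expected = hmac.new(key, cbor_encode(["MAC0", protected, b"", payload]), "sha256").digest()
    return cbor_decode(payload) if hmac.compare_digest(tag, expected) else None
```

The HMAC wrapper stands in for the COSE_Sign1 a real attester would produce; the
point is the claims layout. A verifier that accepts the token would then compare
each attested file hash under a layer's submodule against its reference value
for that layer before trusting the component, which is the "running, not
installed" check the thread asks for.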