Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Dave Thaler <dthaler@microsoft.com> Wed, 13 November 2019 01:06 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Call for adoption (after draft rename) for Yang module draft
Date: Wed, 13 Nov 2019 01:06:41 +0000
Message-ID: <MWHPR21MB0784F5159696656707877EB7A3760@MWHPR21MB0784.namprd21.prod.outlook.com>
References: <8B173958-FC2A-4D1D-A81C-F324AB632CD7@cisco.com> <147F9159-6055-4E55-ABDC-43DFE3498BF1@island-resort.com> <ce5f8206-74dc-36bb-0093-a93045d5c67f@sit.fraunhofer.de> <0A7E3A4F-8534-4E98-BCB7-1454E07699F4@island-resort.com> <C3AE2645-49C8-4313-BCED-02FEB576B614@cisco.com> <1C8A1884-A37D-45E3-8C11-2FC5A083B245@island-resort.com> <ba12a686-1b34-21a3-388c-bbe01c01a408@sandelman.ca> <4A83CDF5-D29F-4279-8B03-E9D23299EB53@island-resort.com> <0C6940B0-E93F-4274-9D00-DEC4119B8F69@island-resort.com>
In-Reply-To: <0C6940B0-E93F-4274-9D00-DEC4119B8F69@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0rfKpN47WUp5Nmk9Gh-EIi2QICY>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
List-Id: Remote Attestation Procedures <rats.ietf.org>

For my thoughts on the more general topic here, see https://tools.ietf.org/html/draft-thaler-rats-architecture-01#section-4

Here’s one relevant paragraph (but the other paragraphs there are relevant too):
   Especially for constrained nodes, however, there is a desire to
   minimize the amount of parsing code needed in a Relying Party, in
   order to both minimize footprint and to minimize the attack surface
   area.  So while it would be possible to embed a CWT inside a JWT, or
   a JWT inside an X.509 extension, etc., there is a desire to encode
   the information natively in the format that is natural for the
   Relying Party.

Dave

From: RATS <rats-bounces@ietf.org> On Behalf Of Laurence Lundblade
Sent: Monday, November 11, 2019 11:53 AM
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rats@ietf.org
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft

One more note on this. It seems wrong-headed to try to express claims in YANG. To do that we’d need to invent a YANG signing standard (YOSE?). Seems like YANG should be thought of as RPC / conveyance / transport here, not as a way to format a signed attestation token.

LL



On Nov 11, 2019, at 11:47 AM, Laurence Lundblade <lgl@island-resort.com> wrote:

On Nov 10, 2019, at 9:20 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:


I think the value add to the larger RATS effort of adding EAT support
to this YANG protocol is really high. It's a core thing to do that helps
bring together the two attestation worlds and make the TPM and EAT
work here less like ships in the night.

Can you explain what it would mean to add EAT support for a YANG module?

The EAT is an opaque chunk of data in YANG. I’m not a YANG expert, but maybe like this:

Server                               Device
GetAttestationTypes -->
                                 <-- TYPE_TPM, TYPE_CWT /* bit flags */

GetAttestation(TYPE_CWT, nonce) -->
                                 <-- CWT Token /* a full signed token */

I assume YANG can carry opaque binary data of moderate size.

The YANG module information model would have an element for a nonce and for an opaque EAT. It would not describe any internals of the EAT. The information model for the EAT is separate in the EAT document.

LL
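The exchange sketched above (a capability query, then a nonce-carrying request that returns a complete signed token as an opaque blob) written out as a YANG 1.1 module. This is an added illustration for this archive page, not a module from the thread, from the draft under adoption, or from any published RATS document; the module name, namespace, prefix, RPC names and leaf names are all invented for the illustration, and the nonce length bounds are an assumed policy.

```yang
// Illustrative module only: names, namespace and constraints are assumptions
// made for this example, not identifiers from any IETF draft.
module example-eat-transport {
  yang-version 1.1;
  namespace "urn:example:eat-transport";   // hypothetical, not a registered namespace
  prefix eatt;

  organization "Illustrative example, no organization";
  description
    "Sketch of how a YANG RPC could convey an Entity Attestation Token (EAT).
     YANG acts as transport only: the token travels as an opaque binary value
     and its claims are defined by the EAT specification, not by this module,
     so a Relying Party needs no YANG-specific parsing of token contents.";

  revision 2019-11-13 {
    description "Initial illustrative revision.";
  }

  // The set of attestation formats a device can produce, reported as flags.
  typedef attestation-type-set {
    type bits {
      bit tpm {
        position 0;
        description "TPM quote-based attestation.";
      }
      bit cwt {
        position 1;
        description "EAT encoded as a CWT (COSE-signed CBOR).";
      }
    }
    description "Bit flags of supported attestation formats.";
  }

  // A single requested format; an enumeration avoids a request asking for
  // several formats at once, which a bits type would permit.
  typedef attestation-type {
    type enumeration {
      enum tpm { description "Request a TPM quote."; }
      enum cwt { description "Request an EAT encoded as a CWT."; }
    }
    description "One attestation format to produce.";
  }

  rpc get-attestation-types {
    description "Returns the attestation formats the device supports.";
    output {
      leaf supported-types {
        type attestation-type-set;
        mandatory true;
        description "Flags for every format the device can produce.";
      }
    }
  }

  rpc get-attestation {
    description
      "Requests a freshly signed attestation. The Verifier chooses the nonce;
       the device must bind it into the token so a replayed token fails the
       Verifier's freshness check.";
    input {
      leaf type {
        type attestation-type;
        mandatory true;
        description "The attestation format to produce.";
      }
      leaf nonce {
        type binary {
          length "8..64";   // assumed bounds: enough entropy, bounded buffer
        }
        mandatory true;
        description "Verifier-chosen freshness value to be echoed in the token.";
      }
    }
    output {
      leaf token {
        type binary;
        mandatory true;
        description
          "The complete signed token (e.g. a CWT). Opaque to this module; the
           Relying Party validates the signature and the echoed nonce with its
           own EAT/COSE code.";
      }
    }
  }
}
```

The two typedefs mirror the two halves of the sketch: the capability response is a flag set (several formats may be supported), while the request names exactly one format. Keeping the token a plain `binary` leaf is what lets the Relying Party's parsing footprint stay limited to the token format it already understands, which is the point of the draft paragraph quoted at the top of this message.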