Re: [Rats] Call for Adoption: EAT draft

[Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>]

Hi Carsten,

Thanks for raising your questions to the list (and authors).  I'll respond
with my take on it and would like to hear from the authors as well.

First, once a document is adopted, it becomes the product of the WG.  If
the WG would like it to strictly to have the attestation data use a CWT,
then the WG can specify that.  We don't have to wait on additional
iterations of the document to request adoption though.  I read through the
document and think it is well developed enough for adoption.  If you'd like
the document to take on a different shape, the way to do that is through
adoption, not more iterations outside of the WG process.

On Wed, May 22, 2019 at 3:24 PM Carsten Bormann <cabo@tzi.org> wrote:

> > The Entity Attestation Token (EAT)
> > https://datatracker.ietf.org/doc/draft-mandyam-rats-eat/
> >
> > This begins a 2 week period to determine interest in adopting this draft
> as a working group item.  The poll will close on May 24th EOD PDT.
>
> Hi Kathleen,
>
> I am definitely interested in this work.  This is important, and I’d like
> to be able to convince myself we are doing it right.
>

Your participation in review cycles would be most appreciated, especially
once adopted.

>
> I apologize for maybe being a bit slow on the uptake, but currently I
> don’t have enough data to make a decision that the present document is on
> the trajectory yet where I’d normally ask for WG adoption.  Maybe this
> adoption call simply is a few weeks (draft revisions) too early.
>
> While we can fix a lot of details in the WG process, I’d like to
> understand some fundamentals before committing to the trajectory I don’t
> understand.
>
> For instance, I’d like to understand whether an EAT is a token or a
> protocol message in some as yet undescribed protocol.  E.g., there is the
> 11, nonce.  Is this the same thing that would be 7, cti in RFC 8392?  Or is
> it really something that is about an attestation protocol?  If this is a
> nonce, what does the “nonce” mean?  A single-use token?  A nonce that isn’t
> quite a nonce but only can be reused in a limited context?  How does the
> nonce bind to that context?
>

Right the text of the draft from the start in the introduction does say
it's the same as CWT for the attestation, but it doesn't say it uses CWT:

   Moreover, the
   attestation data is defined in the form of claims that is the same as
   CBOR Web Token (CWT, see [RFC8392]).

Section 1.2 goes on to say:
   As per Section 7 of [RFC8392], the
   verification method is in the CWT using the CBOR Object Signing and
   Encryption (COSE) methodology (see [RFC8152]).

The intent of using CWT and CBOR is more clear here.



> More generally, I’d like to understand whether an EAT *Is* a CWT, or *Is
> like* a CWT.
> Can I put in an “exp” claim?  If yes, why do we need a new CBOR tag for
> something that essentially is a CWT?  Wouldn’t it be useful to explain when
> a CWT is an EAT and when it is just a plain CWT?  Tagging outside the COSE
> sign/mac isn’t enough (an attacker can change the tag and make a confusion
> attack).  Is this spec really the place to define a “loc” claim and its
> subclaims?  Is subclaims a concept that is only for EATs or is it for CWTs
> in general?
>

I agree, having EAT use CWT is cleaner.  If something is lacking, the COSE
WG is open again...

>
> I could go on explaining my lack of understanding here, but I think it
> should be clear that there are a lot of questions on *what* we are doing
> here (as opposed to *how* we are doing it, which is what the WG process is
> good for nailing down).  A couple of iterations on this document might
> allow us to make a much better case that this is indeed going to be one of
> the base documents for the WG.  Or maybe it really is a couple or three
> documents waiting to hatch from the eggshell.  We still have > 6 weeks
> before I-D deadline for Montreal to clean this up.
>

I get your point, the references to both JOSE and COSE make it a bit
confusing.  However, in reading through the full draft, they plan to use
the CWT registry, so I think there's just some minor cleanup to do that
should not stop adoption.  My opinion is that we can straighten it up as a
WG document.

It would be helpful for the authors to chime in on intent around CWT in
case I missed anything.

Thank you,
Kathleen

>
> Grüße, Carsten
>
>

-- 

Best regards,
Kathleen