Re: [Rats] draft-ounsworth-rats-x509-evidence-00

Carl Wallace <carl@redhoundsoftware.com> Thu, 09 November 2023 13:52 UTC

User-Agent: Microsoft-MacOutlook/16.78.23102801
Date: Thu, 09 Nov 2023 08:45:10 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, rats@ietf.org
Message-ID: <7DC2D9E1-F052-48A1-B5A8-978D52275EE5@redhoundsoftware.com>
Thread-Topic: [Rats] draft-ounsworth-rats-x509-evidence-00
References: <6FCC00F5-1FAE-4CCD-9ED2-DA2BA923E7F7@island-resort.com> <011801da130d$74579390$5d06bab0$@gmx.net> <66c6191b-c393-69da-a849-f44da369917a@sit.fraunhofer.de>
In-Reply-To: <66c6191b-c393-69da-a849-f44da369917a@sit.fraunhofer.de>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/1Ek1ODYYF49TgybrobW_Hrwdsak>
Subject: Re: [Rats] draft-ounsworth-rats-x509-evidence-00
List-Id: Remote ATtestation procedureS <rats.ietf.org>

On 11/9/23, 8:09 AM, "RATS on behalf of Henk Birkholz" <rats-bounces@ietf.org on behalf of henk.birkholz@sit.fraunhofer.de> wrote:


I think this discussion is moot, as was pointed out in the meeting
already. Please see:

https://www.rfc-editor.org/rfc/rfc9334.html#figure-9

[CW] I don't think that diagram renders this discussion moot. X.509 certificate-based attestations have existed since before RATS (and before we called it attestation evidence). There's not even much question about the potential for including claims in an X.509 certificate within current RATS documents (see section C.3 of EAT). I think the questions are: 1) do we want to provide ASN.1 definitions for claims and 2) do we want to keep claim definitions (roughly) in sync across ASN.1/CBOR/JSON. Re: 1), there seems to be general acceptance of defining claims in ASN.1 for the most part (though no one really answered Brendan's question regarding why ASN.1 was disallowed for SUIT but is allowed here). Question 2) needs some more discussion. There was an exchange between Mike and Laurence during the presentation yesterday that highlights a potential difference of opinion between I-D author(s) and participants in the working group that could impact the adoption question.

On 09.11.23 14:05, hannes.tschofenig@gmx.net wrote:
> Hi Laurence,
> 
> The charter says:
> 
> “
> 
> Standardize data models that implement and secure the defined 
> information model (e.g., CBOR Web Token structures [RFC8392 
> <https://datatracker.ietf.org/doc/rfc8392/>], JSON Web Token structures 
> [RFC7519 <https://datatracker.ietf.org/doc/rfc7519/>]).
> 
> “
> 
> CWT and JWT are mentioned as examples. The group already works on 
> another evidence format, namely the TPM-based stuff.
> 
> I would say that the document fits nicely within the scope of the charter.
> 
> Regarding the document split. I am open to discussions about your 
> suggestion, which assumes adoption in the group.
> 
> Ciao
> 
> Hannes
> 
> From: RATS <rats-bounces@ietf.org> On Behalf Of lgl island-resort.com
> Sent: Donnerstag, 9. November 2023 13:59
> To: rats <rats@ietf.org>
> Subject: [Rats] draft-ounsworth-rats-x509-evidence-00
> 
> I think it might be better to split this into two drafts.
> 
> First, define how to put CWT/JWT claims into ASN.1 and make an X.509
> attestation token.
> 
> Second, define the FIPS and CC status claims for CBOR, JSON and ASN.1.
> 
> I wish we didn’t have to do the first, but understand that we might. 
> Note that the RATS charter says we work on CBOR and JSON. There was a 
> little discussion about ASN.1 back in the early days and we certainly 
> put it off back then. There was also YANG discussion. Search the RATS 
> mail archive for ASN.1.
> 
> I’m much more interested in the FIPS and CC status claims. I would like 
> to define them for CBOR, JSON and ASN.1. If they are booleans this is 
> trivial. They would get registered in the CWT and JWT IANA registries.
> 
> One of the reasons I’d like to define them for CBOR and JSON is so 
> there’s a known and accepted way to translate their ASN.1 claims into JSON.
> 
> Also, the X.509 definition should be for Attestation Results as well as 
> Evidence. There’s no reason to restrict it and there’s no work to allow 
> use as Attestation Results.
> 
> LL
> 
> (sent incorrectly the first time only to the rats-chairs; meant it for 
> the list)
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats


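The split Laurence proposes (the same claims carried as CWT/JWT and as ASN.1 inside an X.509 structure) and Carl's question about keeping the definitions in sync across ASN.1/CBOR/JSON can be made concrete with a small added example. This is editor-added code, not from the thread, the working group, or draft-ounsworth-rats-x509-evidence; the claim names `fips_validated` and `cc_certified`, the CWT integer keys and the ASN.1 SEQUENCE layout are invented placeholders. It encodes two hypothetical boolean status claims as a JWT-style JSON object, as a CWT-style CBOR map and as a DER SEQUENCE, then parses the DER back strictly (rejecting BER-only boolean encodings and trailing bytes) and re-emits JSON, which is the kind of "known and accepted way to translate" the thread asks for, shown here only for the trivial boolean case.

```python
"""Added example (editor's code, not from the RATS thread or from
draft-ounsworth-rats-x509-evidence): two hypothetical boolean status claims
encoded as JWT-style JSON, as a CWT-style CBOR map, and as a DER SEQUENCE,
plus a strict DER parser that re-emits JSON. Claim names, CWT keys and the
ASN.1 layout are placeholders chosen for illustration."""
import json

# Constructed claim table: (JSON claim name, assumed CWT private-use integer
# key). List order is also the field order of the assumed ASN.1 type
#   StatusClaims ::= SEQUENCE { fipsValidated BOOLEAN, ccCertified BOOLEAN }
CLAIMS = [("fips_validated", -70000), ("cc_certified", -70001)]


def _cbor_head(major, arg):
    """Initial byte(s) for CBOR major type `major` with unsigned argument `arg`."""
    if arg < 24:
        return bytes([major << 5 | arg])
    if arg < 0x100:
        return bytes([major << 5 | 24, arg])
    if arg < 0x10000:
        return bytes([major << 5 | 25]) + arg.to_bytes(2, "big")
    if arg < 0x100000000:
        return bytes([major << 5 | 26]) + arg.to_bytes(4, "big")
    raise ValueError("argument too large for this example")


def _cbor_int(n):
    """CBOR integer: major type 0 for n >= 0, major type 1 (arg = -1-n) otherwise."""
    return _cbor_head(0, n) if n >= 0 else _cbor_head(1, -1 - n)


def encode_jwt_claims(values):
    """JWT claims set: a JSON object keyed by claim name."""
    return json.dumps({name: bool(values[name]) for name, _ in CLAIMS},
                      separators=(",", ":"))


def encode_cwt_claims(values):
    """CWT claims set: a CBOR map keyed by integer (0xf5 = true, 0xf4 = false)."""
    out = _cbor_head(5, len(CLAIMS))
    for name, key in CLAIMS:
        out += _cbor_int(key) + (b"\xf5" if values[name] else b"\xf4")
    return out


def encode_der_claims(values):
    """DER SEQUENCE of BOOLEAN; DER fixes TRUE as 0xFF (BER allows any non-zero)."""
    body = b"".join(b"\x01\x01" + (b"\xff" if values[name] else b"\x00")
                    for name, _ in CLAIMS)
    if len(body) >= 128:
        raise ValueError("long-form lengths are not needed for this example")
    return b"\x30" + bytes([len(body)]) + body


def decode_der_claims(der):
    """Strict parser for the SEQUENCE above: rejects BER-only encodings and
    trailing data, which matters once the same bytes are signed or compared."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, values = 2, {}
    for name, _ in CLAIMS:
        if len(der) < pos + 3 or der[pos:pos + 2] != b"\x01\x01":
            raise ValueError("expected a one-byte BOOLEAN at offset %d" % pos)
        b = der[pos + 2]
        if b not in (0x00, 0xFF):
            raise ValueError("non-DER BOOLEAN value 0x%02x" % b)
        values[name] = (b == 0xFF)
        pos += 3
    if pos != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    return values


def der_to_jwt(der):
    """Translate the ASN.1 form into the JSON form via the shared claim table."""
    return encode_jwt_claims(decode_der_claims(der))


if __name__ == "__main__":
    sample = {"fips_validated": True, "cc_certified": False}  # constructed input
    print("JSON:", encode_jwt_claims(sample))
    print("CBOR:", encode_cwt_claims(sample).hex())
    print("DER: ", encode_der_claims(sample).hex())
    print("DER -> JSON:", der_to_jwt(encode_der_claims(sample)))
```

The single `CLAIMS` table is the point: all three encoders and the decoder read the same name/key/position mapping, so a claim added in one syntax cannot silently drift from the others. The strictness in `decode_der_claims` is the other practical detail; an X.509 consumer that tolerated a BER `TRUE` of `0x01` would accept bytes that a DER re-encoder would not reproduce.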