[Rats] Re: A small number of new "CMW Claims" as an alternative to submods
"lgl island-resort.com" <lgl@island-resort.com> Mon, 09 December 2024 19:04 UTC
From: "lgl island-resort.com" <lgl@island-resort.com>
To: "Smith, Ned" <ned.smith@intel.com>
Date: Mon, 09 Dec 2024 19:04:23 +0000
Message-ID: <0D3D1BD8-A3B7-479A-A11F-C14A4CC9593C@island-resort.com>
References: <ad4afdbc-7622-5dea-126e-aabf6bef2960@ietf.contact> <CA+1=6ydmexEU34d1Ub3tQkBhTfNDrrDHPRYz-VnnyQCe1OS8Jg@mail.gmail.com> <B8BFF19B-BE25-4C32-84EC-337268A6B3B9@island-resort.com> <CO1PR11MB516948D22F656540629B775DE5332@CO1PR11MB5169.namprd11.prod.outlook.com> <CA+1=6yeLNKkLKwybsKDW4LoaabhrcwbVNY1Q1GG30iKzFAaCCw@mail.gmail.com> <CO1PR11MB5169CA43E9D877E3D9017936E53C2@CO1PR11MB5169.namprd11.prod.outlook.com>
In-Reply-To: <CO1PR11MB5169CA43E9D877E3D9017936E53C2@CO1PR11MB5169.namprd11.prod.outlook.com>
CC: Thomas Fossati <thomas.fossati@linaro.org>, Henk Birkholz <henk.birkholz@ietf.contact>, "rats@ietf.org" <rats@ietf.org>
Subject: [Rats] Re: A small number of new "CMW Claims" as an alternative to submods
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/1NU9LCy42-syc6zM1RqJT4Q6l0c>
I would define nested-token as a composition of attestation evidence or attestation results all for the same device. A nested-token MUST contain all evidence or all results. It must not be a mixture. The format of a nested-token is a CMW collection.

Security considerations for nested-token: When a nested-token claim appears in an EAT, UCCS or CMW, it MUST be protected from SESA (subordinate evidence substitution attack; see other RATS email thread). It MUST be secured by attestation-oriented key material.

It's fine (and probably necessary) to define other claims for other purposes that are in the format of a CMW collection. Recall my example where the EAT manifests and EAT measurements claims are the same format, but are for different purposes.

LL

On Dec 9, 2024, at 10:25 AM, Smith, Ned <ned.smith@intel.com> wrote:

> From: Thomas Fossati <thomas.fossati@linaro.org>
> Date: Monday, December 9, 2024 at 09:14
> To: Smith, Ned <ned.smith@intel.com>
> Cc: lgl island-resort.com <lgl@island-resort.com>, Henk Birkholz <henk.birkholz@ietf.contact>, rats@ietf.org <rats@ietf.org>
> Subject: Re: [Rats] Re: A small number of new "CMW Claims" as an alternative to submods
>
> hi Ned,
>
> On Mon, 9 Dec 2024 at 00:50, Smith, Ned <ned.smith@intel.com> wrote:
> >
> > > “Nested-tokens” is CMW format and is for whole tokens. The big gain here is there’s only one token nesting structure in all of RATS and it uses the good content type mechanism.
> >
> > I think “nested-tokens” is a misnomer as CMWs can contain payloads that are not “tokens”.
>
> It depends on what we mean by "tokens" :-) If we use it to mean a "claims representation format" (as per RFC7519), it may be fit for purpose across different conceptual messages and serialisations.
>
> [nms] That was my point. A CMW media-type format could be broader than “claims representation format”. It could be a payload produced by a TPM or a vendor specific format. The benefit of CMW as a universal adapter goes away if it no longer is universal.
>
> cheers, t
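The "all evidence or all results, never a mixture" rule from the message above, as an added example that is not code from this thread, from the EAT or CMW drafts, or from any RATS implementation. It models a nested-token claim as a CMW collection in the JSON record form (`[type, base64url(value), ind]`) and classifies every member, recursing into nested collections, rejecting any collection whose members do not all share one role. The indicator bit positions (`IND_*`) are this editor's reading of the `cmw-ind` bitmask in draft-ietf-rats-msg-wrap and should be treated as an assumption; the media types and payload bytes are constructed placeholders. Protection against SESA and the attestation-oriented signature over the enclosing token are not shown here, since they are properties of the outer EAT/UCCS envelope, not of the collection itself.

```python
"""Validate a hypothetical nested-token claim carried as a CMW collection.

Added example for the RATS list discussion; not from any draft or project.
Assumptions: CMW JSON record form [type, base64url(value), ind] and the
cmw-ind bit positions below (editor's reading of draft-ietf-rats-msg-wrap).
"""
import base64
import json

# Assumed cmw-ind bit positions (unverified against the current draft text).
IND_REFERENCE_VALUES = 1 << 0
IND_ENDORSEMENTS = 1 << 1
IND_EVIDENCE = 1 << 2
IND_ATTESTATION_RESULTS = 1 << 3
IND_TRUST_ANCHORS = 1 << 4


class NestedTokenError(ValueError):
    """Raised when a candidate nested-token violates the stated rules."""


def _classify_record(rec):
    """Return 'evidence' or 'results' for one JSON-form CMW record."""
    if not (isinstance(rec, list) and 2 <= len(rec) <= 3):
        raise NestedTokenError("malformed CMW record (expected [type, value, ?ind])")
    mtype, value = rec[0], rec[1]
    if not isinstance(mtype, (str, int)) or not isinstance(value, str):
        raise NestedTokenError("malformed CMW record type or value")
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (ValueError, TypeError) as e:
        raise NestedTokenError("record value is not base64url") from e
    # Without an indicator the record's role is ambiguous, so it cannot be
    # admitted into a structure that must be uniformly evidence or results.
    if len(rec) < 3 or not isinstance(rec[2], int):
        raise NestedTokenError(f"record {mtype!r} lacks an integer indicator")
    ind = rec[2]
    is_evidence = bool(ind & IND_EVIDENCE)
    is_results = bool(ind & IND_ATTESTATION_RESULTS)
    if is_evidence == is_results:  # neither bit set, or both set
        raise NestedTokenError(f"record {mtype!r} is not exclusively evidence or results")
    return "evidence" if is_evidence else "results"


def classify_nested_token(collection):
    """Return the single role shared by every member (recursively), else raise."""
    if not isinstance(collection, dict) or not collection:
        raise NestedTokenError("nested-token must be a non-empty CMW collection")
    roles = set()
    for member in collection.values():
        if isinstance(member, dict):
            roles.add(classify_nested_token(member))  # nested CMW collection
        else:
            roles.add(_classify_record(member))
    if len(roles) != 1:
        raise NestedTokenError(f"nested-token mixes roles: {sorted(roles)}")
    return roles.pop()


def check_claim(claim_json):
    """Parse a JSON nested-token claim; return ('ok', role) or ('reject', reason)."""
    try:
        return ("ok", classify_nested_token(json.loads(claim_json)))
    except (NestedTokenError, json.JSONDecodeError) as e:
        return ("reject", str(e))


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample claims; media types and payloads are placeholders.
ALL_EVIDENCE = json.dumps({
    "cpu": ["application/vnd.example.cpu-quote+cbor", _b64url(b"\x01\x02\x03"), IND_EVIDENCE],
    "nic": {"fw": ["application/vnd.example.nic-evidence+cbor", _b64url(b"\x04"), IND_EVIDENCE]},
})
ALL_RESULTS = json.dumps({
    "cpu": ["application/vnd.example.result+json", _b64url(b"{}"), IND_ATTESTATION_RESULTS],
})
MIXED = json.dumps({
    "cpu": ["application/vnd.example.cpu-quote+cbor", _b64url(b"\x01"), IND_EVIDENCE],
    "verdict": ["application/vnd.example.result+json", _b64url(b"{}"), IND_ATTESTATION_RESULTS],
})
NO_INDICATOR = json.dumps({"cpu": ["application/vnd.example.cpu-quote+cbor", _b64url(b"\x01")]})

if __name__ == "__main__":
    for name, claim in [("ALL_EVIDENCE", ALL_EVIDENCE), ("ALL_RESULTS", ALL_RESULTS),
                        ("MIXED", MIXED), ("NO_INDICATOR", NO_INDICATOR)]:
        print(name, check_claim(claim))
```

A record carrying both the evidence and the results bits is rejected rather than guessed at, and a record with no indicator is rejected outright; both choices follow from the message's point that the claim must be unambiguously one or the other. A real verifier would run this check only after validating the signature on the enclosing EAT or UCCS, which is where the SESA protection the message calls for actually lives.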