Re: [Rats] Partial Profiles (was Re: New Version Notification for draft-tschofenig-rats-psa-token-13.txt)
Thomas Fossati <thomas.fossati@linaro.org> Mon, 04 September 2023 07:15 UTC
Return-Path: <thomas.fossati@linaro.org>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61489C15155B for <rats@ietfa.amsl.com>; Mon, 4 Sep 2023 00:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nyrvH2sqGDtf for <rats@ietfa.amsl.com>; Mon, 4 Sep 2023 00:15:33 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39330C14CE33 for <rats@ietf.org>; Mon, 4 Sep 2023 00:15:33 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id 38308e7fff4ca-2b962c226ceso17466011fa.3 for <rats@ietf.org>; Mon, 04 Sep 2023 00:15:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1693811731; x=1694416531; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=pKy4/h08n7qDUR8v5BQsWjnnzlZNxSr85VqyxCSnhwU=; b=XFFx2joI7GelI2EUt7LVOigezjya/MfESnhP0VWJ7UJ0aGNclN+5tD/42ItGKEuoAw 701kWx23LmR9/CehY1E3bJDH1diuBDdxzvs613tMhUMGbdzF+G9xmGcUxHnSyjlMgSjI qCT7ZcvIxo96ixqL9qGlwdLEIKzYOLXLS4QNXOJk5g/oDMoivnTxW5NABPVWAd93LuFC kh1yR6Hheq9p/l2FR/H6YGnb4Bgxp3mO8B2AUmxfIDNfHogi1AIMViun+GAvoPtQdTsz cUxXX72hFlTkI8PJ4JVVvNS2A73grgo0Vn6BYeuO3udT1h4+oHxkcxEE8AbE1vDpgxPX vwxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693811731; x=1694416531; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=pKy4/h08n7qDUR8v5BQsWjnnzlZNxSr85VqyxCSnhwU=; b=Efvwh1JsgcBj+ZNbxXcc3ydlL0kYymUQyIUfKjEsVjfBXo23rlixGJiJJvLrKuBOtz XFT0WIeZeKwHjjLT4piCtzEVq0STn27iCepKYrt91zKE+HP4qCH2j7MbCgaxC3Hgc/9B 22vFDEv+l5cXXvBDj0BIt9fAqoVbz1XC7mCGueL0EHo6WF106CFxPwnKd8cLNaYRZdsV wD8tb/QAkxsoWX5+H7+TWU2hHEZ3wsZW4cS7ypd2kQugJXz8WQfWBot2CUTEeK9rFlk3 PeJHAlFtzPw3hsYe22rqML78EPXxEzDGTLxWWpWapD6JEL++BVUBs+2qE2MKakpIXYd4 WXKg==
X-Gm-Message-State: AOJu0Yy7fcw0ARgUsYAxB/C0jchPLfiMfWjdRQnP6laywFYPi60SBk/+ caediMwcfokJPw+GBXvhZrgX3/ZSRybw7vXxpQCDb6Hu0mKR28iVFHffqA==
X-Google-Smtp-Source: AGHT+IFWNrjqgaiNwsJ2wp1Qpl2UHAQni3Vdr4qk+JJgqbQ3nbpqWhI+4h+ASyG5N5aSKByw6Ts7CqUruRoCbJykNgw=
X-Received: by 2002:a2e:3c02:0:b0:2bc:b61d:44c9 with SMTP id j2-20020a2e3c02000000b002bcb61d44c9mr5550414lja.53.1693811730720; Mon, 04 Sep 2023 00:15:30 -0700 (PDT)
MIME-Version: 1.0
References: <169358319952.22584.5522382198109168002@ietfa.amsl.com> <CA+1=6yf4YmduV-V_9_tLKJtDV5erRKHW6JzZt1w4Y4kKw2A-Qg@mail.gmail.com> <31907C23-3C21-4070-AB4D-6D045EEAB578@island-resort.com>
In-Reply-To: <31907C23-3C21-4070-AB4D-6D045EEAB578@island-resort.com>
From: Thomas Fossati <thomas.fossati@linaro.org>
Date: Mon, 04 Sep 2023 09:15:14 +0200
Message-ID: <CA+1=6ycaA_tUa-WA9r+B=JE9BhLHjMfJ=_GOyTjNnb5wdDo-=Q@mail.gmail.com>
To: "lgl island-resort.com" <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/1cKlhuiEonXHcD74dgGECo52z80>
Subject: Re: [Rats] Partial Profiles (was Re: New Version Notification for draft-tschofenig-rats-psa-token-13.txt)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2023 07:15:37 -0000
Hi Laurence, This is awesome feedback, thank you so much! To track your review I have opened: * https://github.com/thomas-fossati/draft-psa-token/issues/89 * https://github.com/thomas-fossati/draft-psa-token/issues/90 * https://github.com/thomas-fossati/draft-psa-token/issues/91 We will need to sit down and discuss among co-authors what to do about this "partial profile" item. In the meantime, we can continue the conversation on GitHub. Cheers & thanks again! On Sun, 3 Sept 2023 at 20:50, lgl island-resort.com <lgl@island-resort.com> wrote: > > Hi Thomas, here’s my comments > > 1) Preferred encoding > There is no requirement of preferred serialization. Particularly integer and integer arguments do not have to be in the shortest form. I think it should probably require it like the EAT Constrained Device Standard Profile > > 2) Base on EAT Constrained Device Standard Profile? > When PSA token started there was no EAT Constrained Device Standard Profile. Now there is. You could rebase the document to be a variant of EAT Constrained Device Standard Profile. You’d just say “PSA Token is the same as the EAT Constrained Device Standard Profile with these differences”. The differences are 1) any algorithm can be use, 2) claims Client ID, Secure Lifecycle,… are added, 3) freshness model allows epoch handles. Just a thought. > > 3) Partial Profile > (I get beat up when I make comments like this, but here goes…) This is a partial profile. It doesn’t guarantee interoperability because it doesn’t lock down algorithms, key identification or freshness. The EAT Constrained Device Standard Profile is not a partial profile like this because it does lock these down. If you leave it as a partial profile, I think you have to call this out. You have to say “further profiling is needed for real client-server interoperation”. Also, if you leave it as is, I think the EAT profile identifier should be removed because it doesn’t identify anything useful. > > My suggestion to deal with the partial profile issue is to define one or more full profiles. Lock down the algorithms and key identification and such for one or more profiles. This doesn’t preclude a future PQ token and such. A PQ token is just a different profile to be defined in the future. It can be easily described as the PSA Token profile with PQ algs. > > Basically, I’d like to discourage partial profiles that don’t interoperate. Maybe the EAT draft should be more clear on this. Maybe it should say that profiles with profile identifiers MUST NOT have any variability that would allow for non-interoperable implementations. > > LL > > > > > > On Sep 1, 2023, at 8:52 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote: > > > > Hi folks, > > > > We have just published -13 of the PSA token, which we reckon is really > > close to final. > > > > So, given EAT is progressing towards publication, we are planning to > > submit the PSA draft to the ISE shortly. > > > > Whilst we tried hard to tick all the boxes in §6 of EAT, we'd love to > > get some more eyeballs on it because it's one of the first EAT > > profiles and as such it might become a blueprint for others. > > Therefore it's quite critical that we make it as good as possible. > > > > Thank you very much, > > cheers! > > > > > > ---------- Forwarded message --------- > > From: <internet-drafts@ietf.org> > > Date: Fri, 1 Sept 2023 at 17:46 > > Subject: New Version Notification for draft-tschofenig-rats-psa-token-13.txt > > To: Adrian Shaw <adrianlshaw@acm.org>, Hannes Tschofenig > > <Hannes.Tschofenig@gmx.net>, Mathias Brossard > > <Mathias.Brossard@arm.com>, Mathias Brossard > > <mathias.brossard@arm.com>, Simon Frost <Simon.Frost@arm.com>, Simon > > Frost <simon.frost@arm.com>, Thomas Fossati > > <thomas.fossati@linaro.org> > > > > > > A new version of Internet-Draft draft-tschofenig-rats-psa-token-13.txt has > > been successfully submitted by Thomas Fossati and posted to the > > IETF repository. > > > > Name: draft-tschofenig-rats-psa-token > > Revision: 13 > > Title: Arm's Platform Security Architecture (PSA) Attestation Token > > Date: 2023-08-31 > > Group: Individual Submission > > Pages: 32 > > URL: https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-13.txt > > Status: https://datatracker.ietf.org/doc/draft-tschofenig-rats-psa-token/ > > HTML: https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-13.html > > HTMLized: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token > > Diff: https://author-tools.ietf.org/iddiff?url2=draft-tschofenig-rats-psa-token-13 > > > > Abstract: > > > > The Platform Security Architecture (PSA) is a family of hardware and > > firmware security specifications, as well as open-source reference > > implementations, to help device makers and chip manufacturers build > > best-practice security into products. Devices that are PSA compliant > > are able to produce attestation tokens as described in this memo, > > which are the basis for a number of different protocols, including > > secure provisioning and network access control. This document > > specifies the PSA attestation token structure and semantics. > > > > The PSA attestation token is a profiled Entity Attestation Token > > (EAT). > > > > This specification describes what claims are used in an attestation > > token generated by PSA compliant systems, how these claims get > > serialized to the wire, and how they are cryptographically protected. > > > > > > > > The IETF Secretariat > > > > _______________________________________________ > > RATS mailing list > > RATS@ietf.org > > https://www.ietf.org/mailman/listinfo/rats > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats
- [Rats] Fwd: New Version Notification for draft-ts… Thomas Fossati
- [Rats] Partial Profiles (was Re: New Version Noti… lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Thomas Fossati
- Re: [Rats] Partial Profiles (was Re: New Version … lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Simon Frost
- Re: [Rats] Partial Profiles (was Re: New Version … lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Thomas Fossati
- Re: [Rats] Fwd: New Version Notification for draf… Michael Richardson
- Re: [Rats] Fwd: New Version Notification for draf… Thomas Fossati
- Re: [Rats] Partial Profiles (was Re: New Version … lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Smith, Ned
- Re: [Rats] Fwd: New Version Notification for draf… Hannes Tschofenig