IETF Logo Mail Archive

Re: [Rats] Working Group Last Call for UCCF draft

"Smith, Ned" <ned.smith@intel.com> Tue, 29 August 2023 18:55 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 157DAC153CA0; Tue, 29 Aug 2023 11:55:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYki1oOvTfd2; Tue, 29 Aug 2023 11:55:01 -0700 (PDT)
Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43442C1519B7; Tue, 29 Aug 2023 11:55:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1693335301; x=1724871301; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=CAbhmqvYHInxds9BRGnBc5BpL2BP/vCwIri6klYj2kw=; b=ls39mm+TmFtSaYsJ0VOHq4pj0wGAbQDJRYYXDAQj8VdQ2TKC4nyRB02n QFYvWFcjX1AQUFuHHS/2bdzYYn8i+RcolVwkcFEPIC/F+wCn/pAHO0ycs I2zvJhvZsIskS2vpN+VgCfVm2GeCYXwQUnWEywz9Nc5aPPHI8fDtEuoPs km3X+nul863fCs4dfi5WJG94Gvxxxw9TLdffI/Ic0iXHugczTbZ6WfSou dkuh0x+HXwkgaODfFsFzClZnfWrjNjEsyolzlYbd9ASzR5Xdvih+WrXWL GzD1EWzVX/M9j2jJVGnHjj0X4W/TsDWCBYrCkMtg8tPtDP9tcKqSoB/Bh g==;
X-IronPort-AV: E=McAfee;i="6600,9927,10817"; a="378170845"
X-IronPort-AV: E=Sophos;i="6.02,211,1688454000"; d="scan'208";a="378170845"
Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Aug 2023 11:54:41 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10817"; a="912518793"
X-IronPort-AV: E=Sophos;i="6.02,211,1688454000"; d="scan'208";a="912518793"
Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by orsmga005.jf.intel.com with ESMTP; 29 Aug 2023 11:54:40 -0700
Received: from fmsmsx601.amr.corp.intel.com (10.18.126.81) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Tue, 29 Aug 2023 11:54:40 -0700
Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27 via Frontend Transport; Tue, 29 Aug 2023 11:54:40 -0700
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.106) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.27; Tue, 29 Aug 2023 11:54:39 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=N7gj3jf9Q6W14m58Q+m3p0HPnCLmcV6rrDiu9GJGlOIWaQq5MLrPCoFBawWBxlaIGXCCaDdeGuNcv4VFe2a+Q7rd+YcOZWJqqAmWEYWMZ1fhGHWp4uL+QecmvbL3xHf9j+MSAMvhpdEInt6wj3sXKfTNHwvKQHHpwsBYYxOSWlbJdFcYoX8Dbjmabu2IaW85T6jUTr7J86Pi8QB8J90vKjQt9j87GgpKmvS7VEeTyk20+/qQ1hw9mMsdojmDNBsSoQYDSRQcMKp9CGpMaZTqAM/UBh5vsTEAgyaFlHvkjaCzeqDHm+PaT4unJDh/Wimcmmmx7IwuZKwSeRv5VmjTPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CAbhmqvYHInxds9BRGnBc5BpL2BP/vCwIri6klYj2kw=; b=jj7eUtAlOJz9PnRcNTBBBmSz6PKWH6jkhU2u8X3htccaqzNcfLuw5f3P4RDUcfNwQLxY08zklP0WYpYYc4KU0ZrjtClaartf9l+2iMn3JJCqy+gpvv822+mPdfcGfbgbz/AbdOCk1J4i/J9Gf32UAK2vRUZ9D6ap8TzYd3o6/8JzzqLoKSkboAGul/2VJWbRemCZL1zocgkZPthyiIAKtxtPWJ3RADbA8sL4DmV0jy1I1cluA2FqxF5moHEF2/UShstx1qNFf3Q8gLKaITRNx5lXpU7hA3Xy763YE1/1d4pZewyQR+LG/c/4Grgloa14VU1MAxygRERsWTXih8/Pow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by PH0PR11MB4902.namprd11.prod.outlook.com (2603:10b6:510:37::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.18; Tue, 29 Aug 2023 18:54:37 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::5fb6:7200:97a4:b7e9]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::5fb6:7200:97a4:b7e9%6]) with mapi id 15.20.6699.035; Tue, 29 Aug 2023 18:54:37 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Thomas Fossati <tho.ietf@gmail.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: rats <rats@ietf.org>, cose <cose@ietf.org>
Thread-Topic: [Rats] Working Group Last Call for UCCF draft
Thread-Index: AQHZ2BKsFPYoR+uVCUesD/q+CCvry7ABiBOA//+m8IA=
Date: Tue, 29 Aug 2023 18:54:37 +0000
Message-ID: <431E2012-B1E1-436E-9377-8EB079E087D0@intel.com>
References: <CAHbuEH7Kj821CZJxbbs_5WW+XhK3xzePmWXjc878k=r2Gs=nJA@mail.gmail.com> <CAObGJnNCOGxZmWFHnM21jrDuXjWqm1rOcZUzMyJWQmFenuKSZA@mail.gmail.com>
In-Reply-To: <CAObGJnNCOGxZmWFHnM21jrDuXjWqm1rOcZUzMyJWQmFenuKSZA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.76.23081800
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|PH0PR11MB4902:EE_
x-ms-office365-filtering-correlation-id: c60df965-c1f6-41bf-c902-08dba8c16484
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rytcbzh5fiWmhGYavfDB7eCi3oc7KXg9k/Fo/fe8qTVDNL1KHL2f91P4r5qoIoNV5q9IXQV7GpucXoo5K+TZ3Xca3hzTbLdbUIvX5v/1Mo3jiusqKrjULA5pA6+xkbwgA0yWdl1Resbc2nqZwvj/HwLFHQuGCwIlvmla2akFYmih96PNLVaMUspJRbfkvTaEXqxPfiVJz8Vwcwir+f5SJsnjYRnQHtX1+sQaOead8deee8437H+SEhZfW/iwueGh3IL2AImd1WWQKX+yKKN5c1vDtEOgXnulFw2ZU53xBXtqYEemhaG3SqaxKkPjoIMHczgotAn36ccmWUzPCPOlpwNV8avL1flxKvhKx0y4Af5fv85U4OTNGU5MftoQ8BSBgJv6LftffMNllZnyTKk+z0IO1ce34wOClOOAk5zW30XOmQCqzQTRL9EmevtIT6S1hLGbt3LJyjhFTwxy4VObotUWZW9qqcjf9r7DYZQZTwaT4jPt2Ut26aEPCCVhHBrx+2XCYkFojrYzfkOU7wQaJtuUPV52AUAcQ66GE7m4xI6ci4hu5/X0n9WoGQ5+jNHzLnnzyKa+oSQk3pQj/IgAHIIVa7Ltm6rwncXGzsyM8FyRXV79VEDnPiyLssxNurYeKeKMDO38qvCssN+Ujcqq8rESvmkFXAMrdVaTwfCKuPHt+rDLj0bkCEkInRwXWboz
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(346002)(366004)(136003)(376002)(39860400002)(1800799009)(186009)(451199024)(8936002)(122000001)(110136005)(53546011)(478600001)(76116006)(6506007)(66556008)(71200400001)(64756008)(66446008)(66476007)(66946007)(54906003)(6486002)(966005)(38070700005)(316002)(38100700002)(41300700001)(82960400001)(6512007)(36756003)(26005)(8676002)(5660300002)(83380400001)(2906002)(2616005)(86362001)(33656002)(4326008)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 8THaFbsNl6Rul0lUZTsQgGFASfMt1bEScHQXAc7PsYAfS/xh4u9YDmUIg8f6fJicTkYmdGs92D2cekKfJ/hqJW0fnJ17eHI246tK6TwVcwvtff/c1O+pSlrTc0QPLiboDSEXT9+NgQf6HRBqXvpXf7/Bozs9h9N2hfXlDKGhMlHpB+Go31DmMx9P2a/tFDFtQ+ScKv3VzFl8U4FPBaoESCqWWmDab+0fb4GZlHAhfx+vhmbjXuvjAjc7BWpbiljMTop7tVGJJdbAHkPEKzRDrVHk8j05LaeiCRD72FpSIJUt5Oe+/VLvse1+ZrAf53OsFMOwltkUoeHkhR+UqyFcE30OK+sshRD248A/B8UB2Cley/L9FWeBrr9D9sLJQOadOk6N02YMZJqAewvqiRKzklT5LJUG/dJfWiUK5TKPv9G8jHymDp4Z3GAEP9OmDZJ0cYIlaPVW0zyjq0EmLylUJaYtgKxsr5TZ1idSIRRK9tswcKvIrAi4iWeRrQWd6FT9qlz8Lxun1FIVKDZMHGcMN7HEgs22DNXL/dmDdlqhaygHdRlIEbQUz8loyV5PNVHCoOBNfFVNdVVJp7UYbFp1dtOF1z0PunYSUEbl1B+m8veJZR0U7+WhUs9okcbDT39ZINzLDSIlyG2KoETh7CQlFb3la/QOlZ0EHyehoQ8Thhm425q1sd3HueXV9grLmf4Bcn9GXg6pjVtYesmW0dH2R+MzU4VBS0T2OJR0pMmSXO9s12WNO0s/lLqZiTEVqxPVPLBCQXY8PQtpe3miU/rXii9wzFAzXJjrto9iruSTh3ipbSWp7Bos7R7CmlcT4WJocfE/qbMElI3yU+S2ooSDLwqQ6WihM0mV6RcLho7MnoTVcYOKUpXUWf/Q1khnHzyIclMldoamOcId3uBaCWCZZzEyisb3Peouyg2WH5HwBy0oA/CcpeHgAnJ6t+eD2DjSn2hsVPFBZLzT92Nj2bwpZLVVPu6BeywxYm3OYU4UXEtG9TUH7pLjU++Reaa+xKp0a3VcTkqixJa7zscH/+CgbcGuAW0c3Q57p5wnWOlNlkMJFAwyE8r6OK1nLJBLMIj8RupSBd4ekixl2zwvO+PjxhwoSqwEbmtoR7MEFwJ9uK5Krg0LKOMECIB3Gpp+54oD6/e44Lfi3yjEvGrr1ZFx40GR5DjFGW1lIcM/bm48HQ8/hDjHWnqJ+YWd/htWwElnvLPAAlKB7b3FOBJDNtWvOnHIl0MnioCqwYnxPWbOXjVTWLcB1VKBPlVijbT82NM2+Sdfuh0PKmKbpoYUSJrdJEYsr154P2gZ4xaDt24HwBKPgppSBlGLR5EkqN55qGsQvcnMGejk0LQP+SzzYg7PDqPNTZE9ag1ixAapzFJLR7hQOk+ezZx2gZ72pxhaTx11KLJN81pB3wtIx+ryKbh0FdsCBBt7QeW/FqORlrPO9mOBU1eHZ8NQzWsSygKRenj67XImedeqktC7MLQJzJ0NSnsBBjKAu9A/dqcXvx/3wnN74OftKN8T1iOahWDv6Vrw2ajX11FFmCjgjXw7vepDjX4a+56j55choHcYsQaq+gOtU7Xo4e6R7vMT4McSTK5k
Content-Type: text/plain; charset="utf-8"
Content-ID: <29958B90E593AB4DB5181134AE93F006@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c60df965-c1f6-41bf-c902-08dba8c16484
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2023 18:54:37.1088 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ht3uoetJRcT9qptnhxz8sv2bneDZ/oNG4FKRDW2r5tyrrrg/qRQdpnX5O+R3ouJ/DQTB8rNnmc0aL+ihWOt6hQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4902
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/2AgNy3YTiYaP2eU91LKcBglLTLQ>
Subject: Re: [Rats] Working Group Last Call for UCCF draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2023 18:55:06 -0000

Here's the paragraph in 9334 that uses 'secure channel':
"Conceptual messages (see Section 8) carrying sensitive or
   confidential information are expected to be integrity protected
   (i.e., either via signing or a secure channel) and optionally might
   be confidentiality protected via encryption.  If there isn't
   confidentiality protection of conceptual messages themselves, the
   underlying conveyance protocol should provide these protections."

The UCCS usage context should echo the above assumption that integrity and possibly confidentiality of conceptual messages is protected by some form of wrapper technology if it isn't provided as part of the conceptual message itself. 

A detached signature is still a form of a conceptual message. A conceptual message that is wrapped by another conceptual message is still a form of a conceptual message. A conceptual message containing a "detatched claimset" is also a form of a conceptual message.

Cheers,
Ned (not as co-chair)

On 8/29/23, 10:17 AM, "RATS on behalf of Thomas Fossati" <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> on behalf of tho.ietf@gmail.com <mailto:tho.ietf@gmail.com>> wrote:


Hi UCCS authors,


It looks that the assumption is that since UCCS drops the COSE
envelope there must be a semantically equivalent "secure channel"
provided via a transport / object security primitive that replaces
COSE's services.


I'd like to point out another possible use of UCCS is to implement
what EAT calls a "detached claims-set".


We are experimenting with that for confidential compute workload
attestation (see [1]). But the mechanism is generally applicable when
stacking claims-sets in hierarchical attesters.


For example, we use UCCS as a "sidecar token" that is coupled (using
an EAT collection [2] rather than a DEB) to a "main," signed EAT that
contains the UCCS's digest in one of its claims. Note that this is
not in contradiction with EAT, in fact §4.2.18.2 of -21 has:


[...] EAT, however, doesn't require use of a detached
EAT bundle. Any other protocols may be used to convey detached
claims sets and the EAT containing the corresponding detached
digests.


It looks like this case is not discussed in the current draft.
So my question is: should it? Or should a different draft document
such practice?


I read §3 of UCCS:


[...] As UCCS were initially created for use in RATS Secure Channels, the
following section provides a discussion of their use in these
channels. Where other environments are intended to be used to convey
UCCS, similar considerations need to be documented before UCCS can be
used.


to support the latter, and that's OK, but then I reckon we should be a
bit more precise in the scoping parts of the doc (abstract, intro,
title) to be explicit about this "pre-existing secure channel"
assumption.


For example, this sentence in the abstract "[…] discusses conditions
for its proper use" could be "discusses its use over pre-established
secure channels". There are a few other places where this kind of
surgery could be made as well.


Other than that, I think the document is in very good shape and ready to ship.


cheers, thanks


[1] https://github.com/CCC-Attestation/attested-tls-poc/blob/main/doc/parsec-evidence-cca.md <https://github.com/CCC-Attestation/attested-tls-poc/blob/main/doc/parsec-evidence-cca.md>
[2] https://datatracker.ietf.org/doc/draft-frost-rats-eat-collection/ <https://datatracker.ietf.org/doc/draft-frost-rats-eat-collection/>


On Sat, Aug 26, 2023 at 1:44 PM Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
>
> Greetings!
>
> The working group last call for https://datatracker.ietf.org/doc/draft-ietf-rats-uccs/ <https://datatracker.ietf.org/doc/draft-ietf-rats-uccs/>
> begins now and will run for 4 weeks per discussion at the IETF 117 meeting. Review requests are also requested from COSE working group members. Last call ends 9/23/2023.
>
> There are a few remaining questions that I need assistance from authors on prior to IETF last call. Could each author and others with knowledge of IPR please disclose any at this time as well.
>
> Thank you!
>
> --
>
> Best regards,
> Kathleen
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>






-- 
Thomas


_______________________________________________
RATS mailing list
RATS@ietf.org <mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email