Re: [Rats] Attestation Results for Connectivity
"Eric Voit (evoit)" <evoit@cisco.com> Mon, 26 April 2021 23:48 UTC
Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 037A53A35DF for <rats@ietfa.amsl.com>; Mon, 26 Apr 2021 16:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=jlgEUsQY; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=wgswszMJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kIm33l_h97RO for <rats@ietfa.amsl.com>; Mon, 26 Apr 2021 16:48:07 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 311C33A35DB for <rats@ietf.org>; Mon, 26 Apr 2021 16:48:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=16740; q=dns/txt; s=iport; t=1619480887; x=1620690487; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=eBNN+YK3RBVPFoytUFiqpB6NAW87Afce60zgpKLz59M=; b=jlgEUsQY5au6P7lEeF0xDMyhYJAIAJZi9t7WQKhjYi34OmDfMnj+/PX8 aWhC2PjgV7LaDCY37CfniXZpM9w/x5x5Dh/nLN4G2RXHwBQ1BmTgSE0KL o4/DbmBt/JtHPpr6ID79hgpqbClJ1doWQkkvA0E+QTccfmnj0nS5+odax Q=;
X-Files: smime.p7s : 3975
X-IPAS-Result: A0DsAQBPUIdgmIQNJK1aHAEBAQEBAQcBARIBAQQEAQGCEoFTKSh+LC42MQuEOINIA4U5iG4Djy2KFYFCgREDVAQHAQEBCgMBASoIAgQBAYFygl4CgXoCJTgTAgMBAQEDAgMBAQEBAQUBAQECAQYEFAEBAQEBAQEBaIVQDYZEAQEBBCMdAQEuCQELBAIBBgIOAwQBAQEqAgICMB0IAQEEDgUIBoJeBAEBgX5XAx8QAQ6OXpBtAoofeoEygQGCBAEBBoEzARNBgxUDFYIMBwMGgTqBU4EmhAuGUxcQHIFJQoETQ4JfPoJgAQMYgQgJARIBCxgFEBUMAoJdNoIrgU8aKjEGCCoOHQcEFAkKARsPASAwFh0OBwclEgMEJ1gJDwOQPAgLDhQlgkFCiCSeOQqDDoEig2WCd4FzjHWGShCDUT6KR4YXkCOQCqNXKhyETQICAgIEBQIOAQEGgWshDywwcHAVO4JpUBcCDo4fDA0JgQIBAgaCQ4pdcwIBNQIGAQkBAQMJfIlOgTUBM10BAQ
IronPort-PHdr: A9a23:Z0/TrxTL9nJXrHDSaPE/VuaaVdpso0fLVj590bIulq5Of6K//p/rI E3Y47B3gUTUWZnAg9pBiuHMtLvnV3BG6pGE4zgOc51JAhkCj8he3wktG9WMBkCzKvn2Jzc7E 8JPWB4AnTm7PEFZFdy4awjUpXu/vjsTEQ/4Lg17OqL+HYuBx8iy3vq5rpvUZQgAjTGhYLR0e ROxqwiZtsQfjYZ4bKgrzR6cqXpTcOMQzmRtdjqu
IronPort-HdrOrdr: A9a23:aUlggqrQDlv83fQxHCpwCHQaV5toK9V00zAX/kB9WHVpW+SivY SHgOkb2RjoiDwYRXEnnpS6NLOdRG7HnKQV3aA4Bp3neAX9omOnIMVZ7YXkyyD9ACGWzIBg/I 9aWexFBNX0ZGIUse/T6gO1Cstl5dGB/ryhi+u29QYTcShBQchbnmBEIyycFVB7QxQDIJI/Go aV6MYvnUvfRV08aMOnCn4ZG9XSvtGjruOmXTcqJT4CrDOPgzSh9aLgH3Gjvis2fjtTzd4ZgB P4uiPj4KHLiYDf9jb90Cvp441SiJ/dzLJ4dbCxo+w0DhmptQqyfoRmXNS5zXAIicWi8kwjnt WJgzpIBbUI11rrcmu4oQTg1mDbuV5EgRKPuDzo40fLmsD3SCk3DMBMn+tiA2bkwnA9t9Jx2r 8j5RP+i7NrDAjNlCm4x9/EWwACrDvNnVMekPUeh3EabI0GaLU5l/1nwGppFv47bUbHwbFiNN MrINDX5f5Qf1/fRWvepHNTzNulWWl2NguaQ2AZ0/blkAR+rTRc9Q811cYflnAP+NYWUJ9f/d nJNaxuifVnUtIWV6RgH+0MKPHHSFDlcFbpCia/MF7nHKYINzbmsJjs+og44+msZdguwIYtno /CFHdVr3Q7dU6rKcDm5uwPzjn9BEGGGRj9wMBX4JZ0/pfmQqDwDCGFQFcy18S6pfESBdDaRu azNJpaD+SLFxqoJa95mynFH7VCI3gXV8MY/vwhXUiVn87NIor28uzXGcyjYobFIHIBYCfSE3 EDVD/8KIFr9UawQEL1hxDXRjfockz79pRgDbjC84EoudEwH7wJljJQpUWy58mNJzEHmLcxZl FCLLTulb7+o3K382bO52BgIQFcEU5R/bXlXxpx1Es3GnKxVYxGl8SUeGhU0nfCDAR4VdnqHA lWoEky5bi6NIWKxScpC8uuN2WTi3d7ngPTc74s3om4oev1cJIxCZgrHJFrHQLQDhpvhEJBs2 FYcjIJQUfZCxLjgaiol4YvGenabtVw6T3bevJ8mDb6jwG8rdtqbmYHVzSuOPTn8DoGdn5xvB lN1IMxxJCHgi2iLGMjhv9QCiw9VE2nRJRcDAqEY41InKvMYw8YdxbRuRWqzzcuZ2Ht60Iewk vmICH8Q4CWPnNt/lZFz63t7FR4Ml+4Qns1QHV7vYphfF6250pb2fOXZ6a1zmuaYkYDxOZYKz 3efT4OOGpVtqKK/RqOmC+1EH0sypA1V9atf4gLYvXd3GigJ5aPkrxDF/hI/Ix9PNSrqeMTV/ mDEjXlYA/QGqcs2waPoGwiNzQxoH44kenw0BmN1hnz4FcvRf7TKk9hXbcVPpWV6HXlXe+B1N F8gcguteW9dmX3Zdju89CbUxdTbhfSq3WxVecmtNRdur8zrqJ6G93DSiTTvUs3lSkWPYPxjg cTUa576LfONstmeNETYTtQ+h4smM6UJEUmvwTqCoYFDB4Qpm6eO8nM76vDqLIpDEHEvgf2NF WF+yBW/vvOXUK4pPUnIrN1JX4TZFk36Xxk8u/HapbZDx+ycfpfuFW9KX2wfdZmOea4MKRVqg w/5d6Gn+WaLXWlnA/RuCZ2OaJI/SKsR9ioDAeFBO5P9Ji7ND2389yXyd/2iC2yTz2xL1kcj8 lCc0cba8xYkDksjIEtyEGJO+TKi1Ngl0Eb+C1tk17mx5Ov72jaF1xXKAGxuOQjYRBDdnyTyd nf+eeW1H7h8CFI1JnKGkBXZMxPEbErP/7KBjYrL9MRsr6u97cuhSoGYA5GNR9ItAzA
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.82,252,1613433600"; d="p7s'?scan'208";a="701649563"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Apr 2021 23:48:05 +0000
Received: from mail.cisco.com (xbe-aln-007.cisco.com [173.36.7.22]) by alln-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 13QNm3fe016017 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Mon, 26 Apr 2021 23:48:05 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xbe-aln-007.cisco.com (173.36.7.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.792.3; Mon, 26 Apr 2021 18:48:03 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 26 Apr 2021 19:48:02 -0400
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 26 Apr 2021 19:48:01 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ND3aIA2y0SIjOkek5gkxo2Qe88j/hQS4W2T09Rjajry99ZV6MagDtcYjMelISW7xDkGTKsTsgvCCnmreYGa8EK4OGexxIokNayB3UD+WhTF8J5D34LNWJ6BbVQSfXoxJsqHMoOxW5WhUsOKnaSmYSp8LUz03DWghvEa5k2UkqpUzHxDEZXgLd51TdJZ3+7yUPZDRF7D6mADXXSVD/3bHsy1HkG3kJvKLQHAp/AVxZ9QD8Tt7QbeA4GTUw3tWvVDkVwCXKUENSxz2MLcDyy2c6DKQVVVa8D7U+goO5DY+coYw+uhnnhi16vk40610dB0lnLjrHHitDVMknZf2+LyPwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q9xw2IbN8+4UF5XHFzw6TyhJ2EZi7ddtg1MrO0b7buA=; b=cBm6Ll3v7wa0IiFo1gZkb633xxfk3k6iqdW665TTnKnGmGZSuhix1U3uPjrCV/4EELkaUBZ3zyuWr6Dri6lAz6OTyginywjApo+IsYhuZr214T2jn+migw5/DlF3ARzrQxHCsyYYTfaPIU5wQP7iMpwc4A1jf1Q/8BwaeYlyT7s9ezKLEvg1wFEPt9rrRqLvRuUn0Vms34epiLyIuWp5bDo6JFHzVJ8qwzwI3czz/IsjWXOmY2ZjNLvUeEiydUGBfohGFdSASxm8C8ZWQGTu/RG3g3Q+3wW8cyRUiKac9/AMkRegBafWOw1lUUE5r+E5FwXYF+XBbWVI5xJ1Qx9A6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q9xw2IbN8+4UF5XHFzw6TyhJ2EZi7ddtg1MrO0b7buA=; b=wgswszMJTcHpCYRiEHaQ5O3xx1NM0wVvgjy9yWNz5jW8nbGnlm3O4B9lEsPPHqip7KMTy3CvVLw0casbV8w3VE1tpUmQlRhQShhfJVIFu8VqZx5utmyCo7s0k3FbZRV29YP2urjrvEIoeQcIsY7v50IJjr8FLc1TeYjvj0yQOlU=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by BL0PR11MB2947.namprd11.prod.outlook.com (2603:10b6:208:33::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.25; Mon, 26 Apr 2021 23:48:00 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::f571:5dd6:fe20:3ab0]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::f571:5dd6:fe20:3ab0%4]) with mapi id 15.20.4065.027; Mon, 26 Apr 2021 23:48:00 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Dave Thaler <dthaler@microsoft.com>
CC: "Scarlata, Vincent R" <vincent.r.scarlata@intel.com>, Thomas Hardjono <hardjono@mit.edu>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: Attestation Results for Connectivity
Thread-Index: Adc6vyX7FkhIWsfsStOCm1vuFlVj/AAFhfSAAAG46eAAAdOjgAACk1uw
Date: Mon, 26 Apr 2021 23:48:00 +0000
Message-ID: <BL0PR11MB3122ED51F75B8A25E4CAB5D6A1429@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <BYAPR11MB3125D582622D87EA0C968CCBA1429@BYAPR11MB3125.namprd11.prod.outlook.com> <60E7A6FC-B607-42D4-BDAD-F8C9699991CC@arm.com> <BYAPR11MB3125262FEE722E8BB2ACCAC0A1429@BYAPR11MB3125.namprd11.prod.outlook.com> <BYAPR21MB17360620AE7B56BC3BBBABD6A3429@BYAPR21MB1736.namprd21.prod.outlook.com>
In-Reply-To: <BYAPR21MB17360620AE7B56BC3BBBABD6A3429@BYAPR21MB1736.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=fca082cd-430a-45db-98a1-d1aa415d5fd5; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-04-26T21:30:54Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: microsoft.com; dkim=none (message not signed) header.d=none;microsoft.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [108.18.141.61]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1cd3ff87-86ec-4fe0-c442-08d9090db99f
x-ms-traffictypediagnostic: BL0PR11MB2947:
x-microsoft-antispam-prvs: <BL0PR11MB29470D550D36D2FED2B9A327A1429@BL0PR11MB2947.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tBJLKWcHVkdaaU5g0WmoU2et0kDPsiJbOlclUAa7+7GvK3m7fDj2YeZBRfBesVRTjg+i4cC5Nhp+iHyRQP1Ma9bzBnvhqMXO+MYIRf13VicpBCIqXLpm2djW0PLN99JrQ2T2MZNAlMZ/tuVY4cGIWWpHEHQqXAvuP+gERWz4E4Wo859n102FfLAMWdAchfiCEsDL2DUpah54GpGik+QMSlfKYsrPa/2tGqJMh/6T+2Mz4V2J0w2amcZ3saVM78PXMyiI4lFRvDyn2v+hahnDqUwZ8NCOJl7r7PlCqAn48Jh5gyqc5NQU7tZybWxj3QYBXtuNJhoHRjwCkYRTryywz08K6zFZFOX6rA/n+33wAE6EtdM0clzXujFVZhzAdIXKJg2hWX4uMWmdDqdUZ1tiJdtnBeaPLPCBbfJzExbG15y2dkr8cXmTkxWVWA5A4iUYau7S2N2Y3xUTKbrlVFzY35YgbP2Ieo+dcIUK9E40UR/EeHsz9ZJpnCrQAeMaCvbkwbQWdYTHbkfqIFE8tNrjvi4rtBVO6P9xdgnXi2OwykHrlSKmN7kSFDwbhwr+P7ieWLZko1WcXbteiPS19bOICT8XGLewgAy+C12zMJtpVPQcfe5SeMn8T30FBveJde26P/wKZKgw4fbpq2pp9w55uz9yGZRwf/RgVgeWsie3AFuV572lVWoCG+OyWCpfT4hl
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(39860400002)(396003)(136003)(366004)(346002)(2906002)(76116006)(966005)(71200400001)(86362001)(8676002)(5660300002)(8936002)(316002)(64756008)(66476007)(66616009)(66946007)(66446008)(66556008)(54906003)(478600001)(45080400002)(52536014)(53546011)(6506007)(33656002)(7696005)(6916009)(4326008)(26005)(99936003)(38100700002)(122000001)(3480700007)(83380400001)(186003)(9686003)(55016002)(66574015); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 4la/7Yflj7pCEnXUBzgo4p55qggaJokQ+vSyhLpQS7oNKPZENYc/EfLuGjAGBClWhzL20oWMYeO0uJZM8fy8kP4eFBHDJTcioLnkcqXH7JgaZpqy18StqBmDNS6D9YKEMJCJkNA178Wp5ZI38TTdIMDoD0vgMF9wgQhZCD+r/rsBNrd/2EYAnfLncCjVdkEWMEriWVucpG+x89wX7hVPb+m7finE2Ds0ZzzzfQHUfkVzRXeLBZ8UvWoXM+WfuafFoCatNUyWPv7Lub5oo41SyV7TE5bnxI9MJAUZTldHf1VASf1J7/27x7ZCLm/S1IZEjfspdoTwAgE7ZUc/LgWLjRMc+AFpPqKeYToVi+5bSygH+eSZMv3m2KY+n3AnL7lioZyVBdKXHWsvkXbs+7BK00RejKOUEX9jpqK/2A0xDgDC4jiT+FjWXeg+lrIHnSEFW1LdkP/JPbyt3nJyS+Bciqrx+NTy/8ypU1AAF/s33dWVWgBlvWU7UjN4Ch7GJqevHtiXt87t/WVsYIkbZ4TqzoIrBV/wwYLkV1YvfYUI/3MPjf80Oh/7jdHvssZ1p7xx0jzo4Bg2zrdqGkvGpGxv3gvaQXuKsQPXm7PkuhLoMjCLbYUOpuGiN9AA0KedW3VhXCOe81DFkKir4DcmBdQhjM0m68w3Z0v1IjdKCkFvruEeIuSuPzpcS0+sAg/ukKBD8KOwLZGsY3t2mWk9YJdCd8K51m45WsnMfZUh8Jx1maL81UR5kKQomw8SPdCspG71vQCox9BOWjfOuwFZsbErq76Ti3W0UZR1+weUkXDPyOg+1u8x+BP4ld2EjMj8XMA/sPWlZbIWm4TfkqhfEn/lmKwa9L22ZYqrZ9gLf+ZSB7KXoDoQYrA5khfegb+kp0PTIsblIOj5CAJpDGRzu6b6S6c9e0K0ZSWFnoXkRmgbUo9jJ1YWzc/HQ/CGHVBLhrb2MBWCnYoUpXNe5If7bPJsm6B4i+cUKMkqNftGZ36JSuvWkMRqxhRjL/jElwfFhYMN65ZUQWwItQPNMbY0Nkt2s1ONtaOYrOjpKyNh3RseHhtNj/JAZJLi+/5NLvVmNtD6b0PMESRWdNkQ3ZsG/Q5Ciwuwe0y9hAAOh8+taCjojAN0Dbx2C6heF5pe6f5bWscfGeu/Og9TfzK9YKXziRzaUuQDYWCT3IV3S2IeXZi3v0TQ/KECImd3LtfGkkXJtNV6Z29pzeiZ2CbcZ0JNvJKugQZckvLDfW/p+N657EqbR5tuGTGEazwD2aDGpmtcFnKezchHzhN7c1A0iUtY5sInp2DXzW7OngYUdX4VUcbl+dm42RezajDPWJbrG39p3zS1
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_00AF_01D73AD4.F3CF5D10"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3122.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1cd3ff87-86ec-4fe0-c442-08d9090db99f
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Apr 2021 23:48:00.2246 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RbLesgmbVN4tgnYvQ2aKJD/QEWMoeE5yqG+Ff6SejdazHMakasCy9bxzR1Ftcheh
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB2947
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.22, xbe-aln-007.cisco.com
X-Outbound-Node: alln-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/2_OsGHdiz6JIus-9VAJZo0EMZsA>
Subject: Re: [Rats] Attestation Results for Connectivity
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Apr 2021 23:48:13 -0000
Hi Dave,
Thanks so much for the quick feedback! Some thoughts on some of the comments below:
[DT1]: Terminology problem: Evidence is offered to a Verifier, not a Relying Party
[EV1]: With terminology, the question is how to handle things at the abstract view when the terminology itself is clunky. I agree with you that the 100% correct thing to say (and what is said in places like Figure 1) is a joint combination of "Relying Party and Verifier". Perhaps over time we can find a way to say this which isn't so weighty.
[DT2]: Why? Firewalls don't do this in general, so such a requirement requires justification.
[EV2]: A communication establishment which fails to a specifically targeted peer typically has a reason. The mental model is List of HTTP status codes like HTTP 404 page not found error.
[DT3]: Terminology problem: Evidence goes to a Verifier not a Relying Party.
[EV3]: Here it is quite straight-forward to change the definition to "a combined Relying Party + Verifier"
[DT5]: This sounds directional (connect FROM a relying party TO an attester) instead of generic ("communicate with")
[EV5]: Makes sense, how about "will accept a connection request from".
[DT6]: And this sounds directional in the opposite direction from the paragraph above. Shouldn't these be direction agnostic? And also "connection" vs "connectionless" (TCP vs UDP) agnostic?
[EV6]: Ultimately we will have bi-directional attestation on the same transport; e.g., EAP over TLS. So we are trying to write this as unidirectional requirements over a bi-directional transport layer connection. I expect work smithing will be needed as this progresses so that all constituents are happy. As for TCP vs UDP should be agnostic; of course the definition of connection varies based on where in the networking stack you live :-). "UDP connection" has 100K hits on Google.
[DT7]: I'd argue that each Attesting Environment (e.g., each OS or firmware vendor) might similarly support a different set of claims so this is not unique to hardware chips.
[EV7]: We can change 'hardware chip' to 'Attesting Environment'.
[DT8]: Rather than duplicating claim concepts for affirming vs detracting, can't you collapse them and have affirming vs detracting be part of the value? Not collapsing complicates the test matrix, e.g. to deal with
cases where both exist for the same concept in the same message.
[EV8]: Very interesting comment. Effectively we would have a boolean (affirming or detracting) associated with a type of claim. As for whether a (conflicting?) affirming or detracting result come from a particular Appraisal Policy for Attestation Results: it is possible to avoid that risk by having a state machine which dictates that such intersections are not possible. See the end of Appendix B. But perhaps we can enforce this via the datatypes themselves.
[DT9]: Does this mean that the Verifier can authenticate both the hardware and the firmware?
[EV9]: In draft-voit-rats-trustworthy-path-routing, we broke out hardware and firmware. However I was unable to find a real case where a customer might be good with the hardware being ok, but they were not ok with the firmware being not ok. So from the perspective of the Relying Party + Verifier B, if Verifier A finds any issue here, then flag it. In general, it is useful to collapse failure states where the Relying Party + Verifier will take the same action no matter what.
[DT10]: Is there a difference between authentication (as in "authentic") vs verification?
[EV10]: Same comment as [EV9], if the Verifier finds an issue, it should flag it. Without such a discovered issue no explicit claims should be made.
[DT11]: This description contradicts the name. The name says it's only about the HW as an Attesting Environment, but the description implies that it is about any Attesting Environment. Presumably the description should be fixed.
[EV11]: agree that it is a specific Attesting Environment. It read ok to me, but we are happy to work toward text which works for all.
[DT12]: executables != files. Some executables can be dynamically downloaded and installed without ever being stored as files. (Javascript code running in a browser is one example, but there are many more, including ones running natively, not in an interpreter)
[EV12] Good catch. Will change 'file' to 'executable'.
[DT13]: If I understand right, this is not about runtime memory, it's just about what's stored passively?
[EV13]: Yes
[DT14]: This is a normative reference in the references section. Does that mean this claim is only usable for a GP compliance device? If so, the name should change. If not, the reference should change.
[EV14]: It is not just for GP compliant devices. If this draft is adopted, we can work the references appropriately.
[DT15]: Can't parse grammar. What verb goes with "storage space"?
[EV15]: 'storage space' is a noun to me. Likely need more info to work this.
[DT16]: This reference is specific to an Open Module Terminal Platform and not to nodes in general. Does that mean this claim is only usable for OMTP devices? If so, the name should change. If not, then this doc should either cite it only as an example, or find a more general normative reference.
[EV16]: Like [EV14], if adopted, we can work the nomenclature.
[DT18]: No idea what this means.
[EV18]: If a claim is automatic as a result of coming from a specific type of TEE, does the claim need to be (redundantly) articulated? I would assert no. But I could be convinced otherwise.
[DT21]: This seems overly limiting based on some of the claims shown that might not affect the communication in question (e.g., file-system-anomaly).
[EV21]: I violently agree. In fact our implementation does what you said. Time to tweak the text.
[DT22]: Either I misunderstand the definition, or SGX cannot provide this at all.
[EV22]: In theory, a TEE embedded Verifier could do some of this. We could work specifics over time. But it certainly wouldn't be precluded by SGX.
Thanks,
Eric
> -----Original Message-----
> From: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
> Sent: Monday, April 26, 2021 5:32 PM
> To: Eric Voit (evoit) <evoit@cisco.com>; Thomas Fossati
> <Thomas.Fossati@arm.com>; rats@ietf.org
> Cc: Scarlata, Vincent R <vincent.r.scarlata@intel.com>; Thomas Hardjono
> <hardjono@mit.edu>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Subject: RE: Attestation Results for Connectivity
>
> Hi Eric, et al. I have read the document and added my comments in a marked
> up copy at
> https://www.microsoft.com/en-us/research/uploads/prod/2021/04/draft-voit-
> rats-attestation-results-00-DTreview.pdf
>
> BTW, the CCC SIG is indeed called the "CCC Attestation SIG" and not the "CCC
> AAA SIG" 😊
>
> Dave
>
> -----Original Message-----
> From: RATS <rats-bounces@ietf.org> On Behalf Of Eric Voit (evoit)
> Sent: Monday, April 26, 2021 12:01 PM
> To: Thomas Fossati <Thomas.Fossati@arm.com>; rats@ietf.org
> Cc: Scarlata, Vincent R <vincent.r.scarlata@intel.com>; Thomas Hardjono
> <hardjono@mit.edu>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Subject: Re: [Rats] Attestation Results for Connectivity
>
> I meant to the CCC AAA SIG :-) But this will get the word out for sure.
>
> Eric
>
> > -----Original Message-----
> > From: Thomas Fossati <Thomas.Fossati@arm.com>
> > Sent: Monday, April 26, 2021 2:49 PM
> > To: rats@ietf.org
> > Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; Thomas Hardjono
> > <hardjono@mit.edu>; Scarlata, Vincent R
> > <vincent.r.scarlata@intel.com>; Thomas Fossati
> > <Thomas.Fossati@arm.com>; Eric Voit (evoit) <evoit@cisco.com>
> > Subject: Re: Attestation Results for Connectivity
> >
> > <shameless_plug>
> >
> > Tomorrow, we are discussing this topic at the CCC Attestation SIG meeting.
> > Needless to say, everyone is more than welcome to join the call.
> >
> > For the details regarding agenda & zoom link, see:
> >
> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs
> > .google.com%2Fdocument%2Fd%2F1NkiS78knPhDO0vA9ElS-
> &data=04%7C01%7C
> >
> dthaler%40microsoft.com%7C7058c2c5167b495c547a08d908e5d7da%7C72f98
> 8bf8
> >
> 6f141af91ab2d7cd011db47%7C1%7C0%7C637550605542933134%7CUnknown
> %7CTWFpb
> >
> GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6M
> n0
> >
> %3D%7C1000&sdata=BNx%2FHfu7ptDXErqqe0vgNuVWr1kBb00GnHbbFH7
> m2OU%3D&
> > amp;reserved=0 bQOHNu783gGPdmTEbbOoOOU/edit?usp=sharing
> >
> > cheers!
> >
> > </shameless_plug>
> >
> > On 26/04/2021, 18:12, "Eric Voit (evoit)" <evoit@cisco.com> wrote:
> > >
> > > We have just submitted a new draft: Attestation Results for
> > > Connectivity
> > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fda
> > > tatracker.ietf.org%2Fdoc%2Fdraft-voit-rats-attestation-results%2F&am
> > >
> p;data=04%7C01%7Cdthaler%40microsoft.com%7C7058c2c5167b495c547a08d
> 90
> > >
> 8e5d7da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63755060554
> 2933
> > >
> 134%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
> CJB
> > >
> TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3LaG5MGjcx3q1izo6sKzhc
> uK
> > > 7fTXT2BwZBw93AOb6jA%3D&reserved=0
> > >
> > > This draft defines reusable Attestation Result information elements.
> > > When these elements are offered to Relying Parties as Evidence,
> > > different aspects of Attester trustworthiness can be evaluated.
> > > Additionally, where the Relying Party is interfacing with a
> > > heterogenous mix of Attesting Environment and Verifier types,
> > > consistent policies can be applied to subsequent information
> > > exchange between each Attester and the Relying Party.
> > >
> > > We would be very interested in your thoughts and input!
> > >
> > > Thanks,
> > >
> > > Eric Voit – evoit@cisco.com
> > > Henk Birkholz – henk.birkholz@sit.fraunhofer.de
> > > Thomas Hardjono – hardjono@mit.edu
> > > Thomas Fossati – Thomas.Fossati@arm.com
> > > Vincent Scarlata – vincent.r.scarlata@intel.com
> >
> > IMPORTANT NOTICE: The contents of this email and any attachments are
> > confidential and may also be privileged. If you are not the intended
> > recipient, please notify the sender immediately and do not disclose
> > the contents to any other person, use it for any purpose, or store or
> > copy the information in any medium. Thank you.
- [Rats] Attestation Results for Connectivity Eric Voit (evoit)
- Re: [Rats] Attestation Results for Connectivity Thomas Fossati
- Re: [Rats] Attestation Results for Connectivity Eric Voit (evoit)
- Re: [Rats] Attestation Results for Connectivity Dave Thaler
- Re: [Rats] Attestation Results for Connectivity Eric Voit (evoit)