Re: [Rats] Why variability is needed (Re: EAT Profiles)
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 17 September 2022 17:14 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BE76C1522AD for <rats@ietfa.amsl.com>; Sat, 17 Sep 2022 10:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLm2ehzMwoBI for <rats@ietfa.amsl.com>; Sat, 17 Sep 2022 10:14:51 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB153C1522A1 for <rats@ietf.org>; Sat, 17 Sep 2022 10:14:51 -0700 (PDT)
Received: from dooku.sandelman.ca (dynamic-077-011-033-222.77.11.pool.telefonica.de [77.11.33.222]) by relay.sandelman.ca (Postfix) with ESMTPS id 111491F480; Sat, 17 Sep 2022 17:14:50 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 7170C1A0FCB; Sat, 17 Sep 2022 19:14:49 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Laurence Lundblade <lgl@island-resort.com>, rats@ietf.org
In-reply-to: <B48D92C7-9304-4B28-BDA5-8C447CF951B8@island-resort.com>
References: <71934.1663019954@dooku> <6D74BAE0-3B37-4A1F-9966-96EB60B9D675@island-resort.com> <240776.1663329145@dooku> <B48D92C7-9304-4B28-BDA5-8C447CF951B8@island-resort.com>
Comments: In-reply-to Laurence Lundblade <lgl@island-resort.com> message dated "Fri, 16 Sep 2022 11:23:01 -0700."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 27.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 17 Sep 2022 19:14:49 +0200
Message-ID: <396614.1663434889@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/3dWweOUe1eqa5z_qKvjPUgkwHwY>
Subject: Re: [Rats] Why variability is needed (Re: EAT Profiles)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Sep 2022 17:14:55 -0000
Laurence Lundblade <lgl@island-resort.com> wrote: > Here’s use cases that diverge from 6.3 to serve as examples that cover > just about everything listed in 6.3 > Composite of pure HW attester and TEE/HLOS attester > - HW uses non-preferred encoding of integers to output registers directly > - HW is simpler because an indefinite length map is used to hold the Claims-Set Okay, so could we call the first profile "Purple" and the one of the HW attester above "Brown", and name them in the EAT document? > JSON attester - Some one doesn’t use CBOR Well, yes, but isn't not using CBOR, so it's automatically not a CBOR Protocol. It's "Blue" > Chinese Attester - Must use Chinese crypto > Don’t trust NIST - Want Edwards algorithm. See TEEP profile. I don't think that profiles should name crypto algorithms. Please see RFC https://www.rfc-editor.org/rfc/rfc8247.html for what we should do, if we really need to write down MTIs. I don't think we can/should though. > Multiple signing for PQ - Use COSE_Sign instead of COSE_Sign1 to sign > with a PQ algorithm (e.g. LMS) and widely supported algorithm > (e.g. ECDSA) (I know someone doing this) I agree that this is a difficult part. I'd prefer the EAT said that things that verify EATS (i.e. Verifiers and RPs) MUST support both COSE_Sign and COSE_Sign1. > Time-based freshness - A highly constrained environment has trusted > time and wants avoid sending a nonce Seems like a reasonable thing to be able to say. I'd still like EAT to offer a clearer palette. > X.509-based keys/endorsements - Rather than using a kid, the leaf cert > / endorsement is included per draft-ietf-cose-x509 "If kid is absent, but x5c is present, then a verifier may assume ..." > Privacy/confidentiality required - The use case requires the encryption > of the EAT - Also may want to explicitly disallow UEID because it is > PII That seems both out of scope (the encryption is will need to be bolted on), and entirely reasonable for the user to list forbidden claims. > EAT carried by a tag-using CBOR protocol - The protocol carrying the > EAT wishes to use the CWT/COSE tag numbers to identify the item as CWT > and the type of protection it wants Can you give me an example here? Will this user register then own CBOR Tag? (What's a CWT Tag? I think a typo..) I'm pushing for EAT specifying somewhere between four and ten variations (with clear names), rather than allowing NxMxPxQxZ combinations to exist. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Thomas Fossati
- Re: [Rats] EAT Profiles Laurence Lundblade
- Re: [Rats] EAT Profiles Laurence Lundblade
- Re: [Rats] EAT Profiles Smith, Ned
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Hannes Tschofenig
- Re: [Rats] EAT Profiles Hannes Tschofenig
- Re: [Rats] EAT Profiles Thomas Fossati
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Laurence Lundblade
- [Rats] EAT Claim Constraining (was Re: EAT Profil… Laurence Lundblade
- [Rats] Why variability is needed (Re: EAT Profile… Laurence Lundblade
- Re: [Rats] EAT Profiles Smith, Ned
- Re: [Rats] Why variability is needed (Re: EAT Pro… Michael Richardson
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Hannes Tschofenig
- Re: [Rats] EAT Profiles Henk Birkholz
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Hannes Tschofenig
- Re: [Rats] EAT Profiles Carl Wallace
- Re: [Rats] EAT Profiles Thomas Fossati
- Re: [Rats] EAT Profiles Thomas Fossati
- Re: [Rats] EAT Profiles Smith, Ned
- Re: [Rats] EAT Profiles Michael Richardson
- Re: [Rats] EAT Profiles Henk Birkholz
- Re: [Rats] EAT Profiles Carl Wallace
- Re: [Rats] Why variability is needed (Re: EAT Pro… Smith, Ned
- Re: [Rats] EAT Profiles Thomas Fossati
- [Rats] Profile identifier (was Re: EAT Profiles) Laurence Lundblade
- Re: [Rats] Profile identifier (was Re: EAT Profil… Smith, Ned
- Re: [Rats] Profile identifier (was Re: EAT Profil… Russ Housley
- Re: [Rats] Profile identifier (was Re: EAT Profil… Michael Richardson
- Re: [Rats] Profile identifier (was Re: EAT Profil… Michael Richardson
- Re: [Rats] Profile identifier (was Re: EAT Profil… Giridhar Mandyam
- Re: [Rats] Profile identifier (was Re: EAT Profil… Henk Birkholz
- Re: [Rats] Profile identifier (was Re: EAT Profil… Giridhar Mandyam
- Re: [Rats] Profile identifier (was Re: EAT Profil… Henk Birkholz
- Re: [Rats] Profile identifier (was Re: EAT Profil… Giridhar Mandyam
- Re: [Rats] Profile identifier (was Re: EAT Profil… Henk Birkholz
- Re: [Rats] Profile identifier (was Re: EAT Profil… Giridhar Mandyam
- Re: [Rats] Profile identifier (was Re: EAT Profil… Smith, Ned
- Re: [Rats] Profile identifier (was Re: EAT Profil… Laurence Lundblade
- Re: [Rats] Profile identifier (was Re: EAT Profil… Michael Richardson
- Re: [Rats] Profile identifier (was Re: EAT Profil… Michael Richardson
- Re: [Rats] Profile identifier (was Re: EAT Profil… Smith, Ned
- Re: [Rats] EAT Profiles Dave Thaler