IETF Logo Mail Archive

[Rats] Review of <draft-ietf-rats-reference-interaction-models>

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Wed, 29 November 2023 16:45 UTC

Return-Path: <hannes.tschofenig@siemens.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA92C15108C for <rats@ietfa.amsl.com>; Wed, 29 Nov 2023 08:45:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9A6e7pihWdM for <rats@ietfa.amsl.com>; Wed, 29 Nov 2023 08:45:20 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2087.outbound.protection.outlook.com [40.107.7.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6F99C14CF1A for <rats@ietf.org>; Wed, 29 Nov 2023 08:45:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Mfn0uGbzy5h0c/rOLptn9wX8u2RLBWuI7pTsUa/ZckPtTy+oXr2T8tohpzst2PTl3vpI9OUd+a7X0Z2NLbnkA0u9pDGgc1baKCa5LGvBv4N4VgSmzLZyQtQrq7kffjmGE3KqszRgj/aFFx5SsIgyDopDMWN+lEit6+PBHEu/yB4YT4DsfURcau2gB9O50xj5uXVvtmIfFn/G9wyXbFvtu1GxLe+iWTsJSiFHpD4q1Sa25KVtKM1j+aKN0VhOTOdRmKzocIRWDOt0UxpNMQGbocGFAMo6y03rI9EC9+j/5W+1oHzcKVuCfyqSQoy54QyufvK+jm3oef/NRkuwrD31bA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0U4F9J4gOFfTI4iDEglA8bZ9yh8+MITSGWO/CXczTvs=; b=eDZIxqT8PWHAS/MDWVBw3WRt8FsxH6/SXeboB4xiKzs4WD2EwBM3rXHWPu5ChHoIHBYQdzBoAqpCh5LLz29/WmWIINprOPor6tMUC3ZThwiidpFteXkozcx5U3lV2AQCV/xxo60W7UScY0hmJAkJVJACwmxPCv+J28gwbNmuMwAfD5/3E5h5bvtB+SLo5nnMXy7SB4NeExg38sEMo+cZF92LldOEauxDW6Osh0lQtgVPu0YNM3jjn2WWfSsLmoj3jDihkHowAwfqP/ME4O51FWxm7YUWdXzTEKu5q+f6pxaGraSMm4cnaVXQvrAIOi/HBitMuh209CCwgS2ZpbtX5A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0U4F9J4gOFfTI4iDEglA8bZ9yh8+MITSGWO/CXczTvs=; b=d5vswWVUWZhNBKGVTA02RAqOh9O2TxHOBRoFI3nS3qB5DbRi6aJdNmytVogjQAua1Rbrl+ByZWb4k/UQ+sT+8klO3y8qZ0nOc9bN0KvRPKLFTS11Ro2DyrYJtxlLS+FxJEmLGm+AQ1jPwUMLPnlVqjziR0R0dh0zNAvQpBOHfHOBRkLL8l+uChX0PjD3sCLYth7MCBsCCkw7Tc0OQvtjhXV1qKxPur9aMCltuBu/fImkeGwyNE13xR7jUP1GxezEuMNb1P8hl8UoguW4iM6Yy729QXf6fgtj7uvPvjW0njAAJ9kmDC4Pc/EKwpiVE78gFbvZGRf8cGx5VkxPQvxwiw==
Received: from AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:5ab::22) by AS4PR10MB6086.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:581::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7046.22; Wed, 29 Nov 2023 16:45:17 +0000
Received: from AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM ([fe80::3219:723c:10ee:c70e]) by AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM ([fe80::3219:723c:10ee:c70e%4]) with mapi id 15.20.7046.023; Wed, 29 Nov 2023 16:45:17 +0000
From: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
To: rats <rats@ietf.org>
Thread-Topic: Review of <draft-ietf-rats-reference-interaction-models>
Thread-Index: Adoi4EFblzc+pdeASO+Ef/9BA9lf5A==
Date: Wed, 29 Nov 2023 16:45:16 +0000
Message-ID: <AS8PR10MB7427EC7A44AC90D0D3CB642CEE83A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=85fc8d66-d34f-4496-b575-5ae361ef3613; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2023-11-29T16:21:11Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS8PR10MB7427:EE_|AS4PR10MB6086:EE_
x-ms-office365-filtering-correlation-id: 33b9b14a-2d49-4d8e-928a-08dbf0fa911a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bPtAL+5wEnZ3c/XEG/OeXlf/iY2MZEifweIZELyalM6+KHmErupM19tM+ojwehNQ/ume61HHOeWSFJxWVlGI9vn3TfPaCX+5zw/gx5p8ZOnL8LH1e7AT4pJe8KtJpW8xK83RW7GJgGbqqmnyl/7ZlLhlxo2p0eufuPsjV9mdXXQGH60QVOrNmA6iLUUSSPcy7fI+wgfbumUJDUFnUHZlQYW18atSW2jdeIr8Smg9Cvdl371wEHv/W4PGFLfiUYZmLrYMbudtUHocVYD2DYqgAhEFPbGZ2sd/+3F/f/gZlwUnFJVaia6/NxOM3K3hylFD2HeWOu5nXmaNLJR4nOg/l0WSWO7Z8a7xnitCl1RlBvY6kMmFerawwMBT7P12cupqCyy2i5KLGXRNpZq0jCaWMSM/M3fdU1vO4LudKib54rBJhKBLBkhn1qDOmhfrW+EXq5s8J/MdmwVr7Q7Or8rj77wjQEGC0vwTmp3dwtS3k22iTVSRU6aHPD2fE+un8mgzTu347Dhpod/ysLBew1letc1FZlyqTFdewMvNJDSvNtdsNsMv5bBsKTjgQNFG0qQc/rSc/tJjTvAwZxfiFlAW3ZBgh51Qikf9ISf5/TZs3sgkRqTgjlms6MF59FBF40Mb
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(346002)(396003)(39860400002)(376002)(366004)(136003)(230922051799003)(451199024)(1800799012)(186009)(64100799003)(122000001)(316002)(38100700002)(66446008)(66476007)(66556008)(26005)(76116006)(66946007)(64756008)(6916009)(71200400001)(478600001)(82960400001)(38070700009)(7696005)(52536014)(6506007)(86362001)(2906002)(55016003)(9686003)(5660300002)(33656002)(8936002)(41300700001)(83380400001)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: iXUE4iPhOSORkk0vpX3xjRSexymbv/nTDvbZlhjqurMJHh1+j8s4w17V60aA0DBx5URlSyV8LLKcEbnn53tRB1o+JDZqZuPk9WCHKsQb2Xb9TUyLZMEI7TnidOzEODmjukO6XZVGzsDCPgOamiBlzBb0RIQdQ/gA6drcrRal0AKCsXOgWEaF7rKk5VLpEZqtK5C2hfwBtKrBXPIycdXVHVO0TKw60C6yZ++QL6k5CVaRm7hUbsOwO3Oga5l0JRFh4aXryJuQcFIAqe5vAKku2jU3pLc5CJJOwb6mfY38tRnTwSPv/J9wQgqWCkXsMsxjLRb0slxV3hsp6S5yRwzPF5WRZxF7qvSBDKNvuvdquT4v80GNJ4YnlG18DETgf+kDGcHLbb+x7pviMVFH88P0uG/VbFpcjQEz4/jbhVqEP/oEmTephp1jtLjo9W7bqhLCpE6qgsPPRD73iZmWsrvaYyx3bbCHqhf6P5Qbt6AX12ErdR0CifUIYAWcWmqFLX/MJH79Ang0gAETXrYJsieVb8CO124YRE1WEE5Wva1G/OJlRFepNIrSAOXNaoptU0EbrstmRVyUDHMTGiazsidMx9wZEJrLvxt3VdxIh4/6QeA4ZdJc+AtbmBcvTOUQo41r1Q8Jb9fiit81EitevpmnAc04xfSPlrJXkuVNTzCridTdBIDmhLHoW7BX6uOxKo/ryjOr50qELF1kuHoumppgX2dJn6OI7q4BGEMbKtaMWikLyifN94tLnv4cZ9pm7AVNemHnM8rmWDtndA3H25tVKeoLzoB8NDHvdLq4JtrtQLCfReeFWZlZF5TD7HCLyVplW0SymKCzo9gJv/iGpt16YyrBYjnl1Nvroe6AThyNqkXNFRCYMsFAgV+U8d1/kwbKYXcATTazqGt0AzhFfVZZPpMPSHRGAS8KuoSWj+mcySh6pj6yQAWGkT9bHKtbcE7SeK8C7j200BuZl3Zlav02bq0W2xM1jc8yoPU7Ufr4gzj/BHkm6wMRo3gb1qoJJrGeaI/pRWBjcRjwcN/RrfcapKiyuks5AHHtIwhSelpGOjxeHt4GldF4vXdubSj+r1Q0z3A5WoaMA9KXuJ+CLG/lUYEzz1WvSvJXLxw2i45idLrQzosZxYIvQ15gYMBPY8MSV3YBEb3DHtM9Aq0pDfYv0AYPIf9DMi4vbfKHsgvdGiWvJGd2OKf82nehp0pe2CK/LZgjwRBZhhWteUOXmp+xnnAi/1uue8lp/Ap+F8WMFDUTWEk2PgpS+fv0lEMyaqtFt9GhdK0rUEp3p2ahyDFDyLWexscuSvj2VimOdk5MApsfLHbpJzCBTV8kvnaHmcBcwjII4O2EXJpfKMkZ6dp+sWKxki9U6n7h8vbRjstmlm3Ej2BxW/x4Tzsz5CH56hFLuMQJBX3lwroe/HMCCEl2SxNI+3q3xGVGkl5dnBkLmaXtRetbEcjBrtX06GwUeo/BzBEymOVCGwqZM+btH9cxOvyBkBm09ljQD9yjG+AZ7/XKQj9OdKDmHwreOGN9wKZ8B/OWpDW8SUyqpW5JzP4JkMxOmCEc4GQhyx031DAkmrfHwVwjAqZODXnnzOCUtkroh3Wf8MiXgzADOIuFP3yiUw==
Content-Type: multipart/alternative; boundary="_000_AS8PR10MB7427EC7A44AC90D0D3CB642CEE83AAS8PR10MB7427EURP_"
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 33b9b14a-2d49-4d8e-928a-08dbf0fa911a
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Nov 2023 16:45:16.9593 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BsdBwX3bmpCQm9hzQHGaRHKRIwpDAClLhgGy/HyYHFnE0Sa6s9bbNfFStLpKj7FMQFWJZ2xdPBn6nb+j6WRURwygZHe9cgZ5rlpXQfh6RYo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS4PR10MB6086
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/4YitOna_O8_bK42euXGf8gvc9ic>
Subject: [Rats] Review of <draft-ietf-rats-reference-interaction-models>
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Nov 2023 16:45:24 -0000

Hi all,

I have read through <draft-ietf-rats-reference-interaction-models> and have a few questions.

At the core, the document tries to define information elements that are supposed to be used by a Verifier to ask an Attester for Evidence.
In the request from the Verifier to the Attester, the following information elements are mandatory:


  *   Authentication secret ids
  *   Handle
  *   Claim Selection

None of these terms are defined in the RATS architecture document. The claim selection is supposed to give the Verifier a chance to tell the Attester what claims to return in the Evidence. The Handle corresponds to the freshness mechanism used (such as a nonce) and the authentication secret id allows the Verifier to tell the Attester what keys to use to sign the Evidence.

A couple of questions arise:


  1.  Why has the nonce term been renamed to handle?


  1.  How should the Verifier know what Claims to ask for given that it is not likely to know what attestation technology the Verifier supports? The model assumes that the Attester is so flexible to report a subset of the claims and the Verifier also needs to be flexible to know that a certain subset of claims make sense from a processing point of view. Is flexibility really a good approach here?

  1.  How does the Verifier know what values for the authentication secret ids to convey to the Attester given that it is not likely to know upfront what attestation keys the attester will have stored? Do you expect the Attester to have many different Attestation Keys to choose from? Why is the term "Authentication Secret ID" used instead of "Attestation Key ID" or something along those lines?

The authors seem to make a number of assumptions that need further explanation.

Ciao
Hannes

v2.23.0 | Report a Bug | By Email