Re: [Rats] Comments on draft-birkholz-rats-architecture-01
Laurence Lundblade <lgl@island-resort.com> Sun, 14 July 2019 19:39 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9291120172 for <rats@ietfa.amsl.com>; Sun, 14 Jul 2019 12:39:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JK2dKBSBMRE2 for <rats@ietfa.amsl.com>; Sun, 14 Jul 2019 12:39:08 -0700 (PDT)
Received: from p3plsmtpa12-01.prod.phx3.secureserver.net (p3plsmtpa12-01.prod.phx3.secureserver.net [68.178.252.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0A6B120165 for <rats@ietf.org>; Sun, 14 Jul 2019 12:39:08 -0700 (PDT)
Received: from [192.168.0.107] ([67.237.247.208]) by :SMTPAUTH: with ESMTPSA id mkKwh4tJYdXg4mkKxhUNDn; Sun, 14 Jul 2019 12:39:08 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <A5E5E10D-D423-4EA6-B99B-6BE925FB8DFD@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_37A72663-2508-4E20-BBA6-A06E4D78B8F7"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sun, 14 Jul 2019 12:39:06 -0700
In-Reply-To: <CAN40gSuge3=-dKTtUz2bWVTzBDX0rqmr1sj=NT_-OVRH90o=9A@mail.gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "Ned Smith (ned.smith@intel.com)" <ned.smith@intel.com>, "henk.birkholz@sit.fraunhofer.de" <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>, Nicolae Paladi <nicolae.paladi@ri.se>, "monty.wiseman@ge.com" <monty.wiseman@ge.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, Thomas Hardjono <hardjono@mit.edu>
To: Ira McDonald <blueroofmusic@gmail.com>
References: <0189ed44bcf749c18e9b6612b2728553@oc11expo23.exchange.mit.edu> <8C52026F-A4D1-4CA5-901A-C20CC2396DF5@ri.se> <20190713023817.GU16418@mit.edu> <CAN40gSuge3=-dKTtUz2bWVTzBDX0rqmr1sj=NT_-OVRH90o=9A@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-CMAE-Envelope: MS4wfJCbnO7DlpYxEXDb0tLg/uaE0CW+g1WOMAkufU3RUQyMaMo10UOLIe4TcEhZSrUpRcC+Hca3LGUsXOTd5ymx2wawVEaf0KVUt/7FSM1BJDa5x1pCWU2c MxVhJktckg2d1Ue5fymMCmNKUeENQ9aflMJvnj8xncDkqXR1umd7wMbDfuMHGx3y4Oy745noEDM52tNxnGR9uD+/O7mWb5UUM8cLGyVDMFzIv5ByLK+3WRxm neyQ7ZTweq6WSzPlfyxdZ6UfAwRtVHflxkzX/r5LCV5dF5TlUacRECPbcOJ1p8rugMv3vSd2+qhEsdk/m5JZXobeHFRSEPHuPb6yvwHXV8el82tBu3wgJMi3 e58Rc2ptS6OtESEUOE2Wc2qeVyLPaFNqJgLMR7GCH+tn5yXsFZEqjbsnWRads/+0jkWzANylhSyO1Guxl6N3Z2RG+4yarw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/4_JVMF6LQ_UocDfzjpOsW3d_VH4>
Subject: Re: [Rats] Comments on draft-birkholz-rats-architecture-01
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2019 19:39:12 -0000
My framing for this is not binary, in this day and age of risk engines and machine learning. The relying party receiving the attestation is going to take whatever data is attested in as part of a decision that will probably involve other data such as transaction history and type. For example: - A payment might be allowed if it is tiny and the risk of losing the customer is high even if the attestation seems wrong. Or vice-versa, the payment is large and the customer expects best protection. I’m pretty sure PayPal, VISA, Mastercard, Experian and such operate this way. - a biometric authentication may not be allowed even though the attestation is excellent because the risk engine recognizes a pattern of fraud based on other non-attested data. - A bad attestation from a router might be considered an isolated event until more evidence is accumulated. No one is went to the wire closet. I also consider the security technology used to protect the signing key and attestation creation subsystem variable in security. And it needs to be considered in relation to the capacity of the attacker. A TEE (little defense against chip probing) might be consider quite good for small to medium $ payments backed by a risk engine. An EAL 6 secure element may be the only thing considered OK for access to a nuclear facility with no risk engine back up. I prefer to never characterize something as trustworthy or as secure in any RFCs we create. CWT and JWT don’t seem to go down this path either. (Correct me if I’m wrong, but I think maybe TCG does use the secure/non-secure framing. If so, I do NOT think we should bring it in here.) LL > On Jul 13, 2019, at 7:13 AM, Ira McDonald <blueroofmusic@gmail.com> wrote: > > Hi, > > About binary "trustworthy". > > This is a fundamental fallacy. Neither "trustworthy" > nor "secure" are *ever* binary. That's basic to the > security by design approach. > > Cheers, > - Ira > > Ira McDonald (Musician / Software Architect) > Co-Chair - TCG Trusted Mobility Solutions WG > Co-Chair - TCG Metadata Access Protocol SG > Chair - Linux Foundation Open Printing WG > Secretary - IEEE-ISTO Printer Working Group > Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG > IETF Designated Expert - IPP & Printer MIB > Blue Roof Music / High North Inc > http://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic> > http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc> > mailto: blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com> > PO Box 221 Grand Marais, MI 49839 906-494-2434 > > > > On Fri, Jul 12, 2019 at 10:38 PM Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>> wrote: > Cherry-picking one point... > > On Mon, Jul 08, 2019 at 02:44:56PM +0000, Nicolae Paladi wrote: > > Hello, > > > > Some comments on draft-birkholz-rats-architecture-01<https://tools.ietf.org/html/draft-birkholz-rats-architecture-01 <https://tools.ietf.org/html/draft-birkholz-rats-architecture-01>> > > > [...] > > 7.1.1<https://tools.ietf.org/html/draft-birkholz-rats-architecture-01#section-7.1.1 <https://tools.ietf.org/html/draft-birkholz-rats-architecture-01#section-7.1.1>>. How the RATS Architecture Addresses the Lying Endpoint Problem > > > > > > > > > > > > RATS imply the involvement of at least two players (roles) who seek > > to overcome the lying endpoint problem. The Verifier wishes to > > consume application data supplied by a Computing Context. But before > > application data is consumed, the Verifier obtains Attestation > > Evidence about the Computing Context to assess likelihood of poisoned > > data due to endpoint compromise or failure. Remote Attestation > > argues that a systems's integrity characteristics should not be > > believed until rationale for believability is presented to the > > relying party seeking to interact with the system. > > > > “Likelihood” implies a probabilistic approach to trustworthiness (e.g. 42% likelihood of poisoned data”). Is that really feasible? And if so, is it actually of any use? IMO trustworthiness is binary (“trustworthy or not trustworthy”), or binary and conditional/contextual (“trustworthy if used for certain actions”). > > My personal thinking here is along the lines of "this data makes me > confident that only someone who was able to subvert my supply chain and > surreptitiously replace the TPM chip in the sealed device delivered to me > would be able to forge the attestation evidence; I don't think I'm the > target of such an attack, so there's a low likeliyhood of endpoint > compromise". Or, as James Mickens put it more glibly in > https://www.usenix.org/system/files/1311_05-08_mickens.pdf <https://www.usenix.org/system/files/1311_05-08_mickens.pdf> there's a > Mossad/not-Mossad distinction in the potential attackers, and if the Mossad > is a threat, you're gonna be Mossad'ed upon no matter what you do. > > -Ben > > _______________________________________________ > RATS mailing list > RATS@ietf.org <mailto:RATS@ietf.org> > https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats> > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats
- [Rats] Comments on draft-birkholz-rats-architectu… Thomas Hardjono
- Re: [Rats] Comments on draft-birkholz-rats-archit… Nicolae Paladi
- Re: [Rats] Comments on draft-birkholz-rats-archit… Benjamin Kaduk
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Laurence Lundblade
- Re: [Rats] Comments on draft-birkholz-rats-archit… Nicolae Paladi
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Smith, Ned
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Adrian Shaw
- Re: [Rats] Comments on draft-birkholz-rats-archit… Laurence Lundblade