IETF Logo Mail Archive

Re: [Rats] EAT Profiles

Carl Wallace <carl@redhoundsoftware.com> Mon, 19 September 2022 17:15 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3C95C14CE20 for <rats@ietfa.amsl.com>; Mon, 19 Sep 2022 10:15:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7Tc4iOg1jth for <rats@ietfa.amsl.com>; Mon, 19 Sep 2022 10:15:53 -0700 (PDT)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFDE6C14CF09 for <rats@ietf.org>; Mon, 19 Sep 2022 10:15:53 -0700 (PDT)
Received: by mail-pj1-x102a.google.com with SMTP id p1-20020a17090a2d8100b0020040a3f75eso6762215pjd.4 for <rats@ietf.org>; Mon, 19 Sep 2022 10:15:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent:from:to:cc :subject:date; bh=CZC++tiku4Pov8LztYVqh6aP5GBca8wNh/Mb1VkJUF0=; b=e6TcCOGwfV1Znjf/7S1no6c3FLlBFJpmkfZ8m8SxnVMZ5iIqDTyQQWPSZkvMmPCmK6 D/NObVEt3W8cXxKdNOli0MCl93aFCAR5uJQZKOu1hgrUgRzJgTx5pnE7nZ1Rnbst3Cyh aq1UvTthlW2prDkuNtwjlB9Nf+tQDsqcHq53A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent :x-gm-message-state:from:to:cc:subject:date; bh=CZC++tiku4Pov8LztYVqh6aP5GBca8wNh/Mb1VkJUF0=; b=6QbVHsQ7+MWBUkVHnqaAgri4j2bTrmwyTaLFFPnLh279bM2mURs9PlttV4/ekODJ1n YwXH6gAjmdA4JL/AngpGTBZudIdQYBmRcalK67lE8UB1xuvrJ42gctboGqOcNRSigXd5 I9zw/w4N/eCWh1DsndKlyS2KtH0FdkbRP+5WUrvUJ8EECR/O1vNldgv9Fl8EmvcBAGEU 3et7qFYyik3bTa4klQ1GitFt7cMaY0TE8Lbr8IL1THRfsEdoyknLN23XuQb6+4vABXlx BuUCqByB39q34yfT3wDxWQrrRtYE1IhNESw9vJ74eQvxTE7RyTphMBLYvrg7fuCVPJg1 9Vfg==
X-Gm-Message-State: ACrzQf3DLZK58lEQ2wb2KtvSU7dDvYi81gl3Z7A4PcYQXxz/WDiYPW4G AJMOK6MmURCX17HjUH0HTV1xzA==
X-Google-Smtp-Source: AMsMyM6xRlXFP6AtUC9cdzNcb/lvRy7PzB6xNJfMzGg8FJl/JAbV7OxKYJ+xJlHGq+adnjqoLsWMjA==
X-Received: by 2002:a17:90b:3010:b0:202:d36b:73db with SMTP id hg16-20020a17090b301000b00202d36b73dbmr21715177pjb.24.1663607752923; Mon, 19 Sep 2022 10:15:52 -0700 (PDT)
Received: from [192.168.1.2] ([2600:100f:b114:ef24:3d11:51b5:93fc:e1f6]) by smtp.gmail.com with ESMTPSA id q17-20020a170902f35100b00172b87d9770sm20666953ple.81.2022.09.19.10.15.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Sep 2022 10:15:52 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.65.22091101
Date: Mon, 19 Sep 2022 10:15:49 -0700
From: Carl Wallace <carl@redhoundsoftware.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>
Message-ID: <844AF856-9A28-48BF-9A2A-F0214E9C00C8@redhoundsoftware.com>
Thread-Topic: [Rats] EAT Profiles
References: <71934.1663019954@dooku> <DBBPR08MB5915AC23726BF997EB9E44C4FA489@DBBPR08MB5915.eurprd08.prod.outlook.com> <19805.1663344806@dooku> <AS8PR08MB5911DB2FE9608541698983B0FA4D9@AS8PR08MB5911.eurprd08.prod.outlook.com> <636099.1663593501@dooku> <73263C15-D995-404D-843D-13C2ED4B0BC5@redhoundsoftware.com> <837335.1663604698@dooku>
In-Reply-To: <837335.1663604698@dooku>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/4aPobjOeJbRTcfjgBVzCSP1EjxU>
Subject: Re: [Rats] EAT Profiles
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 17:15:58 -0000

Inline...

On 9/19/22, 9:24 AM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:


    Carl Wallace <carl@redhoundsoftware.com> wrote:
        CW> This does not follow from Hannes' statement. Another vendor may use
        CW> some library to produce EATs for their profile and yet another vendor
        CW> may use the same library to produce EATs for a different
        CW> profile. From elsewhere in the threads, I also do not see why a
        CW> cookbook of profiles (i.e., your yellow, brown, red, etc. examples)
        CW> could not be produced referencing EAT as a base specification.

    It could be produced, but it actually would be difficult for many entities to procure.
    Being able to say, in an RFP, "RFCXXXX Yellow Profile" would be perfectly
    acceptable to international trade agreements.   The users of the profiles
    that become RFCs will also be relative easy.  

[CW] This is exactly what is emerging with the TEEP and PSA profiles. There will be RFCs for those. I was noting that someone may write an RFC for some profiles with broad appeal if/when those emerge. There is already one in the EAT spec.

Then the waters get murky when we get
    to other profiles that might only be published by vendors and consortia.
    They don't have standing in trade agreements... some ITU types claim that
    RFCs actually don't count.

[CW] There is nothing to be done about the fact that different use cases will require different claims, specific uses of common claims, etc. That EAT sustains this is a good thing to my eye. That there is a sibling specification for reference values to support verification is also a good thing. There will always be profiles, even if no new claims are defined (for example in a different profiling idiom, certificate profiles may define names, URIs, policy OIDs, etc. but no custom structures).

    Anyway, in every other security area, we have looked at multiplicity of
    options and decide that we don't want every option.  We've gone to either
    crypto suites being explicit, or UI suites where we don't present the user
    with all possible options.

[CW] That this is not the case is part of the issue here. COSE and JOSE are sources of optionality that profiles address. Additionally, EAT is paying some freight for being an early spec that straddles JSON and CBOR. Let's say it didn’t and chose CBOR only then a parallel spec that provided JSON emerged. How would we be any better off?

    I'm just asking for the same thing.


    --
    Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
     -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email