[Rats] Re: Hint Discussion in CSR Attestation Draft

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 23 June 2024 19:28 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Henk Birkholz <henk.birkholz@ietf.contact>
In-Reply-To: <30ebbbcc-0fe5-ff91-0fe8-f27743e2b330@ietf.contact>
References: <AS8PR10MB742727BFEC71CB78468FB0E7EECD2@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <0145e095-e684-d2ee-58d5-41aee54a4b3b@ietf.contact> <2627.1718830718@obiwan.sandelman.ca> <30ebbbcc-0fe5-ff91-0fe8-f27743e2b330@ietf.contact>
Date: Sun, 23 Jun 2024 15:28:09 -0400
Message-ID: <11102.1719170889@obiwan.sandelman.ca>
CC: "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
Subject: [Rats] Re: Hint Discussion in CSR Attestation Draft
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/50WvMdx6AwbqZb4Er1370nKQdCM>

Henk Birkholz <henk.birkholz@ietf.contact> wrote:
    > so a MUD file cannot point to feasible Verifiers?

It's not that you can't put a pointer like this into a MUD file.
The issue is that there is no context for CSR Attestation in which a MUD URL
will be retrieved.  Sure, the hint present in the CSR EvidenceStatement could
be a MUD URL, but that seems like a useless layer of indirection to me.

And it probably could make sense for some environments where MUD is already
used, such as with draft-ietf-suit-mud!  I feel that we are lacking a few
pieces on the IETF "standard" MUD/SUIT/RATS ecosystem:

1) a standard SUIT Status Tracker
2) that also can distribute (multicast if practical) firmware updates to
   devices
3) that can collect RATS Evidence when it retrieves the SUIT Report
4) that can collect firmware from $vendor into a local repo, reducing the
   bandwidth, privacy and MUD impact of devices fetching their own firmware.

I hope the SUIT documents will finish the various review stages they are in,
and SUIT can consider rechartering to deal with these things.  I think that
RATS and SUIT were well chartered to interact with existing environments, to
embrace them, and now it is time to extend.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide