Re: [Rats] should Evidence containers be explicit about Personally Identifiable Information?

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 03 July 2020 09:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/5NlF6Wv_m0hFqOPUCMkSHgKEf5s>

Hi Michael,

Thanks for raising and articulating this point.

On 01/07/2020, 02:54, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
> I had asked in my aside, if the *ARCHITECTURE* document should create
> a requirement on Evidence (such as EAT) that it should *explicitly*
> flag when it contains PII.
>
> [...]
>
> So part of my question was should we debate this now, and make this an
> architectural requirement for all containers?

Personally, I am not convinced that an in-band pii flag is needed.

On the Attester side, the privacy problem can be addressed by an
attestation API that allows the caller to selectively turn off claims
that are PII -- either with per-claim switches, or by presenting
pre-canned PII-revealing and PII-hiding interfaces to the Evidence
generation service. We expect the attesting endpoint to make the right
decision about what can be hidden and what needs to be revealed
depending on context.

On the Verifier side, I'd expect that the log/audit anonymisation and
retention policies for Evidence are an integral part of the service
configuration.  So, no need for an in-band signal about what is to be
considered PII since the Verifier is going to be made aware of it by
some out-of-band means.

That leaves the RP, which I'm not fully sure about.  However, my gut
feeling is that the Attester will have to trust the RP to do the right
thing since no in-band pii flag will ever be able to restrict what a
malicious RP can do with the obtained PII.

Am I missing anything?

cheers, t

PS: Maybe there is a requirement for EAT profiles to specify in their
privacy considerations what claims are PII and what is the expected
treatment by actors in the attestation chain.  This is EAT's job, not at
the architecture doc level though.
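The two mechanisms proposed above, an Attester API with per-claim PII switches (or pre-canned PII-hiding and PII-revealing interfaces) and a Verifier that applies its own out-of-band anonymisation policy before logging Evidence, sketched as added example code that is not from this thread or from any RATS/EAT implementation. The claim names, the profile's PII labels and the log salt are constructed assumptions.

```python
import hashlib
import json

# Constructed EAT-style Evidence claim set; claim names are hypothetical, not a real profile.
EVIDENCE = {
    "nonce": "c0ffee0123",
    "ueid": "0198f50a4ff6c05861c8860d13a638ea",  # stable per-device identifier: PII
    "oemid": 0x1234,
    "security_level": "secure-restricted",
    "location": {"lat": 51.5, "long": -0.12},  # PII
}

# What a hypothetical EAT profile's privacy considerations might state: which claims are PII
# and the expected treatment by the Verifier when Evidence is retained in logs.
PROFILE_PII = {
    "ueid": "pseudonymise",
    "location": "drop",
}


def evidence_for(claims, profile_pii, reveal_pii):
    """Attester side: a single per-claim switch. The PII-hiding variant omits
    every claim the profile marks as PII; the revealing variant passes all through."""
    if reveal_pii:
        return dict(claims)
    return {k: v for k, v in claims.items() if k not in profile_pii}


def evidence_pii_hiding(claims=EVIDENCE, profile_pii=PROFILE_PII):
    """Pre-canned PII-hiding interface to the Evidence generation service."""
    return evidence_for(claims, profile_pii, reveal_pii=False)


def evidence_pii_revealing(claims=EVIDENCE, profile_pii=PROFILE_PII):
    """Pre-canned PII-revealing interface; the caller decides based on context."""
    return evidence_for(claims, profile_pii, reveal_pii=True)


def redact_for_log(claims, profile_pii, salt):
    """Verifier side: apply the service's (out-of-band) anonymisation policy before
    Evidence is written to the audit log, so no in-band flag is needed."""
    logged = {}
    for k, v in claims.items():
        action = profile_pii.get(k)
        if action is None:
            logged[k] = v
        elif action == "pseudonymise":  # keyed hash keeps linkability within one deployment only
            digest = hashlib.sha256(salt + json.dumps(v, sort_keys=True).encode()).hexdigest()
            logged[k] = "pseudonym:" + digest[:16]
        elif action != "drop":  # "drop": claim never reaches the log
            raise ValueError(f"unknown PII treatment {action!r} for claim {k!r}")
    return logged
```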
