IETF Logo Mail Archive

[Rats] CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 22 November 2019 15:43 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF831120909 for <rats@ietfa.amsl.com>; Fri, 22 Nov 2019 07:43:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.642
X-Spam-Level:
X-Spam-Status: No, score=-0.642 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MALFORMED_FREEMAIL=1.355, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id segvDzUnbzfc for <rats@ietfa.amsl.com>; Fri, 22 Nov 2019 07:43:33 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB84D1208E0 for <rats@ietf.org>; Fri, 22 Nov 2019 07:43:32 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id o9so3254411plk.6 for <rats@ietf.org>; Fri, 22 Nov 2019 07:43:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :mime-version:content-transfer-encoding; bh=VaeeKn7IGBvhcubObVs2zEzZ34peX0lKF4nqbKkq/lA=; b=q1PoZ40uCEnwp6m8soIjoRr0Up/nTzq/H3rl8pvsRx8qdp3ysGhkfYGO+Z1UF9GPKu 7TtfdmT+UlmuqAHjTFvIh65Sj4x2OBcNeuC6iIy/uMDPHBTYdpaHSX+fO2PDHH+jCSQT 9ndevuGt4nmocOL74uP/jb6EMf2UOXo3xFiuY3isyNC57wHQpGm7IMplef0gg5+01AIb EJZQcIUkE8bfKdDHtEjRyzsKLmT4WUS0XnUBIaA5nlp03fdCQFu+zfOlLNST9b0Qlyl1 4LnnwGIXm5qunyP39yYfpk8DseXxbytlA+63tP9mE5xehZ74W/yrp+XDSqzH9BtepCY8 81Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:mime-version:content-transfer-encoding; bh=VaeeKn7IGBvhcubObVs2zEzZ34peX0lKF4nqbKkq/lA=; b=DuJhCdIdvSXE9dvxngXyu0xmj2/VRZn2vu5BSsXtfxNWZop6G4ijttOxTK99ECuKTE 9EARE8X4sTQlIhAsNkmTmudE4wbaANIWE0zM1ZPOAafJBbBXOojQPJ2d1rBjN4PrdRmM ZecdfBojG1CRkx+TK2Y+d50OBitFWzN35Yc2nAiEAphgnbk5KF8MA8++UAC4T7hLkGId lc8h8gsqKoO7gRj816X/Zf93EGBouMgFpoYi+K40nefgqlQ3SzC+u+ZqQHxgQqFGa0xM s3tf4RJ1AOiVuxM7/k89SlczYI7wRMTwZzhxGSqnORKjIhIwkh22l1dkFzrv0jMtbXhL iCcw==
X-Gm-Message-State: APjAAAW4Fgr0dalnk5geFW+lEYGZfsx8TxK4c3OZ8EC5ybWGLYyvL44i uQLUCFtp0zlg40WegYfFiSg=
X-Google-Smtp-Source: APXvYqxMaY5l8LLkcFwlhGlCNNlpZD+q0xB5RSX4j8kxY7qmemzbJw0ZjsjaQlX6+rsN5g6KoGY6RA==
X-Received: by 2002:a17:902:b215:: with SMTP id t21mr15080973plr.332.1574437412349; Fri, 22 Nov 2019 07:43:32 -0800 (PST)
Received: from [172.16.12.5] ([58.185.87.21]) by smtp.gmail.com with ESMTPSA id n12sm6729039pgb.32.2019.11.22.07.43.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Nov 2019 07:43:31 -0800 (PST)
User-Agent: Microsoft-MacOutlook/10.1f.0.191110
Date: Fri, 22 Nov 2019 23:43:29 +0800
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "rats@ietf.org" <rats@ietf.org>
Message-ID: <5D88882F-E40F-43C8-BC79-C5913845FE87@gmail.com>
Thread-Topic: CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/5R084Bn4uFsDl6rKEYeQyEAIbGw>
Subject: [Rats] CoSWID, was Re: Reviewing EAT for enterprise/cloud use cases
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 15:43:38 -0000

Hi Kathleen,

I was assuming CoSWIDs (or SWIDs) to become claims anyway, this wasn’t what I was asking. My question was whether SWIDs today cover the most common technologies that we use to deploy software, other than traditional RPM (and equivalent) software packages:

* Language-specific packages deployed directly into the OS, such as Python PIP and Ruby gems.
* Language-specific packages deployed into application servers, such as Java WAR files and NPM packages.
* Docker containers that consist of multiple "layers", each possibly including several RPM packages as well as other stuff, like individual copied files.
* Lambda functions that are built using their own custom toolset.

I am completely ignorant about the SWID ecosystem, so maybe the answer is Yes to all of the above (though a quick Google search came up with nothing). Any help from experts would be appreciated.

Thanks,
	Yaron

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Friday, November 22, 2019 at 22:15
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Reviewing EAT for enterprise/cloud use cases



On Fri, Nov 22, 2019 at 12:57 AM Yaron Sheffer <mailto:yaronf.ietf@gmail.com> wrote:
I have read the EAT draft, specifically with a “cloud” use case in mind. To clarify, what I'm looking for is the capability:
 
- To attest to software components that are running inside VMs, containers (either on VMs or bare metal), and anonymous containers (function-as-a-service, such as AWS Lambda).
- Such components may be deployed in arbitrary hierarchies (VM-in-VM etc.).
- Attestation of running (as opposed to installed) components. For example, container code may be pulled from a remote repository shortly before it is run.
- To support diverse roots-of-trust, such that when a hardware root-of-trust is unavailable, we can have a hypervisor or an orchestration server (e.g. Kubernetes) as the RoT, even if that means a lower level of trust.
 
I think in general, EAT can be made to fit these use cases, given its recursive structure. But not surprisingly given its origins, the draft would need quite a few changes.
 
* 1.2 (and 3.12): why not spell out that a submodule can be either a hardware or software component?
* 1.2: why *dedicated* root of trust, what is it dedicated to? A RoT may have other functions; a system may in general have multiple RoTs. The word "dedicated" is not repeated anywhere else in the document, nor is it explained.
* 1.3 continues to only talk hardware, e.g. when defining the "manufacturer". Software has a manufacturer too.
* 3.3: the notion of UEID is fundamentally incompatible with some component types that we would wish to attest. For example, the lifetime of a function-as-a-service container may be less than a second, and even if it has an identity during its lifetime, there is no registry or persistent record of this identity. Is a UEID required in this scheme?
* 3.4: hey, finally some software!
 
I think we still don't have a handle on identifying running software, and CosWID may not be the whole answer. CosWID is more like traditional software inventorying, and we need something that will cover dynamic modern software.

I'm going to write up some text for the CoSWID draft that would have a CoSWID in an EAT (CWT).  If the entire CoSWID (or even SWID) were in a claim, allowing you to add other claims, would this suffice for your use case?

I think I'll write a draft specific to what CoSWID looks like in an EAT as a follow up and would like coauthors.  I was thinking that might go into SACM, referencing the EAT work.

Best regards,
Kathleen

 
Thanks,
                Yaron
 
_______________________________________________
RATS mailing list
mailto:RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email