Re: [Rats] Composite Evidence

Laurence Lundblade <lgl@island-resort.com> Fri, 24 January 2020 00:41 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17EA71200F9 for <rats@ietfa.amsl.com>; Thu, 23 Jan 2020 16:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wM1-91ptLF-F for <rats@ietfa.amsl.com>; Thu, 23 Jan 2020 16:41:46 -0800 (PST)
Received: from p3plsmtpa06-04.prod.phx3.secureserver.net (p3plsmtpa06-04.prod.phx3.secureserver.net [173.201.192.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9649C120019 for <rats@ietf.org>; Thu, 23 Jan 2020 16:41:46 -0800 (PST)
Received: from [192.168.1.76] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id un2dimZpj6NxFun2eiACd4; Thu, 23 Jan 2020 17:41:44 -0700
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <BYAPR11MB253690686524F2557CEE33FCA10E0@BYAPR11MB2536.namprd11.prod.outlook.com>
Date: Thu, 23 Jan 2020 16:41:43 -0800
Cc: "Smith, Ned" <ned.smith@intel.com>, Michael Richardson <mcr@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <937DAF5E-CC8D-4552-8E4C-9CF67EC9C640@island-resort.com>
References: <BYAPR11MB2536867559E1A20682A1FC2BA10F0@BYAPR11MB2536.namprd11.prod.outlook.com> <25403.1579747229@localhost> <BYAPR11MB2536EEF62BD7B1C53EC59659A10F0@BYAPR11MB2536.namprd11.prod.outlook.com> <85492C6F-E854-448F-9507-BBAC25455392@intel.com> <14896.1579811757@localhost> <B7A7F7E5-EC09-44C4-AE02-C480E6D7F8D9@intel.com> <BYAPR11MB253690686524F2557CEE33FCA10E0@BYAPR11MB2536.namprd11.prod.outlook.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfDPnWjGx3XrbbBPVnyIhPfLWHieJpm/COHImSFupxvVDLgnJ5yH/xWBF6Qw0o/mCOnmb/D0w/jiL41wiMUDtU6TKlA4TtYGGgFkVHLYZT0ylxnlb/Sro oTGuzTiKkHvoW0g+2SiThryVPVDrjTIkS5Fl/bm81rSza2Qs2FRW/bsSGaTE1AQ86C+S+xuVCOYGpNJybILR9+FFGQG1mqSljNxoICgdryPCNQDg6ehJFtWw z4xy+8A6n9mxeryyGSHrDg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/5SMTbBE5mmQ86b9IRnmjbiGoTl8>
Subject: Re: [Rats] Composite Evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 00:41:50 -0000

Not up to speed on this thread but two comments:

- It seems the notion of target environment is important here.
- I am interested in implications for EAT submods. Seems you should be able to express this stuff in EAT.

LL

> On Jan 23, 2020, at 4:12 PM, Eric Voit (evoit) <evoit@cisco.com> wrote:
> 
> 
> 
>> -----Original Message-----
>> From: RATS <rats-bounces@ietf.org> On Behalf Of Smith, Ned
>> Sent: Thursday, January 23, 2020 6:11 PM
>> To: Michael Richardson <mcr@sandelman.ca>ca>; rats@ietf.org
>> Subject: Re: [Rats] Composite Evidence
>> 
>> See [%] marker inline below.
>> 
>> On 1/23/20, 12:36 PM, "RATS on behalf of Michael Richardson" <rats-
>> bounces@ietf.org on behalf of mcr@sandelman.ca> wrote:
>> 
>> 
>>    Smith, Ned <ned.smith@intel.com> wrote:
>>> The semantics of 'union composite evidence' (below) seems to suggest
>>> that the local Verifier that produced 'ar' is itself an attestable
>>> claim. The Attester asserts that the Attestation Results from a local
>>> Verifier are trustworthy and that they originated from a sub-
>> component
>>> of its Target environment.
>> 
>>    Yes.
>>    As explained by Eric in his diagram, the "ar" results might not be produced
>>    locally, they may be the result of a trip to a different (remote) verifier.
>>    Or as you suggest, they may be produced within some TEE, for which there
>> are
>>    evidence claims about why it's trust worthy.
>> 
>>    I think that this all maps to what I understand about TEEP actually.
>> 
>>> Another way to think about it is the Attesting environment knows
>> that
>>> the Target environment includes a Verifier and wants to assert that
>> the
>>> Verifier has trustworthiness properties - possibly by returning its
>>> SWID tag value. The Remote Verifier can then evaluate the
>>> trustworthiness of the SWID tag.
>> 
>>    Sure, that is a specific way.
>>    I think that the Chassis+Line Card situation also can work as an example.
>> 
>>> Based on that, if the Remote Verifier trusts the Local Verifier then
>>> the local Attestation Results are not claims asserted by the Attesting
>>> environment, but claims asserted by the Local Verifier. The only claim
>>> that seems to make sense from the Attesting environment's
>> perspective
>>> is that an 'ar' value from its Target was forwarded to a Remote
>>> Verifier. Signing the local Verifier's ar payload just asserts that the
>>> forwarding action has taken place. This is an argument for defining an
>>> 'Attestation Results forwarded' claim. Maybe this isn't that valuable
>>> in terms of a trustworthiness claim?
>> 
>>    [%] I think you are saying that rather than documenting that we forward a
>> union
>>    of evidence and attestation results, that we document that will create a
>> kind
>>    of evidence, which includes attestation results?
>> Maybe. It really is a case of multiplexing several conversations over the same
>> conveyance mechanism, but otherwise conversations could be de-
>> multiplexed (without creating unnecessary cross-dependencies). For example
>> in both Passport and BK-Check topology models, a message is simply relayed.
>> The endpoints are still the way they're defined in the Roles Arch diagram.
>> 
>> Email may not be the best way to try to illustrate but here goes. I assert that
>> Eric's diagram can be recast into two graphs where graph (a) is the sub-
>> component attester (A1), the local verifier (V1) and a relying party (RP). The
>> second graph (b) consists of the top level Attester (A2), a remote verifier (V2)
>> and the same relying party (RP).
>> Looks something like:
>> (a) A1 --- E1 ---> V1 --- AR1 ---> RP;
>> (b) A2 --- E2 ---> V2 --- AR2 ---> RP.
>> 
>> However, since A1 and V1 don't have a conveyance path to RP, they use the
>> one established by (b). The Combination topological model shows a case
>> where the Attester is relying/forwarding attestation results. Normally, an
>> attester doesn't consume attestation results. This same thing is happening in
>> Eric's example because AR1 is piggy backed with E2 on its way to V2 and AR1
>> is also piggy backed with AR2 on its way to RP.
>> 
>> I don't think we want to position that because AR1 is piggy backed with E2
>> that this creates a new type of Evidence (E3). It is still just (AR1, E2).
>> 
>> If it makes sense to define "routing claims" that assert that A2 intended to
>> piggy back AR1 with E2 then that should imply that if E2 = (c1) and c2 =
>> routing claim then E2' = (c1, c2). The conveyance still carries (AR1, E2') , but
>> possibly the c2 claim names AR1 as the piggy i.e. c2.name = "AR1".
>> 
>> V2 can verify the c2 claim and create an AR2' claim c3.name="AR1" and send
>> (AR1, AR2'); where AR2 = (c4,...,cn) and AR2' = (c3, c4,...,cn). RP can similarly
>> verify c3. Namely, the c3.name="AR1" claim is inspected to have payload AR1
>> as piggy.
>> 
>> The "routing" claims are ancillary to the basic roles and messages that are
>> the core basis for trust among the endpoint entities -  IMO. The core flows
>> are separable from routing. Routing shouldn't lead us down a path of having
>> new types of evidence (E3).
> 
> I agree that routing itself doesn't imply a new type of evidence.   What we do have at Attester is some trigger for when to collect the specific set of claims which are needed by the Relying Party to accomplish a particular use case. 
> 
> Eric
> 
>>> If however the Attesting environment wanted to make a stronger
>>> trustworthiness assertion it would have some other way to collect
>>> Evidence about the Targeted sub-components (who must already
>> have their
>>> own Attesting environments). But if the Attesting environment could
>> do
>>> this then it must be the same environment as the sub-components'
>>> Attesting environments. In which case, there is no need for a local
>>> Verifier - it is just complexity for complexity's sake.
>> 
>>    I think that I agree.
>> 
>>    It could be that there are competitive or regulatory reasons why the Lead
>>    Attester does not wish to reveal the types of the line cards attached.
>>    Consider an automobile (or passenger rail car, or human-rated Rocket)
>> that
>>    needs to attest that it has four good tires (which passed their 20,000km
>>    inspection), but which does not wish to reveal which manufacturer
>> provided
>>    those tires.  Passing on evidence directly would be a problem.
>> [nms] Privacy is an important consideration. If Evidence is privacy sensitive,
>> then it can be encrypted. The routing claims don't require transparent
>> Evidence to name them. Could compute a hash of E or AR or if endpoints
>> have security associations, then E and AR can be encrypted and a digest of
>> ciphertext becomes its name for the purpose of routing claims (see my
>> response above).
>> 
>>> The case of a local Verifier working with a remote Verifier is
>>> semantically the same as a Remote Verifier working with another
>> Remote
>>> Verifier. So, I don't see why Evidence and Attestation Results formats
>>> need to do anything special - like 'union composite evidence'.  It just
>>> says that Verifier1 may evaluate Evidence about Verifier2 before
>>> trusting Attestation Results from Verifier2.
>> 
>>    Thus my query up at [%].
>> 
>> 
>> 
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats