[Rats] Re: Freshness with Nonces

Carl Wallace <carl@redhoundsoftware.com> Wed, 19 June 2024 09:57 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9866BC14F71D for <rats@ietfa.amsl.com>; Wed, 19 Jun 2024 02:57:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DbrLZkinP6Ca for <rats@ietfa.amsl.com>; Wed, 19 Jun 2024 02:57:17 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4673BC14F6F2 for <rats@ietf.org>; Wed, 19 Jun 2024 02:57:16 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id af79cd13be357-797b24b8944so592400885a.0 for <rats@ietf.org>; Wed, 19 Jun 2024 02:57:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; t=1718791035; x=1719395835; darn=ietf.org; h=mime-version:thread-topic:message-id:to:from:subject:date :user-agent:from:to:cc:subject:date:message-id:reply-to; bh=EVry8xQwcM7ehDOlC0PsGhzb2TVnmD6IIQJIujDjo9w=; b=cgxUa9dPGo7O6P8f/njIRhCm4c+5J9Ppm+giBnMgU3yseLLc1NJ7MP4Ek2Ebnx2/dP tNps88gy8rRq9N5m0Lk/C+xEskTzM8MznkfeO1AGM6Oc4HJ8eGbWbWTA8mBZh7qC4rhk GzjZQRcZvxWgKLYvEegphbFa9/wRKgYdHmnoU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718791035; x=1719395835; h=mime-version:thread-topic:message-id:to:from:subject:date :user-agent:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EVry8xQwcM7ehDOlC0PsGhzb2TVnmD6IIQJIujDjo9w=; b=t46at4AuEyun+0cX93NpECtoSaY4FWZmtGqasxnVBCQNooxXVSN0ciErTPq9OWrM2n 3rm3zAMh+jo44RSNWtkwvkZDNxgGY/AcPUEAj7//arbC8qp2/7oYBzwUOoNJ8ijEB9Vv tsAQdoeKpTXhFxXmFVeCP8frND7CfhxMVCSc+gJra4iazSr9/lSMauFotqi4gyZYXWXw bCJ/J+LGWERRnMnem7f2k9Yt+Ui2hHR3KsBSJq1Gu6CEWI/M34E3i1NV8bpytT8P99Y+ d7qvskh1ih2mhNNTZoFxo2olR/UOJbDd+05wK9kZfmIaeOC8T1j0SjkY2vAoHMkcUrFE ClHQ==
X-Forwarded-Encrypted: i=1; AJvYcCXeRGLvKiglTciU8GJ6b0XNRPMyUgqnHei9xwxkeLD1n9DMmj9Y+JKayHaMgBtw6wsGoVM1CZXBkVTbZIaQ
X-Gm-Message-State: AOJu0YzLaHMV4M+3RL+8PsBpmUc6g3LCgLDTmuPu9bPqnztIEfcSW8jl ojX+/H//0TErP/M3NNB1BmqSsjYOCcl20bMo0XZMzen+3GVcs/i17d5K+AIE+eA=
X-Google-Smtp-Source: AGHT+IFDZryVHDXFf29ofX4/fLG96drVa2UIE2QfyZ+TYJBK5hljFeCABgmQqDGQjl4MhvBQcaYlZg==
X-Received: by 2002:a05:620a:2416:b0:795:ffde:2275 with SMTP id af79cd13be357-79bb3ebdbbamr228477285a.53.1718791035188; Wed, 19 Jun 2024 02:57:15 -0700 (PDT)
Received: from [192.168.4.77] (pool-96-255-232-167.washdc.fios.verizon.net. [96.255.232.167]) by smtp.gmail.com with ESMTPSA id af79cd13be357-798aacb1c94sm593890085a.5.2024.06.19.02.57.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Jun 2024 02:57:14 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.86.24060916
Date: Wed, 19 Jun 2024 05:57:13 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
Message-ID: <3D0F8C7D-D1C6-4014-B69B-714771152A7E@redhoundsoftware.com>
Thread-Topic: [Rats] Freshness with Nonces
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3801621434_472417458"
Message-ID-Hash: HJ6C24DIHEXGFDFQGGXKDIMXCMOLRFJO
X-Message-ID-Hash: HJ6C24DIHEXGFDFQGGXKDIMXCMOLRFJO
X-MailFrom: carl@redhoundsoftware.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: Freshness with Nonces
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/5pQ0kY_5wlLHlz6J_1sntens0ig>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Inline…

 

From: "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>
Date: Monday, June 17, 2024 at 8:33 AM
To: "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
Subject: [Rats] Freshness with Nonces

 

Hi all,

 

In the RATS architecture the Evidence is processed by the Verifier. For a given Verifier to check for replays timestamps, nonces, and epochs have been introduced. I only talk about nonces here.

 

The nature of nonces is that they are randomly selected by the party that checks against replays, the verifier in our case. Section 10.2 of RFC 9334 talks about nonce-based freshness.

 

No problem so far. However, when we integrate CSR attestation (which carries the evidence) into a certificate management protocol like EST or CMP we must request the nonce in advance before the attester is able to include the nonce in the signed evidence. 

 

[CW] I don’t think this “we must request the nonce” is correct, at least where “we” includes the attester. In some cases, the attester is acting upon instructions provided to it. Those instructions may include a nonce. An example of this arrangement is a SCEP payload in the iOS OTA protocol. How the MDM (or whatever prepared the instructions) obtained the nonce is irrelevant to the attester and, in my experience, need not be signaled in the subsequent request.

 

This raises questions about how the relying party (in the background check model) obtains that nonce without conveying any extra information from the attester to the relying party about which verifier to select.

 

What information should be used by the attester and subsequently by the relying party to determine the verifier before transmitting the evidence?

 

[CW] Your question raises questions about how the attester knows where to obtain that nonce without having been provided any extra information.

 

Ideally, the RATS architecture should have provided an answer to this question but unfortunately it does not.

 

[CW] I think this discussion is hinting at a desire for some attestation verification protocol. It may be that sticking an extensible field where the hint is now is the thing to do, to facilitate the relatively abstract current hint mechanism or a future, more concrete, link to a verification service.

 

Ciao
Hannes

 

PS: We (Hendrik and I) thought that the hint introduced in the CSR attestation would have been a good candidate for this determination. In our mental model the hint would be something like an FQDN because in the passport model of the RATS architecture the attester also needs to have the FQDN (or even a URL) of the verifier to get the communication working.

 

_______________________________________________ RATS mailing list -- rats@ietf.org To unsubscribe send an email to rats-leave@ietf.org