Re: [Rats] Verifier Input instead of Endorsement?

Dave Thaler <dthaler@microsoft.com> Tue, 30 June 2020 03:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/FBnlnqRokzGODXOcknP97J3MwkQ>

I don’t like the term “Verifier Input” since “Appraisal Policy for Evidence” is also Verifier Input, so I would find it confusing.
I think that the rules for what to put in Attestation Results (bullet 3), as well as “known-good/reference values” if such exist
(and there can be valid policies where they may not exist, or rather where the policies use more complex rules than
a simple test for equality against a constant) are conceptually part of Appraisal Policy.

I do agree that Appraisal Policy can be conveyed to the Verifier in many different ways, and may be composed
of different things from different sources.

Dave

From: RATS <rats-bounces@ietf.org> On Behalf Of Laurence Lundblade
Sent: Monday, June 29, 2020 11:34 AM
To: rats@ietf.org
Subject: [Rats] Verifier Input instead of Endorsement?

Stepping back a bit on the definition of an Endorsement, I think the four inputs to a Verifier are these:
  - Key material for verifying trust in the Attester
  - Known-good/Reference values for comparison with claims
  - Static implicit claims that are passed to RP's via Attestation Results
  - Appraisal Policy

These can and will be conveyed to the Verifier in many different ways:
  - X.509 certs with extensions
  - Signed documents
  - HTTP queries against the Attester/device manufacturer
  - Remote SQL or some other sort of database access to manufacturer(s)
  - Data storage like flash drives that are hand carried into the Verifier's site
  - One-time special file transfers
  - Ceremonial procedures with M out of N people physically present approving transfer

It seems like shoe-horning all of the above (except policy) into an Endorsement, like I’ve tried to do<https://github.com/ietf-rats-wg/architecture/pull/94> is too much. I tried this shoe-horning because I think the architecture document needs to cover all this and Endorsements was what was in it. A typical Endorsement seems to be just the first two mentioned, X.509 and signed documents; expanding its definition to include database access is a stretch.

Rather than defining Endorsement, I’d like to define Verifier Input:

          *******************   ************     ****************
          * Manufacturer(s) *   * Verifier *     * Relying Party*
          *******************   *  Owner   *     *  Owner       *
                       |        ************     ****************
                       |              |                 |
         Verifier Input|              |                 |
                       |              |Appraisal        |
                       |              |Policy           |
                       |              |for              | Appraisal
                       |              |Evidence         | Policy for
                       |              |                 | Attestation
                       |              |                 |  Result
                       v              v                 |
                     .-----------------.                |
              .----->|     Verifier    |------.         |
              |      '-----------------'      |         |
              |                               |         |
              |                    Attestation|         |
              |                    Results    |         |
              | Evidence                      |         |
              |                               |         |
              |                               v         v
        .----------.                      .-----------------.
        | Attester |                      | Relying Party   |
        '----------'                      '-----------------'


Endorsements must still be mentioned, but as one form of Verifier input just like EAT is one form of Attestation Evidence.

Verifier Input would be defined as:
  - Key material for verifying trust in the Attester
  - Known-good/Reference values for comparison with claims
  - Static implicit claims that are passed to RP's via Attestation Results

To do this, I’d replace the current PR<https://github.com/ietf-rats-wg/architecture/pull/94> and issue<https://github.com/ietf-rats-wg/architecture/issues/65> I have on Endorsements with a new PR. It will be a fair bit of work, so I want to see if there is some consensus first.

LL
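
Added example, not part of either message and not code from the RATS architecture: a toy Verifier that consumes the four inputs listed in the thread, showing one appraisal policy that is an equality test against reference values and one that is a rule with no constant to compare against. Every name and value is constructed for illustration, and an HMAC stands in for the Attester's signature.

```python
import hashlib
import hmac
import json

# Constructed sample inputs; none of these values come from the thread.
ATTESTER_KEY = b"constructed-demo-key"  # input 1: key material (HMAC stands in for a signature)
REFERENCE_VALUES = {"boot_hash": hashlib.sha256(b"firmware-1.4").hexdigest()}  # input 2
STATIC_CLAIMS = {"hw_model": "demo-board-A"}  # input 3: implicit claims copied into results


def policy_equality(claims):
    """Appraisal policy that is only a comparison against reference values."""
    return all(claims.get(k) == v for k, v in REFERENCE_VALUES.items())


def policy_rule(claims):
    """Appraisal policy with no known-good constant: a minimum version and debug off."""
    version_ok = tuple(claims.get("fw_version", ())) >= (1, 4)
    return version_ok and not claims.get("debug", True)


def make_evidence(claims, key=ATTESTER_KEY):
    """Attester side: serialise the claims and authenticate them."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def verify(evidence, policies):
    """Verifier side: check the tag, apply each policy (input 4), build the results."""
    body, tag = evidence
    expected = hmac.new(ATTESTER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"trusted": False, "reason": "bad authentication tag"}
    claims = json.loads(body)
    failed = [p.__name__ for p in policies if not p(claims)]
    result = {"trusted": not failed, "failed_policies": failed}
    result.update(STATIC_CLAIMS)  # static claims travel to the Relying Party
    return result


if __name__ == "__main__":
    newer = {"boot_hash": hashlib.sha256(b"firmware-1.5").hexdigest(),
             "fw_version": [1, 5], "debug": False}
    print(verify(make_evidence(newer), [policy_equality]))
    print(verify(make_evidence(newer), [policy_rule]))
```

The same Evidence fails the equality policy and passes the rule policy, so what counts as a reference value depends on which policy the Verifier applies.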