[Rats] 答复: 答复: 答复: use case document updates on Roots of Trust
"Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com> Tue, 17 September 2019 02:54 UTC
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 874E81200E7 for <rats@ietfa.amsl.com>; Mon, 16 Sep 2019 19:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGFG_wJnJTst for <rats@ietfa.amsl.com>; Mon, 16 Sep 2019 19:54:43 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8563112001E for <rats@ietf.org>; Mon, 16 Sep 2019 19:54:43 -0700 (PDT)
Received: from LHREML711-CAH.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id C9F344D37057572BC86F; Tue, 17 Sep 2019 03:54:41 +0100 (IST)
Received: from DGGEMM403-HUB.china.huawei.com (10.3.20.211) by LHREML711-CAH.china.huawei.com (10.201.108.34) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 17 Sep 2019 03:54:41 +0100
Received: from DGGEMM511-MBX.china.huawei.com ([169.254.1.135]) by DGGEMM403-HUB.china.huawei.com ([10.3.20.211]) with mapi id 14.03.0439.000; Tue, 17 Sep 2019 10:54:33 +0800
From: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
To: Carl Wallace <carl@redhoundsoftware.com>
CC: Laurence Lundblade <lgl@island-resort.com>, "Salz, Rich" <rsalz@akamai.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: 答复: 答复: [Rats] use case document updates on Roots of Trust
Thread-Index: AQHVbQC9b1FVNejyuUeZ7UAM1P/bZKcuo7oAgACGzrA=
Date: Tue, 17 Sep 2019 02:54:34 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F13E8F7960@dggemm511-mbx.china.huawei.com>
References: <D9A5BCFC.EB494%carl@redhoundsoftware.com> <D9A5C0B5.EB4B6%carl@redhoundsoftware.com>
In-Reply-To: <D9A5C0B5.EB4B6%carl@redhoundsoftware.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.159.76]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/7Vy0dij6sA3Y1HapP5EL8bMMJr0>
Subject: [Rats] 答复: 答复: 答复: use case document updates on Roots of Trust
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2019 02:54:47 -0000
Do all these exemplar solutions include integrity measurement and verification functionalities in trust anchor, in addition to the certificate issuance and verification? -----邮件原件----- 发件人: Carl Wallace [mailto:carl@redhoundsoftware.com] 发送时间: 2019年9月17日 10:45 收件人: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com> 抄送: Laurence Lundblade <lgl@island-resort.com>; Salz, Rich <rsalz@akamai.com>; Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org 主题: Re: 答复: 答复: [Rats] use case document updates on Roots of Trust Or more applicable here, many current attestations. Though these are formatted as certificates. On 9/16/19, 10:36 PM, "Carl Wallace" <carl@redhoundsoftware.com> wrote: >TAMP messages are an example. But any signature could apply, whether a >public key is a trust anchor or not is not up to the verifier. > >On 9/16/19, 10:21 PM, "Xialiang (Frank, Network Standard & Patent Dept)" ><frank.xialiang@huawei.com> wrote: > >>Can you give some other examples? >> >>-----邮件原件----- >>发件人: Carl Wallace [mailto:carl@redhoundsoftware.com] >>发送时间: 2019年9月17日 10:19 >>收件人: Xialiang (Frank, Network Standard & Patent Dept) >><frank.xialiang@huawei.com> >>抄送: Laurence Lundblade <lgl@island-resort.com>; Salz, Rich >><rsalz@akamai.com>; Michael Richardson <mcr+ietf@sandelman.ca>; >>rats@ietf.org >>主题: Re: 答复: [Rats] use case document updates on Roots of Trust >> >>The definition of a trust anchor does not limit the scope to >>certificate chains. >> >>> On Sep 16, 2019, at 8:51 PM, Xialiang (Frank, Network Standard & >>>Patent >>>Dept) <frank.xialiang@huawei.com> wrote: >>> >>> Hi Carl, >>> The other big difference between them is the object they deal with: >>>RoT >>>is for integrity measurement value chain, CA is for certificate chain. >>> >>> Hope it is helpful. >>> >>> B.R. >>> Frank >>> >>> -----邮件原件----- >>> 发件人: RATS [mailto:rats-bounces@ietf.org] 代表 Carl Wallace >>> 发送时间: 2019年9月16日 20:26 >>> 收件人: Laurence Lundblade <lgl@island-resort.com>; Salz, Rich >>> <rsalz@akamai.com> >>> 抄送: Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org >>> 主题: Re: [Rats] use case document updates on Roots of Trust >>> >>> I took Rich's statement to be more from a relying party perspective >>>and your detail to be more what one might find in a policy describing >>>nature of the root of trust, which is not that different from how one >>>may describe a trust anchor/CA in a PKIX context in a policy that >>>describes how a CA are operated, etc. Two sides of the same coin. >>> >>> On 9/15/19, 4:50 PM, "RATS on behalf of Laurence Lundblade" >>> <rats-bounces@ietf.org on behalf of lgl@island-resort.com> wrote: >>> >>>>> On Sep 12, 2019, at 3:31 PM, Salz, Rich <rsalz@akamai.com> wrote: >>>>> >>>>> I do not see a meaningful difference between "trust anchor" and >>>>> "trust root" and "root(s) of trust." All of them: >>>>> - Are pieces of data (certificate or key is not meaningful) >>>>> - Used to verify something such as a certificate or signature >>>>> - Are trusted by the application, based on actions that are >>>>> "out of band" of the application itself >>>> >>>> This is not how I understand a root of trust, nor how I think it is >>>>generally used in the TCG or TEE worlds. I think a root of trust >>>>involves a CPU, memory and SW that actively does something like boot >>>>and measure a device. There is usually a boundary around it so that >>>>other software on the device, like the high-level OS, can’t corrupt >>>>it. >>>> When it is doing reporting as in RATS it will have a private key >>>>that can do some signing. >>>> When it is doing trusted/secure boot, it will also have a public >>>>key to verify the software it loads. >>>> >>>> LL >>>> >>>> >>>> _______________________________________________ >>>> RATS mailing list >>>> RATS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/rats >>> >>> >>> _______________________________________________ >>> RATS mailing list >>> RATS@ietf.org >>> https://www.ietf.org/mailman/listinfo/rats
- Re: [Rats] =?UTF-8?B?562U5aSN?=: =?UTF-8?B?IOetlO… Carl Wallace
- Re: [Rats] =?UTF-8?B?562U5aSN?=: =?UTF-8?B?IOetlO… Carl Wallace
- [Rats] 答复: 答复: 答复: use case document updates on R… Xialiang (Frank, Network Standard & Patent Dept)