Re: [Rats] FW: New Version Notification for draft-shaw-rats-rear-00.txt

Thomas Fossati <Thomas.Fossati@arm.com> Wed, 08 July 2020 16:22 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "rats@ietf.org" <rats@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Date: Wed, 8 Jul 2020 16:22:11 +0000
Message-ID: <0FCAA0DF-1EBA-4883-81FB-FB468CCE5CD4@arm.com>
References: <9CB821D0-26D5-499C-9F60-CFF066AE6A87@arm.com> <D66A2E01-D604-405C-94D5-47E1502794CC@gmail.com>
In-Reply-To: <D66A2E01-D604-405C-94D5-47E1502794CC@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8A_rOW51tPvrsv1Fm90LFF6BBTo>

Hi Kathleen,

I hadn't come across SCAP before.  This looks interesting and certainly
relevant, so thanks for pointing out the potential relation with our
draft.

On 06/07/2020, 15:41, "Kathleen Moriarty" <kathleen.moriarty.ietf@gmail.com> wrote:
> Since we have a number of RESTful protocols in use to exchange
> formatted data, it would be good to explicitly state support for these
> protocols.  SCAPv2.0 has adopted ROLIE [RFC8322].  Since SCAP is how
> posture assessment is performed, it would be good to include this
> capability to enable a smooth transition to the use of remote
> attestation for simplified posture assessment as this work evolves.

Clarifying question.  In principle, the mechanics specified in the draft
can be used to bind attestation data to *any* resource.  So, ROLIE feeds
are certainly in scope.  However, it seems to me that in the SCAP
architecture the "natural" attestors are the Endpoints.  And, on the
Endpoint, posture collection is pulled using one of NEA/SWIMA, or
NETCONF, or some other specific MDM protocol, depending on the
Endpoint's type/class.  So, wouldn't NETCONF be a more suitable target
than ROLIE in this case?

> Similarly, RedFish is in use for server management across several
> platforms.  I’ve been working with the DMTF to improve security of
> RedFish just in case it could be used.
>
> There are likely other protocols that may be used, and leaving this
> open to accommodate various RESTful protocols may be the best approach
> towards enabling adoption.

+1 -- Though I'm a bit unsure about what strategy you would suggest.

One of the base constructs provided in the draft, namely the way to bind
the resource representation with the attestation Evidence by hashing it
into the nonce claim, is very broadly applicable.  So there's that.
However, the REST-y bits (verbs & content types) are slightly more
"rigid" in the sense that although the attested resource can be anything
you want it to be, the outer shell has a very precise format that is not
open to manipulation.

cheers, thanks!
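The binding construct discussed in this message (hashing the resource representation into the nonce claim so the Evidence is tied to the exact bytes served) is illustrated below with a small added example. This is not code from the draft or from its authors: the exact way the draft combines the Verifier's challenge and the resource bytes is not shown on this page, so the length-prefixed SHA-256 construction here is an assumption, the HMAC signature stands in for whatever signing key a real Attester would use, the claim names are hypothetical, and the posture document and challenge are constructed sample inputs. The example also shows the two failure cases a Verifier must catch: a resource representation that differs from the one attested, and a replay against a different challenge.

```python
import hashlib
import hmac
import json

# Constructed demo key. It stands in for the Attester's signing key; a real
# Attester signs Evidence with an asymmetric key rooted in hardware, not a
# shared secret.
DEMO_ATTESTER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample inputs: a posture document as the attested resource
# representation, and a 16-byte freshness challenge issued by the Verifier.
RESOURCE_REPR = b'{"software":[{"name":"openssl","version":"1.1.1g"}]}'
CHALLENGE = bytes(range(16))


def bind_nonce(resource_repr: bytes, challenge: bytes) -> bytes:
    """Derive the nonce claim from the challenge and the resource bytes.

    Assumed construction (not the draft's exact wording): the challenge is
    length-prefixed so that the (challenge, resource) split is unambiguous,
    then both are hashed together. The resulting nonce is fresh (it depends
    on the challenge) and bound to the representation (it depends on the
    bytes actually served).
    """
    h = hashlib.sha256()
    h.update(len(challenge).to_bytes(4, "big"))
    h.update(challenge)
    h.update(resource_repr)
    return h.digest()


def _serialize(claims: dict) -> bytes:
    # Canonical encoding so Attester and Verifier sign/verify identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(resource_repr: bytes, challenge: bytes,
                   key: bytes = DEMO_ATTESTER_KEY) -> dict:
    """Attester side: a signed claims set whose nonce binds the resource."""
    claims = {
        "nonce": bind_nonce(resource_repr, challenge).hex(),
        "resource_digest_alg": "sha-256",  # hypothetical claim name
    }
    tag = hmac.new(key, _serialize(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": tag}


def verify_evidence(evidence: dict, resource_repr: bytes, challenge: bytes,
                    key: bytes = DEMO_ATTESTER_KEY) -> bool:
    """Verifier side: check the signature, then recompute the nonce from the
    resource bytes it actually received and the challenge it issued.

    Returns False if the signature is bad, if the representation was altered
    in transit, or if the Evidence was produced for a different challenge.
    """
    claims = evidence.get("claims", {})
    expected_tag = hmac.new(key, _serialize(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, evidence.get("sig", "")):
        return False
    expected_nonce = bind_nonce(resource_repr, challenge).hex()
    return hmac.compare_digest(expected_nonce, claims.get("nonce", ""))


def demo() -> dict:
    """Run the happy path and the two failure modes; returns the outcomes."""
    ev = build_evidence(RESOURCE_REPR, CHALLENGE)
    return {
        "genuine": verify_evidence(ev, RESOURCE_REPR, CHALLENGE),
        "altered_resource": verify_evidence(ev, RESOURCE_REPR + b" ", CHALLENGE),
        "replayed_challenge": verify_evidence(ev, RESOURCE_REPR, bytes(16)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The point this makes explicit is that the outer shell (signed claims set, nonce claim, fixed digest algorithm) stays rigid while the attested resource can be any byte string at all: a ROLIE feed entry, a NETCONF datastore dump or a SWIMA inventory would all go through the same `bind_nonce` unchanged.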
