IETF Logo Mail Archive

Re: [Rats] draft-birkholz-rats-uccs

Laurence Lundblade <lgl@island-resort.com> Sat, 13 March 2021 21:05 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D70203A0D5C for <rats@ietfa.amsl.com>; Sat, 13 Mar 2021 13:05:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XW6TVmUC7U4j for <rats@ietfa.amsl.com>; Sat, 13 Mar 2021 13:05:26 -0800 (PST)
Received: from p3plsmtpa12-09.prod.phx3.secureserver.net (p3plsmtpa12-09.prod.phx3.secureserver.net [68.178.252.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 397113A0D5A for <rats@ietf.org>; Sat, 13 Mar 2021 13:05:26 -0800 (PST)
Received: from [192.168.1.81] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id LBRslolT7Hr94LBRtlPhET; Sat, 13 Mar 2021 14:05:25 -0700
X-CMAE-Analysis: v=2.4 cv=DvqTREz+ c=1 sm=1 tr=0 ts=604d2915 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=IkcTkHD0fZMA:10 a=pGLkceISAAAA:8 a=K6EGIJCdAAAA:8 a=-tXRvV1g6tWVs4C0IpUA:9 a=QEXdDO2ut3YA:10 a=L6pVIi0Kn1GYQfi8-iRI:22
X-SECURESERVER-ACCT: lgl@island-resort.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <CAObGJnNGqGLKVq7Xi_-GL5w-xFNhULg4BPR18pdRWoSCvKYRiQ@mail.gmail.com>
Date: Sat, 13 Mar 2021 13:05:24 -0800
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>, Giridhar Mandyam <mandyam@qti.qualcomm.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8213283A-18D1-40FD-9980-3CEA037F4DEA@island-resort.com>
References: <VI1PR08MB2639119D9BB1C98A1FBF3863FA6F9@VI1PR08MB2639.eurprd08.prod.outlook.com> <BYAPR02MB442217661B96C66A8881DD89816F9@BYAPR02MB4422.namprd02.prod.outlook.com> <659C7D3E-B5C9-484F-85E8-5D48E2C2F856@island-resort.com> <VI1PR08MB2639F0B6CDC8DA24A300BA22FA6F9@VI1PR08MB2639.eurprd08.prod.outlook.com> <E98547E5-6F6D-4CDE-9F7E-54D8B5C3BCD5@island-resort.com> <CAObGJnNGqGLKVq7Xi_-GL5w-xFNhULg4BPR18pdRWoSCvKYRiQ@mail.gmail.com>
To: Thomas Fossati <tho.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfDLBl3z9w9f12QBFb0Z1NHL4FC238NDbvbkEvfOjiBycuo7A/k9gszSHTmSjnE8yeJ/0ELzNsCV1CdB+deoMcsGDTdhu0GQQOOYZPSLa0gBMzpmFgwHX F618lMEolaYzjeNTW7JYT54aeqFgfLOL9fijENxzPIxjrF7iQyNS1uXa/29ZNsgpUcAqsv2Dwync8O/42OgFAWPg8xVCsFCCw2pEW8TSOXZZIZ58NFp6Z2ST I95jpwnC7+4NW83rytli11Fv1Hh5BJ81FYmeOzgkyXF19IBhNJ9uDEAVOnmAAq3F
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8BXlnSxluVMK1cT9LMLKXoLepss>
Subject: Re: [Rats] draft-birkholz-rats-uccs
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Mar 2021 21:05:28 -0000


> On Mar 13, 2021, at 12:32 PM, Thomas Fossati <tho.ietf@gmail.com> wrote:
> 
> Hi Laurence, just a small note,
> 
> On Sat, Mar 13, 2021 at 7:06 PM Laurence Lundblade
> <lgl@island-resort.com> wrote:
>> To me putting all the security discussion in to the UCCS spec is like putting the TLS and IPsec standard into the HTML, JSON or XML standards. HTML, UCCS… just define data formats. The difference here is that CWT which has security built in and came first where as HTML, JSON and XML were invented first without security.
> 
> I see this in a slightly different way: we take a data format that has
> a "secure by default" label on it and we strip off the very thing that
> makes it secure.  Since we are changing its commonly understood
> semantics, it's probably wise that we simultaneously state why and
> when this is acceptable, along with the assumed threat model.

Agree that something must be said for this reason.

Just don’t think it should go into the full set of security considerations or describing a designed solution because both vary by use case and problem domain. It is not possible to anticipate all the use cases and problem domains. 

We don’t have any standard that says how you should securely transfer particular data formats like HTTP, XML or JSON. There is no “Secure transfer of HTML” standard. Instead we have security protocols like TLS, COSE, JOSE and such which can be used to secure data in general.

As I mentioned before, I think it would be good to split the document in two, something I hadn’t thought of before.

But, I’m still OK with it as is. This is just a fun discussion :-)

LL

v2.23.0 | Report a Bug | By Email