Re: [Rats] RIV and the RATS architecture

Dave Thaler <dthaler@microsoft.com> Mon, 04 November 2019 20:57 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E33FC12010F for <rats@ietfa.amsl.com>; Mon, 4 Nov 2019 12:57:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0GyaxSVs7-3 for <rats@ietfa.amsl.com>; Mon, 4 Nov 2019 12:57:40 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on071d.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe41::71d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54476120800 for <rats@ietf.org>; Mon, 4 Nov 2019 12:57:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bkMDAbr4R9V3yG6m7Tces7+XXB+qEraNB5Fgf3h9uJgJwoufmumQxbo+/3SCxNbZp9VB+0IngzX98RnOsYbcZcUemjl+ck9YZDfvXu3KQt5bKQW0BZ3CZlRFCVCGf+RWlr4mj9nnu8Sr8qSgBPgYPcwT7aQ9EPMWEEf1cjPoQfq0QZRwMTMvok3KFJc4qBtNmZpiubwn+ag2VU1SGoQNmapdoA4mfL7Ku3bcm3b/aRhGqt1eElaPK89FjazctnNGF85biMDTfelh1/+TOCRfVfpl3cVayITT5qoH/ORuJPtXN2981I+jHD/felVZLFkUF5kQ14lO0W0RK5uYAWbmPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x41oOS7jrQ7DW7Zb/9iij3Wbb8GxEHCTBb9oB+6ntvY=; b=Pu0LdZMheUJU87Rv9JBj6zghDc34vM+lCW5Gco/2rfKk9Ye+xmBPIIsUZnhZ9tnhc3pBbeRLXoLf+eP/GXq6cCQNadu2q98tECG44Hyh0DJZayQvbl3WXUkDPXbQxbwHaDY1ZScbT5rYVRGeCOC/vR5WRl06QLbqm3psqszUFxf0euY/f7h5aVfrKPSjh+Z1dxKxRkEnU4lBN73ikzHGdkfAmPiHJIkfhIRrIUIYevXTq5zrCnRk1QsX6AGPEDk3xSEUKvbEY2TYyhu6iv0vc4eVzSp4HY00g4i6dP86pTSJkDokiMsII3nSKNPIAADaXVQJqMYiGUV02263xH+wqQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x41oOS7jrQ7DW7Zb/9iij3Wbb8GxEHCTBb9oB+6ntvY=; b=BYGV6AeM7MwuRUWxemx/LpFtlSipbyo9z2yxYcVEWXhVErJqF222aNSP30pbcTa0W9FFVfi1FyFyEnlozYWvVLlGHV6QQk9gBthtBxcuNdzXtDO1MBlh1yXvshqo9IUi/wNc//iyrghaGtxciNHVwKU34w03gCfRm//7Sx1tofE=
Received: from MWHPR21MB0784.namprd21.prod.outlook.com (10.173.51.150) by MWHPR21MB0750.namprd21.prod.outlook.com (10.173.51.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.20; Mon, 4 Nov 2019 20:56:12 +0000
Received: from MWHPR21MB0784.namprd21.prod.outlook.com ([fe80::8d41:8f86:8654:8439]) by MWHPR21MB0784.namprd21.prod.outlook.com ([fe80::8d41:8f86:8654:8439%11]) with mapi id 15.20.2430.017; Mon, 4 Nov 2019 20:56:12 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>
CC: "rats@ietf.org" <rats@ietf.org>, Thomas Hardjono <hardjono@mit.edu>, "Smith, Ned" <ned.smith@intel.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Thread-Topic: RIV and the RATS architecture
Thread-Index: AdWQISZnKaC7gFC9RTeTGiVYLOxchQDLr02g
Date: Mon, 4 Nov 2019 20:56:09 +0000
Message-ID: <MWHPR21MB0784B018797AB320A5B7C54CA37F0@MWHPR21MB0784.namprd21.prod.outlook.com>
References: <BYAPR05MB4248980FA30CDF1ABCCC7E78BA630@BYAPR05MB4248.namprd05.prod.outlook.com>
In-Reply-To: <BYAPR05MB4248980FA30CDF1ABCCC7E78BA630@BYAPR05MB4248.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=dc0a14cb-52f7-481f-9452-45415e41c007; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-04T20:56:07.9046064Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=dthaler@ntdev.microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Owner=gfedorkow@juniper.net; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2019-10-31T19:26:53.5191743Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=Juniper Business Use Only; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Application=Microsoft Azure Information Protection; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=c07f85d3-3baa-4bca-9285-7a27b371dd42; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Extended_MSFT_Method=Automatic
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2001:4898:80e8:2:5e6c:e46e:3572:93d5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e8face39-3772-455b-c190-08d761696d1a
x-ms-traffictypediagnostic: MWHPR21MB0750:
x-microsoft-antispam-prvs: <MWHPR21MB0750EB9B67464F6C3259D36FA37F0@MWHPR21MB0750.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0211965D06
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(346002)(39860400002)(376002)(136003)(189003)(199004)(8990500004)(966005)(66556008)(66476007)(66446008)(52536014)(46003)(6666004)(71200400001)(10090500001)(86362001)(71190400001)(6306002)(64756008)(54896002)(6246003)(9686003)(606006)(4326008)(76116006)(66946007)(54906003)(236005)(6436002)(10290500003)(478600001)(14444005)(256004)(55016002)(2906002)(790700001)(6116002)(25786009)(186003)(74316002)(7696005)(76176011)(22452003)(316002)(81156014)(14454004)(99286004)(81166006)(33656002)(486006)(476003)(8936002)(8676002)(11346002)(446003)(7736002)(229853002)(5660300002)(53546011)(6506007)(102836004); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR21MB0750; H:MWHPR21MB0784.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4FN9crTLn/Kv9EnxPAVJwIhU/VeZtDSDun6JE3Uey2sNkBQTAzWRY7dHJUkj/3Dhz7MdNYYjyKX1rhUic0K/Gby5o4Ef3NVxI7qkVzuoFD9H6HP1Twmuqx2iJyalINXozSOWC4MdaZV4BzpOUyPzarIXPpZXm+XXHa5D9+WkXROTXlmPEQyYBWls3t+/BXxVQotzIG+tMwyfvXlrYvXbpoieABdYvMM6ENRMAbQ8wMeOqc5TGbnXnvRsWpNDnjqYJpM3pgzpGPFBOvjo9eTmjAnaStbpCsNxO/PParX7IeZX9htETdoRs0oP3Wjsaa0xWFncwiZMJUlWifza4oXKDkq+VOvqgA7QqTa/eGPQI0jt97UqasRmDgKwA5+/aZnEgmhrzADw//8ATdmQqzXJB1/iop/X4ez6e75LYUhi0IdT167VIIXsTbnOAqzbHBAY
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MWHPR21MB0784B018797AB320A5B7C54CA37F0MWHPR21MB0784namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e8face39-3772-455b-c190-08d761696d1a
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2019 20:56:09.0970 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Aq0RBuUvkq2ZXY6GtuOeGs+Nwu5MS7o/UZr82oJwPgiSoY4mIZm1Gz5d1mOTD6GtrNGRA+ZKGfb+5czpKyW3jIw5T8DZBSzicMI8rywxBJs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR21MB0750
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8nRf-g-SwP_WpFVImEUHpH43dsI>
Subject: Re: [Rats] RIV and the RATS architecture
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 20:57:50 -0000

Hi Guy, sorry for the delay, I was at a conference (Open Source Summit, Confidential Computing Consortium, and Linux Security Summit were all co-located) all last week and traveling there/back.

Responses inline below...

From: RATS <rats-bounces@ietf.org> On Behalf Of Guy Fedorkow
Sent: Thursday, October 31, 2019 12:27 PM
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
Cc: rats@ietf.org; Thomas Hardjono <hardjono@mit.edu>du>; Smith, Ned <ned.smith@intel.com>om>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>de>; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Subject: [Rats] RIV and the RATS architecture

Hi Dave,
  Thanks for your doc https://tools.ietf.org/html/draft-thaler-rats-architecture-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-thaler-rats-architecture-00&data=02%7C01%7Cdthaler%40microsoft.com%7C520adf8cc884437d639508d75e385c4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637081468537546960&sdata=20zFPTGCbLybPlTaNB2E6uSb3re0G2bYPGC8F9TNXis%3D&reserved=0>amp;reserved=0>.
  Do you have a view as to how the TPM-based attestation described in RIV would fit with the proposed categorization?
https://tools.ietf.org/html/draft-fedorkow-rats-network-device-attestation-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-fedorkow-rats-network-device-attestation-00&data=02%7C01%7Cdthaler%40microsoft.com%7C520adf8cc884437d639508d75e385c4d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637081468537556953&sdata=VTByXHpjuEMkojKjjly0i0BbnvujhB4fIpQaqiPFDKA%3D&reserved=0>

Great question. From my reading of draft-fedorkow-rats-network-device-attestation-00, it's a background check model, as section 2.3 of your doc explains:
>   3.  A Relying Party, which has access to the Verifier to request
>       attestation and to act on results.

That sentence above is by definition the background check model.
That is, the Attester talks to the Relying Party, the Relying Party then requests a background check by consulting a Verifier,
and will accept whatever answer the Verifier decides.
There are ways where you could use the passport model for network device attestation,
but your document only covers the background check model.

  It doesn't seem to be a passport, since the attester only provides raw evidence, not a pre-approved passport

Agreed, from my reading of your document.

  It doesn't seem to be a background check, as it's the verifier that collects and analyzes the evidence.

If I understand your point here, you're saying that the verifier talks directly to the attester (e.g., by querying the yang module), without going back through the relying party, and that that seemed to you to be different from a classic "background check" diagram.  Did I get your point correctly?

If so, then I see it as a variation of the background check model, as opposed to a separate model per se.

  I'm not sure it matters to RIV, as we haven't drawn much distinction between the relying party and the verifier...  As you say, if they're on the same machine, the distinction is almost moot.

Agree.

And if they're not, I think the communication is out of scope for RIV (if not for RATS).

I disagree that it's out of scope for RATS.

I have no opinion on whether it's out of scope for RIV, since I still have some confusion on the intended scope of RIV.
I note that your document constrains its scope (in section 1.5) to only TPM-based embedded devices, and not other
types of devices.   I couldn't tell if the scope of RIV and the scope of the draft (which does not have RIV in the name, or in
section 1.5) are similar or one is a subset of the other.   Indeed, the title of the document is far wider than just TPM-based
embedded devices, so in that sense the title doesn't match the scoping in section 1.5.   Just explaining why there's not
enough information for me to have an opinion on verifier-relying party communication in RIV.

There can be other network attestation solutions that look quite different from the flow in your draft
(and I have no skin in this game, so don't have a bias towards any solution in particular).   For example,
some other solution might involve a RADIUS server being a Verifier, so the verifier - relying party communication might
be RADIUS in that example.   There's many ways to construct solutions, and so I imagine there's probably multiple
solutions already out there, since the NEA problem is not new even in the IETF (https://tools.ietf.org/wg/nea/ has
pointers to RFCs for anyone reading this who's not already aware of it).

  But it would be good ensure the architecture and the applications of it actually do fit together...

Absolutely.

Dave

  Thanks
/guy






Juniper Business Use Only