Re: [Rats] [Iotops] 802.1AR device identity

Eliot Lear <> Sun, 14 March 2021 08:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CAE2A3A1F4B; Sun, 14 Mar 2021 00:22:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -11.9
X-Spam-Status: No, score=-11.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tSrUAOp5_l0r; Sun, 14 Mar 2021 00:22:51 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 84A3F3A1F4A; Sun, 14 Mar 2021 00:22:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=7631; q=dns/txt; s=iport; t=1615710170; x=1616919770; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=HkNaz6c17umO9kQeh7rk3bNxfEvLob84xpyuBidgSXg=; b=YDvZTRgcVBxhvHHCRsEa8JOp4g4l0wmeFEmm9hIRzF7HwsIlNigRnFFz liIGOiwxM4HiuqM7wWZK+2xwCrpMUcenTK5mG3FelN0GG4uI78kkYJnXB wNoxNxRRz0ByVFedQBQvax7etlpzBrLHYuWolBhAuk08cuuRDCvXXdzdY o=;
X-Files: signature.asc : 488
IronPort-HdrOrdr: A9a23:fay7EKEtH5CN+3ZvpLqEaseALOonbusQ8zAX/mp6ICY0TuWzkc eykPMHkSLlkTp5YhsdsP2JJaXoexLh3LFv5415B9ifdSng/FClNYRzqbblqgePJwTb+vRG3a ltN4hyYeeAbmRSqcb/7E2GH807wN+BmZrEuc7kw31gTR5nZshbhm8TNi+hHkJ7XwVAD5Yifa DshPZvnSaqengcc62AakUtYu6rnayvqLvWJToPBxsq82C1/FeVwY+/NQSE1REDVD4K5rEu/Q H+4mrEz5Tmle2nwRnB0GKW1bBqoZ/Kz9tOA9HksLlzFgnR
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,245,1610409600"; d="asc'?scan'208,217";a="34169395"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Mar 2021 08:22:45 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 12E8Mj9K011797 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 14 Mar 2021 08:22:45 GMT
Content-Type: multipart/signed; boundary="Apple-Mail=_0DE1A019-940F-4EBB-BF81-AFC0ED2D4535"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Eliot Lear <>
In-Reply-To: <22167.1615685681@localhost>
Date: Sun, 14 Mar 2021 09:22:44 +0100
Message-Id: <>
References: <> <> <22167.1615685681@localhost>
To: Michael Richardson <>
X-Mailer: Apple Mail (2.3654.
X-Outbound-SMTP-Client:, []
Archived-At: <>
X-Mailman-Approved-At: Mon, 15 Mar 2021 00:11:33 -0700
Subject: Re: [Rats] [Iotops] 802.1AR device identity
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 Mar 2021 08:22:53 -0000

[moving rats to bcc… continuing discussion on iotops]

Hi Michael,

> (It could be that there are modes where another IDevID can be installed, but
> the original would not be removed.  Whether this is an LDevID or IDevID is
> open to intepretation)


>> I’ve had this thought in two
>> different contexts: What if the signature algorithm, CA, or private key
>> used to protect the iDevID has been compromised?
> Then, the device is broken.
> I think you would certainly agree that this can be the only answer if the
> software signing key is compromised, right?

The device is vulnerable.  The question is whether a repair can be effected.

>> Can one recover with an update?
>> What if there are attributes in the cert that I want to
>> dink and share with the deployment?
> Please define "dink" for me.  I know of only one definition from the school yard.
> Does this mean remove? replace?


>> I’d like to take that latter case off the table, but then we need to
>> seriously think about RATS or SUIT providing a standard protected TLV
>> list that deployments could receive through a standard interface.
>> These are attestations of a form, but they’re not really measurements,
>> as has been previously discussed here.
> Can you give me an example of one of these attributes?

Soooo…. Here’s an example:

Suppose I am a system integrator who needs to assemble a device out of constituent components that includes a particular software load.  I wish to claim to be the manufacturer of the device, as I am the one producing the final product.  I want to therefore provide the onboarding service.  That requires a change of URL for the MASA in BRSKI terms.  I may also wish to change the MUD-URL based on the software load.

The core question I am asking is this: we have attributes about the device I these certificates that really could be elsewhere.  But where?