IETF Logo Mail Archive

Re: [Rats] draft-ietf-rats-architecture-12

Daniel Migault <mglt.ietf@gmail.com> Wed, 03 November 2021 22:09 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D81B3A12C6 for <rats@ietfa.amsl.com>; Wed, 3 Nov 2021 15:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnY4mupCi2mK for <rats@ietfa.amsl.com>; Wed, 3 Nov 2021 15:09:41 -0700 (PDT)
Received: from mail-ua1-x92d.google.com (mail-ua1-x92d.google.com [IPv6:2607:f8b0:4864:20::92d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50ACB3A12C4 for <rats@ietf.org>; Wed, 3 Nov 2021 15:09:41 -0700 (PDT)
Received: by mail-ua1-x92d.google.com with SMTP id e2so7198794uax.7 for <rats@ietf.org>; Wed, 03 Nov 2021 15:09:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0ruBq1aYy55xS0tTyl7RfXD7oRDOtJzcJ184cYpZHUA=; b=oYw6o4j1aWg5ZEgxDpjywTEjAslFxbNSrU6b2Pv9+I8jMV9to/5Qx6xcyKInRIIWBz UTrYxsrEUMiSVK267uy+2LDLd3RIBox0Dt5uMMiUHOvQf2Io0/DArB+ZUlgzHgAhicFM 62oB7QFwFUvwDxZu4HFrXC7wopx4oiF+nXLc0Lo0nhCTVoZwtGkEpdpeM0DbvhZu4SwW tDJSuysd3C43P+GCCjZrMLngRJoNCz2A3Kx4wD5wqSosNb2GI/QOWExhTDAxL8sgde49 W+tZqIc7469/7NdtgGudHKqp0/vTO8yzhx1jQavZSLq2wqwmWJcfJme9Ln8fnoYjkFfV FDmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0ruBq1aYy55xS0tTyl7RfXD7oRDOtJzcJ184cYpZHUA=; b=GWWHQygOP0l95MZr5YJkmiNeK9cnVA/qdIGTCzSDMTW6ApuBY67j/82VEIpdG8Dra2 6k/zWMGkip/POsqZ2HzEL0ZVUmItoA3noFBvfSrqePDJdixrnrRqD9nNRXQ/uQemDrjt 0SlP1orYGd5XQErgOa4DvafKf6N/QL98q+FKMVQxXfZB3j5wnp1x46ewEVrfy/LK9v2/ cEXEsGLYYolXHCcugsvj7R5kjNNgiuaTkVwsObRvmbcBJs3oudY2cTHC/LVa1R25EAO1 WEkZg+46hhnRxrCTq80/lSviVo6GmAiCjMEDFoTUHQw4w4jVMgG013juF8MDd2YJrI+v Pflg==
X-Gm-Message-State: AOAM5318Fpz4XKYhvmgUC6aOCpHiqD2sSNc9I0uIZ0sRUReNvozObnva 8uLrT0LvS7SvmpHZdoJWd2Ur2NRJu3peW8Jy8Qk=
X-Google-Smtp-Source: ABdhPJzxCaqtGql+202pnUwALAugTOFxkdXuW8o+X1YufoBOZpUWIDh/1e6O3tBwKIGRnRhN15j/cxNGkCwHj12EnHs=
X-Received: by 2002:a05:6102:f12:: with SMTP id v18mr37368603vss.23.1635977379718; Wed, 03 Nov 2021 15:09:39 -0700 (PDT)
MIME-Version: 1.0
References: <CADZyTk=ZbSUYxywzVONYjo59JVf56r8kAhpKqtXgE2=k2uZ5uA@mail.gmail.com> <8748.1635932817@localhost> <CADZyTkm93nPQvp1vBk7ViGtyLXN6Os_-Tf+GuUygn3-4LTxkug@mail.gmail.com> <21823.1635977093@localhost>
In-Reply-To: <21823.1635977093@localhost>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 03 Nov 2021 18:09:28 -0400
Message-ID: <CADZyTk=-ttpJLZmRDDT_TeXtPwHfUMo7Bn_kAiyhhXOpX9apMQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000942b9d05cfe9aaaf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/90irMHXAJGDW-KkPwTsGa3GHd5k>
Subject: Re: [Rats] draft-ietf-rats-architecture-12
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2021 22:09:46 -0000

On Wed, Nov 3, 2021 at 6:04 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Daniel Migault <mglt.ietf@gmail.com> wrote:
>     > Thanks for the response. Let me rephrase myself.  Suppose that Target
>     > Environment and Attesting Environment are different pieces of
>     > hardware.
>
> yes, that's somewhat reasonable for some TPM environments.
>
>     > I
>     > am saying this mostly as it is unclear to me if TPM is assumed to be
> part
>     > of the CPU or as another piece of hardware.
>     > What I was trying to say is that the verifier trusts the Attesting
>     > Environment  and will trust in the Evidence.
>
>     > However, there is also an implicit trust the claims retrieved by the
>     > Attesting Environment from the Target Environment are not tampered.
>
> yes, we can't defend against that.
> If you have such a situation, then you need another Attesting Environment.
> The Composite scenario is an example of that.
> A real life scenario is a router chassis and a series of line cards.
> Another real life scenario is a PC enclosure and smart-NICs and/or GPUs.
>
>     > If we
>     > do not have that trust, the Attesting Environment will only be able
> to
>     > attest claims that cannot be trusted.
>     > Things can be simplified when the Target Environment and Attesting
>     > Environment are part of the same hardware as there is a need to
> trust the
>     > hardware. If the TPM is a different chip, it needs to be extended
> with the
>     > BIOS and we need to trust this is the BIOS actually stored in the
> ROM.
>
> There are real life attacks against the I2C that is used to talk to the
> TPM.
> They can be mitigated if the I2C communication is encrypted to the TPMs
> public key, but this requires that the system "bios" have a secure place to
> put the TPM's public key.   This is possible some platforms that have some
> secure space inside the CPU.
>
>     > I do not think the figure needs to be changed and become more
> complex. I
>     > think it looks great.
>
> Good.
> How can we change the text to include your concern?
>
>     >> My question was what means self-assert in the following sentence:
>
>     > """
>
>     mcr> In layered attestation, a root of trust is the initial Attesting
>     mcr> Environment.  Claims can be collected from or about each layer.
> The
>     mcr> corresponding Claims can be structured in a nested fashion that
>     mcr> reflects the nesting of the Attester's layers.  Normally, Claims
> are
>     mcr> not self-asserted, rather a previous layer acts as the Attesting
>     mcr> Environment for the next layer.  Claims about a root of trust
>     mcr> typically are asserted by an Endorser.
>
>     > """
>
>     > To me, as I understand the figure Claims are provided by the Target
>     > Environment to the Attesting Environment. In my view the Attesting
>     > Environment is responsible to add some trust to the Claim.
> Re-reading the
>     > text, I have the impression this is what is being said.
>     > I think what upset me was the use of self-asserted while the
> document never
>     > put assertion in the Target Environment.
>
> some change needed?
>
>     >> > """
>     >> > The
>     >> > final Evidence thus contains two sets of Claims: one set about the
>     >> > bootloader as measured and signed by the BIOS, plus a set of
> Claims
>     >> > about the kernel as measured and signed by the bootloader.
>     >> > """
>     >>
>     >> > I understand that the set of claims are combined together with for
>     >> example
>     >> > a hash function. In other words, Evidence is not (necessarily) a
>     >> list of
>     >> > claims that can easily be extracted from the Evidence.
>     >>
>     >> Extending a single PCR in a TPM results in a single Claim.
>     >> The Claims are not fed into the TPM.
>     >> Any hash (ECDSA w/SHA256 for instance) involved in signing the
> Evidence,
>     >> is a
>     >> property of the signing algorithm, and not part of the Claim.
>     >>
>     >> > If my understanding is correct, I would maybe clarify "contains".
> I
>     >> also
>     >> > have the impression cascading carries the notion of recurrence
> where
>
>     >> > section 8.4
>     >>
>     >> > _Strength of Function_ this is a markdown notation I suspect.
>     >>
>     >> Yes, and in text form, that's how we represent italics, just like
> in email.
>     >> In HTML it shows up in italics.
>     >>
>
>     > sure I was wondering if that were intentional.
>
> Yes, intentional.
>
>     >>
>     >> > By default, the Relying Party does not believe the Attester to be
>     >> > compliant.  Upon receipt of an authentic Attestation Result
>     >>
>     >> > I do not see any reason to perform attestation if the Attester is
>     >> known to
>     >> > be compliant. I am wondering if "by default" is appropriated or
>     >> should be
>     >> > instead replaced by something around Upon starting an attestation,
>     >> the
>     >> > Relying....
>     >>
>     >> In the beginning ("by default"), the universe was without form, and
> all
>     >> Attesters were
>     >> untrusted.  Then, on the first day, God created the Verifier, and
> used it
>     >> to
>     >> evaluate Evidence, and separated the void into the Trusted and the
>     >> Untrusted.
>     >>
>
>     > ;-)
>
> . o O ( then the elder ghods caused a post-quantum event... )
>
>     >>
>     >> > It is a bit unclear to me what authentic means
>     >>
>     >> It means, for instance that the signature has checked out.
>     >> But, not every system uses signatures directly.
>     >> It could also indirect through session security, e.g.: TLS
>     >>
>
>     > Does authentic means authenticated then ? If not what is the
> difference ?
>
> Yes.
> Evidence that has had a signature check would be authenticated.
> Evidnece that was passed over a secure channel would not be have a
> signature
> check, but would be trusted (due the channel) to be authentic.
>
>     >> Evidence = signed(claims)
>     >>
>     >>
>     > ok. I think the text is fine and that I was influenced by the hash of
>     > hashes I wanted to represent a set. Not sure it is not only me.
>
> I think that some of the underlying historic implementation infects the
> discussion.
>
>
Exactly. will check if I can propose something to improve the text by the
end of the week, but I am not too worried. The text is already in a good
shape and the document is easy to read.

>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email