Re: [Rats] draft-ietf-rats-architecture-12
Daniel Migault <mglt.ietf@gmail.com> Wed, 03 November 2021 22:09 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D81B3A12C6 for <rats@ietfa.amsl.com>; Wed, 3 Nov 2021 15:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnY4mupCi2mK for <rats@ietfa.amsl.com>; Wed, 3 Nov 2021 15:09:41 -0700 (PDT)
Received: from mail-ua1-x92d.google.com (mail-ua1-x92d.google.com [IPv6:2607:f8b0:4864:20::92d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50ACB3A12C4 for <rats@ietf.org>; Wed, 3 Nov 2021 15:09:41 -0700 (PDT)
Received: by mail-ua1-x92d.google.com with SMTP id e2so7198794uax.7 for <rats@ietf.org>; Wed, 03 Nov 2021 15:09:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0ruBq1aYy55xS0tTyl7RfXD7oRDOtJzcJ184cYpZHUA=; b=oYw6o4j1aWg5ZEgxDpjywTEjAslFxbNSrU6b2Pv9+I8jMV9to/5Qx6xcyKInRIIWBz UTrYxsrEUMiSVK267uy+2LDLd3RIBox0Dt5uMMiUHOvQf2Io0/DArB+ZUlgzHgAhicFM 62oB7QFwFUvwDxZu4HFrXC7wopx4oiF+nXLc0Lo0nhCTVoZwtGkEpdpeM0DbvhZu4SwW tDJSuysd3C43P+GCCjZrMLngRJoNCz2A3Kx4wD5wqSosNb2GI/QOWExhTDAxL8sgde49 W+tZqIc7469/7NdtgGudHKqp0/vTO8yzhx1jQavZSLq2wqwmWJcfJme9Ln8fnoYjkFfV FDmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0ruBq1aYy55xS0tTyl7RfXD7oRDOtJzcJ184cYpZHUA=; b=GWWHQygOP0l95MZr5YJkmiNeK9cnVA/qdIGTCzSDMTW6ApuBY67j/82VEIpdG8Dra2 6k/zWMGkip/POsqZ2HzEL0ZVUmItoA3noFBvfSrqePDJdixrnrRqD9nNRXQ/uQemDrjt 0SlP1orYGd5XQErgOa4DvafKf6N/QL98q+FKMVQxXfZB3j5wnp1x46ewEVrfy/LK9v2/ cEXEsGLYYolXHCcugsvj7R5kjNNgiuaTkVwsObRvmbcBJs3oudY2cTHC/LVa1R25EAO1 WEkZg+46hhnRxrCTq80/lSviVo6GmAiCjMEDFoTUHQw4w4jVMgG013juF8MDd2YJrI+v Pflg==
X-Gm-Message-State: AOAM5318Fpz4XKYhvmgUC6aOCpHiqD2sSNc9I0uIZ0sRUReNvozObnva 8uLrT0LvS7SvmpHZdoJWd2Ur2NRJu3peW8Jy8Qk=
X-Google-Smtp-Source: ABdhPJzxCaqtGql+202pnUwALAugTOFxkdXuW8o+X1YufoBOZpUWIDh/1e6O3tBwKIGRnRhN15j/cxNGkCwHj12EnHs=
X-Received: by 2002:a05:6102:f12:: with SMTP id v18mr37368603vss.23.1635977379718; Wed, 03 Nov 2021 15:09:39 -0700 (PDT)
MIME-Version: 1.0
References: <CADZyTk=ZbSUYxywzVONYjo59JVf56r8kAhpKqtXgE2=k2uZ5uA@mail.gmail.com> <8748.1635932817@localhost> <CADZyTkm93nPQvp1vBk7ViGtyLXN6Os_-Tf+GuUygn3-4LTxkug@mail.gmail.com> <21823.1635977093@localhost>
In-Reply-To: <21823.1635977093@localhost>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 03 Nov 2021 18:09:28 -0400
Message-ID: <CADZyTk=-ttpJLZmRDDT_TeXtPwHfUMo7Bn_kAiyhhXOpX9apMQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000942b9d05cfe9aaaf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/90irMHXAJGDW-KkPwTsGa3GHd5k>
Subject: Re: [Rats] draft-ietf-rats-architecture-12
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2021 22:09:46 -0000
On Wed, Nov 3, 2021 at 6:04 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Daniel Migault <mglt.ietf@gmail.com> wrote: > > Thanks for the response. Let me rephrase myself. Suppose that Target > > Environment and Attesting Environment are different pieces of > > hardware. > > yes, that's somewhat reasonable for some TPM environments. > > > I > > am saying this mostly as it is unclear to me if TPM is assumed to be > part > > of the CPU or as another piece of hardware. > > What I was trying to say is that the verifier trusts the Attesting > > Environment and will trust in the Evidence. > > > However, there is also an implicit trust the claims retrieved by the > > Attesting Environment from the Target Environment are not tampered. > > yes, we can't defend against that. > If you have such a situation, then you need another Attesting Environment. > The Composite scenario is an example of that. > A real life scenario is a router chassis and a series of line cards. > Another real life scenario is a PC enclosure and smart-NICs and/or GPUs. > > > If we > > do not have that trust, the Attesting Environment will only be able > to > > attest claims that cannot be trusted. > > Things can be simplified when the Target Environment and Attesting > > Environment are part of the same hardware as there is a need to > trust the > > hardware. If the TPM is a different chip, it needs to be extended > with the > > BIOS and we need to trust this is the BIOS actually stored in the > ROM. > > There are real life attacks against the I2C that is used to talk to the > TPM. > They can be mitigated if the I2C communication is encrypted to the TPMs > public key, but this requires that the system "bios" have a secure place to > put the TPM's public key. This is possible some platforms that have some > secure space inside the CPU. > > > I do not think the figure needs to be changed and become more > complex. I > > think it looks great. > > Good. > How can we change the text to include your concern? > > >> My question was what means self-assert in the following sentence: > > > """ > > mcr> In layered attestation, a root of trust is the initial Attesting > mcr> Environment. Claims can be collected from or about each layer. > The > mcr> corresponding Claims can be structured in a nested fashion that > mcr> reflects the nesting of the Attester's layers. Normally, Claims > are > mcr> not self-asserted, rather a previous layer acts as the Attesting > mcr> Environment for the next layer. Claims about a root of trust > mcr> typically are asserted by an Endorser. > > > """ > > > To me, as I understand the figure Claims are provided by the Target > > Environment to the Attesting Environment. In my view the Attesting > > Environment is responsible to add some trust to the Claim. > Re-reading the > > text, I have the impression this is what is being said. > > I think what upset me was the use of self-asserted while the > document never > > put assertion in the Target Environment. > > some change needed? > > >> > """ > >> > The > >> > final Evidence thus contains two sets of Claims: one set about the > >> > bootloader as measured and signed by the BIOS, plus a set of > Claims > >> > about the kernel as measured and signed by the bootloader. > >> > """ > >> > >> > I understand that the set of claims are combined together with for > >> example > >> > a hash function. In other words, Evidence is not (necessarily) a > >> list of > >> > claims that can easily be extracted from the Evidence. > >> > >> Extending a single PCR in a TPM results in a single Claim. > >> The Claims are not fed into the TPM. > >> Any hash (ECDSA w/SHA256 for instance) involved in signing the > Evidence, > >> is a > >> property of the signing algorithm, and not part of the Claim. > >> > >> > If my understanding is correct, I would maybe clarify "contains". > I > >> also > >> > have the impression cascading carries the notion of recurrence > where > > >> > section 8.4 > >> > >> > _Strength of Function_ this is a markdown notation I suspect. > >> > >> Yes, and in text form, that's how we represent italics, just like > in email. > >> In HTML it shows up in italics. > >> > > > sure I was wondering if that were intentional. > > Yes, intentional. > > >> > >> > By default, the Relying Party does not believe the Attester to be > >> > compliant. Upon receipt of an authentic Attestation Result > >> > >> > I do not see any reason to perform attestation if the Attester is > >> known to > >> > be compliant. I am wondering if "by default" is appropriated or > >> should be > >> > instead replaced by something around Upon starting an attestation, > >> the > >> > Relying.... > >> > >> In the beginning ("by default"), the universe was without form, and > all > >> Attesters were > >> untrusted. Then, on the first day, God created the Verifier, and > used it > >> to > >> evaluate Evidence, and separated the void into the Trusted and the > >> Untrusted. > >> > > > ;-) > > . o O ( then the elder ghods caused a post-quantum event... ) > > >> > >> > It is a bit unclear to me what authentic means > >> > >> It means, for instance that the signature has checked out. > >> But, not every system uses signatures directly. > >> It could also indirect through session security, e.g.: TLS > >> > > > Does authentic means authenticated then ? If not what is the > difference ? > > Yes. > Evidence that has had a signature check would be authenticated. > Evidnece that was passed over a secure channel would not be have a > signature > check, but would be trusted (due the channel) to be authentic. > > >> Evidence = signed(claims) > >> > >> > > ok. I think the text is fine and that I was influenced by the hash of > > hashes I wanted to represent a set. Not sure it is not only me. > > I think that some of the underlying historic implementation infects the > discussion. > > Exactly. will check if I can propose something to improve the text by the end of the week, but I am not too worried. The text is already in a good shape and the document is easy to read. > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > -- Daniel Migault Ericsson
- [Rats] draft-ietf-rats-architecture-12 Daniel Migault
- Re: [Rats] draft-ietf-rats-architecture-12 Thomas Fossati
- Re: [Rats] draft-ietf-rats-architecture-12 Daniel Migault
- Re: [Rats] draft-ietf-rats-architecture-12 Michael Richardson
- Re: [Rats] draft-ietf-rats-architecture-12 Smith, Ned
- Re: [Rats] draft-ietf-rats-architecture-12 Daniel Migault
- Re: [Rats] draft-ietf-rats-architecture-12 Daniel Migault
- Re: [Rats] draft-ietf-rats-architecture-12 Michael Richardson
- Re: [Rats] draft-ietf-rats-architecture-12 Daniel Migault
- Re: [Rats] draft-ietf-rats-architecture-12 Daniel Migault