IETF Logo Mail Archive

Re: [Rats] New RATS Architecture document

Giridhar Mandyam <mandyam@qti.qualcomm.com> Tue, 10 September 2019 16:28 UTC

Return-Path: <mandyam@qti.qualcomm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67C981201CE for <rats@ietfa.amsl.com>; Tue, 10 Sep 2019 09:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=qti.qualcomm.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 53DCyjTxRjEg for <rats@ietfa.amsl.com>; Tue, 10 Sep 2019 09:28:36 -0700 (PDT)
Received: from alexa-out-sd-01.qualcomm.com (alexa-out-sd-01.qualcomm.com [199.106.114.38]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9F0212010D for <rats@ietf.org>; Tue, 10 Sep 2019 09:28:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1568132915; x=1599668915; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=I1UZWDGnYqAHY2t+9unjaX/Ay5oG4rxvIcXjkAIN4mo=; b=hrLNA+lDBYlrF8rgcnd3fyu95xav0QEekjSzuhINOA4E6BTzez6MjVxu kSdN9jCGiAyjbArQWi7ReNq/BjSrU0u2gkqJp7QcA77ZQmnQu0u5ahwXv iKbMXYEvqwmF58B1QEoJ43ScptGqT6+0bKyaRClhnxicMP+I9rm6+saHn c=;
Received: from unknown (HELO ironmsg-SD-alpha.qualcomm.com) ([10.53.140.30]) by alexa-out-sd-01.qualcomm.com with ESMTP; 10 Sep 2019 09:28:34 -0700
Received: from nasanexm01c.na.qualcomm.com ([10.85.0.83]) by ironmsg-SD-alpha.qualcomm.com with ESMTP/TLS/AES256-SHA; 10 Sep 2019 09:28:34 -0700
Received: from NASANEXM01C.na.qualcomm.com (10.85.0.83) by NASANEXM01C.na.qualcomm.com (10.85.0.83) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 10 Sep 2019 09:28:33 -0700
Received: from NASANEXM01C.na.qualcomm.com ([10.85.0.83]) by NASANEXM01C.na.qualcomm.com ([10.85.0.83]) with mapi id 15.00.1473.005; Tue, 10 Sep 2019 09:28:33 -0700
From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
To: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] New RATS Architecture document
Thread-Index: AQHVZ9l0CvdpLTeRnUKRQb/BzQqfg6clFv1g
Date: Tue, 10 Sep 2019 16:28:33 +0000
Message-ID: <fe9e3870aaa6419697db4536e1f0718c@NASANEXM01C.na.qualcomm.com>
References: <471c785f-1cd8-62ff-431a-075ce9c35058@sit.fraunhofer.de>
In-Reply-To: <471c785f-1cd8-62ff-431a-075ce9c35058@sit.fraunhofer.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.80.80.8]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ATlF1dyQTPLBU62-uD7pBnZfwaA>
Subject: Re: [Rats] New RATS Architecture document
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 16:28:38 -0000

Henk and other editors of the architecture doc,

I appreciate the effort put into this latest revision, and I will review it with a fresh eye. 

I do have one overarching question:  why is this document listed as 'Standards Track' (as opposed to 'Informational')?  I had expressed my concerns about this in an earlier review of the doc:  https://mailarchive.ietf.org/arch/msg/rats/9iIrnD9YixKCuwOGKtvGZIzd_bU. 

Since the editors' team is composed of experienced IETF'ers, I assume that there are solid reasons for doing so.  If you all have stated them before, I hope you do not mind me requesting that you lay out your reasons again because I seemed to have missed it.

-Giri

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Henk Birkholz
Sent: Tuesday, September 10, 2019 6:13 AM
To: rats@ietf.org
Subject: [Rats] New RATS Architecture document

-------------------------------------------------------------------------
CAUTION: This email originated from outside of the organization.
-------------------------------------------------------------------------

Hi all,

we created a fully revised architecture document that maps and represents the state of the current discussion and the material presented at the last IETF meeting.

The current Editor's version can be found here:

> https://ietf-rats.github.io/draft-birkholz-rats-architecture/draft-bir
> kholz-rats-architecture.html

We will submit a new version the day after the RATS virtual interim.

TL;DR
Below you can find a list of essential changes & a list of action items still to be addressed.


This version of the RATS Architecture document:

* does not define or uses the terms "root(s) of trust" (RoT) or "Trust 
Anchor" (TA) at the moment. (Note: It is a fact that the Asserter Role 
_is_ a TA for the Verifier Role and that an Attester Role _could_ rely 
on RoTs. But - this content will not go into the main body of this 
document),

* does define RATS Roles, Messages, and Principals formerly known as 
"Actors" (borrowing heavily from ABLP),

* provides an even more "base" interaction model diagram for the RATS 
Roles than presented in the last IETF meeting slide deck:

> https://datatracker.ietf.org/meeting/105/materials/slides-105-rats-sessb-rats-architecture-interaction-model-challange-response-yang-module-information-module-00.pdf

* introduces a framework for "level of confidence" in the 
trustworthiness of an Attester and the endorsement of the protection 
characteristics of its "Attesting Computing Context", allowing for other 
entities to use this framework and fill it with, e.g., openly defined 
levels of confidence metrics,

* is not based on the primitive of "trust" but the concept of 
"trustworthiness" as illustrated by the RATS charter,

* simplifies the definitions of Attester and Verifier that seemed to 
have caused some unfortunate confusion following the proposal of Giri 
and starting with commonly-accepted definitions and then justify why 
they may need to be modified,

* differentiates between the Attesting Computing Environment and the 
Attested Computing Environment better, which both are components of an 
Attester,

* uses the "Claim" concept as a building block to compose Evidence, 
Known-Good-Values and Endorsements. Conversely, the "Assertion" concept 
is dropped in this proposal (as initially suggested by Laurence, IIRC?). 
(Note: this was done to simplify the discussion about the information 
model. Please also note: Due to the {J|C}WT definition of "Claim", a 
key/value pair is implied, which is already a data model decision and 
not mandated by an information model), and

* analogously, now uses the term Known-Good-Values instead of 
Attestation Assertions.


For future versions the authors intent:

* to elaborate on the use of RATS Principals, including more exemplary 
diagrams of RATS Role composition and interaction between RATS 
Principals based on the use case document (and by that address a unified 
mapping to TEEP, RIV, and models that use EAT),

* to shift some of the focus on technical-trust as proposed by Thomas. 
(the Endorsements provided by an Asserter are a first step into that 
direction),

* still not to define the roots of trust terms nor invent new words for 
them :) But - start to reference them on a minimal level and define a 
base set of primitives they can provide in order to describe what they 
actually are and can do in the context of RATS as proposed by Ira, Simon 
and Thomas,

* to introduce and define a concise scope for layered attestation, 
addressing, e.g., the staging of Computing Environments and the 
(un-)availability of an Attesting Computing Environment at certain 
points of time, or, another example given, addressing the 
differentiation of an attested boot sequence of an Attester and an 
Attester running TEEs or rich systems for years,

* to address the change of Roles of a Principal over time as proposed by 
Ian,

* to move the remaining architectural sections in the EAT draft into the 
RATS Architecture draft, and

* to shift some of the focus on the out-of-band trust establishment in 
order to illustrate a coherent RATS ecosystem (e.g. the provisioning of 
key material is not include in the "base diagram" anymore for now - this 
will be more elaborated on in future section of the architecture).


Viele Grüße,

Henk






_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email