IETF Logo Mail Archive

Re: [Rats] EAT Profiles

"Smith, Ned" <ned.smith@intel.com> Wed, 14 September 2022 19:03 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E8DC14F737 for <rats@ietfa.amsl.com>; Wed, 14 Sep 2022 12:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.672
X-Spam-Level:
X-Spam-Status: No, score=-2.672 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ldNrbB7uY3S for <rats@ietfa.amsl.com>; Wed, 14 Sep 2022 12:03:26 -0700 (PDT)
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22793C14F732 for <rats@ietf.org>; Wed, 14 Sep 2022 12:03:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663182206; x=1694718206; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=u/oE+cxbwnP840nJdmWrfws3DzCh+6HnL+maOW2ZhNg=; b=IXhmBLfIRyvJgis4oXiSAYO3YDTS8f6rkPBRSEL9unimVQU5Hw8jFpXJ VWqMc1Nm569UdD/6pzCSiJ5L23Ck9b7mySSKQXtYOyNq8QMLHriTlJdgg yA7A7Plz0udgEHMWscLLiFVyWoGdxrwUWW9YA01LuFZ2n6jS0AXvowm+J tzg33hudNYEr09+v1ks9BFBmeT0BTC9i34eMfDY/1LqOwBFwfVYZ71U0j hQgeo1DPGbxJiZsrYrdOo8lqJRI48vAvXBst3KDL4VfCWPupMNbiGTAMN gqmK7ztrGO6Sz8/RpV4tu4w0ptIB6Dc+Jm0OpFUlxdZ1IFv6OKHxzWAyk A==;
X-IronPort-AV: E=McAfee;i="6500,9779,10470"; a="285559501"
X-IronPort-AV: E=Sophos;i="5.93,315,1654585200"; d="scan'208,217";a="285559501"
Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2022 12:03:25 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.93,315,1654585200"; d="scan'208,217";a="685420220"
Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by fmsmga004.fm.intel.com with ESMTP; 14 Sep 2022 12:03:24 -0700
Received: from orsmsx612.amr.corp.intel.com (10.22.229.25) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 14 Sep 2022 12:03:24 -0700
Received: from orsmsx608.amr.corp.intel.com (10.22.229.21) by ORSMSX612.amr.corp.intel.com (10.22.229.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 14 Sep 2022 12:03:22 -0700
Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx608.amr.corp.intel.com (10.22.229.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31 via Frontend Transport; Wed, 14 Sep 2022 12:03:22 -0700
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.40) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.31; Wed, 14 Sep 2022 12:03:21 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zog4MMtCL9XHBiOT6C1IQ8iwCuLUOeKEHWdlDnUpwHCgH2yd5prfsXN3slIhu/d9NEUkaTuKugG6OQrI3N29zqwcbZzDr2uiA8lEQLRt38K05smw3W5ADLI5CFNJON4CDIgq3akCkUYlVZpdRctsdCAtADjeOCmv8cQ26hMLNnBKKc8c9IA/8QLNpNXq5xe4/5LBiUMGRTILRj06y/3/EP4ISZLatirBPC48BV2fwGVJvL2oFXVWU1lACB9Yo0CZf62CquiFHKmiutX3qpsJzpeLyEosOtuomUjl97hTK80wWI5hemdqRo0jNPi0O4oRFqkRuKc5+tVwqLjgnFFq/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=u/oE+cxbwnP840nJdmWrfws3DzCh+6HnL+maOW2ZhNg=; b=COXY2cagizXYUZyr1nz3QSj1aQJ48KNkfqeKglqKRbP/Ay0vyq1TgIhFf9CuqeaopOb0PnnLn6Uv1UAzYsyoJezeNrljP3v4R75NKE/6Xz2McMcnN5frJB+oZxNHP6cl754Etj+NDOOA33yscjrANYSgdnzgDhHRP4dwJ9VqXp9YPWghdGlM5ZQ/OuFa10E1tiTplpdt5PJTlpxCboEbNcZN9MtE2mGWbeJthd7IsHEp7atxfq+HmeGFSNT7rolWRP7j7Xa10jLNgv7wavf2MkMuD0/FQgNSkKlVu/XNcz9f8EYz9jo0ZoZdvx8YEiY8dgf+3dRIgiDuTA9kUDB6pA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by SA2PR11MB5209.namprd11.prod.outlook.com (2603:10b6:806:110::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.22; Wed, 14 Sep 2022 19:03:20 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::7056:c22:10bd:3da]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::7056:c22:10bd:3da%5]) with mapi id 15.20.5612.023; Wed, 14 Sep 2022 19:03:20 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] EAT Profiles
Thread-Index: AQHYyEtV8Kv81tPlmkOf+Jnakzi5Fa3fQG+A//+S74A=
Date: Wed, 14 Sep 2022 19:03:20 +0000
Message-ID: <193AEE1A-4BEF-4BCB-804D-3C4B0D96DAA3@intel.com>
References: <71934.1663019954@dooku> <6D74BAE0-3B37-4A1F-9966-96EB60B9D675@island-resort.com>
In-Reply-To: <6D74BAE0-3B37-4A1F-9966-96EB60B9D675@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.64.22081401
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|SA2PR11MB5209:EE_
x-ms-office365-filtering-correlation-id: e7e1e8ad-ed11-4b9d-16aa-08da9683ca34
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 64XsZD2EeK+sQk98gsMjogoKAGU3yoeu6PZ8rGQ6PWWfQnLpgUATIv5qaMBTJUWlAvst0aTArEly1+JLURxPHcsnf+BJOGHtiPlTwlSczldwHkJELI352xYByLQD8sdcu5ReWuSgQdMe6qpGfPPajPADbNphVNw/KaOACdWKTibNTlGi1PA2ws7gr7xfSTAT7LDOi0fsUJFdYJpOU/ulxhmQliS1jw7W0t5yYb8HvHgQWPqOmRtVtEA+BBTA5Dt9n2JVEeTwDagdAdJeSa3iahw09tL9nTm1gSgEdBkXrSUtg8RQv9CmpVB+4ysou8nXwRK3oonejY2XcYBsM8DtreJDb87EoABoaTkn6iAMKAdqkj63NRYAZLyqqBLTXYmZJE5KuatOrrEt7XkM6bEfdgtmvwkr4jIGMDfpIYjomRjCHMgJVzVQGyCBb8i3YqWesTHBDM1qnKp5tOTDpKaHN1oCc4B9YTbAAjFUdb7mYP4YckrsaAXvemDX7MBZ1qcLEsXLVHw3FGjm3h39bztQX+CeTd4qSIhOEtcd+PNzre7IGB4RyiJbNwT9GPhcNeTdP4oTxAOGaLTQS7ePpotRVifJ/Rb5rP7qJj0s+RShGWVrq0mZ8YK9tXI72fSIhblLo6UVzmAwmit30Yp7rds1yKpujgzzMbpVzR3fV+exA+2L5hT+eLpA9USfQT+RbfHfOIKCDq/z6NflXLlmVKu3HfS8kix9cXGQB0lQb+uxuaiUqB/QxWUrmXrKePJdmaxRkODhaH2nx4efqcJ3LxDvQG5X/LtWxR3xZ+6viv6Dbo0=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(39860400002)(376002)(136003)(366004)(396003)(346002)(451199015)(6512007)(2616005)(186003)(82960400001)(41300700001)(122000001)(38100700002)(8676002)(4326008)(64756008)(91956017)(5660300002)(66556008)(26005)(66446008)(66476007)(76116006)(8936002)(66946007)(33656002)(36756003)(38070700005)(86362001)(2906002)(83380400001)(316002)(110136005)(6506007)(478600001)(71200400001)(53546011)(6486002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: IEnCMjpnCU+QS5j+7u3krJzH4HPEl/sfK/eBNmL+ydciy9Le5rNIbsvS35hcSrEzkfWl/D/gs0gfkY4KEx0YOJ1YjdIzN2ja036tm4YFJmPte6SYHX/lbGFlEl+sQb3p71EswymFOxC/srdDEL3d/0RAVgbrF80rVAfQzb/ls4Umt317XU3FHg9W+LOv20+mamMWWzBzrNvdC3FlFeZfGYa7WS2wTR9UFvdK7oFSPSh0+zl6IW4ln9IzD9Aumb4dHufnyLqHm0tVv6SLVUBNteUH7/UCTvCyx7u63okhXhEp9dimYRZ1lUwDqZ8GmkFhlY3hkJ5VpzG/yS58J0YEPPCIFxbyGmaClcXGxv86jz+LQUs97gjMMahaVovj6MVQegEjZyZ0kZbcmt/OQBprkhy90dEle91UcE+SUOKFAEORvyqlJyLzPl100gyZ26hUdH9xVXquJ1pR0Ui0xbaMarYS0aNSkH2cAnzawHgkhJer5xsceip5usQ8JVNBePpV2fSwvqRFXwsoHO99Z4tfOnnA79ToU8en7gYhTed0v09JPdKwdvV2qkNWtFWQT79tj6tCjYXEazrpGtyFyIHR75sHduglxGsKvSyjU8tYg9KSBJ6+otc3WOoPSiz4hMEJa1QIHfFR6pZWVTVgD1+19unG0WZIQ4//Swip7q3Ja/utPQM0pSf1Whiy0hcbdpqN5JpHD7L6HB0djvCR5fGHqUXZ8pSnXWgwBlIMgk/pTCTr5g72qn+sPnIFv2c5tl+O/a/QnZs4cESwDVvd9zrt9zR6QAq+vCAdcSMzUzBMfGagWYqjTef4por7c7pcYDrHjmuh2SdQ67cdE31IJDXhbSUAX4BwoTG8kc+BHVOto9qy1anN1+HBgNsf29TkKRr8DJym9DCmWLiA8Dr9dyVlk3L71LFiVC3IF351o8JTDoXJCUGjqc4xa3rIyZ1KxIaXrkJ4kJh6nJd7sN2EG6zVVdfxV3brDrfT//gYKF9tTYLGdhlyBA5+SjNcouGgx7PbIS7pSxI62MMvw8IW6N6dT56c7X75XRADO3tZr+srqNEWEWRxr9V0Jx5an9unVXcdDvojuXnyqVzBQR7PtzHKSjW6/i93LQCq1UQlRqIug6XvR0XNi5gd1RPWMYq+GCYOsp6aRi3ZQ1yEmzoZNYWCa6nd+B+B/Xzz8Obxy8BemNtHf31cd4HlVrwUKd4yGCoxC73L2XpJxPOO8JIeWHOjSi3DYF9nqhJAzZHPaqMEt5SvfHuj/+z4oWDcfoO2Mw7g3z8EP/JpfQwyDB20YzsdN5dv5V+S8LXJLBVPVAaFqBmfVxM6HfZLgYIa8G6NXQHbOVpCdTMmwmHn3dsEA0HUcYP4C7qNQi/8Lw3XrVFiH+aZP0u5RhvBwCFVdigehms2H4PDXlfOIubX5trfhZa6Klb+J3Tzm0cZ+b8Xw8cPgHNLkIh77cZSmENpOmUCTv5wzPBQof+s4fsVrAAESCU7BGazpdy5crxFhnxr4566IUkK6R3weQnZlHnwJTGx79DZP7pHj+Sy2GMN4Eo70us9o7TREjGPYENxaNw7dfdWHN7/AJOKC2J9pmhsb6gsw/jKq/40pOhc4i9iFoPI6DwKJw==
Content-Type: multipart/alternative; boundary="_000_193AEE1A4BEF4BCB804D3C4B0D96DAA3intelcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e7e1e8ad-ed11-4b9d-16aa-08da9683ca34
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Sep 2022 19:03:20.2858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2M+cruNuJ1AzXAfDWt8lG9kXZ9VyYfnYL0qHXCmnL3tXHCN5hsrpTcPGPqluPcYrvccrlVvXbb7xSrWHWSxugQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA2PR11MB5209
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/AdplmSWBNiHHLPsyAGuNIhPR8vg>
Subject: Re: [Rats] EAT Profiles
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2022 19:03:30 -0000

Maybe I’m not following the intent of this thread. Is it providing feedback regarding a TEEP profile and if so, is there some aspect of it that reflects on EAT (or any other RATS draft) that motivates a change to the draft?

If TEEP defines a profile, wouldn’t the TEEP WG own definition, publication etc…?

Thx,
Ned

From: RATS <rats-bounces@ietf.org> on behalf of Laurence Lundblade <lgl@island-resort.com>
Date: Wednesday, September 14, 2022 at 11:34 AM
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] EAT Profiles




On Sep 12, 2022, at 2:59 PM, Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> wrote:

Second, the next bunch of items:


Use of JSON, CBOR, or both: CBOR only.
CBOR Map and Array Encoding: Only definite length arrays and maps.
CBOR String Encoding: Only definite-length strings are allowed.
CBOR Preferred Serialization: Encoders must use preferred serialization,
and decoders need not accept non-preferred serialization.
COSE/JOSE Protection: See Section 8.
Detached EAT Bundle Support: DEB use is permitted.
Verification Key Identification: COSE Key ID (kid) is used, where the key
ID is the hash of a public key (where the public key may be used as a raw
public key, or in a certificate).
CBOR Tags: CBOR Tags are not used.

I really don't like the EAT has not made a clear judgement on these things
already.   I'd really really like EAT to be far more opinionated.

CWT has most of this variability and it is a standards track RFC. Should the CWT authors have been more opinionated? Should someone write a follow-on RFC to it that says what CBOR serialization it should use, what key ID scheme to use, ...?

I don’t know if there have or have not been interoperability issues with CWT deployment. Probably there’s few issues with the CBOR parts because everyone just follows along with the preferred serialization and no one is trying to implement CWT in pure hardware. Possibly there are some issues with algorithm selection. Probably there just isn’t very much deployment, so we haven’t run into much.

I’m not trying to be argumentative here. I just want to get to the bottom / heart of the issue.



The above list looks like it will be 95% of CBOR-based EAT "profiles"
Could EAT just write this down, and give it a name?

What I wonder about here is layered or partial profiles.

We could write down the CBOR serialization selections and call it a profile, but that doesn’t give 100% end-end interoperability because it doesn’t pick the COSE algorithm, key identification scheme and such.

I’m a bit scared of the notion of partial/layered profiles because that adds complexity to EAT, but it doesn’t seem out of the question.

I’m open to solutions here and want to figure out what makes good sense.


That way, we can well tested libraries that do the right thing here.
I think that really this is where Eliot is coming from.

My COSE/CWT/EAT libraries deals with the variability this way:
- Receiving indefinite length maps/arrays — Supports because the CBOR library does. Can be turned off by #ifdef to save object code.
- Receiving Indefinite length strings — Not supported because a memory allocator is required and my library doesn’t want to depend on one
- Preferred serialization — Always sends it and can receive it
- Sending non-preferred — The point of this would be to reduce object code or implement in HW. This is not supported.
- Algorithms — Variable support for depending on library version and crypto library used
- Key ID — Public APIs allow caller to do what they want
- Custom COSE headers — No support yet, but eventually by public API so caller can do what they want.
- Claims — Public APIs allow the caller to do what they want

The library uses a mix of approaches for different issues. It has to be flexible because it may be used in a variety of use cases. It doesn’t guarantee interoperability by itself.


EAT is all a la carte, and we are asking for a coordinated, three course set-menu.
(Please pair the wine with the fish.)

Good analogy! :-)

The desire for small code size is a really big factor here. Weight watchers are definitely implementing EAT in scenarios where code and memory size are big issue.

Not sure we can provide one set menu when some are vegan, some are teetotalers and some have nut allergies, and some really really like cheese steak with a beer.

Maybe EAT is the restaurant supply company and the profile authors are the restaurants with the set menu?

LL

v2.23.0 | Report a Bug | By Email