IETF Logo Mail Archive

Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 04 July 2020 23:11 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C703B3A11D2 for <rats@ietfa.amsl.com>; Sat, 4 Jul 2020 16:11:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYZ2kZZ4XtFM for <rats@ietfa.amsl.com>; Sat, 4 Jul 2020 16:11:21 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95D2D3A11D1 for <rats@ietf.org>; Sat, 4 Jul 2020 16:11:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 9E878389BC; Sat, 4 Jul 2020 19:08:28 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id tF-ya-P1saDh; Sat, 4 Jul 2020 19:08:28 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id D77DB389BB; Sat, 4 Jul 2020 19:08:27 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 895E264F; Sat, 4 Jul 2020 19:11:18 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Thomas Fossati <Thomas.Fossati@arm.com>, "rats@ietf.org" <rats@ietf.org>
In-Reply-To: <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com>
References: <ietf-rats-wg/architecture/issues/116@github.com> <28098.1593568476@localhost> <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 04 Jul 2020 19:11:18 -0400
Message-ID: <22564.1593904278@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Ay_0LQziC0-PkCf8A3iWMtlPd2s>
Subject: Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2020 23:11:24 -0000

Thomas Fossati <Thomas.Fossati@arm.com> wrote:
    > Personally, I am not convinced that an in-band pii flag is needed.

Just to be clear, the alternative is an out-of-band PII flag, which is to
say, a configuration on the Verifier for that claim.

This implies that the Verifier always knows all the claims that it will
receive, and that Verifiers and Attesters are never upgraded
out-of-sequence.

Remember that some of this question came up because we were discussing
whether a Verifier would have to provide Evidence as to it's trustworthiness
to the *Attester* before the Attester would trust it with PII Evidence.

Now, consider that we have some use cases for mutual Attestation (Hi Guy!)
and, and maybe we wind up with another way in which to deadlock...

    > On the Attester side, the privacy problem can be addressed by an
    > attestation API that allows the caller to selectively turn off claims
    > that are PII -- either with per-claim switches, or by presenting
    > pre-canned PII-revealing and PII-hiding interfaces to the Evidence
    > generation service. We expect the attesting endpoint to make the right
    > decision about what can be hidden and what needs to be revealed
    > depending on context.

Yes, but that's not really the point.
It's not that the Attester code base does not know which claim contains PII
or not, it's that it doesn't know if it can rely upon the Verifier to do
the right thing.

Can this even work across legal jurisdictions with different requirements and
mandates?

    > On the Verifier side, I'd expect that the log/audit anonymisation and
    > retention policies for Evidence are an integral part of the service
    > configuration.  So, no need for an in-band signal about what is to be
    > considered PII since the Verifier is going to be made aware of it by
    > some out-of-band means.

    > That leaves the RP, which I'm not fully sure about.  However, my gut
    > feeling is that the Attester will have to trust the RP to do the right
    > thing since no in-band pii flag will ever be able to restrict what a
    > malicious RP can do with the obtained PII.

    > Am I missing anything?

I think that up to know there has been a single vertical of Attester/Verifier/RP
being all built by the same vendor.  Things like changes to what is PII,
or introduction of new claims could be coordinated internally.

As we move towards a multi-vendor situation the rollout of new claims will
occur in an unpredictable way.

    > PS: Maybe there is a requirement for EAT profiles to specify in their
    > privacy considerations what claims are PII and what is the expected
    > treatment by actors in the attestation chain.  This is EAT's job, not at
    > the architecture doc level though.

I'm okay if the answer is that EAT will include some kind of flag, but
that we don't have to assume it exists at an architectural level.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email