IETF Logo Mail Archive

Re: [Rats] EAT Profiles

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 September 2022 11:45 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24A9AC1522D6 for <rats@ietfa.amsl.com>; Fri, 16 Sep 2022 04:45:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6QxiuJRvikXx for <rats@ietfa.amsl.com>; Fri, 16 Sep 2022 04:45:00 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0F97C1522D3 for <rats@ietf.org>; Fri, 16 Sep 2022 04:44:59 -0700 (PDT)
Received: from dooku.sandelman.ca (safest-wave.imp.fu-berlin.de [160.45.38.252]) by relay.sandelman.ca (Postfix) with ESMTPS id C44FD1F480; Fri, 16 Sep 2022 11:44:57 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 6445F1A024D; Fri, 16 Sep 2022 13:44:27 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Thomas Fossati <Thomas.Fossati@arm.com>, "rats@ietf.org" <rats@ietf.org>
In-reply-to: <DB9PR08MB6524C8E33A05AE90F63BAE689C469@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <71934.1663019954@dooku> <DB9PR08MB6524C8E33A05AE90F63BAE689C469@DB9PR08MB6524.eurprd08.prod.outlook.com>
Comments: In-reply-to Thomas Fossati <Thomas.Fossati@arm.com> message dated "Wed, 14 Sep 2022 16:29:45 -0000."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 27.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 16 Sep 2022 13:44:27 +0200
Message-ID: <240513.1663328667@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/BTMIKLQtSUoHXkx6RYLCVOclOac>
Subject: Re: [Rats] EAT Profiles
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 11:45:01 -0000

Thomas Fossati <Thomas.Fossati@arm.com> wrote:
    > Thanks.  This sounds like a useful exercise.  Could you please have a
    > look at the PSA draft from this angle too?  We have tried hard to make
    > the document a blueprint of a EAT profile definition that others could
    > follow. It'd be good to have confirmation that we are on the right
    > track.

Hi, Looking at section 4.5.
I'm surprised at how little you write compared to TEEP (that's good, I think)
You are just declaring the profile claim value.
Again, I really think a URL is wrong in a constrained environment.

    >> First, this really feels wrong to use a string here for a constrained
    >> object.  My first suggestion is that it be FCFS registry.

    > This is a choice TEEP made (and, BTW, PSA too [1]) For a more compact
    > representation one could use a RFC9090 OID instead, there is no need
    > for a registry.  In fact, choosing URI / OID as the underlying type was
    > a conscious choice to avoid IANA round-tripping.

I think that's a wrong optimization.
A FCFS Registry is an email to IANA, and take as little as one business day
if time zones line up for you.
An OID could be much bigger than a 2-byte CBOR integer.

    >> I really don't like the EAT has not made a clear judgement on these
    >> things already.  I'd really really like EAT to be far more
    >> opinionated.

    > I think that's what the "The Constrained Device Standard Profile" [2]
    > is intended for?  One should use it as baseline, make a few custom
    > choices, define the claims set, and give it a new name.

Ah, this seems new to me.
Why didn't TEEP use it?  It looks identical to me.
Are each of these SHOULDs, or MUSTs?
If they are SHOULDs, then what are the exceptional case?

    > [2]
    > https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat#section-6.3

    >> This totally surprises me.  Are you saying that it's okay for TEEP
    >> evidence to have *NO CLAIMS*?  Surely that can't be right.  If there
    >> was anything I expected to see in a profile it would be a list of
    >> required claims.

    > Agree, this is quite surprising.  In contrast, a good chunk of the PSA
    > document (all of Section 4 [3]) deals with the definition of the claims
    > set.

    >> > Refined Claim Definition: None.
    >>
    >> This is part of what worries me.  There should never be any semantics
    >> changes between profiles for claims.

    > I don't know what is meant by "Refined Claim Definition".  It doesn't
    > look like something required by EAT.

Maybe it's old.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email