[Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt
Henk Birkholz <henk.birkholz@ietf.contact> Thu, 11 June 2026 08:43 UTC
Return-Path: <henk.birkholz@ietf.contact>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0F043FF39160 for <rats@mail2.ietf.org>; Thu, 11 Jun 2026 01:43:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781167406; bh=MyGgOeOI+cnFL0jay0ou6ae1wyqZguFyQ9VbxYMdGvg=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=P7nZalZvmKvt3ND+p5Fe3MkYbX61Q9+Ha46f927ArG9jT0zC5Vu3u+y2t57ZQIEmY niL3B0Omlkjc8bUMQ9ZLyx/uTWPEEvtIC+kGUjCHSMR2WS0M/aE7F9irwsyZvBGNJm O0KE3LuMymG1WIkOMLZVX082a3CgHLsRSOOlscVo=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.423
X-Spam-Level:
X-Spam-Status: No, score=-4.423 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.624, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ietf.contact
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CJo_RsQ5vfNs for <rats@mail2.ietf.org>; Thu, 11 Jun 2026 01:43:25 -0700 (PDT)
Received: from smtp02-ext3.udag.de (smtp02-ext3.udag.de [62.146.106.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 98030FF38E56 for <rats@ietf.org>; Thu, 11 Jun 2026 01:43:19 -0700 (PDT)
Received: from [134.102.161.87] (eduroam-pool13-343.wlan.uni-bremen.de [134.102.161.87]) by smtp02-ext3.udag.de (Postfix) with ESMTPA id 8E458E0100; Thu, 11 Jun 2026 10:43:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ietf.contact; s=uddkim-202310; t=1781167392; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vHva4hiWc09SKs1Y470RTJxmqqmnYs28dqO8Jhl6tp4=; b=kRiPs+UL/ShcwXGPMtMhfKQsOwKanuasXLVG9z6sBMwwoFNInbD/boDWJwhtF2TWNjLfEv HOBuKDCo+t80t2buZuiRZx6pfh+F3d0sXz37u/uH3sce8m7lCcOmZkrC3SthGhK4LGH3S7 N/9aOOS/9Ms82Zq9SXSXr1PXTHo4s3drR3CbGuUSMWBtmso8mVmoKL4V1ufKQmArY9X5+T sTjkdyzyHitLu5JRwieYC5yKH0gUuPZNSDTRy82eJHQyfuOlWL3QIHgio8gIo4iODZ/1MJ ftnuUipmZUvMNqi7xerIlqhX65zj55n+cq0JAsdU4o515tmQv9BZ/eubsPHFYQ==
Authentication-Results: smtp02-ext3.udag.de; auth=pass smtp.auth=henk.birkholz@ietf.contact smtp.mailfrom=henk.birkholz@ietf.contact
Message-ID: <5b8284b7-7a88-917a-9ddc-bace9ff2d517@ietf.contact>
Date: Thu, 11 Jun 2026 10:43:09 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: Thomas Fossati <thomas.fossati@linaro.org>
References: <177979461501.860642.12102997924387917673@dt-datatracker-5b4c8598b5-4ztf9> <CA+1=6ycGS0_aWN2QS0NekBc5G+02M8h3buhado90rrwgvFsM-Q@mail.gmail.com> <14c17207-95ba-391a-f05c-180c6de66666@ietf.contact> <CA+1=6yfrNaqQUnMuQMo9XCYOqa_7K34eS+59+wsU3eJRfErONg@mail.gmail.com> <1971324.1779996819@dyas> <CA+1=6ydMA4-M1hsvYedH8qOsPmoF4HRsaGunCppsxU7T7yx86Q@mail.gmail.com> <11839.1780168291@obiwan.sandelman.ca> <CAHxYnaP9xgGO3RJ32uRC764QW5nUfspGwc+Wwp5YaopsuLGaag@mail.gmail.com> <3080.1780934453@obiwan.sandelman.ca> <CA+1=6yeqSgcR1sXTNYD98Zy5aTDK8mY9d8kbq4k9Vm5VitQRrw@mail.gmail.com> <11827.1781016447@obiwan.sandelman.ca> <6a5690bb-129f-1405-9ff8-de956acc2231@ietf.contact> <VI0PR08MB11565630F65BA5DB555C427F68A1A2@VI0PR08MB11565.eurprd08.prod.outlook.com> <dd001881-7d95-91cd-8e50-c44b45adbb1b@ietf.contact> <CA+1=6yfG1psReu8Lx4rvuSJna424d+axxGFd=KJh-w2-XPO0+g@mail.gmail.com>
From: Henk Birkholz <henk.birkholz@ietf.contact>
In-Reply-To: <CA+1=6yfG1psReu8Lx4rvuSJna424d+axxGFd=KJh-w2-XPO0+g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: SS6MUAWJWQD634HNOX4WUEYFZDWFSGYL
X-Message-ID-Hash: SS6MUAWJWQD634HNOX4WUEYFZDWFSGYL
X-MailFrom: henk.birkholz@ietf.contact
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ionut Mihalcea <Ionut.Mihalcea@arm.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>, nd <nd@arm.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/CltepqtUVjOYDyWCHrrrGkV_Y3I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>
On 10.06.26 13:35, Thomas Fossati wrote: > Hi Henk, > > On Wed, 10 Jun 2026 at 12:38, Henk Birkholz <henk.birkholz@ietf.contact> wrote: >> so... the Verifier could take on that burden? > > That would amount to saying that the verifier: > 1. MUST support all two/three encoding variants, and > 2. MUST expose an API that allows the client to select which variant to use. This is like saying "it MUST support all types of evidence transformations" which is obviously not the intend, right? Some Relying Parties will support the default conveyance via COSE_Key, some will require a Verifier to do it for them. > > Very few verifiers, if any, will accept that burden. There is simply > too much complexity to maintain. > Bear in mind that the three variants are not exactly isomorphic, and > there are subtle differences between any two of them that would result > in information being lost when switching between formats. > >> We have not specified a >> lot about the Relying Party influencing the form and shape of Evidence >> and ultimately the Attestation Result. As a Verifier already is burdened >> with Evidence transformation (e.g., >> https://datatracker.ietf.org/doc/draft-ietf-rats-evidence-trans/) it >> seems to me that it is also its duty to exhibit some "Relying Party >> empathy" and transform key material into a representation appropriate >> for the Relying Party. > > IIUC, the idea is that since the verifier already handles many > complicated tasks, adding one more wouldn't be a problem. > This is not a particularly compelling argument, isn't it? > > cheers, t > > >> EAR is about Attestation Result content. If you go with just one "key >> representation" allowed in Attestation Results, some Relying Parties >> will always get some transformation burden assigned (and by excluding >> the COSE variant which is common in IoT, it mabye is the IoT devices >> that might carry the largest part of that burden). >> >> >> Viele Grüße, >> >> Henk >> >> On 10.06.26 12:25, Ionut Mihalcea wrote: >>> Hi Henk and all, >>> >>> In the long term I agree that transformation is inevitable, but given >>> the current ecosystem, Lindy's law, and the need to get designs and >>> software out, we need to support something akin to SPKI anyway. And dual >>> support (COSE_Key + SPKI) is not a burden for a Verifier, but (in my >>> view at least) relying parties are meant to be the least-RATS-savvy >>> entities, so any complexity or divergence would best be consumed by the >>> other participants instead. >>> >>> I'd lean towards simplicity and vote for SPKI only. >>> >>> Cheers, >>> Ionut >>> >>> *From: *Henk Birkholz <henk.birkholz@ietf.contact> >>> *Date: *Wednesday, 10 June 2026 at 11:01 >>> *To: *Michael Richardson <mcr+ietf@sandelman.ca>; Thomas Fossati >>> <thomas.fossati@linaro.org>; rats@ietf.org <rats@ietf.org> >>> *Subject: *[Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt >>> >>> THB, a COSE_Key (and if the symmetry is required JWK) as a single source >>> of truth to derive from does not seem overly burdensome to me. >>> Transformation will be inevitable in any case. >>> >>> On 09.06.26 16:47, Michael Richardson wrote: >>> > >>> > Thomas Fossati <thomas.fossati@linaro.org> wrote: >>> > >> It's also, as I recall, the format for DNSSEC DNSKEY RR >>> (isn't it? I >>> > >> could check) >>> > >>> > > It doesn't look like SPKI to me: >>> > >>> > > $ dig DNSKEY ietf.org +short 256 3 13 >>> > > oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 >>> > > KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== 257 3 13 >>> > > mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ >>> > > KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== >>> > >>> > Yes, RFC3110 defines the RSA DNSKEY (and KEY), which is not SPKI. >>> > And RFC4025 uses KEY format. And RFC9373 says RFC8080 describes >>> EdDSA, which >>> > is also not SPKI. >>> > I seemed to pattern match (Hallucinate!) that we used the SPKI object >>> > somewhere way outside of any ASN.1 attached protocol... in something >>> major. >>> > >>> > Why does this matter? because libraries that load it, without >>> bringing in a >>> > full DER parser. >>> > >>> > -- >>> > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT >>> consulting ) >>> > Sandelman Software Works Inc, Ottawa and Worldwide >>> > >>> > ** My working hours and your working hours may be >>> different. ** >>> > ** Please do not feel obligated to reply outside your normal working >>> hours ** >>> > >>> > >>> > >>> > >>> > >>> > _______________________________________________ >>> > RATS mailing list -- rats@ietf.org >>> > To unsubscribe send an email to rats-leave@ietf.org >>> >>> _______________________________________________ >>> RATS mailing list -- rats@ietf.org >>> To unsubscribe send an email to rats-leave@ietf.org >>> >>> _______________________________________________ >>> RATS mailing list -- rats@ietf.org >>> To unsubscribe send an email to rats-leave@ietf.org
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] I-D Action: draft-ietf-rats-ear-04.txt internet-drafts
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Henk Birkholz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Michael Richardson
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Michael Richardson
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Nathanael Ritz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Nathanael Ritz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Michael Richardson
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Michael Richardson
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Henk Birkholz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Ionut Mihalcea
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Henk Birkholz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Ionut Mihalcea
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Henk Birkholz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Henk Birkholz
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Thomas Fossati
- [Rats] Re: I-D Action: draft-ietf-rats-ear-04.txt Michael Richardson