Re: [Rats] Partial Profiles (was Re: New Version Notification for draft-tschofenig-rats-psa-token-13.txt)
"lgl island-resort.com" <lgl@island-resort.com> Mon, 04 September 2023 18:31 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89D2EC15109A for <rats@ietfa.amsl.com>; Mon, 4 Sep 2023 11:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peG61837aVVQ for <rats@ietfa.amsl.com>; Mon, 4 Sep 2023 11:31:45 -0700 (PDT)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2115.outbound.protection.outlook.com [40.107.220.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD902C15E406 for <rats@ietf.org>; Mon, 4 Sep 2023 11:31:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nKr9G+9KLAvcknt+nnKWn5QTWFc3yUwzYyaVNaYVpucNSLuUop5zQdUfI2ugttBoHw1m6bWz3NTD9fuoZZYlmYYzYlQLSrz+rFuWwE4AQKTQapSp0FvQXuQ96a6mxKv44RubK4aubh3DdWKFc/PNLj2AjpOwTsGD4XZneW+hIih8szdZr33W+/nPu9eN7oI8DQVlN8afU9p/pTlGLTM/aNKy1fmtaRjCPZ+N0kTdq+o5E4DInyCvjVxYvfktbao/SEoiru9jRFd98uXJBt/C2Ftu0WRf+EKWhEWRr71NlepLpj3/BQBO4pfN8WKjqrHhr5GlrOLiSGhOLalzd9CpNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=a63/P0Fneu9dZeF1An1Tvbz0EEr3uXYo7xjpviu2lAs=; b=LxD9PbiqOeSuteCU7M6fglGzrLrVBi47YTTarUZ7eHPCRWL1IsudOvTTJqvoqBKJSDcY8bxVOTBkJlCEBOhLFTxGCmciWcnr1+OucnEY7BWpHxqrrXdqwf25oO++SSmWI+FWmCvHyXBQGzAUPq0J0mM/KizuheAJVvw9IFvl8DQWpkO91RoVnVTrdl41A50WLueC384c7ZNPS8a0Gf8aWo/LAGMVXLwOA4LK7H9/GFs3hIz/zCWpn5yWUEV7STjXrxvPSiw9kXa018USHwCCp9GnZ737pyXvok4pzPvTI02WVjjms20MSbUUUDoqUVrPSNfr/MfGLkzFO0kuttAM1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by CYYPR22MB4363.namprd22.prod.outlook.com (2603:10b6:930:c0::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.30; Mon, 4 Sep 2023 18:31:43 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::f317:e4d1:7e1e:3934]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::f317:e4d1:7e1e:3934%3]) with mapi id 15.20.6745.030; Mon, 4 Sep 2023 18:31:42 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: Thomas Fossati <thomas.fossati@linaro.org>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Partial Profiles (was Re: New Version Notification for draft-tschofenig-rats-psa-token-13.txt)
Thread-Index: AQHZ3v+ZmUjvT23FSk2M66Kq8JX+cLAK/g4A
Date: Mon, 04 Sep 2023 18:31:42 +0000
Message-ID: <8BC9CCA6-110C-4478-9041-01E6CEB09958@island-resort.com>
References: <169358319952.22584.5522382198109168002@ietfa.amsl.com> <CA+1=6yf4YmduV-V_9_tLKJtDV5erRKHW6JzZt1w4Y4kKw2A-Qg@mail.gmail.com> <31907C23-3C21-4070-AB4D-6D045EEAB578@island-resort.com> <CA+1=6ycaA_tUa-WA9r+B=JE9BhLHjMfJ=_GOyTjNnb5wdDo-=Q@mail.gmail.com>
In-Reply-To: <CA+1=6ycaA_tUa-WA9r+B=JE9BhLHjMfJ=_GOyTjNnb5wdDo-=Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|CYYPR22MB4363:EE_
x-ms-office365-filtering-correlation-id: 6188d58b-2848-4a67-50f2-08dbad752fc3
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5RGQmhm4tZM5X0iIUO1njm46QLMqgoVXXOgYfoq2Il3Y4sdqXi6n0o3rruqLYGZ48hM0pCYCVGMZPVnC/DEOkk8iGp5T5PmSDPMNSo5Z28RJoGjbMdwZBITIp99DmVxoR9Bzr4RyF4lSAZ3QQiEbHo1ktPLAXI3vDjNcMZgQ503CrS3jhdF53cEUe2XKCT4nS5PI/CGlH2Yb8Q0wtla9DIERC5aZJAALhEjL3urXdkxJBBKuPK7fmhSmk9k492yeKGFDDipaQglnoKAg0kT8+d4UdAwrgFuP7dIkFdXwZXgnrm60OCJ0c68fZX4RnzFhVkLcfLwjRKR9Z3FzfL5yrX3LUgwkM901xBwC8nMsRGkw20P0GrObJpLAYOhaudUJprdSggO/otmN5yQ59+Y6V0xhQNyES1fFQ12h2PCsXpNQS5b3ShibQ++c/xaTLSwCXUcK9c7zIsFzJfis9PeMCia1dmHpNyR685iq5qR9cnlnp0k1wplGpfBz2GSpBOQgCMfwa0s960cXCTcPeGBSUXbeS9bvG8zo+Z7Zd5BHTYCX2xr85N1b8rRUc43t2kaum7Hd1AzizX48xoDoi/0QIfcUbJBkDlAYCXOz4QAhhgUkV4viZGh8YNS48lh9U45cas8UES8GpuS9dmRSBsEhTOwny+ETVvV6rNGl9s4rpOw=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39830400003)(376002)(366004)(136003)(396003)(346002)(1800799009)(451199024)(186009)(8676002)(8936002)(5660300002)(316002)(6916009)(64756008)(36756003)(66556008)(2906002)(66476007)(66946007)(76116006)(66446008)(4326008)(66899024)(41300700001)(6506007)(53546011)(6486002)(26005)(6512007)(15650500001)(166002)(122000001)(71200400001)(38100700002)(66574015)(38070700005)(478600001)(966005)(2616005)(83380400001)(86362001)(33656002)(21314003)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: AUqtCSzkvDpqEkMziGmcL5eNttuB0orJZvRL+HK+Ue5fo+Djfq0qUu0/w+pSKrGZnZ6IozEjrmmdc1J2+uHEPSPU2qGaO5znJQPQlEAAlBnc61kPupzwRU4PJUZDvsTyDj1pMJEHCJ+3mc5D9jLD5w8jAAe20pt0ogysOXdzBRWdfnba6DOG+0j1bmbCm9sULG2WjkFWs9CwsBwUbUPF8QKpEFHBQ53+jGBcpQe+eToLphvndt3BPnuZmJMFKj4Cuh4hJW993uT8jk8jiV0oNonoaV3+ib6vM7Ou5tNBDl9FkGXHP0pZRo7gG3PBXIS0eFCVTryjIQHDuNIK1Fuyf4/6mlT82Boxk1kFT4LzyM6CkjoueVhwp3+FTUv+H8AKsammFpYdbif6t48y081fFTqrf41HKB45mHgcIMkbv72l2SBFFcLB1xY09i6vJzNT22Hj++eofOdV2BOOh/qgTkhwmcRJhIME+wlzy0eQiEf1JV7cFBPJ8uOBdY7EUYgFhn0F+IMDWa6Ivv53T74+FvreZ2o4zVqsmo+5QxjqUSvLhuuOlSr9NC1OC+acbcPcKyoCbiNJw1TtQW536v4mYuGdzlFpVs9thWvN0ePIecB+LS7TlS3fo8Lmo6uNdYRZWijRrt2a7Re/e9WscnT2zrCELd+Unb20RDZvz0YVL3eATtDpxCyZFlZwHjGWE3f/XO2e8sZI6iK3+1d4XXY55wemYFCP1iz1jMKnqH3L+TYI8Ifs6beTy31yeTxmQleK6DHMSRiKb+JBN/wAa6UcU1fDyiX2ImHKzapC4JbkkW74dHDNv34iWwEsXPPuT94WqXhn1V5j1w19VyyoslDLoodK3pRpXUXspDqWAGTxFHqgAE1Fm34NwASmmEJJHGTNyw9Dl2dNQ7cKnVyUmR4XRc+EBFusCyJbjRMxhSp8al6ns3VKbZHDXUqHe/kJ7fMM+noYZLYjiBYNI+yMQgJeKBc+N5KKt3x79OoVSQnAWWRzLz/4tYlc/5xOFgwXwWDZ7Ssc9pRkh36CLUfMRCRlBWq8BKtwcbEwxIy6Ly5/WmMkh7+0DEIcE2lV58M9/8d8m9gKOYE/sr7/ul8vcIf9YvCLa92U2tewq5ZoYEiJGp3EA4152+5SPk3P+BK5uq5m1WOE8axwpGFKXWhZw62TXHoQpdaXSIa+6leaV+bVgg9u0LzNkcMTAaZXbj8vlsbjhGtXIuUaTQ+mQbOFor6Wf8Tw8zKMdcpoeJfz5FJ9w6/QTkB2pe2iurFs6EPRrgUX/4ZaHOjdAlTWu9J/UgvQBoQJ/9JyHz1Y3egcdJusOFe61OFcXMxzCn5k7Xq9yyM2buJOrsymzJbV7Rs6SITS8ci8MLnrU98Ve+H6DPKchc2ud+YJxuoAuGmD1ox7iFe/K73DVL0NON9HlOOzRFi3rXKZiSVdzjPmbTo381DUvr86XEdj9j7kg/6fEImAieDs6U7tvPe9BbH12Lr6qf2Hwl/RBrTmlbG4D+JAm7dIblTNZLeCdXu2b7vNpDawcgpK05+zIsQZCLyZSxzUXEuNss9qPiUfhBTMxM9DJZldLC0a3hMYhz0/5ojNb9ml8MenZD9cpX00tVQ92wiL8IJrZA==
Content-Type: multipart/alternative; boundary="_000_8BC9CCA6110C4478904101E6CEB09958islandresortcom_"
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6188d58b-2848-4a67-50f2-08dbad752fc3
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Sep 2023 18:31:42.6909 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CyJcZRzTmhv6HowDJUY+s0K1M3h/4262rOLqY2AES9Am8hvWk7vDYD2OXI6oBaLu1C7y72mtA8y+/52iwfPLcg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CYYPR22MB4363
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/CqEngka8yP3GlX3HF2Jwt-G3GiU>
Subject: Re: [Rats] Partial Profiles (was Re: New Version Notification for draft-tschofenig-rats-psa-token-13.txt)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2023 18:31:49 -0000
I’ve create a PR for EAT discussing full and partial profiles<https://github.com/ietf-rats-wg/eat/pull/404> (text pasted in below). I think it is fairly important and a good thing to add, but I fear it is significant that it might delay EAT because it is more than just procedural correction. I think it is fairly important because there is not good clarity about interoperation of protocols like CBOR, COSE, CWT and EAT in the IETF. LL A "full" profile is one that fully guarantees interoperability when a sender and receiver both adhere to it. A "partial" profile doesn't provide that guarantee. For example, a profile that allows the use of signing algorithms by the sender that the receiver is not required to support is a partial profile. The sender might choose a signing algorithm that some receivers don't support. A full profile requires the receiver to support every signing algorithm a sender can choose. A full profile doesn't require that the receiver be able to process absolutely everything that might be sent, but it should guarantee the essentials will operate. For example, signing and freshness are critical and should be guaranteed. Many claims are not and do not have to be guaranteed. Partial profiles are discouraged. It is better to define several full profiles perhaps derived from each other. That way each profile is actually usable. It is relatively easy and inexpensive to define profiles as they don't have to be standards track and don't have to be registered anywhere. For example, rather than leaving the signing algorithms unspecified perhaps to accommodate post-quantum algorithms, a profile can specify the NIST signing algorithms. When the post-quantum algorithms are selected, a derived profile that adds the new algorithms can be specified. The derived profiles can be as simple as stating "the 'Xxx PQ' profile is the same as the 'Xxx' profile with the addition that the receiver must implement the 'yyy' post-quantum algorithm." A "eat_profile" claim SHOULD NOT be used to identify partial profiles. On Sep 4, 2023, at 12:15 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote: Hi Laurence, This is awesome feedback, thank you so much! To track your review I have opened: * https://github.com/thomas-fossati/draft-psa-token/issues/89 * https://github.com/thomas-fossati/draft-psa-token/issues/90 * https://github.com/thomas-fossati/draft-psa-token/issues/91 We will need to sit down and discuss among co-authors what to do about this "partial profile" item. In the meantime, we can continue the conversation on GitHub. Cheers & thanks again! On Sun, 3 Sept 2023 at 20:50, lgl island-resort.com <lgl@island-resort.com> wrote: Hi Thomas, here’s my comments 1) Preferred encoding There is no requirement of preferred serialization. Particularly integer and integer arguments do not have to be in the shortest form. I think it should probably require it like the EAT Constrained Device Standard Profile 2) Base on EAT Constrained Device Standard Profile? When PSA token started there was no EAT Constrained Device Standard Profile. Now there is. You could rebase the document to be a variant of EAT Constrained Device Standard Profile. You’d just say “PSA Token is the same as the EAT Constrained Device Standard Profile with these differences”. The differences are 1) any algorithm can be use, 2) claims Client ID, Secure Lifecycle,… are added, 3) freshness model allows epoch handles. Just a thought. 3) Partial Profile (I get beat up when I make comments like this, but here goes…) This is a partial profile. It doesn’t guarantee interoperability because it doesn’t lock down algorithms, key identification or freshness. The EAT Constrained Device Standard Profile is not a partial profile like this because it does lock these down. If you leave it as a partial profile, I think you have to call this out. You have to say “further profiling is needed for real client-server interoperation”. Also, if you leave it as is, I think the EAT profile identifier should be removed because it doesn’t identify anything useful. My suggestion to deal with the partial profile issue is to define one or more full profiles. Lock down the algorithms and key identification and such for one or more profiles. This doesn’t preclude a future PQ token and such. A PQ token is just a different profile to be defined in the future. It can be easily described as the PSA Token profile with PQ algs. Basically, I’d like to discourage partial profiles that don’t interoperate. Maybe the EAT draft should be more clear on this. Maybe it should say that profiles with profile identifiers MUST NOT have any variability that would allow for non-interoperable implementations. LL On Sep 1, 2023, at 8:52 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote: Hi folks, We have just published -13 of the PSA token, which we reckon is really close to final. So, given EAT is progressing towards publication, we are planning to submit the PSA draft to the ISE shortly. Whilst we tried hard to tick all the boxes in §6 of EAT, we'd love to get some more eyeballs on it because it's one of the first EAT profiles and as such it might become a blueprint for others. Therefore it's quite critical that we make it as good as possible. Thank you very much, cheers! ---------- Forwarded message --------- From: <internet-drafts@ietf.org> Date: Fri, 1 Sept 2023 at 17:46 Subject: New Version Notification for draft-tschofenig-rats-psa-token-13.txt To: Adrian Shaw <adrianlshaw@acm.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Mathias Brossard <Mathias.Brossard@arm.com>, Mathias Brossard <mathias.brossard@arm.com>, Simon Frost <Simon.Frost@arm.com>, Simon Frost <simon.frost@arm.com>, Thomas Fossati <thomas.fossati@linaro.org> A new version of Internet-Draft draft-tschofenig-rats-psa-token-13.txt has been successfully submitted by Thomas Fossati and posted to the IETF repository. Name: draft-tschofenig-rats-psa-token Revision: 13 Title: Arm's Platform Security Architecture (PSA) Attestation Token Date: 2023-08-31 Group: Individual Submission Pages: 32 URL: https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-13.txt Status: https://datatracker.ietf.org/doc/draft-tschofenig-rats-psa-token/ HTML: https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-13.html HTMLized: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token Diff: https://author-tools.ietf.org/iddiff?url2=draft-tschofenig-rats-psa-token-13 Abstract: The Platform Security Architecture (PSA) is a family of hardware and firmware security specifications, as well as open-source reference implementations, to help device makers and chip manufacturers build best-practice security into products. Devices that are PSA compliant are able to produce attestation tokens as described in this memo, which are the basis for a number of different protocols, including secure provisioning and network access control. This document specifies the PSA attestation token structure and semantics. The PSA attestation token is a profiled Entity Attestation Token (EAT). This specification describes what claims are used in an attestation token generated by PSA compliant systems, how these claims get serialized to the wire, and how they are cryptographically protected. The IETF Secretariat _______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats _______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats
- [Rats] Fwd: New Version Notification for draft-ts… Thomas Fossati
- [Rats] Partial Profiles (was Re: New Version Noti… lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Thomas Fossati
- Re: [Rats] Partial Profiles (was Re: New Version … lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Simon Frost
- Re: [Rats] Partial Profiles (was Re: New Version … lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Thomas Fossati
- Re: [Rats] Fwd: New Version Notification for draf… Michael Richardson
- Re: [Rats] Fwd: New Version Notification for draf… Thomas Fossati
- Re: [Rats] Partial Profiles (was Re: New Version … lgl island-resort.com
- Re: [Rats] Partial Profiles (was Re: New Version … Smith, Ned
- Re: [Rats] Fwd: New Version Notification for draf… Hannes Tschofenig