[Rats] Re: Hint Discussion in CSR Attestation Draft

Carl Wallace <carl@redhoundsoftware.com> Fri, 21 June 2024 19:12 UTC

Date: Fri, 21 Jun 2024 15:12:48 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Thomas Fossati <tho.ietf@gmail.com>
Message-ID: <E7968891-2903-4A53-8A8C-060BFBE349AA@redhoundsoftware.com>
Thread-Topic: [Rats] Re: Hint Discussion in CSR Attestation Draft
References: <AS8PR10MB742727BFEC71CB78468FB0E7EECD2@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <0145e095-e684-d2ee-58d5-41aee54a4b3b@ietf.contact> <2627.1718830718@obiwan.sandelman.ca> <FB01F359-84F4-4AAD-82F7-1CF2356DCD4B@redhoundsoftware.com> <CAObGJnO6bn5xEpqPxc46HRh3v2BnmxbE0YXwfNv9BtQnNV9Mag@mail.gmail.com>
In-Reply-To: <CAObGJnO6bn5xEpqPxc46HRh3v2BnmxbE0YXwfNv9BtQnNV9Mag@mail.gmail.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Henk Birkholz <henk.birkholz@ietf.contact>, "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
Subject: [Rats] Re: Hint Discussion in CSR Attestation Draft
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/CwKtmic3yfrAkxbhlsNr44q1xn0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Inline...

On 6/21/24, 2:56 PM, "Thomas Fossati" <tho.ietf@gmail.com> wrote:


Hi Carl,


On Fri, Jun 21, 2024 at 8:24 PM Carl Wallace <carl@redhoundsoftware.com> wrote:
> On 6/19/24, 4:58 PM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
> <large snip>
> ht> In the CSR attestation draft we suggested to use a hint,
> ht> i.e. information that helps the relying party to select a verifier
> ht> that can help process the evidence. Since this hint will not be used
> ht> in all deployments, for example in deployments that only have a single
> ht> verifier, this hint is optional. As such, those who do not want to use
> ht> the optional hint do not need to look at it. For the other use cases
> ht> it provides value. Hence, I don’t really understand the objections
> ht> and I don’t want to remove the hint!
>
> I guess I've lost track of who and why this is being objected to.
>
> [CW] As an attester, how would you populate the hint field?


That may be information that is injected at manufacturing time into
the device and updated via its device management infra. An example
here [1].


[1] https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-22.html#section-4.5.1


> As a verifier, how would you consume the hint field?


You wouldn't. The hint is a routing label that is used by the relying
party to decide which verifier to contact for handling this specific
piece of attestation evidence. When evidence reaches the verifier the
hint is no more.

[CW] OK, so relying party, not verifier. How would the relying party use a "free form" label to route anything? 

cheers!
-- 
Thomas
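
The exchange above turns on how a relying party could act on a free-form hint. The following is an added example, not code from the CSR attestation draft, the PSA token draft, or any participant in this thread. It assumes a relying party provisioned with a fixed allowlist of verifiers keyed by opaque labels, a hint that arrives as a plain string next to the evidence (the draft's actual encoding is not shown on this page), and a single-verifier deployment that ignores the hint. The point it adds is that the hint is read before the evidence is verified, so the relying party must treat it as untrusted input: a key into its own configuration, never an address to contact.

```python
"""Added example (not from the draft or the mailing-list thread): a relying
party that uses the optional attestation 'hint' only as a routing key.

Assumptions, labelled here because the page does not specify them:
  - the hint arrives as a free-form string next to the evidence (the CSR
    attestation draft's exact encoding is not on the page);
  - the relying party is provisioned with a fixed allowlist of verifiers;
  - single-verifier deployments ignore the hint entirely.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verifier:
    name: str
    endpoint: str


# Constructed allowlist: hint label -> verifier. The labels are opaque keys
# chosen by the operator, not addresses supplied by the attester.
VERIFIERS = {
    "psa-prod": Verifier("psa-prod", "https://verifier-a.example/psa"),
    "tpm-fleet-2": Verifier("tpm-fleet-2", "https://verifier-b.example/tpm"),
}

MAX_HINT_LEN = 64


def normalize_hint(hint: Optional[str]) -> Optional[str]:
    """Canonicalise a free-form hint before lookup; return None if unusable.

    The hint is read *before* the evidence is verified, so at this point it is
    attacker-controlled input: bound its length, strip whitespace and case, and
    refuse anything that looks like a URL or host the RP might be tempted to
    contact directly.
    """
    if hint is None:
        return None
    h = hint.strip().lower()
    if not h or len(h) > MAX_HINT_LEN:
        return None
    if "://" in h or "/" in h or ":" in h:
        return None
    return h


def select_verifier(hint: Optional[str], verifiers=VERIFIERS) -> Optional[Verifier]:
    """Return the verifier to route evidence to, or None to fail closed.

    Policy demonstrated here:
      * one configured verifier -> hint is ignored (the 'optional' case);
      * hint matches an allowlisted label -> that verifier;
      * missing or unknown hint -> None; the RP should reject or queue rather
        than guess, because a wrong verifier cannot appraise the evidence.
    """
    if len(verifiers) == 1:
        return next(iter(verifiers.values()))
    key = normalize_hint(hint)
    if key is None:
        return None
    return verifiers.get(key)


def route(csr_attestation: dict, verifiers=VERIFIERS) -> dict:
    """Dispatch one constructed CSR-attestation-like structure.

    'evidence' is passed through untouched; only routing metadata is derived
    from the hint. The hint itself is dropped once a verifier is chosen,
    matching the thread's point that the verifier never consumes it.
    """
    v = select_verifier(csr_attestation.get("hint"), verifiers)
    if v is None:
        return {"status": "rejected", "reason": "no verifier for hint"}
    return {"status": "routed", "verifier": v.name,
            "endpoint": v.endpoint, "evidence": csr_attestation["evidence"]}


if __name__ == "__main__":
    # Constructed sample input; the evidence bytes are placeholders.
    print(route({"hint": " PSA-Prod ", "evidence": b"\x01\x02\x03"}))
    print(route({"hint": "https://attacker.example/v", "evidence": b""}))
```

The allowlist is the answer to the "free form" objection in this example: the label's free-form nature is confined to the operator who provisions both the attester and the relying party, and any value outside that agreed set is rejected rather than interpreted.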