Re: [Rats] EAT Profiles

"Smith, Ned" <ned.smith@intel.com> Mon, 19 September 2022 16:08 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: Thomas Fossati <tho.ietf@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] EAT Profiles
Date: Mon, 19 Sep 2022 16:08:35 +0000
Message-ID: <C2FA407E-F290-404C-92CA-EBC64B3AE4A9@intel.com>
References: <71934.1663019954@dooku> <DBBPR08MB5915AC23726BF997EB9E44C4FA489@DBBPR08MB5915.eurprd08.prod.outlook.com> <19805.1663344806@dooku> <AS8PR08MB5911DB2FE9608541698983B0FA4D9@AS8PR08MB5911.eurprd08.prod.outlook.com> <636099.1663593501@dooku> <CAObGJnMkQFz23+JQ0bpDUJhsG=XG-16JsmH1yq=qTWBEhsw8uA@mail.gmail.com>
In-Reply-To: <CAObGJnMkQFz23+JQ0bpDUJhsG=XG-16JsmH1yq=qTWBEhsw8uA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Di7fPwNIJpVeNInhog6LaP38KXI>
Subject: Re: [Rats] EAT Profiles
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>

This thread started out about interoperability and has morphed into code reuse. Both are reasonable topics, but did the interoperability topic get resolution?

Profile Interoperability summary:

  *   Given n profiles, we need n libraries because each profile is different from the other (n-1) profiles (even if there is 99% code reuse, there is still 1% that is different; otherwise they would be the same profile).
  *   Not clearly stated, but implied(?) that profiles don’t have optionality (otherwise there would be more than one profile hiding inside a profile). Agree?
  *   Profile identifiers are globally distinguishable/unique (there’s no profile registry – and we don’t want one?). Implied: if a profile changes there is a new profile identifier assigned.
  *   A goal of profiles is to remove optionality that is possible under EAT?
  *   Another goal is that a profile is a subset of EAT (more constrained).
  *   Another goal is that a profile can be a superset of EAT (extended to satisfy product-specific considerations). Are there any constraints on proper/improper ways to specify “superset” functionality (e.g., only by way of a defined extension point)?
  *   Others I’ve overlooked?
-Ned
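The summary above (shared EAT code, a per-profile delta, no optionality inside a profile, a globally unique profile identifier, subset/superset claims) can be shown as a small verifier-side check. This is an added illustration, not code from the thread or from any EAT or PSA library; the profile URIs and the `vendor_boot_count` claim are constructed for the example, and the nonce/UEID size limits and `dbgstat` names are taken from EAT as assumed here.

```python
# Profile-driven EAT claim validation, added for illustration (not from any EAT
# or PSA library).  Profile URIs and the vendor_boot_count claim are constructed.
from dataclasses import dataclass

# Checks for standard EAT claims, shared by every profile (the reusable part).
# Size limits follow EAT: nonce 8..64 bytes, UEID 7..33 bytes; dbgstat names
# are the EAT debug-status enumeration as assumed here.
DBGSTAT = {"enabled", "disabled", "disabled-since-boot",
           "disabled-permanently", "disabled-fully-and-permanently"}
EAT_CLAIM_CHECKS = {
    "eat_nonce": lambda v: isinstance(v, bytes) and 8 <= len(v) <= 64,
    "ueid": lambda v: isinstance(v, bytes) and 7 <= len(v) <= 33,
    "dbgstat": lambda v: v in DBGSTAT,
}

@dataclass(frozen=True)
class Profile:
    ident: str           # globally unique id carried in the eat_profile claim
    required: frozenset  # claims the profile makes mandatory (no optionality)
    allowed: frozenset   # every claim the profile permits; anything else is rejected
    extra_checks: dict   # profile-specific claims beyond EAT (the "superset" delta)

def validate(claims: dict, registry: dict) -> list:
    """Return conformance problems for a decoded claims map; [] means it conforms."""
    pid = claims.get("eat_profile")
    if pid is None:
        return ["missing eat_profile claim"]
    profile = registry.get(pid)
    if profile is None:
        return [f"unknown profile {pid!r}"]   # only profiles this verifier knows
    present = set(claims) - {"eat_profile"}
    problems = [f"missing required claim {c}" for c in sorted(profile.required - present)]
    problems += [f"claim {c} not permitted by profile" for c in sorted(present - profile.allowed)]
    checks = {**EAT_CLAIM_CHECKS, **profile.extra_checks}
    for c in sorted(present & profile.allowed):
        if c in checks and not checks[c](claims[c]):
            problems.append(f"claim {c} has an invalid value")
    return problems

# Two constructed profiles: v2 differs from v1 by one vendor claim, so the change
# gets a new identifier instead of becoming optionality hidden inside v1.
BASE = frozenset({"eat_nonce", "ueid", "dbgstat"})
DEVICE_V1 = Profile("https://example.com/eat/device-v1", BASE, BASE, {})
DEVICE_V2 = Profile("https://example.com/eat/device-v2", BASE | {"vendor_boot_count"},
                    BASE | {"vendor_boot_count"},
                    {"vendor_boot_count": lambda v: isinstance(v, int) and v >= 0})
REGISTRY = {p.ident: p for p in (DEVICE_V1, DEVICE_V2)}
GOOD_V1 = {"eat_profile": DEVICE_V1.ident, "eat_nonce": b"\x01" * 16,
           "ueid": b"\x01" + b"\xaa" * 15, "dbgstat": "disabled"}
V1_WITH_VENDOR_CLAIM = {**GOOD_V1, "vendor_boot_count": 3}  # rejected: not in v1
```

Only the `Profile` records differ between the two profiles; `validate` and the EAT claim checks are the code that n profiles share.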

From: RATS <rats-bounces@ietf.org> on behalf of Thomas Fossati <tho.ietf@gmail.com>
Date: Monday, September 19, 2022 at 7:19 AM
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] EAT Profiles

hi Michael,

On Mon, Sep 19, 2022 at 2:18 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
    > [Hannes] We have created a library that produced an EAT based on our
    > profile and it was not too complex.

You missed the point.
You create *A* library that deals with *your* profile.

So, we need N libraries for N-profiles, and since the EAT document has quite
a large number of possible combinations, each use of EAT will wind up with
its own library.  There will be no reuse, which was the point of doing this work.

I have to strongly disagree with the conclusion that "there will be no reuse".
We reuse *a lot* of existing library code: COSE (~8k LOC), CBOR (~17k LOC) & EAT (~3.5k LOC for the claims we inherit).
On top of that we push the profile-specific code that adds the PSA attester claims and wraps all the other bits together into one interface.  That amounts to ~3k LOC, which, considering we support two profiles (current and legacy) with one codebase, I reckon is OK.  Besides, with this library we support both attesters and verifiers.
Basically, the delta amounts to defining the claims' set that have no EAT equivalent.  I expect anyone designing an EAT-based token today to take advantage of the richer EAT vocabulary compared to what was available to us when we started the PSA token work (i.e., March 2019).

    > [Hannes] Maybe you could post it to the TEEP list.

The EAT question is what a profile should say here.

IME §6.2 of EAT is doing a great job.  The only surprising bit in TEEP (for me) is the absence of mandatory claims: can it really contain *any* claims and still be called a TEEP token?  It seems strange, but as has been said, this is really a question for the TEEP WG to answer.

cheers,
--
Thomas