[Rats] Response to Eliot's major issues with EAT
Laurence Lundblade <lgl@island-resort.com> Thu, 23 June 2022 19:09 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47198C159497 for <rats@ietfa.amsl.com>; Thu, 23 Jun 2022 12:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M5wnJB0Gw4Bq for <rats@ietfa.amsl.com>; Thu, 23 Jun 2022 12:09:09 -0700 (PDT)
Received: from p3plsmtpa06-03.prod.phx3.secureserver.net (p3plsmtpa06-03.prod.phx3.secureserver.net [173.201.192.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC416C15A721 for <rats@ietf.org>; Thu, 23 Jun 2022 12:09:08 -0700 (PDT)
Received: from [192.168.1.8] ([75.80.148.139]) by :SMTPAUTH: with ESMTPA id 4SCQotupedgin4SCRoa478; Thu, 23 Jun 2022 12:09:08 -0700
X-CMAE-Analysis: v=2.4 cv=Q+4XX66a c=1 sm=1 tr=0 ts=62b4ba54 a=qS/Wyu6Nw1Yro6yF1S+Djg==:117 a=qS/Wyu6Nw1Yro6yF1S+Djg==:17 a=NEAV23lmAAAA:8 a=T2Pc-6NVIQfoD6XhyXcA:9 a=QEXdDO2ut3YA:10 a=ZOsr-ibFmY2cWPWB:21 a=_W_S_7VecoQA:10
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CA4E547B-F30C-453C-9C4C-306BC0FCE9A3"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Message-Id: <0863D6CF-B076-4099-9D17-10EAC65CB589@island-resort.com>
Date: Thu, 23 Jun 2022 12:09:06 -0700
To: Eliot Lear <lear@cisco.com>, rats <rats@ietf.org>
X-Mailer: Apple Mail (2.3445.104.21)
X-CMAE-Envelope: MS4xfIWy5wOGAxdVTZatxf+dnb4W6dRwmtIBn95wozHhYSy9lS6QwsJIrqkudFAkcMyodfWvCCNBKFgSoyfsNVhCx98SiOuJRmY5qs6q7hX+jMCY+TvaStIz QD/tQaffYnOgq1Fk+jCB7QIa4UFHPy4REdZ2JSLDytyAQxdU+Fnh8v27ITrDpLxx9igsYownjXRwmbhHRXTCpMTFIbUiYfL+g3Q=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/FhBZ1o6erosUz4lBxAEkbLbwWF0>
Subject: [Rats] Response to Eliot's major issues with EAT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2022 19:09:11 -0000
Here’s PR’s and comments on the major issues from Elot’s IoT review of EAT. I have made some PR’s for the minor issues, but haven’t listed them here. Thanks for the comments. They are making the document better. LL > Major: > > The most major problem with the document is this: > > 7. Profiles > > This EAT specification does not gaurantee that implementations of it > will interoperate. The variability in this specification is > necessary to accommodate the widely varying use cases. An EAT > profile narrows the specification for a specific use case. An ideal > EAT profile will guarantee interoperability. > > This is quite counter-cultural to the IETF. You start with the > smallest set of functionality and then expand outward to cover > different use cases that make use of different extensions. I'm > not saying that profiles would not be necessary, but that some > additional thought be given to extension mechanisms. > > This statement in particular is quite disturbing. > > In some cases CDDL may be created that replaces CDDL in this or other > document to express some profile requirements. > > Not only is this counter-cultural, but it would require an Updates: > header on any such profile, and would further just be plain out > confusing. > > In short, the profile mechanism is harmful to the very concept of > interoperability. The updated text points out the sections in CBOR, COSE and JWT that discuss implementation variation. COSE actually use the term “profile” to name its section. As I commented previously, I think EAT profiles are a mechanism to explicitly tackle all this stuff all in one place that predated EAT (and is mentioned in various RFCs already). https://github.com/ietf-rats-wg/eat/pull/215 https://github.com/ietf-rats-wg/eat/pull/216 https://github.com/ietf-rats-wg/eat/pull/210 > > Section 4.1: > > The nonce MUST have 64 bits of entropy as fewer bits are unlikely to > be secure. A maximum nonce size is set to limit the memory required > for an implementation. > > There are two sides to this equation: the generator of the nonce and > the consumer. How is the generator supposed to know how much memory > the consumer has? The memory use of the nonce for the consumer is capped by the specification of a maximum size. That maximum is 74 bytes per nonce which is a relatively small amount that any implementation should be able to afford. I think it is right to cap the size of the nonce and a few other critical and common claims like UEID, but obviously we can’t cap them all. > > Section 4.2.1: > > UEIDs are variable length. All implementations MUST be able to > receive UEIDs that are 33 bytes long (1 type byte and 256 bits). No > UEID longer than 33 bytes SHOULD be sent. > > 256/8 = 8. 8+1 = 9. I don't understand the parenthetical. Clarifications here <https://github.com/ietf-rats-wg/eat/pull/196>. No more need to do math. > > Between Section 4.2.1 and 4.2.2 there is a particular use case I would > like to understand: > > If a system integrator resells a bunch of components that have been > tied together, what guidance is given as to which [S]UEID should be > exposed and for what purpose? Does the consumer consume a full array > of each of these things? What's the intent? The main intent here is that this is use case specific and that detailed behavior should be addressed by a profile. There’s no way this document can address all the use cases. Wording improvement to SUEDs is here: https://github.com/ietf-rats-wg/eat/pull/197/files > > Section 4.2.6: > > Please do not use a free-form text field for the software. That makes > comparisons and authorities quite difficult. In fact between this > section and section 4.2.7, you may wish to consider using Package > URLs. > It seems like there a lot of ways of naming SW and no particular one that is as broadly applicable as EAT is so it’s not really possible to create a broad standard here. So the purpose of this claim is kind of a crude last resort (that I think will be valuable and useful). Note that this claim is to describe the final SW build/load for a finished device. Package URLs seem more about naming SW libraries that will be used in the build process. That said, I have no objection to a claim for them, but think it should be outside of EAT. I made some wording improvements: https://github.com/ietf-rats-wg/eat/pull/217 > Section 4.2.8: > > As a whole this section is a bit too talkative. Also, there are many > claims programs, and so I question the value its value. If it is seen > as important, then some qualitative statement about specific > certifications seems more appropriate. A very controversial claim. See other discussion on RATS list. It tries very hard to explain why it is not based on certification and that if you want a list of certifications you should use a DLOA. Any suggestions to make it more clear without being more talkative? > > In general the CDDL for uints in particular requires .size values. > Otherwise you are just asking for random failures based on the limits > of varying tests. I went through all int and uint in the CDDL to see where a size could be imposed. I added a limit <https://github.com/ietf-rats-wg/eat/pull/201> for CoAP content-format. Others like bootseed and time stamps shouldn’t have a limit. The PEN registry doesn’t specify a limit and there is no limit on OID arc integers so I have not put a limit on it, but maybe we should. A limit of 32 bits would certainly be enough. > > 4.2.15 DLOA > > This claim is typically issued by a Verifier, not an Attester. When > this claim is issued by a Verifier, it MUST be because the entity has > received the certification in the DLOA. > > Unclear antedent. Perhaps you mean: > > This claim is typically issued by a Verifier, not an Attester. > Verifiers MUST NOT issue this claim unless they have received the > the certification in the DLOA. > > Same issue with multiple DLOAs. > > Also, is it possible that DLOAs will be produced in JSON at some point > in the future? If so, why not allow for that by not mentioning XML, > and simply requirng observance of HTTP Content-type semantics? I’ve made fixes here <https://github.com/ietf-rats-wg/eat/pull/200>. To allow for JSON DLOAs I’ve removed any mention of XML. However this still relies on the DLOA standard so it would be up to it to specify JSON. > > Section 4.2.16 > > Can a software manifest be an SPDX or CycloneDX document or a pointer > to same? There's a WHOLE lot of the former out there, and the latter > is growing in popularity. If this is the case, let's define > appropriate types now. > > If there is no CoAP identifier > registered for the manifest format, one should be registered, perhaps > in the experimental or first-come-first-served range. > > This sentence seems redundant, and the policy aspects opens this work > up to the peril of a policy change for the IANA registry. There’s not any restrictions put on what can be use here, so yes an SPDX or CycloneDX can be used here. I floated the question of registering it now on the RATS list and no one expressed any interest, so I haven’t done anything to add that to EAT > > Section 9 > > The IANA will not know what to do with this section as most of it is > not directed to them. Much of it might be better suited as a > standalone document. But it does raise the question of whether or not > some sort of subregistry should be formed for new claims, where an > appropriate evaluation could be managed through the IANA process (pick > your favorite). How that would be accomplished I leave to you. A lot of the early discussion in RATS was about how to define claims. It was a lot and it seems valuable to me so I wanted to capture and keep it. I’ve moved it into an appendix. https://github.com/ietf-rats-wg/eat/pull/202
- [Rats] Response to Eliot's major issues with EAT Laurence Lundblade
- Re: [Rats] Response to Eliot's major issues with … Kathleen Moriarty
- Re: [Rats] Response to Eliot's major issues with … Laurence Lundblade