Re: [Rats] EAP and RIV

Guy Fedorkow <gfedorkow@juniper.net> Tue, 05 May 2020 13:38 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: Giridhar Mandyam <mandyam@qti.qualcomm.com>, "rats@ietf.org" <rats@ietf.org>
CC: "Eric Voit (evoit)" <evoit@cisco.com>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Date: Tue, 05 May 2020 13:38:30 +0000
Message-ID: <DM6PR05MB688976FF56E41668112A5A79BAA70@DM6PR05MB6889.namprd05.prod.outlook.com>
References: <DM6PR05MB688962B3DF67581C8B5FEA21BAAD0@DM6PR05MB6889.namprd05.prod.outlook.com> <BYAPR02MB442214E3AFEED6791E2068E481A70@BYAPR02MB4422.namprd02.prod.outlook.com>
In-Reply-To: <BYAPR02MB442214E3AFEED6791E2068E481A70@BYAPR02MB4422.namprd02.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/m4JPBgd3dZDVgVliJec5MRkDmIM>
Subject: Re: [Rats] EAP and RIV

Hi Giri,

  I'm sure the exchanges described in RIV to validate authenticity of the
software infrastructure could be carried in EAT format, although I don't
know the EAT operational environment well enough to know if there's someone
who'd use it.

  RIV without the TPM is a bit further afield, for a couple of reasons:

*	For better or worse, the TPM data structures are idiosyncratic.
Alan Turing would say that any computer could replicate them, but that
doesn't mean it would be a good idea, if there's no TPM under there.  If
there's a use case that provides a credible firmware TPM with no hardware
chip under it, and EAT is the right protocol, that's a different matter.
*	More broadly, RIV as it now stands assumes the security environment
outlined in the Security Considerations section of the draft.  As I
understand it, a number of the assumptions there are not of interest in the
EAT world.

  Let me know if I'm missing the intent of your question, though!

Thanks

/guy

Juniper Business Use Only

From: RATS <rats-bounces@ietf.org> On Behalf Of Giridhar Mandyam
Sent: Monday, May 4, 2020 8:19 PM
To: rats@ietf.org
Subject: Re: [Rats] EAP and RIV

Sorry - I may be misunderstanding the request.  I did mention on the call
that it would be desirable for RIV to also support EAT
(https://tools.ietf.org/html/draft-ietf-rats-eat-03).  Examples include
home routers (802.11) that often do not have a HW TPM.

I did not however mention EAP (https://tools.ietf.org/html/rfc3748),
although that could be an interesting use case for attestation.

-Giri Mandyam

From: RATS <rats-bounces@ietf.org> On Behalf Of Guy Fedorkow
Sent: Wednesday, April 29, 2020 10:37 AM
To: rats@ietf.org
Cc: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; Eric Voit (evoit) <evoit@cisco.com>
Subject: [Rats] EAP and RIV

Someone asked about adding protocol support for EAP to the RIV TPM
Attestation draft on the RATS call yesterday, but I wasn't quick enough to
write down the name.  Could anyone interested in this contact me?

  Thanks

/guy
