IETF Logo Mail Archive

Re: [Rats] [IAB] IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet

Tommy Pauly <tpauly@apple.com> Tue, 03 October 2023 23:35 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2AE4C17EB6E for <rats@ietfa.amsl.com>; Tue, 3 Oct 2023 16:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Level:
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M-YfI613q5AD for <rats@ietfa.amsl.com>; Tue, 3 Oct 2023 16:35:04 -0700 (PDT)
Received: from rn-mailsvcp-mx-lapp03.apple.com (rn-mailsvcp-mx-lapp03.apple.com [17.179.253.24]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39D4AC16B5A2 for <rats@ietf.org>; Tue, 3 Oct 2023 16:35:04 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by rn-mailsvcp-mx-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S1Z00WPW5ECFR20@rn-mailsvcp-mx-lapp03.rno.apple.com> for rats@ietf.org; Tue, 03 Oct 2023 15:35:03 -0700 (PDT)
X-Proofpoint-ORIG-GUID: T6d8muZOLvnIonxg8b6azN9CoFOh3l4b
X-Proofpoint-GUID: T6d8muZOLvnIonxg8b6azN9CoFOh3l4b
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-10-03_18:2023-10-02, 2023-10-03 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 malwarescore=0 bulkscore=0 adultscore=0 phishscore=0 mlxscore=0 spamscore=0 mlxlogscore=999 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2309180000 definitions=main-2310030170
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=pD3u26AZ1UGKri1fk1WXtrCfEAxJDU38vE2t3+6SL1g=; b=olYuPnI7dzTb8toSw1udiYNhLTj48HzsSxvkeMR8ntsenGCkGjwqE+dNCmjigbkJyRJy z0DPSRwqVtMnHPbpB9dXezQ72QoqmHibHODodtDlSXpCmGZjF02MVx8Ga8hWnX8t3ikd A1MXdJTe0wGXDpQPhIr0CHj33kWICUtkHcOfRDuJvt0ocLoRngS4UToW2RgGabMdfdjk dHWARHuHCAVlBpPesXdMaMIsnSFfg2mXCWXDmhTt1UHnpnFsKMm6Kt+NWeuZnIkJ4rlp Ps1HPXsQka6K70JUT7pcLliZpm0czUo1UDVcwR5T+0KxsSpukZWHjqwa0szR1MQrmsRg Sg==
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S1Z00F2E5ED5QD0@rn-mailsvcp-mta-lapp02.rno.apple.com>; Tue, 03 Oct 2023 15:35:02 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) id <0S1Z00900503P100@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Tue, 03 Oct 2023 15:35:02 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 81ca60fce39c2560b6c4a7e5841f9b8f
X-Va-E-CD: 2820d4cf342ed19c27bebacb2dad883d
X-Va-R-CD: 89957d06e431d9682fa958ae97876f97
X-Va-ID: cbf4e3bc-8660-4998-b184-15701c97b744
X-Va-CD: 0
X-V-A:
X-V-T-CD: 81ca60fce39c2560b6c4a7e5841f9b8f
X-V-E-CD: 2820d4cf342ed19c27bebacb2dad883d
X-V-R-CD: 89957d06e431d9682fa958ae97876f97
X-V-ID: 76fbe7d4-b5e6-4eef-816e-dfb09ed0941c
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-10-03_18:2023-10-02, 2023-10-03 signatures=0
Received: from smtpclient.apple ([17.234.105.246]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPSA id <0S1Z00ZMZ5ECXH00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Tue, 03 Oct 2023 15:35:01 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <62F90CB5-4EF4-4E17-A86F-84ED79A88291@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_F1D93B0E-9597-4D59-AB1E-737DAE9CC79D"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
Date: Tue, 03 Oct 2023 15:34:50 -0700
In-reply-to: <C199AC7D-74A7-41A9-94B7-812DBED57B29@intel.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "dthaler1968=40googlemail.com@dmarc.ietf.org" <dthaler1968=40googlemail.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>, "iab@iab.org" <iab@iab.org>, Michael Richardson <mcr+ietf@sandelman.ca>
To: "Smith, Ned" <ned.smith@intel.com>
References: <169627945480.62917.5309122275327869344@ietfa.amsl.com> <16966.1696299372@localhost> <12f601d9f634$abe84ac0$03b8e040$@gmail.com> <CAHbuEH4KLyb-wACba3fOjufDWmkva3sENNy+BmZf-BFT6NK_VA@mail.gmail.com> <C199AC7D-74A7-41A9-94B7-812DBED57B29@intel.com>
X-Mailer: Apple Mail (2.3774.100.2.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/G1LDPQJPoPpbrI120TJeiBBIWrA>
Subject: Re: [Rats] [IAB] IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2023 23:35:07 -0000


> On Oct 3, 2023, at 3:24 PM, Smith, Ned <ned.smith@intel.com> wrote:
> 
> +1 to comments from Michael, Dave, and Kathleen.
>  
> I have procedural concerns with the IAB statement as it seems to endorse the opinion of the Web Environment Integrity <https://github.com/RupertBenWiser/Web-Environment-Integrity> authors, which is not an official IETF document AFAIK. Consequently, it is difficult to assess whether the IAB endorsement reflects broader consensus within the IETF.

To be clear, the statement is not endorsing the Web Environment Integrity proposal; rather, it is pointing to such uses of attestation (that are designed to verify specific versions of browsers on specific platforms) are problematic. That proposal is not an IETF proposal, nor an official W3C proposal, but is proposing a direction that could cause harm to the Internet ecosystem.

Thanks,
Tommy

>  
> It is good to see a discussion thread starting that considers issues, use cases, requirements, and concerns of attestation in the broader web context, but the culture of the IETF would be to have that discussion before the IAB formalizes an opinion.
>  
> -Ned
>  
> From: RATS <rats-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> Date: Tuesday, October 3, 2023 at 1:22 PM
> To: "dthaler1968=40googlemail.com@dmarc.ietf.org" <dthaler1968=40googlemail.com@dmarc.ietf.org>
> Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "iab@iab.org" <iab@iab.org>, "rats@ietf.org" <rats@ietf.org>
> Subject: Re: [Rats] IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet
>  
> Greetings.
>  
> I would also be happy to work with the IAB to create a better statement. I am in agreement with Michael and Dave. The current statement reads as though some uses of attestation were conflated in ways those of us working on it would have been able to assist to provide greater clarity towards the goals of the IAB for openness.
>  
> The ability to assure the firmware and software of a system using standards and widely deployed hardware is critical to leveling the playing field for security, better serving those with fewer resources. The technology has the potential to reduce the need for external scanners, while enabling lower cost methods to implement integrity and posture assurance with standard formats and protocols. More likely, it will provide a method of assurance for those with few resources. Those with more resources might use attestation plus external scanning tools that are in use today. These checks on software or system changes also aids in the detection of lateral movement of attackers. The earlier attackers can be detected, the better for those impacted. Attestation provides a standards based method to implement this integrity checking to meet zero trust requirements.
>  
> Thank you for considering these comments and the offer to assist.
>  
> Best regards,
> Kathleen
>  
> On Tue, Oct 3, 2023 at 4:03 PM <dthaler1968=40googlemail.com@dmarc.ietf.org <mailto:40googlemail.com@dmarc.ietf.org>> wrote:
>> Michael Richardson writes: 
>> > IAB Executive Administrative Manager <execd@iab.org <mailto:execd@iab.org>> wrote:
>> >     > On 25 September 2023, the Internet Architecture Board (IAB) posted a
>> >     > new IAB Statement on the Risks of Attestation of Software and Hardware
>> >     > on the Open Internet[1].
>> > 
>> >     > [1]
>> >     > https://datatracker.ietf.org/doc/statement-iab-statement-on-the-risks-of-
>> > attestation-of-software-and-hardware-on-the-open-internet/
>> > 
>> > It's an interesting statement, and I suspect that I agree with the intent.
>> > As written, it fails to inform: you need to know what the treacherous uses of
>> > remote attestation are (and then take two steps not detailed in this
>> > statement) in order to understand the statement.
>> > I think that this should be revised, and it shouldn't be so timid.
>> > 
>> > As an author of RFC9334, I'm rather surprised that this statement was issued
>> > without any consultation with us.
>> > 
>> > As written, I find this statement useless.
>> > I would be happy to work with the IAB to craft a better statement.
>> 
>> I have to say I 100% agree with Michael here.  I admit I too had a fairly strong negative emotional
>> reaction reading the IAB statement, very similar to early drafts of draft-iab-protocol-maintenance
>> which I provided feedback about it being potentially harmful as worded, and we worked to
>> improve it to become a much better document RFC 9413.   I had provided feedback saying
>> that I agreed with much of the intent, but the way it was worded could be taken to promote
>> harmful principles that were not intended.   I have exactly the same feedback on this IAB
>> statement.
>> 
>> Some specific feedback follows.
>> 
>> > the use of such attestation as a barrier to access otherwise open protocols and services
>> > would negatively impact the evolution of the Internet as a whole
>> 
>> Analogy: disallowing access to those who cannot attest is in many ways analogous to
>> disallowing access to those who cannot use encryption.   Thus, by extension the IAB could equally say
>> "the requirement to use encryption everywhere as a barrier to access otherwise open services
>> would negatively impact the evolution of the Internet as a whole".   I, and I suspect many others,
>> would disagree with that principle, that encrypting everywhere is important to secure the
>> Internet and allow open services to continue being open and viable.   I would argue that
>> a comparison between attest-everywhere and encrypt-everywhere is valid.
>> (Full disclosure: I am the author of the statement "Every authentication use case is an
>> attestation use case." and my response here is consistent with that.)
>> 
>> > Adding client attestation into otherwise open systems can significantly reduce openness for the Internet broadly.
>> 
>> I think this is a red herring / mischaracterization.  The use of attestation does not reduce openness any more
>> than the use of authentication or encryption do.   You might argue that authentication and encryption both
>> DO reduce openness, and you might have a valid point there.   But in all three cases, I argue it's not the addition
>> of the technology itself that reduces openness, it's specific POLICIES that one can apply.   And those policies
>> could be done with authentication (e.g., restricting what type of identity, or what domain you connect from,
>> what IP address range you connect from, etc.) too.   In my view, the IAB would be better replacing the statement
>> about attestation with a statement about policy restrictions regardless of whether we're talking about authentication
>> or attestation.
>> 
>> > Attestation of client software and hardware is distinct from user authentication. User authentication verifies
>> > the identity of a user or a credential associated with a user, and is compatible with any implementation that
>> > supports the correct form of authentication.
>> 
>> I appreciate the IAB trying to do a compare/contrast here.  But I think the IAB misses a number of key points here.
>> User authentication does not mean the request actually originated from that user nor that the user consented to it,
>> and so is weak security without attestation.  Only authentication with attestation can ensure that it was not
>> compromised by malware subverting the user's intent, and so the IAB statement can be misread as an argument
>> against security, much like arguing against encrypting everywhere would.
>> More on "is compatible with any implementation" below.
>> 
>> > In contrast, attestation of client software and hardware places explicit restrictions on the implementations
>> > that are allowed to participate in the protocol.
>> 
>> Again, only in the same sense as requiring encryption does.  Specific POLICY can place restrictions on implementations,
>> but that's the policy not the existence of attestation itself.
>> 
>> > Restricting access via attestation of software or hardware would limit the development of new protocols and
>> > extensions to existing protocols, lock users into a limited ecosystem of applications, and hamper the ability
>> > to audit implementations, conduct measurements, or perform essential security research.
>> 
>> One could make the same statement about "Restricting access via requiring encryption would limit ..." or
>> "Restricting access via POLICIES around user authentication would limit...".  And I suspect there would be
>> lots of interesting discussion around those two claims too.   Calling out attestation here specifically seems
>> to me to more confuse the issue than help.
>> 
>> > The IAB invites those in the industry and standards community working on client attestation in open services
>> > to engage with the relevant IETF working groups (in particular, Privacy Pass and RATS)
>> 
>> To echo Michael's comment, I think those of us in the IETF RATS WG would invite those in the IAB to engage
>> with the WG to revise the IAB statement.
>> 
>> Thanks for listening,
>> Dave Thaler
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org <mailto:RATS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/rats
> 
> 
>  
> -- 
>  
> Best regards,
> Kathleen

v2.23.0 | Report a Bug | By Email