[Rats] SUIT device identifier (was Re: 802.1AR device identity)

Laurence Lundblade <lgl@island-resort.com> Fri, 23 April 2021 18:25 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E48E93A196C for <rats@ietfa.amsl.com>; Fri, 23 Apr 2021 11:25:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 3Pf7nU-o8lVf for <rats@ietfa.amsl.com>; Fri, 23 Apr 2021 11:25:40 -0700 (PDT)
Received: from p3plsmtpa06-05.prod.phx3.secureserver.net (p3plsmtpa06-05.prod.phx3.secureserver.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84F323A195D for <rats@ietf.org>; Fri, 23 Apr 2021 11:25:34 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPA id a0UelcBjrJOFra0UflMjsC; Fri, 23 Apr 2021 11:25:34 -0700
X-CMAE-Analysis: v=2.4 cv=BYkdbph2 c=1 sm=1 tr=0 ts=6083111e a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=48vgC7mUAAAA:8 a=K6EGIJCdAAAA:8 a=QyXUC8HyAAAA:8 a=tGX7uwomAAAA:8 a=OUXY8nFuAAAA:8 a=pGLkceISAAAA:8 a=XkE9mDRChnFo0TuJXdcA:9 a=QEXdDO2ut3YA:10 a=oFKmhllnjRHI4DwAK-gA:9 a=wGtt-9eU49lps_NA:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=L6pVIi0Kn1GYQfi8-iRI:22 a=ZFOOzkjxzLGrPE5HuMia:22 a=cAcMbU7R10T-QSRYIcO_:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <2CF19676-0CC1-4DB3-856F-3E0513218CC0@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E4432E82-ABCE-474C-909E-B97ACAD3001A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Fri, 23 Apr 2021 11:25:32 -0700
In-Reply-To: <4A3F3EEE-23C2-4D3A-A503-C946ED772DB1@island-resort.com>
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "iotops@ietf.org" <iotops@ietf.org>, "rats@ietf.org" <rats@ietf.org>, Russ Housley <housley@vigilsec.com>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Ira McDonald <blueroofmusic@gmail.com>, Guy Fedorkow <gfedorkow@juniper.net>
To: "Smith, Ned" <ned.smith@intel.com>
References: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com> <E0971364-E3AD-40C6-A08A-A0BA7E64D18F@cisco.com> <0C1A8AE6-E6C3-4AF9-9E4F-5841FB450BE3@intel.com> <957A467D-4FE4-4031-98D2-6936D014A37C@cisco.com> <62FFA122-047E-468C-A2DD-5A0E4E8EAF74@intel.com> <9EE53DF3-17AD-495D-9BE7-C15B92EF6B99@island-resort.com> <CAN40gSsCbjpVuCQwsWWjGwfL=cARHcAa0ZPsm+sk8H=9_otZUw@mail.gmail.com> <3593A760-335F-40AF-AC43-7E2D7A1EFF7B@island-resort.com> <BLAPR05MB7378A9F73457513AC951F82FBA7A9@BLAPR05MB7378.namprd05.prod.outlook.com> <07EAF7BF-1595-448D-9164-3903E15C5A50@cisco.com> <92EF6820-3234-4458-B66A-7B7E6693CB76@vigilsec.com> <2118D1F3-849F-4238-A2AE-054FF67144FF@intel.com> <4A3F3EEE-23C2-4D3A-A503-C946ED772DB1@island-resort.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfCLWFgSxuG72k0gZJAiHfPfxLjemzWQBG35ggQKRVWiL84HHxRanPZmqf65LgcwnRHgdMSHfMMjMVDXJQpRQtkqt36/nRu9PW23Bdn/hMIz7s/4tFnW/ fdE+ZjInKnRmqDip6US3t+rtojdmuSWmy+qGnRf6Mj4l6kB7a8iwsAxklr6+Ds75KqiR2R+b/bimJKXihmCUvxIAm7IOjplfgZF3IdRDX+I/qtG5ghzZAoaS ycP504YlyklOyeVCcLqJfZjoIKuVa5HqWybtAfRerCCX89R/Hp01mW5Wra515SUTbyQAHjkJ4/vxlb3+ScoU/sOtKSuoL8AMk1FAaJhRhFMX0DwZkxgjX3ho m0zJo0FKa/ujbBiSFpw5xXHk2hfxOv/pzJylQdS4hbBggwx/CHBd5rW0n/TbqhiZMGw4WY1xxiI7+2p0fzUGOPfKzWSbVA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/GoG7dJ-Wh8W7kCUz1PiEF74W8eE>
Subject: [Rats] SUIT device identifier (was Re: 802.1AR device identity)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2021 18:25:46 -0000

In the spirit of trying to understand use cases for UEID and SUEID I looked at SUIT device identifiers.

I also think we should consider SUIT’s device identifier here. It seems like a UEID or an SUEID could be used as the SUIT device-identifier or to derive the SUIT device-identifier. The description of SUIT’s device identifier is short, but I think all the EAT UEID types fulfills SUITs semantic requirements — uniquely identifying the device.

However, they differ in syntax and mechanics.

I consider UUID’s obsolete for many of the use cases they are applied to. These reasons are carefully described in Appendix B of EAT <https://tools.ietf.org/html/draft-ietf-rats-eat-09#appendix-B.2>. Basically with the wide availability of good crypto-quality RNG’s, the techniques UUID specifies are unnecessary and a burden.  I think SUIT device identifier is one of the use cases.

Also, UUID’s are confusing because not all types can be used for all use cases.

My suggestion to solve this would be to make SUIT device identifiers just byte strings that can be 128, 192 or 256 bits long. SUIT removes the UUID format requirement for device identifiers.

Then a type 1 UEID could just be used as is for a SUIT device identifier. 

Type 2 (MAC) and type 3 (IMEI) UEIDs could be run through a hash to make a SUIT device identifier.

If EAT were further along as a standard, I’d suggest SUIT just used UEID, but I don’t think we want SUIT to become dependent on EAT. What I’m proposing here gives a soft coupling.


> On Apr 23, 2021, at 11:16 AM, Laurence Lundblade <lgl@island-resort.com> wrote:
> Thanks for all the helpful responses and info here. 
> I believe the discussion and comments received validate the EAT design of a UEID and an SUEID.
> - Permanent. Set by device or chip manufacturer.
> - Can’t be changed by subsequent owners or any in down-stream supply chain
> - Akin to IDevID
> - Semi-permanent. Can be set by new owners of the device, down stream entities in the supply chain and so on
> - Changed on major device lifecycle events
> - Akin to LDevID
> The current SUIED PR doesn’t allow multiple SUIED’s the way you can have multiple LDevIDs. I think EAT needs to allow multiple SUIEDs.
> Option 1 — A simple array of SUEIDs. You can’t really tell one from another or who assigned them.
> Option 2 — Each SUEID is a pair of the SUEID plus a string naming the entity that created it or naming a type of SEUID.
> Option 3 ?
> My understanding is that one LDevID is distinguished from another by the issuer in the LDevID certificate. EAT doesn’t have these separate certificates.
> EAT can use the same attestation key to sign one UEID and many SUEIDs. EAT can also have separate attestation keys for each SUEID. It can be used to implement the IDevID/LDevID model and/or other models.
> LL
>> On Apr 21, 2021, at 4:19 PM, Smith, Ned <ned.smith@intel.com <mailto:ned.smith@intel.com>> wrote:
>> It is reasonable, in the context of onboarding, where the owner isn’t a supply chain entity, but the network owner who is going to deploy / manage the device. Onboarding might involve separately evaluating the supply chain risk and any ‘owner’ that might be a supplier from onboarding processes that take a clean room approach that wipe clean / reset to mfg defaults.
>> An mfg IDevID design might be such that tampering by supply chain ‘owners’ would be detected and hence trusting them isn’t really necessary. The end user / customer as ‘owner’ might only care about trusting the IDevID mfg or only trusting him/her self. 
>> From: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
>> Date: Sunday, April 18, 2021 at 10:31 AM
>> To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org <mailto:lear=40cisco.com@dmarc.ietf.org>>
>> Cc: Guy Fedorkow <gfedorkow@juniper.net <mailto:gfedorkow@juniper.net>>, "Smith, Ned" <ned.smith@intel.com <mailto:ned.smith@intel.com>>, Henk Berkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>, "iotops@ietf.org <mailto:iotops@ietf.org>" <iotops@ietf.org <mailto:iotops@ietf.org>>, "rats@ietf.org <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>>, Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>, Ira McDonald <blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com>>
>> Subject: Re: [Rats] 802.1AR device identity
>>> On Apr 18, 2021, at 9:51 AM, Eliot Lear <lear=40cisco.com@dmarc.ietf.org <mailto:lear=40cisco.com@dmarc.ietf.org>> wrote:
>>> Signed PGP part
>>> Sorry for the delayed response:
>>>> On 2 Apr 2021, at 19:05, Guy Fedorkow <gfedorkow@juniper.net <mailto:gfedorkow@juniper.net>> wrote:
>>>> Hi Laurence,
>>>>   I agree that IDevID is intended to persist through the device’s lifetime, while LDevID is meant to represent the current owner.
>>> Yes, that was the original intent, and even the current intent.  And while that is necessary, it may not be sufficient for long supply chains where ownership passes from one to another.  The LDevID is an owner-assigned name, and so the question is this: when an owner goes to transfer, does it need to use the IDevID again or should it use the LDevID?  There are benefits and drawbacks to both, but if the LDevID is used, then it is used as the IDevID would have been as part of that transfer.  The nice thing about FDO is that it keeps an entire record of these sorts of transfers.
>> I think it depends on whether the new owner trusts the issuer of the LDevID.  If so, then leveraging the existing LDevID may be straightforward.  If the new owner does not trust the issuer of the LDevID, then resetting the device to the factory default settings, which would include the IDevID, makes a lot of sense.
>> Russ
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org <mailto:RATS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats