IETF Logo Mail Archive

[Rats] draft-ietf-rats-architecture-12

Daniel Migault <mglt.ietf@gmail.com> Mon, 01 November 2021 20:59 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D02503A2F8A for <rats@ietfa.amsl.com>; Mon, 1 Nov 2021 13:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNcUofZt_THa for <rats@ietfa.amsl.com>; Mon, 1 Nov 2021 13:59:49 -0700 (PDT)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55FCF3A2F89 for <rats@ietf.org>; Mon, 1 Nov 2021 13:59:49 -0700 (PDT)
Received: by mail-ua1-x930.google.com with SMTP id b17so24076210uas.0 for <rats@ietf.org>; Mon, 01 Nov 2021 13:59:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=5Th1BCT5FHPhGqjGO/g4gfMYwSnWwPtIWNzUUSESV14=; b=nBRCr7T+335caL1/zgQqY8BNcWf1vaLYS8diHjM6aImfW474gxHIiZy92a8MUrp8NO c8gUYQbKf3P3c/UqTVEORV5v5UcnmCu6R7WQO4vgC/WvW0d7vApmUA3S8gDI7uKDSQUr jiigS0YmiJfnoUwda42TntOroF0Bz+PSncTRsi5UIiUxGxznl6Ccg8k/f9SXz5g0kxcB oEOpbuZmVp+93jZLh/g9wwHXaCUZ8PU+NrsvvC+IP9McExYqRIfrJjj0zUd8tzCxSxJl tNi0a1eWnX8Wkw1uUSl5XQt4pJEGbVgUDtsniaw/X4IHhR198hgWwEQTJ0g83kTyKG29 Nb9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=5Th1BCT5FHPhGqjGO/g4gfMYwSnWwPtIWNzUUSESV14=; b=5vYidRKwzKhkl8JCTnkgXhIEJRY0XkTYEwWRAsY+7V+e05I5uw0c7hwnCMxfgwOr/w tAfWa8XAcqzZYlwM17XJO+/UjRh5+jVRQ05515+40szC8iRwfKUT5d0tQargPOsbb5zj f0LV+be3l4A8PM4hagoTNqp3ey8k3rL5b6WQ/C3HRMWYBjXS2pT9asQiZYJfHbAyoux+ 96WiwnGGYD5rDdyqDbaex3Vyfa27tWeFEO86NkRGg+tnvept3nPYYGX+hdh9olhL5v8N Zao9Z02PX8n2L+WaIGjN+eEj/i2n55JFS08SI1kF2Lvw+t4Or7uklZ2+39SVvE2X/0iV c1ag==
X-Gm-Message-State: AOAM5304ROXCnzfMRxtCUdQVBz6hCsaaNsQYqnj5RO8Ggc1SXymbqkBa c8GbqOPanZpgSODfLuXZE6J64NY4wolmWYLshSlOde0IxfM=
X-Google-Smtp-Source: ABdhPJxb3XPOL2pHO5rdJnU2xsAfJFky8V8vFrD2dNYJaIbqv9J7iECFc93RqF5EhWxWzrm0oUXpjx4ZyfMQfR9JV8I=
X-Received: by 2002:a05:6102:392:: with SMTP id m18mr11514625vsq.56.1635800384602; Mon, 01 Nov 2021 13:59:44 -0700 (PDT)
MIME-Version: 1.0
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 01 Nov 2021 16:59:33 -0400
Message-ID: <CADZyTk=ZbSUYxywzVONYjo59JVf56r8kAhpKqtXgE2=k2uZ5uA@mail.gmail.com>
To: rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d905e505cfc074f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Hf1klBqNuKWanHxQWWuOFE_saPk>
Subject: [Rats] draft-ietf-rats-architecture-12
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Nov 2021 20:59:54 -0000

Hi,

I could not see the draft-ietf-rats-architecture in the dt and was
wondering what is its current status. I am providing a review of the
document and hope the document can progress. The document is in a nice
shape.

I suppose the comments are only clarifying my understanding.

Yours,
Daniel


I suppose there is an editorial nits there:

"""
See Section 8 for further discussion of the conceptual messages shown
   in Figure 1. ## Two Types of Environments of an Attester
"""

>From Figure 2.

The trust associated with the Evidence is related to the trust of the
Target Environment as well as the communication of the Claims from the
Target Environment to the Attestation Environment. I think some
clarification/explanation may be added. My current reading is that
Evidence are attested untrusted claims which is not so useful.

section 3.1

"""
 Normally, Claims are  not self-asserted,
"""

seems to me a bit unclear, more especially, when a claim contains a value
of a register, I see the register as part of the Target Environment and the
register provides its value. I tend to see the register as self asserting
its value. Assert in the text seems to be related to the trust associated
with the value of the claim. If so, that assertion (or trust) results both
in the trust of the Attesting Environment (system + attesting keys) as well
as the system that enables the communication of the Claims to
the Attesting Environment. Am I correct when I consider the system + keys
as the root of trust ? But back the beginning of my comment I think I do
not understand what self asserted means and what the problem might be.
Maybe also I am mis-interpreting asserting as I do not understand it with
something stronger than a statement.
https://www.merriam-webster.com/dictionary/assert

Claims about a root of trust typically are asserted by an Endorser.

So Figure 1 shows the Endorser interacting with the Verifier. Figure 2
shows the interaction within the Attester and shows Claims being exchanged
between the Target Environment and the Attesting Environment while
Attesting Environment and Verifier exchange Evidences.  I am wondering if
that Claims should be replaced by Evidence or if the intention is to say
that Evidence is carrying/generated Claims trusted by a root of trust -
which in this case is associated to the Target Environment and not the
Attesting Environment.

"""
 The
   final Evidence thus contains two sets of Claims: one set about the
   bootloader as measured and signed by the BIOS, plus a set of Claims
   about the kernel as measured and signed by the bootloader.
"""

I understand that the set of claims are combined together with for example
a hash function. In other words, Evidence is not (necessarily) a list of
claims that can easily be extracted from the Evidence.
If my understanding is correct, I would maybe clarify "contains". I also
have the impression cascading carries the notion of recurrence where one
level includes all levels below - but that is my own perception. Overall I
have the impression that [claims_a, claims_b] can have multiple
representations including claim_c = hash(  [claims_a, claims_b] ) or
claim_d = [claims_a, claims_b]. In both cases they represent the set of
claim_a and claim_b.

4.2

"""
Evidence:  A set of Claims generated by an Attester to be appraised
      by a Verifier.  Evidence may include configuration data,
      measurements, telemetry, or inferences.
"""

This is mostly what is just mentioned above. To me a set of claims is s = (
claim1, claim2, ..., claimn) and I have the possibility to take s[0], but I
have the impression that the set here is more abstract and is represented
by the hash(s). Myabe that worth clarifying how the set is represented.

section 7.4

  1.  The key material used to authenticate and integrity protect the
       conveyance channel is trusted by the Verifier to speak for the
       Attesting Environment(s) that collected Claims about the Target
       Environment(s).

The text does not mention the trust in the Claims. I have the impression
that it also conveys some trust in the claims.
In the case of the BIOS, we do put similar trust into the hardware to load
properly the BIOS stored into the ROM as we trust the attestation keys
stored into the hardware. This, in my view, makes the states provided by
the TPM trusted.

section 8.4

_Strength of Function_ this is a markdown notation I suspect.

By default, the Relying Party does not believe the Attester to be
   compliant.  Upon receipt of an authentic Attestation Result

I do not see any reason to perform attestation if the Attester is known to
be compliant. I am wondering if "by default" is appropriated or should be
instead replaced by something around Upon starting an attestation, the
Relying....

It is a bit unclear to me what authentic means, so I am checking if it
should not be replaced by trusted or simply being removed. Unless I am
missing it, I noticed authentic is widely being used across documents so it
might be worth defining it in the architecture document. At least I am
happy to be pointed to its definition.


Section 9:

9.  Claims Encoding Formats

The section is mostly focused on Evidence and Attestation Results, not so
much on Claims. That said, the discussion is a generic discussion over
which format to use and this can be extended to Claims as well, though in
some cases Claims may have proprietary formats.

What is unclear to me in the section is the relation between Claims and
Evidence, and I think that is related to previous comments. Here I am
reading Evidence as a set of Claims. So I am wondering if we expect
Evidence format to be a list of Claims in which Claims can be either built
from the Attesting Environment or provided by a Attesting Target. Typically
I do see measurements as new Claims generated by the Attesting Environment.
I agree that in both cases these are inside the Attester.

section 10.

All timekeeping methods seem to me to have an implicit period when the
information is valid - I am basically thinking of it as a TTL. Using Epoch
ID, I have the impression that a new ID indicates a new time slot, so I am
wondering if blocking the time distributor does not keep the device into
the past and makes possible replay attacks.

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email