IETF Logo Mail Archive

Re: [Rats] About (E)UID's

Simon Frost <Simon.Frost@arm.com> Wed, 12 February 2020 14:02 UTC

Return-Path: <Simon.Frost@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567D712001E for <rats@ietfa.amsl.com>; Wed, 12 Feb 2020 06:02:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=2qskWhuH; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=2qskWhuH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m15KeBaWrTLR for <rats@ietfa.amsl.com>; Wed, 12 Feb 2020 06:02:50 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80050.outbound.protection.outlook.com [40.107.8.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EB5712001A for <rats@ietf.org>; Wed, 12 Feb 2020 06:02:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Cjecn+fUTq12pn2AciS74Sb4mW1cn1c+/QQ8hFGEdMQ=; b=2qskWhuHfW4nIx919V0biybATKV6W4WvhgUJh2PxVFZGwWdWtIALRaf78RO35aw+f8cFJcINLARSR5z1BtbkJLM/cGTeYBB9jrEvWosX9VhwF4fS4jej5c2x0gqTeVzhYdJm5jgRAeCV05MZaeCVsRCySTdklu/tPk4Usf6mzwk=
Received: from AM6PR08CA0005.eurprd08.prod.outlook.com (2603:10a6:20b:b2::17) by AM4PR0802MB2372.eurprd08.prod.outlook.com (2603:10a6:200:60::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2729.22; Wed, 12 Feb 2020 14:02:46 +0000
Received: from VE1EUR03FT034.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e09::205) by AM6PR08CA0005.outlook.office365.com (2603:10a6:20b:b2::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.23 via Frontend Transport; Wed, 12 Feb 2020 14:02:45 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT034.mail.protection.outlook.com (10.152.18.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.18 via Frontend Transport; Wed, 12 Feb 2020 14:02:44 +0000
Received: ("Tessian outbound 3a0cbd311638:v42"); Wed, 12 Feb 2020 14:02:44 +0000
X-CR-MTA-TID: 64aa7808
Received: from 642995db060c.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id CF9C5B3B-F439-48A6-A670-599686FA7D91.1; Wed, 12 Feb 2020 14:02:39 +0000
Received: from EUR01-VE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 642995db060c.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 12 Feb 2020 14:02:39 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hwFjHJYhxn0hOsiDrdzt127tUECAmLAZTRoDGhioXSBzp8GWV4xpBIoxDVgTMY1KnayU6GjU5JTatSSkENdmtpAO+0o9ZkaDCXAmrMRAgpxTWrRwnu2iuxmbcfC/r+IyAhXr0zWCAZihiSXgJa+Qvei8jIsg5AeVww50puu26PNYBbBNLqU6L9decZKgnhWK6K6Gop0WCdx8qnP+up2A2HaGZwUwMDyVILl7+6j78Wrv/MUBa0Gse4PMPsB/bK1vYflP/iFNS75uJmDO3Ah6HYCcX0mlrG6RJ54yDj5IueJzGZm0/FJwuuUf/+Z3bxks5y+WC2avPdrAxMxpG5g57Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Cjecn+fUTq12pn2AciS74Sb4mW1cn1c+/QQ8hFGEdMQ=; b=ghvzLmI+Maej7tV1tZIaww4+c6BFZ+LjR8AffOrF40RgDNkC6HrtXkDTv9G6mooVxMDJ9i4qDHNUTJUhJuUi5MmVHPB02MCJruw8U4MhUjBZlVRRP3zkE85keIIuqAfUSu14kPFdy5VOMengP6t41ptGJZL8pQTJS0ceRTet1dBhkCuRJHf4Oeh57DcY/LvEouSpt/yT65OdOIqROyVz1eH24gFO4YhunG+/urEL8VqcSfbnywsHxlIw3TrBY6tCWcuK0bw6ljRQUIXp2e1NGVbllW6Mra2uw2HaGFugGQ4IT6PYT0t5kHNz9WWYYjU3TraD10jwqaofGU//1U2pQA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Cjecn+fUTq12pn2AciS74Sb4mW1cn1c+/QQ8hFGEdMQ=; b=2qskWhuHfW4nIx919V0biybATKV6W4WvhgUJh2PxVFZGwWdWtIALRaf78RO35aw+f8cFJcINLARSR5z1BtbkJLM/cGTeYBB9jrEvWosX9VhwF4fS4jej5c2x0gqTeVzhYdJm5jgRAeCV05MZaeCVsRCySTdklu/tPk4Usf6mzwk=
Received: from DBBPR08MB4903.eurprd08.prod.outlook.com (10.255.78.17) by DBBPR08MB4903.eurprd08.prod.outlook.com (10.255.78.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2729.22; Wed, 12 Feb 2020 14:02:38 +0000
Received: from DBBPR08MB4903.eurprd08.prod.outlook.com ([fe80::880d:db9f:7e7c:a934]) by DBBPR08MB4903.eurprd08.prod.outlook.com ([fe80::880d:db9f:7e7c:a934%7]) with mapi id 15.20.2729.021; Wed, 12 Feb 2020 14:02:38 +0000
From: Simon Frost <Simon.Frost@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] About (E)UID's
Thread-Index: AQHV3bXmW6h++AX9GUeMvr4rBHsANKgXl29Q
Date: Wed, 12 Feb 2020 14:02:37 +0000
Message-ID: <DBBPR08MB490314C93C12FB98EC0945C1EF1B0@DBBPR08MB4903.eurprd08.prod.outlook.com>
References: <8BDAAE2E-9803-4048-AD5B-59233708E6FB@akamai.com> <1C16DAA0-D03B-417C-894A-30C4015AEED7@island-resort.com> <DBBPR08MB49031E717F69E4CF58CF67A1EF1C0@DBBPR08MB4903.eurprd08.prod.outlook.com> <509C8229-20DC-4888-BE1D-9109733A9E2D@intel.com> <5B9516E6-1441-462E-86D2-B630B32CE1C7@island-resort.com> <DBBPR08MB4903356ED09601AA7A6006FAEF180@DBBPR08MB4903.eurprd08.prod.outlook.com> <3503.1581456157@dooku>
In-Reply-To: <3503.1581456157@dooku>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 1d5b4014-0fba-4876-9d06-c3a93a31ecae.0
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Simon.Frost@arm.com;
x-originating-ip: [217.140.106.51]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: d54f29e6-f9f9-48ba-cc68-08d7afc43bf6
X-MS-TrafficTypeDiagnostic: DBBPR08MB4903:|AM4PR0802MB2372:
X-Microsoft-Antispam-PRVS: <AM4PR0802MB23727EDE4BC45BFE85E4B2F9EF1B0@AM4PR0802MB2372.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:6108;OLM:8273;
x-forefront-prvs: 0311124FA9
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(376002)(366004)(396003)(346002)(39860400002)(136003)(189003)(199004)(76116006)(66556008)(64756008)(66446008)(5660300002)(66476007)(33656002)(52536014)(8676002)(81166006)(9686003)(8936002)(66946007)(81156014)(71200400001)(316002)(55016002)(966005)(110136005)(86362001)(478600001)(53546011)(2906002)(26005)(6506007)(186003)(7696005); DIR:OUT; SFP:1101; SCL:1; SRVR:DBBPR08MB4903; H:DBBPR08MB4903.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: +6uBUYyIewXCPRI99xgfPRiUV1+sKCO8QfYzWpyxfI+VkE2t3igC/Ku8pTnBtRQdFEe7jybxVTfd3LWIHTgLNxC8hb8NS1Kqa1PH7CkMCLBwP3kWEfnbmdXYNBm4hze/OP6duEnzcT6R/S9qwQsilhJGEKiTkwnDGw4ojw27ss6FQDrPzRRBYfnMNF5ILCNbduOSfkyZPvBHAwGAHLnnW4WvDdqvFaWRUUbjfxrvIdayVLp46X6Uca3CjVHbTqvfQNoGoc0tDbWMY14TSCx5RR4EYFTUXHjYQABG7XC7UQsTGb7YLK89sDt62msxfV004+SztstVduPJEWwQF7w5R1KYnZPzOugADgfEaerVgnPXgVxgSV8cSbQMclp2bbueHH3Bzh7FNJthlo1ZJR5Ib9UmQ97jIJuaoQsHjMfL4TwHubluAIilKIGuisD68sx/LUj4gwdkbDaQ5gMIScG43jYozUcu/S7fgVQW2MLCymwU+wRWn02/6NNh4WuYwvo6vwSxnJQlXWKCo5tq311Bnw==
x-ms-exchange-antispam-messagedata: m9vy+/7UdwvchlIjZz9ibSwlz0QXxNb7sy2Eu3zNpfpQvhRKY6bdNraCO5l58E7++/bzLdXc7ZfLVCSSwXFamsqG4O6UU1roGgral6lge3TnKhKxVZCLLaYPzInyhZpoU4M+QwZV2YXZD7oU6UW6oQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB4903
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Simon.Frost@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT034.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(39860400002)(136003)(396003)(199004)(189003)(8936002)(8676002)(33656002)(81166006)(81156014)(36906005)(110136005)(52536014)(7696005)(316002)(5660300002)(9686003)(55016002)(70206006)(70586007)(86362001)(478600001)(6506007)(53546011)(966005)(2906002)(356004)(186003)(26826003)(26005)(336012); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0802MB2372; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: cdbf8ac8-c6f4-4ace-8c99-08d7afc437d0
X-Forefront-PRVS: 0311124FA9
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: T8+iT5dzh4yQt8/0JVRf6Gxb9IBZOzL8D1QQ7PENvjRQOlNzDPFIRsgOaJSqnyjxjuDTcEFxcr3zd9G8oUPgLciJDEnNkq+UI5d5WL8klUOyCr+E8KXGcFrBoHHHxOoDx053u9fDLeXEZMz8Muq+uk24AITk9OJKUkXwVY6Lzd7v69aDNkTJxeGpyBSF1fnm+IBcNpKeE+VlAdaF1joXqQr5DV5hgvZNPsI02BNrMQj1A+FuP9BXjJMENrQaMwBLkC/aQQMzAukEjnyM4Zp1DtHLW5qV1/dBmXc2MS6y8wZZATnKH56l3icZ5htoyI5k7lLlYofk3AKbX5+MJK+V9XZlU9WKHEJmWtLxvvsbrN2mhmL2FbT3yqIRnPzi1DS7d9K9SaVFyHdwJSKT+0yMWeIGu++MS74WS8zfhjDQ46SCR6uSKd1aWiO57n9rwQOr3gjcbB8DnECBzzMLbZ+kI3MwcoGWG18gXr+hdWuxJut90ZGoLB8mJ5+2xfwKKskra8EgRzDklqIRXDYT0czUbg==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Feb 2020 14:02:44.9614 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d54f29e6-f9f9-48ba-cc68-08d7afc43bf6
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0802MB2372
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/HohCKU9MvVpXL8f7oVxKgACwe2M>
Subject: Re: [Rats] About (E)UID's
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2020 14:02:54 -0000

I wasn't suggesting that the UEID claim be structured, rather that the description be changed to describe a value unique within the target context. This makes the standard claim more useful for any implementation that doesn't fit a global viewpoint, rather than that automatically needing a custom claim.

The assumption here is that a given implementation of Remote Attestation based on the standard will be prepared such that the policies applied by the verifier and the relying party take into account the locus to which that implementation is targeted. Within that, they can follow a standard definition for an (opaque) UEID claim as identifying a unique instance. However, it can be specific to that implementation context whether other claims, standard or custom, may be required to apply the policy. For example: if an implementation is built for a closed ecosystem with a dedicated single supplier then evidence appraisal may need only consider the UEID claim. Alternatively, if it is known there may be multiple suppliers then evidence appraisal could also consider, say, OEMID or Origination claims along with the UEID claim.

Going back to PSA Security Model, the InstanceID uniquely identifies the Attestation Key and which in turn must be unique to an Implementation of the PSA RoT, hence to establish locus the (custom) ImplementationID claim is also required.

On a related note, the PSA token proposes a 'Profile' claim to be included in the token, being a reference to a document that defines the set of claims used and any semantic details.  This wouldn't be required to satisfy the above but could be used to remove any ambiguity for the verifier implementer / policy writer. This proposed claim is captured as part of the EAT issues: https://github.com/ietf-rats-wg/eat/issues/32

HTH
Simon


-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Sent: 11 February 2020 21:23
To: rats@ietf.org
Subject: Re: [Rats] About (E)UID's


Simon Frost <Simon.Frost@arm.com> wrote:
    > I agree that there should have a UEID claim within the standard and
    > also with the proposed bitlength representations.

    > I suggest we should change the description of the UEID claim to allow
    > the standard to support more interpretations of what the locus of
    > uniqueness might be to an implementation.

What are the implications to the Verifier and Relying Party of these differences?

If you intend there to be code path differences based upon the locus of uniqueness, then I would prefer that value of the UEID claim be opaque, and if we need to have semantic differences, that we register multiple UEID key values.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email