Re: [Rats] Fwd: New Version Notification for draft-moriarty-attestationsets-01.txt

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 05 April 2021 14:54 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 5 Apr 2021 10:54:04 -0400
Message-ID: <CAHbuEH43hREpvwQaP0YO-gesQYK32MZh8RU+KaE-9905EZpjJA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rats@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/IBRBjca-ZLMOOuIgpMavogXgtNo>

Hey Michael,

Thank you for reading the document.

On Sat, Apr 3, 2021 at 5:52 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

>
> Hi, I tried to read the document.
>
> I found the Introduction to be very harsh, just peppering me with what seem
> to be unrelated facts.
>
I'd like to understand what you see as harsh, was it the following:
"Posture assessment has long been desired, but has been difficult to
achieve due to complexities of customization requirements at each
organization."

I do see the rest as related, but could improve how it's written to better
demonstrate the relationship if helpful.  The aim is to provide motivation
for a switch and a push to the vendor instead of third parties for posture
assessment.  Security being built in and verified by the providing vendor
would reduce the number of engineers needed overall rather than having
posture assessment continue as a distributed function.


> I think the first paragraph could perhaps just be deleted.
> The second paragraph starts better, but then veers off as well.
>

The point of this was to demonstrate a case where attestations centered
around an established set of controls are in place today (NIST 800-193 &
TCG's Reference Integrity Measurements).  Being able to attest the result
of all the attestations and verifications that happen on the system would
then be a remote attestation.  Is an example of where this is working
helpful or not helpful?


> I understand that this document aims to register a standard set of claims.
>
> I get the impression that from what I understood from the introduction that
> these claims are similar to work that has occurred in the past in other
> fora,
> but which did not really work out the way people had hoped.
>
> I suggest that the WG adopt this document and work on it.
>

Thank you.  I'm happy to revise as needed.  Getting the basic concept out
there, and providing the capability that should simplify at least some of
posture assessment is really the goal.

Best regards,
Kathleen

>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>


-- 

Best regards,
Kathleen