Re: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Thu, 07 September 2023 17:50 UTC
Return-Path: <rdd@cert.org>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79DB4C151555; Thu, 7 Sep 2023 10:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hAoQ1YgZ7pf; Thu, 7 Sep 2023 10:49:58 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0128.outbound.protection.office365.us [23.103.209.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E6E1C14F74A; Thu, 7 Sep 2023 10:49:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=QKBRQRLMtSkcW/HQJ37F7VPOTpB4puA8t1YS1/vTuaBUJ2mCNJn1XmLBhC/woCM8ZKD9AbV4ADbUK4sDshVoz0XW6U1tnmzfUBoV0attJofKB/zai+7ec9cUVMciJuG0NTg820K7P7riPBW1Km3qArkBxmZQ0Pp3w1j+IVnN6o5SuiHWyPilx188NfBpUBq7Us049ASw8VxUN+fazoo5O/GMf9TUkPKej5sDeBSZ7ii7SVDnCTJo1ARCGP2Ra5dZ1Y0J5dUEkQDtZIiYXchLX0/9+Kb8u+qXMpy4YJr9vO+CA9ijYq3NDI6swuDTdO2FVJDvU9yXWXPkorYszdLq5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bt1MmXuxiAdMuUnx4OuUZ6K5HWbKV3bRUklTSY2HcnU=; b=LvaRX1Sd7Rg6rr/YeaEAKTDk9Il3nzVKBZxXm9JSebt3jZPwCL0lwb63lAeMoX3ng+IMaNNRdmPncb561Eq98tExurGwmYjdO9rr64sOlp9boDyOniB48ilSc7STAl/AR5AONUbkfa5SIVtuQyusEFxV2h6oFoMVt2/Oit/Gx2n0mHwii83nBY6zGe9jEy3MDHoiA0990jWCVBfVpNnkK/chJsge1wL5v4C5y2qOJtA5yQNkv/xrWILyrXjUuMGhgDfYh+he/kCdeNt8PvUwXv2IgAnLoGpasND+YjmZQgXlnJYRfS2MNrmrVLYaDuC29ZuYjNwScVHsvMtimRy8gA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bt1MmXuxiAdMuUnx4OuUZ6K5HWbKV3bRUklTSY2HcnU=; b=EBoBb20tS3ZUTJ0A9S/onkNDL7yO3T7lOExT+kz3NAPMLlOPLJle2gc0o/zJu6AeYEW0Ddp00ifAbXLjHFDk/LNQ2mgD2Xfo4lu+sTL6W+zlZmtg5Swm6wvua5QNZHlJWOBk8xR3oHDlOYXBZzYTHpOA+5c+nJaA1SQVXtbZm2I=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1414.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17f::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.37; Thu, 7 Sep 2023 17:49:54 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::a75:1fb:d689:ea09]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::a75:1fb:d689:ea09%6]) with mapi id 15.20.6745.035; Thu, 7 Sep 2023 17:49:54 +0000
From: Roman Danyliw <rdd@cert.org>
To: "Smith, Ned" <ned.smith@intel.com>, Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-rats-eat@ietf.org" <draft-ietf-rats-eat@ietf.org>, "rats-chairs@ietf.org" <rats-chairs@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)
Thread-Index: AQHZ4Yyb6JQ79qA5C0KnMJSNT2LEFbAPnRiAgAADIBA=
Date: Thu, 07 Sep 2023 17:49:54 +0000
Message-ID: <BN2P110MB110707F866D4E418199B6437DCEEA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <169409219358.34717.10637003445246332249@ietfa.amsl.com> <0362104E-7D7D-4A22-B202-E147073D852D@intel.com>
In-Reply-To: <0362104E-7D7D-4A22-B202-E147073D852D@intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1414:EE_
x-ms-office365-filtering-correlation-id: ff5234be-7914-4638-25ea-08dbafcad7f7
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: khpUZf7jFYtLQgg3Jx4UJx0COSj5h/0il0pzSv4leumjK2Re2Eqgt6XoygOhntD2kL/zCrsq1CGgpvM6QUIe+2lZ3HkybQHMPzPWiWFJHzRRMm90xwUpdcNcTFPYdZa1Nj860trt0tJR+UhmRY1eeE1y6858jrfNg0gYL7RMp6vtFx9vIb+1wBRZxF2TrE0p193ssftVCXc+Rzb3SPmLyiXdrENRilFz4wTZVDbbKAGyQqL5S485QckCO5fuNEZg14ISI9PgcTEtWcsKFus6XKV4e3nS7QrgIp2MJDanh3qK0QoQ0esZlhOkPDsg/4yZCaKKpDqT7aFDQ55bSQm0ya5FNruvqXeMAw52FAalkX77UgbpCKvU3knXmRQ+RTtNdqDFL6XhuGkZURD+W2u0SJPtFxE5cpcuMVZR7YHVSbi7Y7xcMPfOFXozIq9MgMkh1BjjBiQpC4lDXU4ZxoE/BZNdLUY277+hfE2mDMT0JFybmz+v6SV9S2rrbSymxg9iU+WkHoqjvbfrxRYTBmdpE3XpQrK3CARzyTuzB1O2ZsDlElPv0TzD2byYJbPjTQKzQgB+58QlTvBnnML1jNVxyCTwve6l+SK1ia7IcgUkT9g=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(366004)(39830400003)(136003)(396003)(451199024)(186009)(1800799009)(55016003)(86362001)(52536014)(5660300002)(4326008)(2906002)(41320700001)(8676002)(33656002)(966005)(122000001)(508600001)(8936002)(82960400001)(38070700005)(38100700002)(9686003)(26005)(7696005)(6506007)(53546011)(83380400001)(71200400001)(64756008)(76116006)(66946007)(54906003)(66556008)(66476007)(66446008)(110136005)(41300700001)(66574015); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: qWB3nLi6C/+erDj+7u0pv9Hdji8tVoXBb0XJ1BCgMHeoU4NynFLJuhr2k7wE9ILSOG6ZwmT+UjFS6N5b0mnCKVS/UhyWbqMAf0v1sHJJ5J1EFIkXaNctSjx0j3BXzlJjJb1MRpvjEFTHrqrF5grmz1FQI7yK/zGtMRLGk0eO64ezvUqEcGs+yeltsxvqash+oB9mYs7F8SfAGGeY8aDf6sU9Kgh758n0P3Y5XFhNimv7/0EhJcX+LOwtkcxGyvZ7J/7a7VylWjXpBlRqXJkauTkoY1p8d2LCRbmWjqagaulqdsR0SfZqZPhefXDgSJR2vGXhh0wIE2XPNNRt0qLPBNvyo+SDs6z3EiUJZ377QiZGBPi052We1GUH3CbNRFidVtIs/dbeGehZ14rPYIuCtqElWVp3xkh9UeLhI5ac7LI=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ff5234be-7914-4638-25ea-08dbafcad7f7
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Sep 2023 17:49:54.4151 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1414
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/IkTRzg9tpy--dWE3QZjbpxuaUMI>
Subject: Re: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2023 17:50:02 -0000
Hi! > -----Original Message----- > From: RATS <rats-bounces@ietf.org> On Behalf Of Smith, Ned > Sent: Thursday, September 7, 2023 1:24 PM > To: Robert Wilton <rwilton@cisco.com>; The IESG <iesg@ietf.org> > Cc: draft-ietf-rats-eat@ietf.org; rats-chairs@ietf.org; rats@ietf.org > Subject: Re: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with > DISCUSS and COMMENT) > > BTW: [RATS.Architecture] is now RFC9334. Regardless of whether it is > informative or normative, the reference should be updated. Agreed. > I believe it is informative because RFC9334 is an informative RFC. The status of RFC9334 won't dictate whether it is normative or informative in this document. Referenced normatively in this document just makes RFC9334 a "DownRef" (i.e., a "higher status" proposed standard document referencing a "lower status" information document) Borrowing from https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/, the key question is whether [RATS.Architecture] is needed to implement this RFC. The text in Section 9.3 of this documents meets that threshold of being "required reading" by pointing this document to the security considerations in [RATS.Architecture]. ==[ snip ]== 9.3. Freshness All EAT use MUST provide a freshness mechanism to prevent replay and related attacks. The extensive discussions on freshness in [RATS.Architecture] including security considerations apply here. ==[ snip ]== Roman > On 9/7/23, 6:11 AM, "RATS on behalf of Robert Wilton via Datatracker" <rats- > bounces@ietf.org <mailto:rats-bounces@ietf.org> on behalf of > noreply@ietf.org <mailto:noreply@ietf.org>> wrote: > > > Robert Wilton has entered the following ballot position for > draft-ietf-rats-eat-21: Discuss > > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling- > ballot-positions/ > <https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/> > for more information about how to handle DISCUSS and COMMENT positions. > > > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-rats-eat/ > <https://datatracker.ietf.org/doc/draft-ietf-rats-eat/> > > > > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > > Hi, > > > Thanks for this document. Sorry, I didn't have time to review this document > that closely. I have flagged one issue for discussion to change the reference > to the architecture document to being a normative reference. This would mean > a > downref, but should otherwise be an easy change to make. The rest of my > comments are non-blocking. > > > (1) p 71, sec 11.2. Informative References > > > [RATS.Architecture] > Birkholz, H., Thaler, D., Richardson, M., Smith, N., and > W. Pan, "Remote ATtestation procedureS (RATS) > Architecture", Work in Progress, Internet-Draft, draft- > ietf-rats-architecture-22, 28 September 2022, > <https://datatracker.ietf.org/doc/html/draft-ietf-rats- > <https://datatracker.ietf.org/doc/html/draft-ietf-rats-> > architecture-22>. > > > "From section 1.3, EAT follows the operational model described in Figure 1 in > [RATS.Architecture].". This, along with other references indicates that the > RATS architecture should be a normative reference. > > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > (2) p 0, sec > > > An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with > attestation-oriented claims. > > > This is probably contentious, but given that this is a new spec, I wonder > whether it wouldn't be better (i.e., encourage wider interop) if only CBOR, > COSE and CWT were used/allowed. > > > (3) p 20, sec 4.2.6. swname (Software Name) Claim > > > The "swname" claim contains a very simple free-form text value for > naming the software used by the entity. Intentionally, no general > rules or structure are set. This will make it unsuitable for use > cases that wish precise naming. > > > I found it interesting, and slightly surprising, that the hardware model claim > is opaque, but the software name claim is not. > > > (4) p 24, sec 4.2.11. uptime (Uptime) Claim > > > The "uptime" claim MUST contain a value that represents the number of > seconds that have elapsed since the entity or submodule was last > booted. > > > Relative to other claim descriptions, the MUST in this description seems > strange. Perhaps better as just "The "uptime" claim contains a value ..." > > > (5) p 88, sec Appendix B. UEID Design Rationale > > > A UEID is not a UUID [RFC4122] by conscious choice for the following > reasons. > > > Note that the UUID spec is currently being updated (it is also on this week's > telechat review), so some of the concerns being described here may no longer > be > valid. It is still only 128 bits though, and 6 bits are spent identifying UUID > format and version. > > > (6) p 89, sec Appendix B. UEID Design Rationale > > > Note also that that a type 2 UEID (EUI/MAC) is only 7 bytes compared > to 16 for a UUID. > > > Note that the paragraph at the end of appendix B.1. states that UEIDs are a > minumum of 128 bits ... > > > Regards, > Rob > > > > > > > _______________________________________________ > RATS mailing list > RATS@ietf.org <mailto:RATS@ietf.org> > https://www.ietf.org/mailman/listinfo/rats > <https://www.ietf.org/mailman/listinfo/rats> > > > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats
- [Rats] Robert Wilton's Discuss on draft-ietf-rats… Robert Wilton via Datatracker
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… lgl island-resort.com
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Smith, Ned
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Roman Danyliw
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Roman Danyliw
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… lgl island-resort.com
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Rob Wilton (rwilton)