IETF Logo Mail Archive

Re: [Rats] Call for Adoption: EAT draft

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 31 May 2019 07:54 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCBEF120019 for <rats@ietfa.amsl.com>; Fri, 31 May 2019 00:54:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X1Qj-Ut_3Uva for <rats@ietfa.amsl.com>; Fri, 31 May 2019 00:54:51 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10068.outbound.protection.outlook.com [40.107.1.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9147D1200B7 for <rats@ietf.org>; Fri, 31 May 2019 00:54:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CgERyjtoRLzACafHliCeu8IbB7pd0YbJaA19RpPwft0=; b=JRU1FOxF7cCgIeUsWgW/a0LTwvykw7DpoKJss3Mql7NWOrRMaq89sthU/aH213zfFWuvNtkMw71+xCGR8jeIG681JASAhWGHVslsqNPgnJB3B+zdD7vKFEe9Cqg3GViyw3Xdn2IUCWfIMBHNSaL+rKVrpKIooVThX7kf1SLnUkE=
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com (52.133.244.88) by VI1PR08MB5296.eurprd08.prod.outlook.com (20.178.126.214) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.20; Fri, 31 May 2019 07:54:45 +0000
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::f426:1919:2252:5df5]) by VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::f426:1919:2252:5df5%5]) with mapi id 15.20.1922.024; Fri, 31 May 2019 07:54:45 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>, "Eric Voit (evoit)" <evoit@cisco.com>
CC: "rats@ietf.org" <rats@ietf.org>, Giridhar Mandyam <mandyam@qti.qualcomm.com>
Thread-Topic: [Rats] Call for Adoption: EAT draft
Thread-Index: AQHVB0Ih4Xja5WRZnUanrv/uEd79H6Z3f+WAgAkvdwCAAAQPAIAAQeOAgAAaP4CAAAwUgIAADicAgAAZOwCAAAfHAIACt1gAgAAFvJCAACLdgIAAQCKAgACNrwA=
Date: Fri, 31 May 2019 07:54:45 +0000
Message-ID: <VI1PR08MB5360919E4669734878D75F6EFA190@VI1PR08MB5360.eurprd08.prod.outlook.com>
References: <CAHbuEH6Mdwp+neWbcecA-pMYZoXKiNda2A0EnMh-8WX=W9_edA@mail.gmail.com> <DM6PR11MB408991CBF9B50672E12A8F61A1000@DM6PR11MB4089.namprd11.prod.outlook.com> <DM6PR11MB4089818BBEF529569DC1250DA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <bdcaa9f2ca2344aa98287acd0b80d8f3@NASANEXM01C.na.qualcomm.com> <DM6PR11MB408939CC9EA79D479B76586DA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <E09EB1B2-ED56-4F1B-8D80-BF0D227199A3@island-resort.com> <82b0a75e5b5645d1a43d240373bca6dc@NASANEXM01C.na.qualcomm.com> <DM6PR11MB4089DAD248EEAAF9F92F2C0AA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <50ddca72a9074e229976ca88f78e340a@NASANEXM01C.na.qualcomm.com> <DM6PR11MB4089BF4C3F319894DAE8722AA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <175ea22d1a1948d48f8180424cc89ec0@NASANEXM01C.na.qualcomm.com> <VI1PR08MB5360CE8EFA93515A140D30F2FA180@VI1PR08MB5360.eurprd08.prod.outlook.com> <DM6PR11MB408967D6E5EF0A355CF0D60BA1180@DM6PR11MB4089.namprd11.prod.outlook.com> <D53ECF26-E2F5-4BD5-A81F-BBE1AEEB4541@island-resort.com>
In-Reply-To: <D53ECF26-E2F5-4BD5-A81F-BBE1AEEB4541@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 46f4ff3a-f92a-488a-bfbb-eff32e6caf47.1
x-checkrecipientchecked: true
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.123.119]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 45231ea4-c08c-48f3-5086-08d6e59d3f65
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:VI1PR08MB5296;
x-ms-traffictypediagnostic: VI1PR08MB5296:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <VI1PR08MB529668569B0E113050BB25D6FA190@VI1PR08MB5296.eurprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 00540983E2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(39860400002)(376002)(136003)(346002)(199004)(189003)(40434004)(7696005)(76176011)(99286004)(25786009)(53546011)(6506007)(102836004)(74316002)(2906002)(52536014)(33656002)(5660300002)(478600001)(966005)(72206003)(54906003)(6116002)(3846002)(561944003)(14454004)(66066001)(110136005)(316002)(81156014)(8676002)(256004)(81166006)(5024004)(14444005)(9686003)(6306002)(55016002)(446003)(53936002)(66446008)(64756008)(66556008)(186003)(66476007)(8936002)(66946007)(73956011)(476003)(76116006)(11346002)(7736002)(486006)(305945005)(229853002)(26005)(6246003)(68736007)(4326008)(71190400001)(71200400001)(6436002)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB5296; H:VI1PR08MB5360.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: a2lF6EnBQMDQGMWxMgIAN07BS6G46DdsjXZ6sTigx+/kn/ObP3n+xjryFQyF4iiCe1XvmFGaL0Ahpcw0yQbgUy5rDAr68FcTga8G2Zu6msJKnuIdc9zE+7I/6CCS1A6Lhy2EkrbGcpqPgLkBy0EiR29i0hL4cmm9+XbyeqP4IS3eRBXYaJpb0Rs6SPwS6neJMvTr6UkIlbhsW+OupLB7yxOW38BM5ypSB3QIHNx3yQ+I53RSXUMf/V71shjFY2v8jaqNnlOAyuklYKam3HXeAdwfbvbeC2ZLyzF7pn+9yanCdis029we2pWJBp7AYBvC2TzPLXPK1IAIZ6NEdl/ak26r0v1Ek2C4a0+ALupOybKWq/ceFbCcTWHvpmU2Iz/0nOShJjdaCe4lIDVJuPZ88w0l6/CugFsQw/d8vfb7dPU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 45231ea4-c08c-48f3-5086-08d6e59d3f65
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 May 2019 07:54:45.4673 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Hannes.Tschofenig@arm.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB5296
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/EvliXpoVL0EkSR17Pz_NKXcBmSY>
Subject: Re: [Rats] Call for Adoption: EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 07:54:55 -0000

Hi Laurence, Hi Eric,

> So if an EAT is a CWT, then the proposal is to change the IANA registry rules for CWT in the EAT draft. Is that allowed? This is really a change to CWT and even JWT. Seems like it is saying that if a YANG-defined claim exists for a possible CWT or JWT claim, the YANG-based claim MUST be used.

IMHO everything can be changed.

> I think Eric’s thought about harmonizing is a good one. Learn from past efforts. Improve interop.

Learning from past efforts sounds always good. Let me pick on the example from below about draft-ietf-netmod-geo-location-01. It appears to me that the netmod group has either not looked at the work from the IETF GEOPRIV working group or ignored it. (I have not been involved in the netmod group and so I cannot say.) GEOPRIV published a number of RFCs that provide details about how to encode different geodetic location shapes (based on a mapping from GML), civic location, relative location, talks about uncertainty and confidence, how to encode moving objects, etc. While there is no need to use the info 1:1 there is a lot that can be learned from the work in that group. Of course, the content for the location encoding in draft-mandyam-eat-01 isn't much better.

For me the biggest question is whether location is actually a good source of information conveyed in an EAT token.

Eric, I understand that you do not want to duplicate information. I don’t want to do that either. I have been wondering about this aspect myself (particularly when I read the location claim). For example, in the LwM2M context we have a (pretty naive) location object as part of the data model as well. The data model we use with LwM2M is different to how data is modelled in the EAT token. Is this unavoidable? In some sense the situation is similar to the Yang-defined data model. The source of information comes from a different part of the system and is conveyed differently. Maybe you could call it a different layering where a device with Yang objects has to treat the EAT token as opaque (particularly since it is digitally signed and potentially encrypted). I am currently leaning towards seeing it that way from a LwM2M perspective.

Ciao
Hannes

~ snip ~

However, IANA registry rules revising aside, making it a MUST seems too much. I think the YANG-defined claims should be very much seriously considered, just like any other previous data structure definition, but that there be no blanket requirement.

To go a little further and to be clear. When a YANG-defined claim is used the CBOR encoding of it will be used with CWT and the JSON encoding of it will be used with JWT. This hinges on draft-ietf-core-yang-cbor-10 producing satisfying, compact and sensible CBOR encodings (binary data is really CBOR binary, claim keys are small integers…).

LL


> On May 30, 2019, at 12:19 PM, Eric Voit (evoit) <evoit@cisco.com> wrote:
>
> Hi Hannes,
>
> I do like EAT.  I am hoping that it gets adopted.
>
> At the same time, I am trying to avoid unnecessary mapping of claims from a chipmakers domain into system integrator /network operator domains.  I believe much pain can be avoided with a little planning up front.  That is what I am trying to facilitate with this discussion.
>
> Specific details/examples in-line...
>
>> From: Hannes Tschofenig, May 30, 2019 1:18 PM
>>
>> Hi Giri, Hi Eric,
>>
>> (a) some principles/guidance to CWT claims registry people on avoiding the mass registration of lightly-used or unused claims
>>
>> Why is this a requirement? When a claim is registered then it is most likely done with the anticipation that it will be used. I have not seen other IETF registries that have raised the bar to a similar level, at least the JWT claims registry does not work that way. Furthermore, what is the harm in registering claims that later turn out to be less frequently used?
>
> Let me provide a *best* case example.  In the NETMOD WG, there is a draft-ietf-netmod-geo-location.  Both that draft and this have definitions of latitude, longitude, altitude, accuracy, etc.   The *good* news is that both drafts are based on WGS84.  So at least our experts have lucked in to using a consistent resource.  But are these the same objects?  How does a reader know?   In one of the documents the latitude/longitude attributes are "FloatOrNumber", in the other they are "decimal64 {fraction-digits 16}".
>
> It of course gets harder for other objects.   The velocity objects in draft-mandyam-rats-eat are "heading" and "speed".  And draft-ietf-netmod-geo-location has this information "v-north", " v-east", and " v-up".  Here we have different formats, the first of which cannot be easily upgraded to serve three dimensions.
>
> And then we get into other harder objects where we will have timestamping, explicit domains of allowed entries, etc.  And is there is no boundaries on what might be claimed as an EAT, in theory we could create a parallel domain of objects without description on how to map between the two, placing the heavy lifting onto the implementer.
>
> Now I am not trying to solve world hunger in this thread.  I am just trying to have the draft consider minimizing inter-ecosystem friction where we can see it coming.  I believe with a little foresight we can ensure a consistent population and data typing for a subset of claims.   Without foresight, I see that people will create new CWT to avoid some later mapping.  And more/redundant CWT tags will harm interoperability.
>
>> (b) a requirement to map claims to existing YANG objects, if these YANG objects exist
>>
>> I also don’t understand this requirement. Is there some design rational why this would be needed/useful?
>
> Per above, EAT claim instances need to be integrated with other work/ecosystems in the IETF after the information comes off of a hardware chip.  A claim registry shouldn't create redundant info/formats to other work/ecosystems when it can be avoided, at least without broad discussion and consensus.   (I.e., lets avoid unconscious object definition and object domain overlaps wherever possible.)
>
> Eric
>
>> Cia
>> Hannes
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email