IETF Logo Mail Archive

Re: [Rats] Call for Adoption: EAT draft

Giridhar Mandyam <mandyam@qti.qualcomm.com> Tue, 28 May 2019 20:36 UTC

Return-Path: <mandyam@qti.qualcomm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ED7C1200BA for <rats@ietfa.amsl.com>; Tue, 28 May 2019 13:36:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=qti.qualcomm.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7nEaPVt3pM4K for <rats@ietfa.amsl.com>; Tue, 28 May 2019 13:36:52 -0700 (PDT)
Received: from alexa-out-sd-01.qualcomm.com (alexa-out-sd-01.qualcomm.com [199.106.114.38]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 379E8120019 for <rats@ietf.org>; Tue, 28 May 2019 13:36:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1559075812; x=1590611812; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=4LP6NqLxuWU+mpmfIjtPAR9uURgdmX5xhSIgXbUE1Qo=; b=YIoFzE8a8q7bbuX3py1ONVm16aSYH+fxHJCv/2te1nogYhu30PYZwIi+ JBIa5sZyXtraenDTkH5fmBKXCvXUhKqfTRvsU6VPYcXIoObAeyrAk8dgK CgVy32oVH/+Dg/A5IticY+ifn5nMC7huun565emdtIsu0PL+ITcWtfSGz M=;
Received: from unknown (HELO ironmsg04-sd.qualcomm.com) ([10.53.140.144]) by alexa-out-sd-01.qualcomm.com with ESMTP; 28 May 2019 13:36:50 -0700
X-IronPort-AV: E=McAfee;i="5900,7806,9271"; a="262057187"
Received: from nasanexm01d.na.qualcomm.com ([10.85.0.84]) by ironmsg04-sd.qualcomm.com with ESMTP/TLS/AES256-SHA; 28 May 2019 13:36:50 -0700
Received: from NASANEXM01C.na.qualcomm.com (10.85.0.83) by NASANEXM01D.na.qualcomm.com (10.85.0.84) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 28 May 2019 13:36:49 -0700
Received: from NASANEXM01C.na.qualcomm.com ([10.85.0.83]) by NASANEXM01C.na.qualcomm.com ([10.85.0.83]) with mapi id 15.00.1395.000; Tue, 28 May 2019 13:36:49 -0700
From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
To: Laurence Lundblade <lgl@island-resort.com>, "Eric Voit (evoit)" <evoit@cisco.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Call for Adoption: EAT draft
Thread-Index: AQHVB0IhN858RlA5d0a+EiarhvfPtaZ39T6AgAkvdwD//4yCcIAAuXCAgAAaP4D//5Q/QA==
Date: Tue, 28 May 2019 20:36:49 +0000
Message-ID: <82b0a75e5b5645d1a43d240373bca6dc@NASANEXM01C.na.qualcomm.com>
References: <CAHbuEH6Mdwp+neWbcecA-pMYZoXKiNda2A0EnMh-8WX=W9_edA@mail.gmail.com> <DM6PR11MB408991CBF9B50672E12A8F61A1000@DM6PR11MB4089.namprd11.prod.outlook.com> <DM6PR11MB4089818BBEF529569DC1250DA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <bdcaa9f2ca2344aa98287acd0b80d8f3@NASANEXM01C.na.qualcomm.com> <DM6PR11MB408939CC9EA79D479B76586DA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <E09EB1B2-ED56-4F1B-8D80-BF0D227199A3@island-resort.com>
In-Reply-To: <E09EB1B2-ED56-4F1B-8D80-BF0D227199A3@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.80.80.8]
Content-Type: multipart/alternative; boundary="_000_82b0a75e5b5645d1a43d240373bca6dcNASANEXM01Cnaqualcommco_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Lc5klF2RS95D-dBkbR43vTy2OLw>
Subject: Re: [Rats] Call for Adoption: EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 20:36:55 -0000

> There is a CWT claims registry, so if you want to be sure no one collides with your, register them. (Looks like EAT didn’t say this explicitly, but that is the intent. Anyone can add any claim. All claims are optional. This is just like CWT).


Clarification:  The EAT draft didn’t need to state the above, as EAT is making use of the existing CWT registry.  Each claim submitted to the CWT registry will undergo expert review – see https://tools.ietf.org/html/rfc8392#section-9.1.  The designated experts should verify that not only claim ID’s in a submitted registration are not overlapping with existing entries, but they should also determine “whether the proposed registration duplicates existing functionality”.



-Giri


From: Laurence Lundblade <lgl@island-resort.com>
Sent: Tuesday, May 28, 2019 12:54 PM
To: Eric Voit (evoit) <evoit@cisco.com>
Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>; rats@ietf.org
Subject: Re: [Rats] Call for Adoption: EAT draft


CAUTION: This email originated from outside of the organization.
Hi Eric,

CWT says it in the start of section 3 of RFC 8932: “…all claims that are not understood by implementations MUST be ignored.” So anyone can add any claims. There is a CWT claims registry, so if you want to be sure no one collides with your, register them. (Looks like EAT didn’t say this explicitly, but that is the intent. Anyone can add any claim. All claims are optional. This is just like CWT).

It quite the intention that a token can be generated on a general purpose CPU. However the idea is to mark it as such so the receiver knows. Of course, if a token in generated on a special security-oriented CPU, it will be signed there and the general purpose CPU will just be a middle man that can’t change it.

I foresee the work we do here as a general frame up for EAT including the definition of a lot of common and useful claims.  Then individual applications and use case and such will define profiles that say what claims are allowed or disallowed. The ARM PSA document is more-of-less an example of that. FIDO is interested in workin on a profile. I expect Global Platform to define a TEE-oriented profile.

LL





On May 28, 2019, at 11:19 AM, Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>> wrote:

Hi Giridhar,

I expect we will want to expand the claims over time.  Based on that, what are the limits to what can plausibly be populated as an EAT claim?

This is an important question at adoption time.  One of the things I like about Section 3 (everything but section 3.4) is that all the proposed claims are very specific/well defined.   And also importantly, each of these claims feel to be something which could plausibly be supported and signed within a hardware chip.  This is goodness.

However Section 3.4 defines "unrestricted" security environments which provide "no meaningful security assurances".    I can see why this might feel interesting: it provides flexibility for future use/applicability of EAT anywhere.  But a downside is that this could be read to mean that a general purpose CPU could add their own Claim types and then sign them.

Initially that seems like this flexibility would be ok.  But there are lots of protocols in the Internet.  And  I expect each of those protocols would want to maintain an explicit the list of attributes which might be passed on top.    So if those protocols are to someday carry EAT information, it would be good to define the universe of what might conceivably be carried within.  Without this, there could be unnecessary fights on who owns the purview of various nested protocol objects.

Eric

From: Giridhar Mandyam, May 28, 2019 10:24 AM
Sorry for the failure to respond.

Yes, your assessment is correct.  A custom claim can be created to carry the entire TPM attestation as a payload, similar to what is done in FIDO/Webauthn where the TPM relevant fields are included in a CBOR structure – see https://w3c.github.io/webauthn/#sctn-tpm-attestation.

Note that we would like to include claims into EAT that would cover measured boot.  There is no reason that entries in a PCR map couldn’t be represented as individual COSE structures (assuming the COSE algm. registry is consistent with the TPM specifications).  If so, then each measurement can nested within an EAT.

-Giri Mandyam

From: Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>>
Sent: Tuesday, May 28, 2019 7:09 AM
To: draft-mandyam-rats-eat@ietf.org<mailto:draft-mandyam-rats-eat@ietf.org>
Cc: rats@ietf.org<mailto:rats@ietf.org>
Subject: RE: [Rats] Call for Adoption: EAT draft

CAUTION: This email originated from outside of the organization.
Resending a question to the authors...   (It looks like it got skipped during the blizzard of emails on JWT/CWT)

Eric

From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> On Behalf Of Eric Voit (evoit)
Sent: Wednesday, May 22, 2019 1:53 PM
I like the draft, but there is one thing I would like to hear from the authors before answering the poll.

This YANG model is exposed by software on a networking device like a router.  The router can examine information from local cryptoprocessors such as a TPM.

In looking at the proposed YANG model (draft-birkholz-rats-basic-yang-module), the tpms-attest-result structure from this YANG model can contain the raw result from a TPM.  This to me seems to be a binary blob which could also carry CBOR encoded EAT claims.  Do you agree with this assessment?

Eric

From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> On Behalf Of Kathleen Moriarty
Sent: Friday, May 10, 2019 11:07 AM
To: rats@ietf.org<mailto:rats@ietf.org>
Subject: [Rats] Call for Adoption: EAT draft

Greetings!

At IETF 104, a poll was taken to determine interest in the RATS WG adopting:

The Entity Attestation Token (EAT)
https://datatracker.ietf.org/doc/draft-mandyam-rats-eat/

This begins a 2 week period to determine interest in adopting this draft as a working group item.  The poll will close on May 24th EOD PDT.

Minutes from IETF 104:
https://datatracker.ietf.org/doc/minutes-104-rats/
--

Best regards,
Kathleen
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email