Re: [Rats] Android comments on EAT draft

Mathias Brossard <Mathias.Brossard@arm.com> Mon, 20 May 2019 21:03 UTC

From: Mathias Brossard <Mathias.Brossard@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: Simon Frost <Simon.Frost@arm.com>, Shawn Willden <swillden=40google.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
Date: Mon, 20 May 2019 21:03:38 +0000
Message-ID: <B4E207B0-3367-4CDB-AF5D-AC539BD29852@arm.com>
In-Reply-To: <7661893A-8EEC-475F-9FB2-CBB2915E2C95@island-resort.com>
List-Id: Remote Attestation Procedures <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Lw4HqXyc91nfgP_HFHDf1jlY4oY>

Hi,

The idea is that a device might want to attest a key that would be used for other purposes than proof-of-possession (authentication). The attestation token would act as a form of certificate, essentially the link between a key and a device. We are thinking about integrity (signature) and encryption / key agreement. In many cases you could use TLS with PoP to provide the same kind of security properties. But in some cases there is no IP connectivity, the resources are too constrained, or you want the security to be maintained end-to-end (rather than at the transport layer).

The protocol flow would not change for attestation.

Sincerely,
-- Mathias Brossard

From: Laurence Lundblade <lgl@island-resort.com>
Date: Friday, May 17, 2019 at 6:57 PM
To: Mathias Brossard <Mathias.Brossard@arm.com>
Cc: Simon Frost <Simon.Frost@arm.com>, Shawn Willden <swillden=40google.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Android comments on EAT draft


On May 16, 2019, at 9:31 AM, Mathias Brossard <Mathias.Brossard@arm.com> wrote:

But even for the relatively simple use-case of putting a public key in a token, which it technically supports, I am worried that the semantics might be too constraining. It focuses on proof-of-possession (PoP), where we are thinking about additional functions (signature, encryption, key agreement, etc.).

Mathias, can you say more about the additional functions you are thinking about?

Would they change the protocol flow in a big way? Mostly what we are thinking is that the RP sends a nonce to the device and the device returns a token.

LL


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
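The flow Mathias describes, as an added example that is not code from this thread, from Arm, or from the EAT draft: the device's attestation key signs a token that binds an application key to a device identity and to a declared key use; the relying party checks the attestation signature and the nonce it sent, and only then trusts the attested key for end-to-end signature verification on application data. The token is JSON here rather than CBOR/COSE, and the claim names `key_use` and `public_key` and the device id `device-0001` are assumptions made for this example, not claims from the draft.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Token is a constructed JSON stand-in for an EAT (a real EAT is CBOR/COSE).
// "key_use" and "public_key" are assumed claim names for this example only.
type Token struct {
	Nonce     []byte `json:"nonce"`      // relying-party nonce, proves freshness
	DeviceID  string `json:"device_id"`  // identity the key is bound to
	KeyUse    string `json:"key_use"`    // assumed: "sign" or "key_agreement"
	PublicKey []byte `json:"public_key"` // PKIX DER of the key being attested
}

// SignedToken carries the claims plus the device attestation signature over them.
type SignedToken struct {
	Payload []byte
	Sig     []byte
}

// issueToken runs on the device: it binds pub to the device by signing the
// claims with the device attestation key.
func issueToken(attestKey *ecdsa.PrivateKey, deviceID string, nonce []byte, use string, pub *ecdsa.PublicKey) (SignedToken, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return SignedToken{}, err
	}
	payload, err := json.Marshal(Token{Nonce: nonce, DeviceID: deviceID, KeyUse: use, PublicKey: der})
	if err != nil {
		return SignedToken{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, attestKey, h[:])
	return SignedToken{Payload: payload, Sig: sig}, err
}

// verifyToken runs on the relying party: check the attestation signature with
// the trusted device key, then the nonce, before trusting any claim.
func verifyToken(trusted *ecdsa.PublicKey, st SignedToken, expectedNonce []byte) (*Token, error) {
	h := sha256.Sum256(st.Payload)
	if !ecdsa.VerifyASN1(trusted, h[:], st.Sig) {
		return nil, errors.New("attestation signature does not verify")
	}
	var t Token
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return nil, err
	}
	if !bytes.Equal(t.Nonce, expectedNonce) {
		return nil, errors.New("nonce mismatch: token is not fresh")
	}
	return &t, nil
}

// attestedSigningKey releases the attested key for signature verification only
// if the token declares that use; a key attested for key agreement is refused.
func attestedSigningKey(t *Token) (*ecdsa.PublicKey, error) {
	if t.KeyUse != "sign" {
		return nil, fmt.Errorf("attested key is declared for %q, not for signing", t.KeyUse)
	}
	k, err := x509.ParsePKIXPublicKey(t.PublicKey)
	if err != nil {
		return nil, err
	}
	pub, ok := k.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("attested key is not an ECDSA key")
	}
	return pub, nil
}

// EndToEnd runs the whole flow for a key declared with the given use and reports
// whether the relying party accepts an application signature made by that key.
func EndToEnd(use string) (bool, error) {
	attestKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device attestation key; RP trusts its public half
	appKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)    // the key the device wants attested
	nonce := make([]byte, 16)
	rand.Read(nonce) // the relying party's challenge
	st, err := issueToken(attestKey, "device-0001", nonce, use, &appKey.PublicKey)
	if err != nil {
		return false, err
	}
	tok, err := verifyToken(&attestKey.PublicKey, st, nonce)
	if err != nil {
		return false, err
	}
	pub, err := attestedSigningKey(tok)
	if err != nil {
		return false, err
	}
	msg := []byte("sensor reading: 42") // constructed application data, signed end-to-end by the attested key
	mh := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, appKey, mh[:])
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(pub, mh[:], sig), nil
}

func main() {
	ok, err := EndToEnd("sign")
	fmt.Println("key attested for signing accepted:", ok, err)
	_, err = EndToEnd("key_agreement")
	fmt.Println("key attested for key agreement refused for signing:", err)
}
```

The request/response shape is unchanged from the PoP case (nonce in, token out); what differs is that the relying party keeps the attested key and its declared use after verification, so later application signatures can be checked without a TLS session to the device.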