[Rats] rats-concise-ta-stores (was Re: device attestation and ACME)

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 21 July 2022 00:55 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id DD184C13C533; Wed, 20 Jul 2022 17:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 4td8IRtAkGnB; Wed, 20 Jul 2022 17:55:16 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D12C13C536; Wed, 20 Jul 2022 17:55:15 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown []) by relay.sandelman.ca (Postfix) with ESMTPS id 625971F459; Thu, 21 Jul 2022 00:55:13 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id CEA491A0383; Wed, 20 Jul 2022 20:55:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Carl Wallace <carl@redhoundsoftware.com>, rats@ietf.org, acme@ietf.org
In-reply-to: <B950BEDF-DF18-4AF0-95A1-0EF3C0A9EA6A@redhoundsoftware.com>
References: <1680731.1658356904@dooku> <B950BEDF-DF18-4AF0-95A1-0EF3C0A9EA6A@redhoundsoftware.com>
Comments: In-reply-to Carl Wallace <carl@redhoundsoftware.com> message dated "Wed, 20 Jul 2022 19:07:32 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 20 Jul 2022 20:55:11 -0400
Message-ID: <1690546.1658364911@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/MPyApNCW0A2vBVHJCobzJaVA5xs>
Subject: [Rats] rats-concise-ta-stores (was Re: device attestation and ACME)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 00:55:17 -0000

Carl Wallace <carl@redhoundsoftware.com> wrote:
    > Distributing trust anchors to verify device attestations is one of the
    > aims of
    > https://datatracker.ietf.org/doc/html/draft-wallace-rats-concise-ta-stores-00. Note,
    > there's also a LAMPS draft that borrows the WebAuthn format approach
    > from this ACME device attestation draft but for use in extensions
    > suitable for CMP, EST, SCEP, etc.

ah, okay.
I read that document too now.

}   Any
}   public key that can be used to verify a certificate is assumed to
}   also support verification of revocation information, subject to
}   applicable constraints defined by the revocation mechanism.

I feel as Geoff Houston does: revocation is useless security theatre.

} An unsigned concise TA stores object is a list of one or more TA
} stores, each represented below as a concise-ta-store-map element.

Seems like maybe a word is missing here.
Not really sure.  It is really hard to read.
Is: _unsigned concise TA stores object_ the name of a thing?
I think so, but maybe it could be reworded.

    >     Why does the Enterprise trust the attestation key?

I'm unclear from a quick reading the document if there are signed TA stores.
I think so based upon the examples.

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-