[Rats] rats-concise-ta-stores (was Re: device attestation and ACME)
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 21 July 2022 00:55 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD184C13C533; Wed, 20 Jul 2022 17:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4td8IRtAkGnB; Wed, 20 Jul 2022 17:55:16 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D12C13C536; Wed, 20 Jul 2022 17:55:15 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [12.227.228.130]) by relay.sandelman.ca (Postfix) with ESMTPS id 625971F459; Thu, 21 Jul 2022 00:55:13 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id CEA491A0383; Wed, 20 Jul 2022 20:55:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Carl Wallace <carl@redhoundsoftware.com>, rats@ietf.org, acme@ietf.org
In-reply-to: <B950BEDF-DF18-4AF0-95A1-0EF3C0A9EA6A@redhoundsoftware.com>
References: <1680731.1658356904@dooku> <B950BEDF-DF18-4AF0-95A1-0EF3C0A9EA6A@redhoundsoftware.com>
Comments: In-reply-to Carl Wallace <carl@redhoundsoftware.com> message dated "Wed, 20 Jul 2022 19:07:32 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 20 Jul 2022 20:55:11 -0400
Message-ID: <1690546.1658364911@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/MPyApNCW0A2vBVHJCobzJaVA5xs>
Subject: [Rats] rats-concise-ta-stores (was Re: device attestation and ACME)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 00:55:17 -0000
Carl Wallace <carl@redhoundsoftware.com> wrote: > Distributing trust anchors to verify device attestations is one of the > aims of > https://datatracker.ietf.org/doc/html/draft-wallace-rats-concise-ta-stores-00. Note, > there's also a LAMPS draft that borrows the WebAuthn format approach > from this ACME device attestation draft but for use in extensions > suitable for CMP, EST, SCEP, etc. ah, okay. I read that document too now. } Any } public key that can be used to verify a certificate is assumed to } also support verification of revocation information, subject to } applicable constraints defined by the revocation mechanism. I feel as Geoff Houston does: revocation is useless security theatre. } An unsigned concise TA stores object is a list of one or more TA } stores, each represented below as a concise-ta-store-map element. Seems like maybe a word is missing here. Not really sure. It is really hard to read. Is: _unsigned concise TA stores object_ the name of a thing? I think so, but maybe it could be reworded. > Why does the Enterprise trust the attestation key? I'm unclear from a quick reading the document if there are signed TA stores. I think so based upon the examples. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Rats] device attestation and ACME Michael Richardson
- Re: [Rats] device attestation and ACME Carl Wallace
- [Rats] rats-concise-ta-stores (was Re: device att… Michael Richardson
- Re: [Rats] rats-concise-ta-stores (was Re: device… Carl Wallace
- Re: [Rats] [Acme] device attestation and ACME Brandon Weeks
- Re: [Rats] [Acme] device attestation and ACME Carl Wallace