IETF Logo Mail Archive

Re: [Rats] Review of draft-birkholz-rats-daa

Christopher Newton <c.newton@surrey.ac.uk> Sun, 06 June 2021 20:12 UTC

Return-Path: <c.newton@surrey.ac.uk>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D16333A26D0; Sun, 6 Jun 2021 13:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=surrey.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3wYYK7NYOeX; Sun, 6 Jun 2021 13:12:48 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2132.outbound.protection.outlook.com [40.107.21.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D65E33A26D2; Sun, 6 Jun 2021 13:12:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n8lLZGfdAatak+ceIfg1oU67COIgzRAhVw4Kz3vuaj5ttQcMDircf9Sd+52kkU3Otzc2mGX9G2qMi23pH6UprmJnku7N7EOQg8kWdPDdDFJHOODK9XdKZBKGp4XIsmLb8LI0tH8KT0gB6jVtbAQo/LEiFo4czwTm5LQc0FTILMsZ4Wyvwq/Q1PtjjHXvw36vPs2mv337fLkxu+pqoCFO91RoICy3qRAtYA0Cek318wM3o7v9oRTRMgIuwdMG7bqfYr+efDkhXLypUGS6UflCsj4cXRw7+K7fgGp+1ucOPp9qO6SplHQ8VSgiknFoHWVS1CRceTYRdsVGrDJ1tez/pQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/8xTE2fzeGwaLqMaAxxJsgs1uEZLbGaDxbEvO7LTZhU=; b=FunmnojYemhB9t50Nve9ixA85u5QSG5ddPcF/umML3pBoI12rRT68oZxVwSOh6jBiIJlgzeliFjShW0LWJ13mLKxbq4NbJejXKm9Cza9Dkb5Yq+fFjY0xuveP1tqiQXA6u4JVBclH/T+3otDwJXoCZMV2rHApr3ULLfZSo4t2HIj+51gf+uoO0dCJ73+3fA5SEOTkcGbqDGAE8wU2bRJ1/rQfRLTzY446FmN+wWgw5m78ip58ot4RY93+iasvAb9k61Lqi6rZuOmjGCIprT3PCxQdCliAJSZCE8gFJUotIhFOMvnx1CpysOg/Vy+lLnlR2kPHaBHvQQpC4WNn869cA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surrey.ac.uk; dmarc=pass action=none header.from=surrey.ac.uk; dkim=pass header.d=surrey.ac.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=surrey.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/8xTE2fzeGwaLqMaAxxJsgs1uEZLbGaDxbEvO7LTZhU=; b=sd+2Dk2VJD5Gv35idL2+KU1vplEPioCrr0j3tOKMOQBGJQyVz360lD6Jehue/yH1566y6hSZk6rny+ZQqs4XET6b5tE0LsVZ5zQx+EDK1g2HsNXFvmsvaGBpSWI0IiZQv0GcKgTTlSI5ysPJBVShnnL6+zBK/xL+wpqwTeYIkKM=
Received: from AM8PR06MB7441.eurprd06.prod.outlook.com (2603:10a6:20b:366::19) by AM0PR06MB5106.eurprd06.prod.outlook.com (2603:10a6:208:ed::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4195.20; Sun, 6 Jun 2021 20:12:37 +0000
Received: from AM8PR06MB7441.eurprd06.prod.outlook.com ([fe80::30a7:625:2be3:2b98]) by AM8PR06MB7441.eurprd06.prod.outlook.com ([fe80::30a7:625:2be3:2b98%7]) with mapi id 15.20.4195.030; Sun, 6 Jun 2021 20:12:37 +0000
From: Christopher Newton <c.newton@surrey.ac.uk>
To: Thomas Fossati <Thomas.Fossati@arm.com>, "draft-birkholz-rats-daa@ietf.org" <draft-birkholz-rats-daa@ietf.org>
CC: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>, Liqun Chen <liqun.chen@surrey.ac.uk>, Christopher Newton <c.newton@surrey.ac.uk>
Thread-Topic: Review of draft-birkholz-rats-daa
Thread-Index: AQHXUicvJq5JZhB/2Euw8worVT3R7qsHctdg
Date: Sun, 06 Jun 2021 20:12:37 +0000
Message-ID: <AM8PR06MB7441A92117EF3AB44B82DD65B8399@AM8PR06MB7441.eurprd06.prod.outlook.com>
References: <2AC24A3A-C295-4BAC-8007-4D0B75C6C60B@arm.com>
In-Reply-To: <2AC24A3A-C295-4BAC-8007-4D0B75C6C60B@arm.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=surrey.ac.uk;
x-originating-ip: [150.143.110.107]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 77383a7e-6510-441b-5fcc-08d929276e25
x-ms-traffictypediagnostic: AM0PR06MB5106:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM0PR06MB5106B37848A61DA6330BD9F1B8399@AM0PR06MB5106.eurprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WO/6A+ZWDkVl+m0FQGkdPhBRdi7HTL+tUbXQFPMsjZgLaA7hUI6viq/z12j2rnxq11JcNXn6/HJCULYo1Yl582Eksh/iLKzeOjmHDcwMai/c1yFkQ7W5zoL4eEfJSsXObNBZ1zqIap40WpydPegPRLVY8D2/JDsB8DsZBE/AwKZE/SXeuOFzqeUe+nnHrq6wxpgPtUTNhV8WkO5+2bUD/iXGsG1/W/2Zq/txvvnoquy70Qoa/0HDrq6YfTQB7/BlPRAnSG/Yq2EnDzQBVvmPHFcueLnTPHTVUIbqyBISbXO1XO6WenrHRgXbCDV/gE09leUSULxql2XGRLaZkXxiVPZeWO+IdiqiOwq0DJsuEth2Iqwf4mvAwceU3V2mOqhrR96zxP4OMUdKDPl/fAvtHIH7mvWojssKIhqKv9gTeD2KgppI9aIYkcdlDv58vsTJDIgzf1uCYdRDMGm+bkG2cPLrXnD5Cve1cVsz1qs5C5A/lvh8+4sXrJabFRU2MtY3VdYpRaLWiN5B0qg540eZxkX/EuTVxHR2KfZgIFE/Xx0Yz/NrifM2ekSVarDc6Ig98GjdNp8p0wEzIym/fqa9JPI3oMP8ZAmTK9zBcfYrLK4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8PR06MB7441.eurprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(39860400002)(396003)(376002)(136003)(33656002)(6506007)(66476007)(54906003)(66946007)(786003)(86362001)(316002)(76116006)(110136005)(9686003)(53546011)(71200400001)(186003)(2906002)(7696005)(55016002)(8676002)(83380400001)(8936002)(122000001)(26005)(4326008)(66446008)(64756008)(52536014)(107886003)(478600001)(5660300002)(66556008)(38100700002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: g4Q/zjpPds8IemxOjN1Q29dj/22Po1fdXqrv2x/cWC5zcfJPljSXn1lFKpdvHJp9nTrMCnRkmyiyfP3exilbW3z9CHRgy8Gl5jzUb116ElQwKaz9ixs8TdhxnKsUeV6N5ivMuabar0t9aHxcNjQ3DYt3T9QmwIp1o/ZGxGPnDXIBzSoePk23VAOPCmAkUtlTJ9EQ6n5lBVZ7P+hpXcdhcaiieXScD5mpaNmO4XpjiONmmwNhLx+li30Fd1IEBb5SR6Ths1AV7+asE+onb4T2vQoIlJNJ2M3lXjFqE6+bkUiXxqNvn+hxygFhKufvtb9lPZkrjaPU0q9UBoFCDY+ZF8ZErjvQshlXW5BpLTJdW8ngdENOAUq9hJE397zT+tK0IPaQaD1KflayLaOSVlSx8qO8TMO3A8PsS9WW0xHztZy6J9ejW5bSi82YM6o3K9HhULMrcF9+nJ4lquda5Im9smO3OtQSqev149MPoTkVd569o2EvtvjsE7ATZlTWjf41ygqmvcHL4oV848ZwdAneXk7BdpfCnC4boTZgHrgT28MaGmIz38zJBbGh6nQ98u7+GXPpIam2AaWwKqvc5KNPKUt/VanDk59KMa79GPVU5GsfYcclYCzE0HhpbT+gVkbkX4liPaHkgIsziPUovK/NtmN6MYbMltEnjnrV+T3JW5MWntLodJLKHZXPjl3TVru0FRhnM3UMAgS6MHtmsXWBZoWPS31lVaLXyic5gx6KzdPmhjfcvVuqLRYySnjOGR1TiFWSzGcZaEVRpNixzwBydPjM7YL48qlPWMWPPadP9HiOhNZGCpeuMIB0G4ei7DpsiXYFp2i7X11GyYJVgb3LB5EPKwTsUzzG+wPaqvMZ78F2gjhYiAIM58XTkMj65aLou2GbXES5LdGwU7cVXJthItg8UACyGrY7PSzZ258fG+XoXhEUYQqh2etGpzW88xJ1OjR7g2gBnOypfw98Vl6vAXp/9CVnaCd16rIjmegHu9oSUVFRPdSNMNam8HVaWMt91skX0Rv+HEmCzhpu/J4beB7XiTsVCWMKXTNKfk5MZEHdKpp85/q1DW+iJpgaUGmxdzqpOvIaMC+MVBJqS2Y75fl+ZSStdlxKJNGMCZcqzIrEcUeM4i8Vso4rgmzOTtZRfAjgcQdJCaoNdXQun9AMAawluBweWKOxERouuyEvibnSicsDi6plEgysPLhZGXhN56Wh52pdclrZlN2BddOUarDDX+Oggi2xBWZ/REa6xhM2Tg/FxrT2E47Ozny5UDtFrD81E3MAO3yCPpBO9KUVtvaErDDbRSxHR3mzfvOE2CD1yERfxxUgIud7XI8fDaru
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: surrey.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8PR06MB7441.eurprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 77383a7e-6510-441b-5fcc-08d929276e25
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jun 2021 20:12:37.6767 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6b902693-1074-40aa-9e21-d89446a2ebb5
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Ha2QCyXtMWY3WSuXfXkneIMVXwCjjKmk/GNEijlMDfEwrVHq6z57xlBgFg1bUiIsxVuZABu0uemMKTLWcqD82A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR06MB5106
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/NTcwWo8qhtTVAMEfoPnt3vrTEYo>
X-Mailman-Approved-At: Sun, 06 Jun 2021 13:39:51 -0700
Subject: Re: [Rats] Review of draft-birkholz-rats-daa
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Jun 2021 20:36:30 -0000

Hi Thomas,

Thank you for your comments.

> Is it really necessary to introduce the new "DAA Issuer" role?
> 
> It seems to me that if the JOIN and SIGN phases are considered as two separate attestation protocols, the Issuer could be mapped to a couple of well-known RATS roles depending on the phase it is involved in:
> * Verifier for JOIN - plus an authorisation RP on top that grants the group credentials to the authenticated Attester;
> * Endorser for SIGN.

Yes, the DAA Issuer is a separate role. it is effectively a Certificate Authority for the DAA keys. The difference from a PKI CA is that the Verifier uses the public key of the DAA Issuer to directly verify the DAA signature. The signer's public key is not available to the verifier.

For a TPM, the Endorser is the chip manufacturer who provides a PKI certificate for the TPM's endorsement key. However, the endorsement key cannot be used as a DAA key as it is an encryption key. it is only used to enable the DAA Issuer to authenticate the TPM in a deniable way. After the Issuer authenticates the TPM it provides a DAA credential to the DAA signing key. The Endorser can take on the role of the DAA Issuer, but this is not a requirement. 

We hope that this makes things a little clearer, we could add more detail in the RATS DAA document if this would help.

Regards,

Chris and Liqun.


--
Dr Christopher Newton
Surrey Centre for Cyber Security
Department of Computer Science
University of Surrey
Guildford, Surrey, GU2 7XH, UK
--

-----Original Message-----
From: Thomas Fossati <Thomas.Fossati@arm.com> 
Sent: 26 May 2021 13:04
To: draft-birkholz-rats-daa@ietf.org
Cc: rats@ietf.org; Thomas Fossati <Thomas.Fossati@arm.com>
Subject: Review of draft-birkholz-rats-daa

Hi RATS-DAA authors,

I have reviewed draft-birkholz-rats-daa-00 and I think this is a useful document, plus it is short and sweet.

I may have a few editorial suggestions, but I'd like to ask one meta question first - apologies if this was brought up in previous
conversations:

Is it really necessary to introduce the new "DAA Issuer" role?

It seems to me that if the JOIN and SIGN phases are considered as two separate attestation protocols, the Issuer could be mapped to a couple of well-known RATS roles depending on the phase it is involved in:
* Verifier for JOIN - plus an authorisation RP on top that grants
  the group credentials to the authenticated Attester;
* Endorser for SIGN.

Cheers, thank you.

t








IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email