[Rats] Re: Hint Discussion in CSR Attestation Draft

Thomas Fossati <tho.ietf@gmail.com> Fri, 21 June 2024 18:56 UTC

References: <AS8PR10MB742727BFEC71CB78468FB0E7EECD2@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <0145e095-e684-d2ee-58d5-41aee54a4b3b@ietf.contact> <2627.1718830718@obiwan.sandelman.ca> <FB01F359-84F4-4AAD-82F7-1CF2356DCD4B@redhoundsoftware.com>
In-Reply-To: <FB01F359-84F4-4AAD-82F7-1CF2356DCD4B@redhoundsoftware.com>
From: Thomas Fossati <tho.ietf@gmail.com>
Date: Fri, 21 Jun 2024 20:56:15 +0200
Message-ID: <CAObGJnO6bn5xEpqPxc46HRh3v2BnmxbE0YXwfNv9BtQnNV9Mag@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Henk Birkholz <henk.birkholz@ietf.contact>, "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
Subject: [Rats] Re: Hint Discussion in CSR Attestation Draft
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Ni4Nr5QqtK4QfyJN4Zh3QFvKFV4>

Hi Carl,

On Fri, Jun 21, 2024 at 8:24 PM Carl Wallace <carl@redhoundsoftware.com> wrote:
> On 6/19/24, 4:58 PM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
> <large snip>
> ht> In the CSR attestation draft we suggested to use a hint,
> ht> i.e. information that helps the relying party to select a verifier
> ht> that can help process the evidence. Since this hint will not be used
> ht> in all deployments, for example in deployments that only have a single
> ht> verifier, this hint is optional. As such, those who do not want to use
> ht> the optional hint do not need to look at it. For the other use cases
> ht> it provides value. Hence, I don’t really understand the objections
> ht> and I don’t want to remove the hint!
>
> I guess I've lost track of who and why this is being objected to.
>
> [CW] As an attester, how would you populate the hint field?

That may be information that is injected at manufacturing time into
the device and updated via its device management infra.  An example
is given in [1].

[1] https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-22.html#section-4.5.1

> As a verifier, how would you consume the hint field?

You wouldn't.  The hint is a routing label that is used by the relying
party to decide which verifier to contact for handling this specific
piece of attestation evidence.  When evidence reaches the verifier the
hint is no more.

cheers!
-- 
Thomas
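The routing role Thomas describes for the hint, as an added illustration that is not code from the CSR attestation draft, the PSA token draft, or anyone in this thread. It assumes the hint travels as a field alongside the opaque evidence (as in the draft's optional hint element) and that it is an attester-provisioned string such as a verification-service indicator; the `EvidenceBundle`, `VerifierRoute` and `RelyingPartyRouter` names and the example.org endpoints are constructed here. The point for a relying party is that the hint is untrusted input from the attester: it is only ever a lookup key into the relying party's own configured verifier set, never a URL to dereference, and it is not forwarded once a verifier has been chosen.

```python
"""Relying-party handling of the CSR attestation hint (added example).

Model: the hint is an opaque string provisioned into the attester at
manufacturing time. The relying party uses it solely to pick one of the
verifiers it already trusts; the verifier never sees the hint.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class EvidenceBundle:
    """Constructed stand-in for an evidence statement: opaque evidence bytes
    plus the optional hint carried beside them (hypothetical layout)."""
    evidence: bytes
    hint: Optional[str] = None


@dataclass(frozen=True)
class VerifierRoute:
    """A verifier the relying party has configured out of band."""
    name: str
    endpoint: str  # constructed example endpoint, not a real service


@dataclass
class RelyingPartyRouter:
    """Maps hint values to configured verifiers; unknown hints fail closed."""
    routes: dict[str, VerifierRoute]
    default: Optional[VerifierRoute] = None
    log: list[str] = field(default_factory=list)

    def select_verifier(self, bundle: EvidenceBundle) -> VerifierRoute:
        # Single-verifier deployments simply never look at the hint.
        if bundle.hint is None:
            if self.default is None:
                raise LookupError("no hint present and no default verifier configured")
            self.log.append("no hint; using default verifier")
            return self.default
        route = self.routes.get(bundle.hint)
        if route is None:
            # The hint is attester-controlled: an unrecognised value must not
            # be treated as an address to contact. Reject rather than guess.
            self.log.append(f"unknown hint {bundle.hint!r}; rejecting")
            raise LookupError(f"no configured verifier for hint {bundle.hint!r}")
        self.log.append(f"hint {bundle.hint!r} -> verifier {route.name}")
        return route

    def build_verification_request(self, bundle: EvidenceBundle) -> dict:
        """What is handed to the chosen verifier: the evidence only.
        The hint has done its routing job and is deliberately not included."""
        route = self.select_verifier(bundle)
        return {"verifier": route.endpoint, "evidence": bundle.evidence}


def example_router() -> RelyingPartyRouter:
    """Constructed configuration with two hinted verifiers and a default."""
    psa = VerifierRoute("psa", "https://psa-verifier.example.org/verify")
    tpm = VerifierRoute("tpm", "https://tpm-verifier.example.org/verify")
    return RelyingPartyRouter(
        routes={"psa-verifier.example.org": psa, "tpm-verifier.example.org": tpm},
        default=tpm,
    )


if __name__ == "__main__":
    rp = example_router()
    # Constructed evidence bytes; a real bundle would carry a signed token.
    hinted = EvidenceBundle(evidence=b"\xd2\x84\x43\xa1\x01\x26", hint="psa-verifier.example.org")
    print(rp.build_verification_request(hinted))
    print(rp.build_verification_request(EvidenceBundle(evidence=b"\x30\x82")))
    try:
        rp.build_verification_request(EvidenceBundle(evidence=b"\x00", hint="https://attacker.example.net"))
    except LookupError as exc:
        print("rejected:", exc)
    print("\n".join(rp.log))
```

Keeping `routes` as a closed map is the design choice that matters: a deployment that instead parsed the hint as a URL and contacted it would let any device steer the relying party to a verifier of the attester's choosing.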