IETF Logo Mail Archive

Re: [Rats] New RATS Architecture document

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Tue, 17 September 2019 09:12 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A18B31200EF for <rats@ietfa.amsl.com>; Tue, 17 Sep 2019 02:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTwNOCDCqi6U for <rats@ietfa.amsl.com>; Tue, 17 Sep 2019 02:12:53 -0700 (PDT)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7AA120104 for <rats@ietf.org>; Tue, 17 Sep 2019 02:12:51 -0700 (PDT)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id x8H9CjA3004843 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Tue, 17 Sep 2019 11:12:47 +0200
Received: from [134.102.164.113] (134.102.164.113) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Tue, 17 Sep 2019 11:12:40 +0200
To: Simon Frost <Simon.Frost@arm.com>, "rats@ietf.org" <rats@ietf.org>
References: <471c785f-1cd8-62ff-431a-075ce9c35058@sit.fraunhofer.de> <DB7PR08MB3642E058C598DFB92020CBB1EF8C0@DB7PR08MB3642.eurprd08.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <be414d41-bed4-e97e-0d70-c150dda7b36b@sit.fraunhofer.de>
Date: Tue, 17 Sep 2019 11:12:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <DB7PR08MB3642E058C598DFB92020CBB1EF8C0@DB7PR08MB3642.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.164.113]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/NmoL5MaM6urrz21Z3DvQH9ileW8>
Subject: Re: [Rats] New RATS Architecture document
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2019 09:12:57 -0000

Hello Simon,

TL;DR
It's just a simplified first example diagram. There is no intent to 
artificially exclude compositions, such as the 'background check' 
composition. Corresponding diagrams will be added again.


We simplified the initial figure to... reduce the risk to overwhelm the 
reader with all the potential composition option and called it "base" 
interaction model diagram.

That said, we will "reintroduce" other and also more complex 
compositions again in future versions - especially the 'background 
model' and the 'multiple relying parties' variant. This is not intended 
to become an artificial exclusion.

The "upper level bureaucracy" in this model (Asserter & Verifier) are 
intended to be "1..n" as depicted in the meeting slide decks about the 
architecture. This was also not included in the base diagram to keep it 
simple, but maybe we should highlight that there are a lot of other ways 
to compose the roles - when we add other composition diagrams.

The goal of this refactoring of the RATS Arch I-D was to clean it up & 
out, so we have an uncluttered starting point to add content via a 
structured process.

The authors will try to update the I-D with additional role composition 
diagrams before the next virtual interim (again, the obvious ones align 
with teep).

Viele Grüße,

Henk


On 16.09.19 19:08, Simon Frost wrote:
> At a first pass through this, I'm concerned that the interaction model (Fig 1 etc) has been restricted to a single pattern, the 'passport' model to use the terminology from the TEEP/RATS  slides. I don't recall this restriction being discussed. Also allowing the 'background check' model allows the relying party to have much greater flexibility on selecting an appropriate verifier. While the origins of Attester and Known Good Values are going to have close alignment, multiple verifiers may exist. A relying party may choose an alternative verifier based upon the approach to appraisal, to the form that the attestation results are presented or due to business model.
> 
> Thanks
> Simon
> 
> -----Original Message-----
> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Sent: 10 September 2019 14:13
> To: rats@ietf.org
> Subject: [Rats] New RATS Architecture document
> 
> Hi all,
> 
> we created a fully revised architecture document that maps and represents the state of the current discussion and the material presented at the last IETF meeting.
> 
> The current Editor's version can be found here:
> 
>> https://ietf-rats.github.io/draft-birkholz-rats-architecture/draft-bir
>> kholz-rats-architecture.html
> 
> We will submit a new version the day after the RATS virtual interim.
> 
> TL;DR
> Below you can find a list of essential changes & a list of action items still to be addressed.
> 
> 
> This version of the RATS Architecture document:
> 
> * does not define or uses the terms "root(s) of trust" (RoT) or "Trust
> Anchor" (TA) at the moment. (Note: It is a fact that the Asserter Role
> _is_ a TA for the Verifier Role and that an Attester Role _could_ rely
> on RoTs. But - this content will not go into the main body of this
> document),
> 
> * does define RATS Roles, Messages, and Principals formerly known as
> "Actors" (borrowing heavily from ABLP),
> 
> * provides an even more "base" interaction model diagram for the RATS
> Roles than presented in the last IETF meeting slide deck:
> 
>> https://datatracker.ietf.org/meeting/105/materials/slides-105-rats-sessb-rats-architecture-interaction-model-challange-response-yang-module-information-module-00.pdf
> 
> * introduces a framework for "level of confidence" in the
> trustworthiness of an Attester and the endorsement of the protection
> characteristics of its "Attesting Computing Context", allowing for other
> entities to use this framework and fill it with, e.g., openly defined
> levels of confidence metrics,
> 
> * is not based on the primitive of "trust" but the concept of
> "trustworthiness" as illustrated by the RATS charter,
> 
> * simplifies the definitions of Attester and Verifier that seemed to
> have caused some unfortunate confusion following the proposal of Giri
> and starting with commonly-accepted definitions and then justify why
> they may need to be modified,
> 
> * differentiates between the Attesting Computing Environment and the
> Attested Computing Environment better, which both are components of an
> Attester,
> 
> * uses the "Claim" concept as a building block to compose Evidence,
> Known-Good-Values and Endorsements. Conversely, the "Assertion" concept
> is dropped in this proposal (as initially suggested by Laurence, IIRC?).
> (Note: this was done to simplify the discussion about the information
> model. Please also note: Due to the {J|C}WT definition of "Claim", a
> key/value pair is implied, which is already a data model decision and
> not mandated by an information model), and
> 
> * analogously, now uses the term Known-Good-Values instead of
> Attestation Assertions.
> 
> 
> For future versions the authors intent:
> 
> * to elaborate on the use of RATS Principals, including more exemplary
> diagrams of RATS Role composition and interaction between RATS
> Principals based on the use case document (and by that address a unified
> mapping to TEEP, RIV, and models that use EAT),
> 
> * to shift some of the focus on technical-trust as proposed by Thomas.
> (the Endorsements provided by an Asserter are a first step into that
> direction),
> 
> * still not to define the roots of trust terms nor invent new words for
> them :) But - start to reference them on a minimal level and define a
> base set of primitives they can provide in order to describe what they
> actually are and can do in the context of RATS as proposed by Ira, Simon
> and Thomas,
> 
> * to introduce and define a concise scope for layered attestation,
> addressing, e.g., the staging of Computing Environments and the
> (un-)availability of an Attesting Computing Environment at certain
> points of time, or, another example given, addressing the
> differentiation of an attested boot sequence of an Attester and an
> Attester running TEEs or rich systems for years,
> 
> * to address the change of Roles of a Principal over time as proposed by
> Ian,
> 
> * to move the remaining architectural sections in the EAT draft into the
> RATS Architecture draft, and
> 
> * to shift some of the focus on the out-of-band trust establishment in
> order to illustrate a coherent RATS ecosystem (e.g. the provisioning of
> key material is not include in the "base diagram" anymore for now - this
> will be more elaborated on in future section of the architecture).
> 
> 
> Viele Grüße,
> 
> Henk
> 
> 
> 
> 
> 
> 
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email