IETF Logo Mail Archive

Re: [Rats] Minimizing the Attestation Results objects which can represent overall Attester trustworthiness

Laurence Lundblade <lgl@island-resort.com> Tue, 17 August 2021 05:28 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5923B3A0F49 for <rats@ietfa.amsl.com>; Mon, 16 Aug 2021 22:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxUoGqT8uLBt for <rats@ietfa.amsl.com>; Mon, 16 Aug 2021 22:28:29 -0700 (PDT)
Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net [173.201.192.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03BF03A0F44 for <rats@ietf.org>; Mon, 16 Aug 2021 22:28:28 -0700 (PDT)
Received: from [10.99.219.28] ([50.216.173.106]) by :SMTPAUTH: with ESMTPSA id FreFmyZKj80fFFreFmQCYW; Mon, 16 Aug 2021 22:28:28 -0700
X-CMAE-Analysis: v=2.4 cv=VNQYI/DX c=1 sm=1 tr=0 ts=611b48fc a=pX01E2C+njbCxFoXCGvH0g==:117 a=pX01E2C+njbCxFoXCGvH0g==:17 a=48vgC7mUAAAA:8 a=z81OdNvEBxn2ZmNIswoA:9 a=NuGXLAtLXqox617Z:21 a=uVWDXHZbT9azzapz:21 a=QEXdDO2ut3YA:10 a=J_YvXDT3Ikz4a6FtBGgA:9 a=e8TXBA7OigtPOT-i:21 a=49ZoKKIQ-xVkRPYu:21 a=52zfswgHsjZKWyzm:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <DD13B96B-B4CB-468B-BEC3-BFC11B1108B9@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4A66DDE-21F4-48B1-89CF-ECB9095EA3F2"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Mon, 16 Aug 2021 22:28:26 -0700
In-Reply-To: <BL0PR11MB31227C3A0BC34E904B0C62FDA1F79@BL0PR11MB3122.namprd11.prod.outlook.com>
Cc: rats <rats@ietf.org>, "Scarlata, Vincent R" <vincent.r.scarlata@intel.com>, Thomas Hardjono <hardjono@mit.edu>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Thomas Fossati <Thomas.Fossati@arm.com>
To: "Eric Voit (evoit)" <evoit=40cisco.com@dmarc.ietf.org>
References: <BL0PR11MB31227C3A0BC34E904B0C62FDA1F79@BL0PR11MB3122.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-CMAE-Envelope: MS4xfPM5RTqHUuKuXYz+pDgZgC3or947WOQU1QC6m4+lXHx8uPGr2TbWyUtuIwj17+eRHJEuUaSfEYAhBJ1kOcB3Q0DqDJP6uyqL5Rss1HjTcAhgQtBCQy2Q f0GbADwIJdilE+Hj5F2+4pd50wJpiDejjFcHcKzVJH1c1GGyMYUXSc0OWdKVMcr41xnc1wvqc6wE4rfG0T5vi/rA7deNP5O/qT/PPVq7+aUskls65eBFYqdD CHS9bEFSruDI5MWtmogCh+o6X4pgQYybfBcorRrY3io43mEJnJ/34RekmVcVcHym1ITALug62RW0BJgN+VRTNz2HwETQ/3F39wSMrmFhN3abb36zPzhOXgj7 fKuCJxo1MYsyfM/9lU3MV/DYj+JJfw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/NywRVsm0MtkBSKjglv8cRjOZKck>
Subject: Re: [Rats] Minimizing the Attestation Results objects which can represent overall Attester trustworthiness
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2021 05:28:36 -0000

Hi Eric,

Really glad we’re having a discussion on attestation results now. Kind of a coincidence we both focused on it at 111.


> On Aug 10, 2021, at 2:00 PM, Eric Voit (evoit) <evoit=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi Laurence,
>  
> During the RATS IETF 111 sessions, we both shared views of how to encode Attestation Results (AR).   From the perspective of draft-voit-rats-attestation-results, the AR in scope are Verifier generated claims* about trustworthiness of the Attester itself.   Some examples of such claims include:  
> the Verifier asserts that the Attester has only known good software loaded     
> the Verifier asserts Attester's configuration doesn't expose security holes
> We are now beginning to standardize these Verifier generated claims (and associated AR object definitions).   We need to do this with the stated objective of maximally simplifying the interworking of different types of Attesters, Verifiers, and Relying Parties.  That maximal simplification is essential as we diverse group of RATS roles and developers spanning different industries.  And to accomplish this, I suggest we adopt the following set of design principles: 
>  
> (1) We should only have a small number of Verifier trustworthiness claims standardized at this time.  Reason: a plethora of similar trustworthiness claims will result in divergent choices made between different Verifiers.  This would place a lot of complexity in the Relying Party as it would be up to the RP (and its policy language) to enable normalization across rich incompatible Verifier object definitions.
>  
> (2) Any objects from (1) which we do standardize should only include specific enumerated states that could viably result in a different action from the applied Policy for Attestation Results.   Reason: by explicitly disallowing the standardization of any enumerated states which cannot easily be connected to a use case, we avoid forcing implementers making incompatible guesses on what could happen.  This will eliminate many types of errors.
>  
> (3) Verifier and RP developers need explicit definitions of *each* state in order to accomplish the goals of (1) and (2).  Without such guidance, the Verifier will send plenty of raw info, as it relieves the Verifier of making the hard decisions.  Of course, this raw info will be mostly non-interpretable and therefore non-actionable by the RP.
>  
> (4) We do need extensibility for this type of Verifier generated claim.  But Verifier generated claims should be worked in the WG and managed via the RFC process, rather than being in a separately maintained Attester Claims list.  This will keep a tight lid on extensions which must be considered by the RP's policy language.

I assume these claims would be in the CWT and JWT registry like other claims and that they have no special status in those registries. We’re not creating a new registry for these, nor are we going to modify the CWT or JWT registries so they can have special status, right?

I also assume we should clarify that EAT profiles apply to attestation results and/or evidence and that is the mechanism used to keep a handle on the number of claims in attestation results.


I would like to add this important design principle:

(5) Cover the full range of use cases, device types and security levels. Use cases may include letting a device on the network, a financial transaction, a biometric authentication and more. Device types may include complex mobile phones, simple IoT sensors, laptops and network equipment. Security levels may range from EAL 5 certified secure element, to a TEE, to entirely simple minimal devices with no special security properties.


>  
> These design principles are important to keep the number of Verifier generated claims low, and to retain the complexity in the Verifier rather than the RP.   We followed these design principles in draft-voit-rats-attestation-results.   Consequently, the next version of draft-voit-rats-attestation-results will include a total of 9 Verifier generated Trustworthiness Claims supporting a total of 18 enumerated states.   18 enumerated states feels like an easily digestible number for the developers of RP policy language :-).  

I think there may be more than one model for constructing attestation results.  Your draft is one. Another might be based on machine learning, in which case the RP just wants every data item possible. I think a single  “trust me” boolean is OK for some use cases. Maybe the boolean is implied because attestation results were generated.

This also fans out by submodule for complex devices, even with draft-voit-rats-attestation-results (there is no inheritance with submodules).



> I am hoping we can connect this thinking to your swresult object from your IETF 111 slides.   Looking at your slide on the swresult claim, *each* software measurement could include a large array of results.  I believe this unbounds the complexity of the RP policy language.  Effectively, the Evidence to the Relying Party may often be richer than that originally sent by the Verifier.  In what scenarios do you see Relying Party applying such a rich language?   And at least from the perspective of deciding whether Attester itself is trustworthy, do you see ways for just a few Verifier generated claims to expose key trustworthiness attributes and states evaluated for the Attester?

Swresults was intended as a flexible way to report what ever SW measurement results need to be reported. It is intended to cover all possible cases. I would expect many use cases to use very little of it. Many, hopefully, most could be very simple using it.

Swresults also can be in attestation evidence when one subsystem like a TEE can measure and evaluate another subsystem.

I’m not sure the principles above should be applied to swresults as I think it is for a different model for reporting attestation results. Open to discussion on this.

Swresults is kind of a first proposal. Would appreciate lots of discussion around it. Seems to me that we’re just getting started on this topic.


>  
> I know this is a complex question which might only be worked in an upcoming interim. 

Probably more than just one interim :-)

LL




> But I figured I would start the dialog now.
>  
> Thanks,
> Eric
>  
> * Note from above: these Verifier generated claims are not the same thing as a Verifier ratifying specific claims generated within the Attester (such as UEID, location, software manifest, etc.)   Many of your AR definitions within the swresult appear aimed at this context.  So there might not be an explicit overlap between our drafts.  
>  
> Eric Voit 
> Principal Engineer
> .:|:.:|:. Cisco Systems, Inc.
>  
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email