IETF Logo Mail Archive

Re: [Rats] Review of draft-ietf-rats-eat-01

"Smith, Ned" <ned.smith@intel.com> Mon, 22 July 2019 18:05 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BC80120159 for <rats@ietfa.amsl.com>; Mon, 22 Jul 2019 11:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSY7onFeVtg1 for <rats@ietfa.amsl.com>; Mon, 22 Jul 2019 11:05:04 -0700 (PDT)
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC99612032C for <rats@ietf.org>; Mon, 22 Jul 2019 11:05:04 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 Jul 2019 10:55:49 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,295,1559545200"; d="scan'208,217";a="188653094"
Received: from orsmsx107.amr.corp.intel.com ([10.22.240.5]) by fmsmga001.fm.intel.com with ESMTP; 22 Jul 2019 10:55:48 -0700
Received: from orsmsx113.amr.corp.intel.com (10.22.240.9) by ORSMSX107.amr.corp.intel.com (10.22.240.5) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 22 Jul 2019 10:55:48 -0700
Received: from orsmsx109.amr.corp.intel.com ([169.254.11.25]) by ORSMSX113.amr.corp.intel.com ([169.254.9.128]) with mapi id 14.03.0439.000; Mon, 22 Jul 2019 10:55:48 -0700
From: "Smith, Ned" <ned.smith@intel.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Review of draft-ietf-rats-eat-01
Thread-Index: AQHVO1Sot1WITJZhTkGux2FA/JRehKbNFbwAgABnRACAAHq+gIAADdyAgAkjaIA=
Date: Mon, 22 Jul 2019 17:55:46 +0000
Message-ID: <87C82D04-59AD-4729-AFC7-68207CD91A35@intel.com>
References: <D95268DC.E2D3B%carl@redhoundsoftware.com> <5CBB3ED3-0CD6-443D-B80F-EE426F7905C3@island-resort.com> <D95316BE.E2E33%carl@redhoundsoftware.com> <D8B4A43F-8654-468F-8A93-9D8E44236784@island-resort.com> <D9538DB1.E2F9F%carl@redhoundsoftware.com>
In-Reply-To: <D9538DB1.E2F9F%carl@redhoundsoftware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
x-originating-ip: [10.251.7.178]
Content-Type: multipart/alternative; boundary="_000_87C82D0459AD4729AFC768207CD91A35intelcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/O4vh17LJybaJsuKCoRZrdVpvDFA>
Subject: Re: [Rats] Review of draft-ietf-rats-eat-01
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 18:05:07 -0000

Right now the scope of RATS focuses on Attester to Verifier and Verifier to Relying Party flows. Flows from Asserter (supply chain entity) to Verifier are out of scope currently. The use cases for counter signing and multiple signing may relate more to supply chain than Attester to Verifier.

Aggregation (if I’m not mistaken) is when a Verifier communicates to a Relying Party. A simple aggregation might be to “allow” or “deny” (or maybe I’m misunderstanding what is meant by aggregation).

On 7/16/19, 2:23 PM, "RATS on behalf of Carl Wallace" <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org> on behalf of carl@redhoundsoftware.com<mailto:carl@redhoundsoftware.com>> wrote:


<snip>
Should 3.11 be 'nested EATs' or 'aggregated EATs'. In other words, are
these really nested (like signed then encrypted or signed then
countersigned) or are they aggregated into an array then signed? Should
these be wrapped as a bstr (at least for CBOR)?

They really are nested. It says:


   The contents of the "eat" claim must be a fully signed, optionally

   encrypted, EAT token.

The nesting is really powerful as it allows multiple subsystems to make EAT tokens (a modern cell phone has lots of CPUs, often well isolated from each other) and for them to be combined and bound to each other.

I understand that nesting is powerful and that encryption or other signatures can be applied later. However, the language here reads like aggregation of EATs from various subsystems into a larger composition. Is nesting really what we want there (vs nesting where additional cryptographic services are applied)? Even if nesting is appropriate here, is aggregation something we also want in the toolbox?

I think we want both aggregation and nesting.

To be sure it is clear, nesting means you take a fully formed and signed EAT token and put it in another fully formed and signed EAT token. One of the reasons this might happen is that a device (e.g. a car) is assembled out of multiple components that can’t be modified by the end manufacturer. Subcomponents are capable of generating EATs. Some final component (controlled by the car maker) puts them all together in one token for the car the signature of which binds all the sub tokens together.

The submods claim is the proposed way to do aggregation of claims where the subcomponent set of claims is not separately signed.

So that leaves the question of aggregation of signed EATs. There's enough flexibility that can be added later if it's not viewed as necessary now but turns out to be useful later. The CMS ContentCollection is what I was thinking of.

<snip>

v2.23.0 | Report a Bug | By Email