[Rats] Re: Iotdir early review of draft-ietf-rats-msg-wrap-04

Thomas Fossati <thomas.fossati@linaro.org> Sun, 26 May 2024 20:10 UTC

Return-Path: <thomas.fossati@linaro.org>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 601D6C14F6BF for <rats@ietfa.amsl.com>; Sun, 26 May 2024 13:10:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3fVhtLfwkMG2 for <rats@ietfa.amsl.com>; Sun, 26 May 2024 13:10:27 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32B00C14F5FB for <rats@ietf.org>; Sun, 26 May 2024 13:10:27 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2e716e302bdso90492691fa.1 for <rats@ietf.org>; Sun, 26 May 2024 13:10:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1716754225; x=1717359025; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9YIiTcGZMlJk28epUN8YzVrmndqIiBB2z4StKPlpKmg=; b=BN1rSFKjKdcsTj5nneImh97QAL27/bNw2PGqXrdi4pLmeCSaeAQvCpjEkuLzARhTj0 38Bd4Yl0txUhDKzhQyq2nl/3ty4gbMt5Qb26nXIJ9Dbu6kINGLNeoe0MftRngZxcaEoS kh5OXYmcWRz/MWiKVi5OGyEzruqn3FV8OfsCNP1VpJDOZU15UGYvT3PtUGG9AZBDZWDh RLMw3UkqR+xZkLQT1msPlTXyFl4ClkBLb+dbPOOIMwNRj2x2R9AvANfadufVoi9Legcf nQbWi2Vtmee4BHjIZ4UIiJxzjXy4fsqlSy7WStU+Dun8KwCiQA5L/rDsu+Nh9B3rO6UY GPqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716754225; x=1717359025; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9YIiTcGZMlJk28epUN8YzVrmndqIiBB2z4StKPlpKmg=; b=b5yBXHmWicat7sMnZBfOIeS2pdqEcBICqoZV9jbNvq6jFdTcxeelKsQKOi47nVU7tu ZBEKITP/C3+s/Rlg6zIbGcdMoo4B/FOpIrJpafkKMdvgTAw+2WY9bqbU7Ol3Rnv1uDRT tZ18eNy1+m/RUMnvG/Gmv6yrnsRBFdYp5iOx+CrIZOgpmCcYvzKyO+DMEjro2NmfF7R7 H9/utNd8PzlNeem/cbF+wDDv7NeKqt0VSIXLE5K86OwnZZWOviDoVjwsUaaAo7mG0i4n B4UFgKEMucUdVSCNg9fWFFXxXoPejcFwA5Wr61pw2vIXcyIkYIhDX632V9JRpSJVVg3q bLpw==
X-Forwarded-Encrypted: i=1; AJvYcCVyFcFus31MomK3JLxwAHoYeqpyXHohXPiF+ZQ/At3FxC0UY6JV0xWQH8E3NNt4ZA/aMuEGq03mx1kqwAJB
X-Gm-Message-State: AOJu0YyngGWKioYTv4G+PRixHXSb5/WCxRZ2KwkfUwA7eWnpFuDrZHvY XxKk1zLqFVh0RqyhknUSyQh15kUTs6mWn9GyRm+0B/GwtbAvgRxdnmiqBMYPfyjkOFXu5uqsWnR tOUabXr+8ZxnGna+NwfxvRM63IW6srr3wmF8VLQ==
X-Google-Smtp-Source: AGHT+IFclrkaxqBWZ5MQcfDr++711OnogpTRJKtif8q2/p7/9g0Afjq15Rd0UX5guaxKrjEo08yzP06VjAOKIkX4S9c=
X-Received: by 2002:a2e:a7ca:0:b0:2e1:a15b:b504 with SMTP id 38308e7fff4ca-2e95b2564fbmr51828771fa.37.1716754224719; Sun, 26 May 2024 13:10:24 -0700 (PDT)
MIME-Version: 1.0
References: <171672152590.50074.8948628412360950443@ietfa.amsl.com>
In-Reply-To: <171672152590.50074.8948628412360950443@ietfa.amsl.com>
From: Thomas Fossati <thomas.fossati@linaro.org>
Date: Sun, 26 May 2024 22:10:07 +0200
Message-ID: <CA+1=6yeT23oRgjdx+6e-+xTrszEFWpuCFwFyvwx1S9urU2QSXA@mail.gmail.com>
To: Mohit Sethi <mohit@iki.fi>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: NZ765SU6IHJ7TWSNANID4WW2R2WIFENG
X-Message-ID-Hash: NZ765SU6IHJ7TWSNANID4WW2R2WIFENG
X-MailFrom: thomas.fossati@linaro.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: iot-directorate@ietf.org, draft-ietf-rats-msg-wrap.all@ietf.org, rats@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: Iotdir early review of draft-ietf-rats-msg-wrap-04
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/PVqYPH7j9PQVxQ3lvOXc_z1ynqI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Mohit,

Thanks a lot for your comments.

On Sun, 26 May 2024 at 13:05, Mohit Sethi via Datatracker
<noreply@ietf.org> wrote:
> * Section 4: Perhaps expand what is CoRIM and add a reference to
> https://datatracker.ietf.org/doc/html/draft-ietf-rats-corim-04

ack, done.

> * Section 5 and 5.1: It would be helpful for readers if a short use-case
> explaining when CMW would be transported in CRLs could be provided. While I can
> guess why a CMW would be in a CSR, I could not immediately understand when a
> CMW would be part of a CRL.

In the typical case, CMWs found in certs (and CSRs) carry evidence
about a target environment associated with the (to be) certified
keypair.
In CRLs, CMWs can be used to describe "known-bad values" associated
with the revoked DICE cert - sort of "anti" reference-values :-)

> Similarly, it would be helpful to explain where and
> how the ASN.1 module will be used. I assume it is relevant for cases where a
> certificate containing a CMW extension is passed around?

The motivating use cases are explained in Section 6.1 of DICE
Attestation Architecture [1] and in the CSR-attestation document.  My
preference would be to provide clear references to those two docs
rather than restating the content here.  In that sense I reckon the
first paragraph of Section 5 can be improved a bit.

[1] https://trustedcomputinggroup.org/wp-content/uploads/DICE-Attestation-Architecture-Version-1.1-Revision-17_1August2023.pdf

> * Section 5.2: I wonder about the consequences of having two different CMW
> specifications: one by the Trusted Computing Group (TCG) and the other in this
> draft. I downloaded the TCG specification and found a reference to this draft.
> Would it be possible for future versions of the TCG specification to reuse this
> draft rather than creating a subset? Also, this draft states that the "CMW
> extension" "MUST NOT be marked critical," whereas the TCG specification states
> that the "tcg-dice-conceptual-message-wrapper extension criticality flag SHOULD
> be marked critical." In summary, I wonder if these specifications can somehow
> be synchronized.

I think you are right, they should be fully aligned.
Ned is the chair of the DICE WG in TCG, so he's the authoritative
voice wrt this point.

> Section 7: Please expand UCCS on first use: unprotected CWT Claims Sets (UCCS).

done

> Note: I haven't verified the CDDL, CBOR, and JSON for correctness via tooling,
> but they looked fine while reading.

I have just run "make -C cddl" and everything seems in order.

Thanks again, cheers!