Re: [Rats] Call for adoption (after draft rename) for Yang module draft

"Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com> Mon, 11 November 2019 07:20 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/PpTivuGgFcvmNWuYhQPbuFLrHmg>

> Remote TPM attestations are useful and necessary in the short run, but are of very limited capability. I believe that EAT will replace TPM attestations in the long run (maybe decades) because they are far more expressive. I know others believe that too.

I would disagree with the statement of "short run" ... TPM is practically the only existing standardised (hardware, software, firmware, measurement - x86 only etc.) hardware root of trust in common use, i.e. practically all x86 machines. The attestation mechanisms provided are going to be around for a very long time.

From telco experience, 30 years ago we said SS7 would only be around in the short term.

> Thus, I am opposed to adoption with the current TPM-only draft. I’d be OK with the current draft and a promise to add EAT to it.

Agree

Ian


--

Dr. Ian Oliver

Cybersecurity Research

Distinguished Member of Technical Staff

Nokia Bell Labs

+358 50 483 6237

________________________________
From: Laurence Lundblade <lgl@island-resort.com>
Sent: 11 November 2019 00:44
To: Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; rats@ietf.org <rats@ietf.org>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft


On Nov 10, 2019, at 2:20 PM, Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> wrote:

> So, Laurence, are you still OK with the adoption of the current draft with a rename for now?
> Thanks, Nancy

I think the value add to the larger RATS effort of adding EAT support to this YANG protocol is really high. It's a core thing to do that helps bring together the two attestation worlds and make the TPM and EAT work here less like ships in the night.

Remote TPM attestations are useful and necessary in the short run, but are of very limited capability. I believe that EAT will replace TPM attestations in the long run (maybe decades) because they are far more expressive. I know others believe that too.

If we don’t include EAT in the YANG model it is sort of like defining HTTP to only convey HTML to the exclusion of PDF. We’re defining an attestation protocol that can only move one kind of attestation even though we have consensus on what the other one looks like.

It seems relatively simple to add EAT support (or promise to add EAT support). Pretty sure I heard Henk agree to add it.

Thus, I am opposed to adoption with the current TPM-only draft. I’d be OK with the current draft and a promise to add EAT to it.

LL