Re: [Rats] comments on draft-birkholz-rats-uccs

[Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>]

Hi all,

Apologies for a very late response to some of the issues raised below.

Best regards

Jeremy

Jim Schaad <ietf@augustcellars.com> Mon, 17 August 2020 20:14 UTC

-----Original Message-----

From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de<mailto:henk.birkholz@sit.fraunhofer.de>>

Sent: Monday, August 17, 2020 3:49 AM

To: Jessica Fitzgerald-McKay <jmfmckay@gmail.com<mailto:jmfmckay@gmail.com>>; rats@ietf.org<mailto:rats@ietf.org>

Cc: Jessica Fitzgerald-McKay <jmfitz2@cyber.nsa.gov<mailto:jmfitz2@cyber.nsa.gov>>; Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>; draft-birkholz-rats-uccs@ietf.org<mailto:draft-birkholz-rats-uccs@ietf.org>

Subject: Re: [Rats] comments on draft-birkholz-rats-uccs



Thanks Jess!



the discussion on where this is incubated was deliberately scoped down to provide:



* a finite and still useful set of Security/Privacy considerations, and

* relatively specific guidance and context on how prerequisites for usage look like.



The concept of an UCCS tag goes beyond RATS, of course. The usage of an UCCS tag alas requires some application-specific "rules".



That said, we will discuss this topic specifically asap. Also, Jim is now in CC (Hi Jim) and maybe he can weigh in on this topic?



With respect to your technical comments, please give us some time to come back with well-formed answers. I do not want to barge ahead with half-baked replies :-)



Viele Grüße,



Henk



On 07.08.20 16:01, Jessica Fitzgerald-McKay wrote:

> Hi, UCCS authors,

>

> Mike Jenkins and I reviewed the UCCS draft. Our comments are below.

> Happy to talk through any of them with the group.

>

> Thanks,

> Jess

>

> The intent of this draft is similar to the key concept of EST - use

> the authentication of the secure session connection. Most schemes

> build on this concept leave a lot of banana peels laying around, some

> of which we describe here. In general, this does not seem appropriate

> to the scope of RATS. We feel that COSE might be a more appropriate

> work group to think these issues through.





[JLS] To me COSE is exactly the wrong place to do this.  If it is not done in RATS then ACE would be the appropriate location.  Doing it in COSE would be something along the lines of "If you don't use the core technology of this group then you should?"



>

> - If you're using a static symmetric key for authentication (as one

> might with highly-constrained devices), you can only authenticate a

> net, not an entity. The receiver cannot differentiate between

> authenticating the sender and authenticating itself.



[JLS] I don't see this as being interesting for this document  The exact same set of problems exist if you use HMAC or symmetric encryption with COSE where a static symmetric key is used.  The thing that might be interesting would be to talk about correspondences of the secure channel security and the equivalent COSE objects.



[JOD] I prefer to focus on the security UCCS over a Secure Channel in comparison

To COSE as Jim suggested – this seems reasonable approach. Since

ID.ietf-cose-rfc8152bis-struct and ID.ietf-cose-rfc8152bis-algs have

extensive security considerations. I have proposed text modelled on the

structure used in I-D.ietf-cose-rfc8152bis-struct and

I-D.ietf-cose-rfc8152bis-algs.



>

> - The authentication happens at the secure channel termination, not in

> the channel-contents-using application. It's important how the

> termination process vouches the authentication to the application. (In

> EST, this question is how the EST server vouches the requestor's

> identity to the CA server.)

>

> - A TEE only helps if the TEE application can punch through the REE

> and set up the secure channel completely on its own. If the TEE relies

> on the REE to set up the secure channel, you might as well just

> operate in the REE.



[JOD] Given the many ways in which Secure Channels for UCCS can be implemented, I suggest

including text that indicates the need for the Secure Channel and Attester to exist within

a common security environment.



Text could read along the lines of:



“A Secure Channel established or maintained using weak cryptography, or that exists in a

different security context to the Attester, may not provide the assurance required by a

relying party of the authenticity and integrity of the UCCS.”



>

> - There is a comment at the end of the introduction (!) about

> transitioning back and forth between self-protected and

> channel-protected CWT, "in a well-defined scope". Define the security

> characteristics of that scope or get rid of the comment. You're

> handing someone an awful lot of rope there.



[JOD] This text has been deleted.



> - The claims set should be treated as ephemeral by the recipient. It

> shouldn't be stored, and can't be forwarded except as data originated

> by the recipient. As soon as it emerges from the secure channel, it's

> no more valid or meaningful than any other piece of unprotected data

> in the application environment.



[JOD] Proposed text:



“When UCCS emerge from the Secure Channel and into the Verifier, the security

properties of the Secure Channel no longer apply and UCCS have the same properties

as any other unprotected data in the Verifier environment.



If the Verifier subsequently forwards UCCS, they are treated as though they

originated within the Verifier.”



> _______________________________________________

> RATS mailing list

> RATS@ietf.org<mailto:RATS@ietf.org>

> https://www.ietf.org/mailman/listinfo/rats

>


--
Jeremy O’Donoghue
Director, Secure Systems Group, Farnborough, UK
jodonogh@qti.qualcomm.com