Re: [Rats] use case document updates on Roots of Trust

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Fri, 13 September 2019 19:52 UTC

I don't know what a trust root is, but a trust anchor does not reside on 
the Attester (with respect to the evidence that is created) while a root 
of trust does. That is kind of one of the primitives why they are 
differentiated. Specific comments in-line:

On 13.09.19 00:31, Salz, Rich wrote:
> I do not see a meaningful difference between "trust anchor" and "trust root" and "root(s) of trust."  All of them:
> 	- Are pieces of data (certificate or key is not meaningful

Well, if the entities certificates and the entities openssl software 
components are the same thing (because they both are pieces of data), 
then I think I would agree here. If it is relevant to the workflow that 
one is an executable that resides somewhere and one is a document that 
can be presented, I am more inclined to differentiate the entities TA 
from the entity ROT, too. I am aware that the analogy is a bit clunky 
and someone can surely come up with a better one.

> 	- Used to verify something such as a certificate or signature

Some roots of trust do that, other roots of trust don't do that (e.g. 
doing the opposite: an RTR for creating the signatures, digests, or 
evidence). So that cannot be a common denominator either, I think.

> 	- Are trusted by the application, based on actions that are "out of band" of the application itself

That in fact is indisputable and probably the reason why both trust 
anchor and root of trust include the term "trust" :)


In essence, I simply think it is just not that simple - to say "they are 
the same" and then only focus on similarities to bolster that argument.

Best regards,

Henk

