Re: [Rats] IANA pre-RFC code points

Laurence Lundblade <> Tue, 16 February 2021 17:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B8C353A0D27 for <>; Tue, 16 Feb 2021 09:43:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 02bgX9hEwNvi for <>; Tue, 16 Feb 2021 09:43:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 16D063A0D25 for <>; Tue, 16 Feb 2021 09:43:01 -0800 (PST)
Received: from ([]) by :SMTPAUTH: with ESMTPSA id C4NHljujy0AU2C4NHlySc3; Tue, 16 Feb 2021 10:43:00 -0700
X-CMAE-Analysis: v=2.4 cv=NJMQR22g c=1 sm=1 tr=0 ts=602c0424 a=4DuQCvq92BI7+Z+mmVs66w==:117 a=4DuQCvq92BI7+Z+mmVs66w==:17 a=QyXUC8HyAAAA:8 a=K6EGIJCdAAAA:8 a=7CQSdrXTAAAA:8 a=48vgC7mUAAAA:8 a=3K5xN4CiOVvbNonium0A:9 a=H6gfia2e7GwCNAvE:21 a=TNtgZ6NaB4FRFiK4:21 a=QEXdDO2ut3YA:10 a=1FfA-cBo8-BrtGpqnDIA:9 a=GPIAeTXWBVt6dRoI:21 a=WygTtV8YsGhmx-kO:21 a=UN9Ol_N_9_UiCIZY:21 a=_W_S_7VecoQA:10 a=L6pVIi0Kn1GYQfi8-iRI:22 a=a-qgeE7W1pNrGK8U0ZQC:22 a=w1C3t2QeGrPiZgrLijVG:22
From: Laurence Lundblade <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B0D16259-6E2E-463C-9CB2-B1BC63FE481F"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Tue, 16 Feb 2021 10:42:58 -0700
In-Reply-To: <>
Cc: Adrian Shaw <>, "" <>, Hannes Tschofenig <>, Simon Frost <>, Thomas Fossati <>
To: "Smith, Ned" <>
References: <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
X-CMAE-Envelope: MS4xfKjpQIywzwQLd0NtS2GyHUVB+CJNgtbhFkyfKL2RqlIkXkBnKXq+DJUST2FX/r6dI37A9eRUJfb24TG27OO1AotaBhCtIw8vbdorct2bZSzcArozA5dY GOSdRnS8pVBd2IazHoLCVW/0j9DcPAJLibaqnhLErQ8BS2l/LCxVwWyQICSuXfbTkSPB9zZ+lOWFMrxcPBrpJta5Xbelp3UD/qqrm572VjKbV+BPN0Y1A05g SMFmzwURt+P7eVFyn3cr1N9YCVpPWFrhg+TJJeFUzGy7jOLo7VRv1QTvXraAlsmfNbzUop2YSu92S+hVOGkHaHcyalSfQRsb0IgvcEj3TS7xC75FABcTuGhN jpmNBdVimtd0lpzlOHTe/hwp4GaS7A==
Archived-At: <>
Subject: Re: [Rats] IANA pre-RFC code points
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Feb 2021 17:43:08 -0000

I was expecting at least a few profiles to be standards track RFCs. Other’s will be authored by other standard’s orgs (e.g., FIDO, GP). Other’s by companies.

I expect profiles to be focused on domains. Here’s some examples: consumer IoT, phone key store attestation, automotive, user authentication, routers in closets.

In many scenarios a machine readable format will have no use. For example, in a constrained environment you only want to implement one crypto algorithm and the smallest and most efficient options for serialization.

So, no, not machine readable. 

I think profiles are important for EAT interoperability:
- COSE and JOSE algorithm support is open-ended and there is no negotiation like TLS
- Many serialization formats and variants (EAT defines 2, EAT architecture suggests even more)
- - CBOR has it’s own variants in serialization formats and in tagging
- Varying problem domains

If we can agree that profiles are necessary and that a simple text string is good enough to name a profile, then we can put in in the pre-allocation. We don’t have to agree on the mechanism for defining profiles, just for naming them.

I hope we don’t delay the pre allocation much longer. It’s been over 2 months since I made the first clear formal request.


> On Feb 16, 2021, at 9:44 AM, Smith, Ned <> wrote:
> Is it the intent of this spec to define a machine readable format for stating the 12 ‘things’ the profile should specify?
> What if any convention addresses profile name collisions? If vendor-A uses profile name is “A” and vendor-B also uses “A”, is that considered either a security problem or an interoperability problem?
> -Ned
> From: Laurence Lundblade <>
> Date: Monday, February 15, 2021 at 12:36 PM
> To: "Smith, Ned" <>
> Cc: Thomas Fossati <>, "" <>, Adrian Shaw <>, Hannes Tschofenig <>, Simon Frost <>
> Subject: Re: [Rats] IANA pre-RFC code points
> They are largely complementary mechanisms.  Maybe you could call the IANA claims registry the palette of colors and a profile the painting.
> The IANA claims registry describes lots of different claims. Some implementations will use one set of them, other implementations will use others. Some will use proprietary claims that are not in the registry. This however doesn’t give much guarantee of interoperability between an Attester and Verifier.
> A profile says which claims are in use for a give use case. It says which claims are prohibited, which are required and which are optional. It should be complete enough to give full interoperability for a use case.
> A profile also says which crypto, which serialization format and such to use so that interoperability can be achieved.  There are 12 separate things that a profile should specify (e.g., required claims, prohibited claims, JSON/CBOR, algorithms, CBOR serialization, endorsement identification…). Take a look at the text here <>.
> LL
>> On Feb 15, 2021, at 12:36 PM, Smith, Ned < <>> wrote:
>> The topic of how vendor specific data should be handled has been brought up in the past. The conversation seemed to reach consensus by using the CWT/JWT existing mechanisms for vendor specific tags. Maybe someone should summarize how the profile mechanism compares to CWT/JWT vendor specific mechanisms?
>> Ned Smith - Intel - <>
>> ________________________________________
>> From: Laurence Lundblade < <>>
>> Sent: Saturday, February 13, 2021 3:00 PM
>> To: Thomas Fossati
>> Cc: Smith, Ned; <>; Adrian Shaw; Hannes Tschofenig; Simon Frost
>> Subject: Re: [Rats] IANA pre-RFC code points
>> Profiles and are only in EAT drafts from the last month so they haven’t had much review or discussion. That makes them different from the other claims for which pre-assignment is requested.  I don’t think I have even presented them in detail in any meetings. So personally I am kind of on the fence about this.
>> A thorough reading and commenting by folks other than Arm would get me off the fence.
>> Happy to hear what the chairs think too.
>> LL
>> On Feb 12, 2021, at 11:14 AM, Thomas Fossati < <>< <>>> wrote:
>> It'd be extremely useful to us if the "profile" claim could be added to
>> the list early assignments.
>> That way the PSA token would just use the standard code point assigned
>> to "profile" to create the context to interpret the rest of the private
>> PSA claims - which means we would not need to make any further request
>> to IANA.
>> Hopefully it is not too late to ask :-)
>> Cheers!
> _______________________________________________
> RATS mailing list
> <>
> <>