IETF Logo Mail Archive

Re: [Rats] Requesting a Nonce from a Verifier

"Smith, Ned" <ned.smith@intel.com> Wed, 06 March 2024 16:54 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95FA2C14F5FD for <rats@ietfa.amsl.com>; Wed, 6 Mar 2024 08:54:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46SQkOyPLiRg for <rats@ietfa.amsl.com>; Wed, 6 Mar 2024 08:54:13 -0800 (PST)
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96592C14F5F6 for <rats@ietf.org>; Wed, 6 Mar 2024 08:54:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1709744054; x=1741280054; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=EX/7IK6dNj/DBd6jpTXbEkk/EmOzUE+n+ljwmTsB/0U=; b=fcNCj6d3zlq3nfFMIL0wf9w9B+XmoW1uOuL2FwgOVPk2Hwb0Xs2ZsEib NS3rsVkwWtA3jRSZm2q4o2Ql1hXtkebbboNtU0hiRLC18gBrL3urSBSJB kbwdSeUaJygHPzzmbBgQOL+fNTLoU3f3wmO8c3Gvu1X1BQW30wTveYv2B paD/HNs3Vxl2e6zkXuhz304b+CN3oD+wwx3Yi+/CLT9y1hQREw+V/veXZ Wjp5h9xdNqtTAfWr/+LD/05/TBVqe3dMjLWIQeP8smf5chFUekFzb14cA NSAwoaaUD+50zRKLlrfilUzxbkNVIZncLon5c06opBhPZ02/vQyccPpYM A==;
X-IronPort-AV: E=McAfee;i="6600,9927,11005"; a="21823309"
X-IronPort-AV: E=Sophos;i="6.06,208,1705392000"; d="scan'208";a="21823309"
Received: from fmviesa005.fm.intel.com ([10.60.135.145]) by orvoesa102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Mar 2024 08:54:13 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.06,208,1705392000"; d="scan'208";a="14314878"
Received: from orsmsx602.amr.corp.intel.com ([10.22.229.15]) by fmviesa005.fm.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 06 Mar 2024 08:54:12 -0800
Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Wed, 6 Mar 2024 08:54:11 -0800
Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend Transport; Wed, 6 Mar 2024 08:54:11 -0800
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.169) by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 6 Mar 2024 08:54:11 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=K03iBNVGqtnyuD7CBh/px7ZE4dOezcRs3xiwtcwYcAufkyRoc54xr1ht/SGTJYi8ZBJAJPptrpuZOqvvrjrftEH4xj78vSyl+9o9J6c/7m3ujGd50Rc58gFKMnDFXfCqjggqpJWbFGnSMqEv/SMUtn6kkAXCalpz/tVhf5MvmS538a5GEk/fRkDsRtYzqxZl7ZuYsDLGFt+nXz4AjB0DYaDq/N9iXIFNqLMyMXic67RZmPRrj9IXt4ubS9d0O6RRfPzvwWjnQ8PxbDRLDrz+ksgfKM4/NOe9GHpbvB7icUEMXj11ER5FB6JaWarM8IqX6FQLh8olJA1vOXDMh792vA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EX/7IK6dNj/DBd6jpTXbEkk/EmOzUE+n+ljwmTsB/0U=; b=Zqo7JceDjPFODjp9dOCkBw1QXVHP0tdyGu4GZEUdipZrha0TB5L2WnzwJ4dQZO43cCNRh8OqvzIoWSxIVAmBWUSENMXD13LP9AhXxacVSk3KRPyrsx+zl/0abSj5A+FOPX4F9PwvWOdJBcgjG3SW38Uobp2ATMW9eoN8NJk8m2dlXMpvl69ndFEN630J3X8UU0oZRTxq0krQ0oghY0ETNyEOOvXeMLMFKFk/yeb9Lo85kKQZf5tMPoUb4idDRiCyoWmRIVDPw6bFB0a/y3AizByhO9NLT3xZ3sQnvAe5Yw1h/yo6hVnKpmB3j2b+H10a2X/+yYODXJI45tgVEEs4tQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by DS0PR11MB6518.namprd11.prod.outlook.com (2603:10b6:8:d2::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.24; Wed, 6 Mar 2024 16:54:09 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::2747:3470:9f2b:b835]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::2747:3470:9f2b:b835%5]) with mapi id 15.20.7362.024; Wed, 6 Mar 2024 16:54:09 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Henk Birkholz <henk.birkholz@ietf.contact>, "hannes.tschofenig=40gmx.net@dmarc.ietf.org" <hannes.tschofenig=40gmx.net@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Requesting a Nonce from a Verifier
Thread-Index: Adpph2/sCzoh1slqSSKBshTevR+ZrgAArLOAAPUvtwAAnTVbAP//oEQA
Date: Wed, 06 Mar 2024 16:54:08 +0000
Message-ID: <5E4A8C93-FC03-4780-9F41-F0CCA559B513@intel.com>
References: <02c501da6987$d2d64490$7882cdb0$@gmx.net> <ecf9ac86-82f2-80b7-160a-bdde42387ef0@ietf.contact> <011b01da6d5e$e30e4e90$a92aebb0$@gmx.net> <a69d9a50-68e6-80c2-e400-f565da746d79@ietf.contact>
In-Reply-To: <a69d9a50-68e6-80c2-e400-f565da746d79@ietf.contact>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.82.24021813
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|DS0PR11MB6518:EE_
x-ms-office365-filtering-correlation-id: 185388b7-4e16-4908-26b5-08dc3dfe0ab7
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xvZ93M+FBNPFOPwBI0gaFEzqSg67BtVrnBEY8mQcP44LRA9vf1tTcn+XotUMii2+D1YCfhW2ieF4TS897dNyjuC6arKPBFq/eisfrqgnvFY3PL8eg8tPkjLBy1ZSSqPpwE0tWInE3A2aCGB0/rZtmJZWjBfE8H0mBy7QLW5zPI4FxqMtcVZw6DLdDUezUyIlBShhnEAovgZOnEqvuZY4QfKBcmYHiE7F9FWLy+TkNxeXEN9qSXkrVhh2RtYA/AIDQu7DgM8kxPouhiqgvLzDNav7EmWcU/N0ErH6GlDOhKPDcTLBryIPMhLfgqiQG0iuLL7nMLREKwcH+8NuG/ZOZMh/gliuq1XsRrCGPEsU/KvDzRv7TAJ/MDRYaMOx8+GeZ6WHeuZcbkRGfyu5vjo2dxUWI1YxNBc+VEPFFoYrIMOFlYXPRXH9EMo/31HZCpKi+SlLmAkSvbeMledMYcqz2ckwhjdOE4DV7Gdn8h85KrgdcKgTvWLaT9gmxJa+hBMrAxeGCBmrPvbNgIJHkLZX0VK/cWIq7eL+eygMDPGKjrq7bKkbTUnQqFJXvgra1OLlnGQfkSX58qg4z/Y27QMPkIaWQv5mK5HxwDr1Y72QV3kuicBNvwm5KUD2uZp9f+JlxFXKAV0+NyPPrSyqw+Y+X3w/otcj4bHP+rt4iU9+mLbyeZttUKe4lo+2g0Q8sFJEzmdORdgxXsvqSEjccC2ALZ6N3a5kaRYwx7DmSskvFGs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(38070700009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zYkScWQ3okmxrvUUtP5rYowpk78UN0b33WaLWiW0isprqELS3aZMvhwmEKQvxAQmNNwTDvNs+gagMgAHrPWNn3bTlB0Fk70kT6wtCpaK+QH3jfCA5zgy9+MxDDPNbiajvU2icoFufX5fZfnzDk4t1rAH0U3DLUCUSVeQkh1SBhDYh/KJcF6EQXi7h2UUQwSQbj3+VVBJQ35n6YycjgIfV9PQUW8/SQR6iAjbWvcrFFHYHSPLkvFNFLEiwNFdSzUj2E3UmSq8dQmJyabPaRSYTW6lMJFMCAYwmn4+nthlDfb4JGNG4O28JWEdxNLBfjO7Nh7eQYicrtLl2ZyoVpDqSAAH2b3YF3zkZ9RsEOBQeDuJddO9QrY9UIaZfh9I2nOiJjl3y7ik3Rz19HZ24vwMS+ViQGseAOsOKrzq0eJH4lQXWl3efPxIOAZq3mOT2AEUQIhzf4R5z25No55S/XziNqLvv8SiDhSb1wsYkk6SGQUyR0kjkUm7yczFc43E901+BPpl1YXpbLP7+9akCA5/zt4wIo1EfmHq6X9RXMoKqiQ40C+u/Xqb3/hWOIAYePI+uc7n6cDVS7fWQqSBrHlCgsDjZFlkj0qed9W/kc16lW/sNS4qm14+YyQLBVRynJZfP7nHsgMqS2MtV0PZd5KaijWjncfXxciGfIu0XhAVA+mwSvuc8hfda3XY5iXM2aj4zApiav3WIc0hE05xXktGxdCsEyQFV/rGgQYA+ae14COegrJgienvV6XWkM5xAJ/rNcax7Q5dP0LgckBfA7YbPgX8/mIYBfKN1HHXXVLB+XfmK9SmXCrILi1Z3NVhX762Zb5X19NOrQVYFXxH5mz4W57/kH1UtbM7Me+ZEs5AM6f68qH+EDZ3WzFlSEMOrsKNYWLjOUU0+UUZUiCFQLAA8ZjjkO2uiq+T0zyDEo4LD74OoV3F1uS68K+l8EMhaadMHwBrCLVMryQLo/40Ei4h24X/vQNm95kuxKgly2ngKl+aRgUmYo0r43Csdnp50hphrJwCd/BrnKveS4IYuVuLzbFhIMeaKkgI6xTKcL4eAN6AMN/P4PNQ9HkQwZrjbJVuiq1s5cgIM+1SufGjws/qQCD8+3U4QAKRnLIwK6x7y4g5BroTtTDYzP/JUActykt0GzdYYOsEelku++AN8ezT7Fn/xyrvmVl/1nQPM3uXak/5QTXQyO8mMW1T9uBdJycvW0yXVY+uaNjCH2411yHnv/SYu7CwoOnsrXXa8sxNAk9Cosx6TQ3tF5/aIRtaofLemiDcjCyDX1S/BFo+BaFdAdaY04MyD//776ASs10ZOG0v8by01KXkvJKDpAIbDDdGKsAep7eyW+WpOrQTjtUM2fGpNtqIoctGPdx7CAHtBrhxMZsCEfjB1KTWxaYoucf8IOfNv5H54jtqISqjfm0fp3r5UgQ8pGt9ZLIQAg8X/eTAAaWKMh7MlFT/xX7m7B+8h6HrTDEp+6Aj4BL8ELgBHyXv9g6aTpy9W+5rqnH97wfbvZrYRSRdGE806WBjzyKQ7H++D83vJvNaOAZw8ejJ6gu30nCd8qM1zl43Mx7sg9cf4k7pTT2AJUvZxH3Mkz9G
Content-Type: text/plain; charset="utf-8"
Content-ID: <AA4C0D1EAB4429498A950B443F65A7BB@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 185388b7-4e16-4908-26b5-08dc3dfe0ab7
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2024 16:54:08.9988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ly1cDBHZi++5IsQIW30GKAtCfbqUPHsvhTyTy4eXuHenhK6KfEXP8BHj+0QVkWodMvFnhxHE06SBJrMiid51dg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR11MB6518
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ReSUwv1HidQMEtGBheMAUnEYta4>
Subject: Re: [Rats] Requesting a Nonce from a Verifier
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 16:54:17 -0000

>> [Hannes] How do you solve the following problem: Image a device wants to transmit a CSR with attestation evidence to the CA. The device needs a nonce to demonstrate freshness. There is more than one Verifier.
>>
>> How does the exchange look like such that a Verifier is selected, which fulfills two properties:
>> * it needs to support the attestation technology of the attester, and
>> * the attester's signing key of the evidence is trusted by the verifier.
>
>Well, Epoch Markers are one solution to the scenario, of course. In that case, if you trust an Epoch Bell, you would not have to worry about the number of Verifiers.
>
>In your scenario of Verifier and Capability Detection/Negotiation, MUD, for example, could help you with that. Minimally, MUD could help you to identify Verifiers, but it could also help you to identify Capabilities.
>
>Establishing trust in the Attester's Identity Document is not the Attester's duty, IMHO. You can burden it with that duty and can compose a very specific system of solutions here. But how do you imagine to enable evolution this very specific setup that would scale and retain interoperability?

I'm not sure I understand Hanne's use case. Is the CA doubling as the RATS Verifier? If so, why would there be multiple CAs sharing the same CSR? If not, why does one CA need attestation results from multiple Verifiers (would their responses be different)?

Specific to ">> * the attester's signing key of the evidence is trusted by the verifier." - A RATS Verifier doesn't trust the Attester's signing key. Rather, it trusts the CA key that issued the Attester's signing key. Trust in the Attester's signing key might be established with a Relying Party after evaluating Attestation Results. The Verifier trusts the Attester's CA using a Trust Anchor policy (presumably provisioned by the Verifier Owner). 

BTW: I'm not sure how the above question ties back to the discussion on freshness / recentness.

-Ned

v2.23.0 | Report a Bug | By Email