Re: [Rats] Entity vs. role
"Eric Voit (evoit)" <evoit@cisco.com> Tue, 22 March 2022 21:37 UTC
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Laurence Lundblade <lgl@island-resort.com>, Thomas Fossati <tho.ietf@gmail.com>
CC: "rats@ietf.org" <rats@ietf.org>, "Smith, Ned" <ned.smith@intel.com>
Thread-Topic: [Rats] Entity vs. role
Thread-Index: AQHYPivMgQWbu8zDYE+F8zzrq4lIsazL5rMg
Date: Tue, 22 Mar 2022 21:37:39 +0000
Message-ID: <BYAPR11MB31255F64BDB773DB93A0C6CCA1179@BYAPR11MB3125.namprd11.prod.outlook.com>
References: <3407CFB9-B713-4E13-BDA3-08EC7B5A905E@intel.com> <CAObGJnOxU0vfxzzZ9tv1J64KHDigxLcEMrgx0gDy97bE7NQJcA@mail.gmail.com> <E20F61DD-8775-4E68-8E56-E6EC92682A18@island-resort.com> <CAObGJnOv8ePE=R6vvdg5uib3Y9=WS8A5vcOdpWY0sREXA98aPQ@mail.gmail.com> <2BC14C43-80D0-4611-BEA0-9D9B9948BE0C@island-resort.com>
In-Reply-To: <2BC14C43-80D0-4611-BEA0-9D9B9948BE0C@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/SB-DVptXsF4LhzhPxEpkHBp5vCE>
Subject: Re: [Rats] Entity vs. role
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Hi Laurence,
From: Laurence Lundblade, March 22, 2022 4:31 PM
On Mar 22, 2022, at 9:12 PM, Thomas Fossati <tho.ietf@gmail.com> wrote:
On Tue, Mar 22, 2022 at 6:42 PM Laurence Lundblade <lgl@island-resort.com> wrote:
Agree entirely with what’s below, but it doesn’t quite address what I am on about.
RATS architecture clearly separates two polices:
1) Appraisal Policy for Evidence
2) Appraisal Policy for Results
The first one is used only by the Verifier role and never by the Relying Party role. It can only be used to process Attestation Evidence, never to process Attestation Results. In a chain of Verifiers all the intermediate results are Attestation Evidence, never Attestation Results.
When all the Verifiers are done, then you have Attestation Results.
Similarly, the Appraisal Policy for Results is used only by the Relying Party role, never by the Verifier role. It can never be applied to Attestation Evidence.
Since we are talking roles not entities, here, the Relying Party can *never* by definition receive Attestation Evidence. Again, since we’re talking *roles* not entities, a Relying Party can *never* host a Verifier.
Said another way, the definition of the Verifier and Relying Party roles gives a hard one-way transition from Evidence to Results.
I think the Verifier and the Appraisal Policy for Evidence is all about the device/implementation/attester.
- Who made the device?
- Is it configured correctly?
- Is it in the right state?
- Does it have the right SW?
- What certifications does it have?
This is represented in the Attestation Results, perhaps in summary or in detail.
Then the RP and the Appraisal Policy for Results is about the application-specific stuff:
- Is this device OK for this dollar amount (the RP knows the $ amount, not the Verifier)
- Can this content be played on this device — the RP knows which device and what characteristics it requires for the content
- Is the sensor data accurate — the RP knows which sensors it can trust
I think that the terminology choice made by the architecture is quite precise: "AP for attestation results."
The appraisal logic you are describing above covers more ground than just attestation results. The way I picture myself the "complete" appraisal process done by the RP looks more or less like:

             AP for AR
                 |
      .------v-------.    .--------------------------------.
AR -> | AR appraisal | -> | Application-specific appraisal | -> [0..1]
 :    '--------------'    '--^--------^---------^----------'
 :                           :        |         |
 '- - - - - - - - - - - - - -'        other     application-
                                      input     specific
                                                policy
Yes, we can depict it like that conceptually, but in reality it could be one big machine learning engine or similar where you can’t separate it (you could even put unverified measurements in AR so they can be fed into a machine learning engine).
<eric> Ar4si uses the term "AR-Augmented Evidence" to show what flows into the unified Verifier + Relying Party roles. Ar4si makes no assertions on what the full set of Evidence might include.
And RATS architecture doesn't care about what's in AP for AR and shouldn't care about it. We're only mentioning AP for AR for the sake of completeness. We're not going to put any requirements on it or say anything more about it than it exists, right? Hope that's right.
<eric> The RATS architecture doesn't name specific objects. But where AR flows between devices (e.g., in the passport model), this WG needs to understand how reusable Verifier generated objects/definitions might be consumed. I.e., the ultimate consumer of RATS is the RP.
Eric
LL
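The role separation Laurence lays out (Appraisal Policy for Evidence only in the Verifier role, Appraisal Policy for Results only in the Relying Party role, intermediate outputs of a Verifier chain still being Evidence) and the two-stage RP pipeline in Thomas's diagram (AR appraisal, then application-specific appraisal producing a value in [0..1]) can both be modelled in a few lines of Python. The following is an added illustration written for this archive page; it is not code from the RATS architecture, from ar4si, or from any of the participants. All type names, policy contents, claim keys, hash strings, certification names and dollar limits are constructed for the example.

```python
"""Toy model of RATS roles (added example, not from any IETF document).

Evidence and AttestationResults are distinct types. Only a Verifier turns
Evidence into AttestationResults; the Relying Party role only accepts
AttestationResults. In a chain of Verifiers the intermediate outputs are
wrapped back into Evidence, so only the last link emits Results.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Evidence:
    """Claims produced by an Attester (or forwarded by an intermediate Verifier)."""
    claims: dict


@dataclass(frozen=True)
class AttestationResults:
    """Output of the final Verifier; the only input type the RP role accepts."""
    device_trust: str   # "trusted" or "untrusted"
    summary: dict       # reusable detail for downstream consumers


Verifier = Callable[[Evidence], AttestationResults]


def make_verifier(policy_for_evidence: dict, name: str) -> Verifier:
    """Build a Verifier role holding one Appraisal Policy for Evidence (constructed)."""
    def verify(evidence: Evidence) -> AttestationResults:
        # Compare each reference value in the policy against the claim of the same name.
        failed = [k for k, v in policy_for_evidence.items() if evidence.claims.get(k) != v]
        # Verdicts of earlier Verifiers in the chain arrive as ordinary Evidence claims.
        stages = dict(evidence.claims.get("prior_stages", {}))
        stages[name] = "trusted" if not failed else "untrusted"
        trusted = all(v == "trusted" for v in stages.values())
        summary = {
            "stages": stages,
            "failed_checks": failed,
            "certified": evidence.claims.get("certification") == "ExampleCert-L2",
        }
        return AttestationResults("trusted" if trusted else "untrusted", summary)
    return verify


def chain_verifiers(evidence: Evidence, stages: list) -> AttestationResults:
    """Intermediate outputs are re-wrapped as Evidence; only the last stage yields Results."""
    current = evidence
    for stage in stages[:-1]:
        intermediate = stage(current)
        current = Evidence({**current.claims, "prior_stages": intermediate.summary["stages"]})
    return stages[-1](current)


def relying_party(results: AttestationResults, amount_usd: float) -> float:
    """RP role: AR appraisal, then application-specific appraisal, scored in [0..1]."""
    if not isinstance(results, AttestationResults):
        raise TypeError("Relying Party role only consumes Attestation Results, never Evidence")
    # Stage 1: AR appraisal under the Appraisal Policy for Results (constructed: must be trusted).
    if results.device_trust != "trusted":
        return 0.0
    # Stage 2: application-specific appraisal; the dollar amount is input only the RP has.
    limit = 5000.0 if results.summary["certified"] else 500.0
    if amount_usd <= limit:
        return 1.0
    if amount_usd <= 2 * limit:
        return 0.5   # within a step-up band: partial confidence, not a hard accept
    return 0.0


# Two Verifier roles with separate policies (constructed values).
VENDOR_VERIFIER = make_verifier({"vendor": "ExampleCorp"}, "vendor")
SW_VERIFIER = make_verifier(
    {"sw_hash": "sha256:constructed-known-good", "config_ok": True}, "software")


def decide(evidence: Evidence, amount_usd: float) -> float:
    """One entity hosting both roles: the flow is still Evidence -> Results -> decision."""
    results = chain_verifiers(evidence, [VENDOR_VERIFIER, SW_VERIFIER])
    return relying_party(results, amount_usd)


# Constructed sample Evidence for two devices.
GOOD_DEVICE = Evidence({"vendor": "ExampleCorp", "sw_hash": "sha256:constructed-known-good",
                        "config_ok": True, "certification": "ExampleCert-L2"})
BAD_SW_DEVICE = Evidence({"vendor": "ExampleCorp", "sw_hash": "sha256:constructed-tampered",
                          "config_ok": True})

if __name__ == "__main__":
    print(chain_verifiers(GOOD_DEVICE, [VENDOR_VERIFIER, SW_VERIFIER]))
    print(decide(GOOD_DEVICE, 300.0), decide(GOOD_DEVICE, 8000.0), decide(BAD_SW_DEVICE, 10.0))
    try:
        relying_party(GOOD_DEVICE, 10.0)   # the RP role never sees Evidence
    except TypeError as err:
        print("rejected:", err)
```

The point of the type split is that an entity may host both roles (as `decide` does), yet the Relying Party function cannot be handed Evidence by mistake, and the dollar amount never reaches the Verifier: that is exactly the hard one-way transition from Evidence to Results the thread describes.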