Re: [Rats] Comments on draft-birkholz-rats-architecture-01
Ira McDonald <blueroofmusic@gmail.com> Mon, 15 July 2019 15:07 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C3712021F for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 08:07:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rjkYKK3bMlIA for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 08:07:32 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F36D1201F1 for <rats@ietf.org>; Mon, 15 Jul 2019 08:07:32 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id c202so4927864ybf.0 for <rats@ietf.org>; Mon, 15 Jul 2019 08:07:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qpu01AIuDxuoKSfmK9OTjd/EVl8/R4VJTndf9nQpPEI=; b=SCoMy9D4ZyA14oTc5gCFecPPndsHzPhdqCG5ujnPcLmrOtaN/nrK83ViXmzInnO+5t Q8GJqn44ZhND2WXozCfoOknKyAmQjddcLY9LB0UJ9mLfXZJcRIMmybpmDvgub/p3NKWZ PK1FtncVutrVbMTDJYnhQdq9qs+sYLjpcSu8emlxtpUkrJCvX/5e8nafMWoGyJRKKfKg b4BTi9BBAfo0rmuNAurUC3MUUllkMIE7q6PnmHAFw2tz859DdB1D6VggTe0IdCSV6nfq AzV2ZaPxWhrq+wmcuMSVYgpdsP08+XqXeQZle2wTzEqosYl5Te083otSgb1FIOg+prG6 CCpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qpu01AIuDxuoKSfmK9OTjd/EVl8/R4VJTndf9nQpPEI=; b=t5ohP+xf1pgyQQAJVzEr39cWC8G4yIFPJBKLOAgmJaOV78BFqPyKBBH1Cc28X1N0jo SZxzJCfcRoG8hps/7w6KDKWjN/+JDeccjTzO5NLSd7aKNg5TtC5z2Q4zZ1umdnSvb6yh hNtAv2mdyuCOp+GPCB3Tu3OlOtDCudsS90dHaUlHF5pl0zKZ6+BzdMwH/NC4mx74was3 YSakmQoR20ejIJt7AZo512O0IqLrWeAseFTIn8pwARIht1h5Q2ffeb23iwGXx1y04JCv gDQqUDt8tb1IO9RnvWk+64VwRyWrCw8L60DxICCjbRrTAHQqG77hO8YEGM5kGBo/O86v KG9w==
X-Gm-Message-State: APjAAAXK/PVuwTiOYSMvpSWc9FGfHp4GGHRFYohHvFK9Hq6oghecTIJg iJT7L6rH5ttu5EqNo/UkUq6Ou0E9562EMjP72Qw=
X-Google-Smtp-Source: APXvYqyXRktint7j4K4rTEkyYd5N/2AVvRoMN6+G4Q3okbNBlh/OcLN3xLUJE1lhGY3C0qWj75uM0fTaGPzqfdE9/zU=
X-Received: by 2002:a25:d252:: with SMTP id j79mr18000994ybg.236.1563203251374; Mon, 15 Jul 2019 08:07:31 -0700 (PDT)
MIME-Version: 1.0
References: <0189ed44bcf749c18e9b6612b2728553@oc11expo23.exchange.mit.edu> <8C52026F-A4D1-4CA5-901A-C20CC2396DF5@ri.se> <20190713023817.GU16418@mit.edu> <CAN40gSuge3=-dKTtUz2bWVTzBDX0rqmr1sj=NT_-OVRH90o=9A@mail.gmail.com> <E7299F99-54D4-47FA-A439-F1D8CB7D1353@intel.com>
In-Reply-To: <E7299F99-54D4-47FA-A439-F1D8CB7D1353@intel.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Mon, 15 Jul 2019 11:07:18 -0400
Message-ID: <CAN40gSskcq_RxXhD2Z3y+rJ7icW0EZg25VLsaUdVihC2nejViw@mail.gmail.com>
To: "Smith, Ned" <ned.smith@intel.com>, Ira McDonald <blueroofmusic@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Nicolae Paladi <nicolae.paladi@ri.se>, "henk.birkholz@sit.fraunhofer.de" <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>, Thomas Hardjono <hardjono@mit.edu>, "monty.wiseman@ge.com" <monty.wiseman@ge.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="000000000000828e2e058db99e7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/TC_4tyYbYiZ792htb-cni2d6E1M>
Subject: Re: [Rats] Comments on draft-birkholz-rats-architecture-01
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 15:07:36 -0000
Hi Ned, Perhaps in the RATS context we don't have to have this (side) discussion about the use/definition of the word trustworthy... For access at the datalink (device joining a network via an Access Point), perhaps you could consider "trustworthy" as binary. Although even later TCG TNC and IETF NEA didn't - they distinguished which logical subnet you got access to according to the quality of your posture information. For access to a service (e.g., financial or medical), certainly "trustworthy" is not binary. Service access and transaction authorization are dynamic contexts for "trustworthy" - banks and credit card companies make a new decision about relative degree of "trustworthiness" for every transaction. Cheers, - Ira Ira McDonald (Musician / Software Architect) Co-Chair - TCG Trusted Mobility Solutions WG Co-Chair - TCG Metadata Access Protocol SG Chair - Linux Foundation Open Printing WG Secretary - IEEE-ISTO Printer Working Group Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG IETF Designated Expert - IPP & Printer MIB Blue Roof Music / High North Inc http://sites.google.com/site/blueroofmusic http://sites.google.com/site/highnorthinc mailto: blueroofmusic@gmail.com PO Box 221 Grand Marais, MI 49839 906-494-2434 On Mon, Jul 15, 2019 at 10:07 AM Smith, Ned <ned.smith@intel.com> wrote: > I think both perspectives are correct. If the context of evaluation is an > access decision then trust is binary. If the context is analytics, logging > or risk management then trust is (can be) probabilistic. > > > > The relying party has the necessary context. The main objective for RATS > is to define Attester-Verifier interactions. > > > > I’m just wondering, for the purposes of RATS architecture, if we need to > resolve this question now? > > > > On 7/13/19, 7:11 AM, "Ira McDonald" <blueroofmusic@gmail.com> wrote: > > > > Hi, > > > > About binary "trustworthy". > > > > This is a fundamental fallacy. Neither "trustworthy" > > nor "secure" are *ever* binary. That's basic to the > > security by design approach. > > > > Cheers, > > - Ira > > > > Ira McDonald (Musician / Software Architect) > Co-Chair - TCG Trusted Mobility Solutions WG > > Co-Chair - TCG Metadata Access Protocol SG > > Chair - Linux Foundation Open Printing WG > Secretary - IEEE-ISTO Printer Working Group > Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG > IETF Designated Expert - IPP & Printer MIB > Blue Roof Music / High North Inc > http://sites.google.com/site/blueroofmusic > http://sites.google.com/site/highnorthinc > mailto: blueroofmusic@gmail.com > PO Box 221 Grand Marais, MI 49839 906-494-2434 > > > > > > On Fri, Jul 12, 2019 at 10:38 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > > Cherry-picking one point... > > On Mon, Jul 08, 2019 at 02:44:56PM +0000, Nicolae Paladi wrote: > > Hello, > > > > Some comments on draft-birkholz-rats-architecture-01< > https://tools.ietf.org/html/draft-birkholz-rats-architecture-01> > > > [...] > > 7.1.1< > https://tools.ietf.org/html/draft-birkholz-rats-architecture-01#section-7.1.1>. > How the RATS Architecture Addresses the Lying Endpoint Problem > > > > > > > > > > > > RATS imply the involvement of at least two players (roles) who seek > > to overcome the lying endpoint problem. The Verifier wishes to > > consume application data supplied by a Computing Context. But before > > application data is consumed, the Verifier obtains Attestation > > Evidence about the Computing Context to assess likelihood of poisoned > > data due to endpoint compromise or failure. Remote Attestation > > argues that a systems's integrity characteristics should not be > > believed until rationale for believability is presented to the > > relying party seeking to interact with the system. > > > > “Likelihood” implies a probabilistic approach to trustworthiness (e.g. > 42% likelihood of poisoned data”). Is that really feasible? And if so, is > it actually of any use? IMO trustworthiness is binary (“trustworthy or not > trustworthy”), or binary and conditional/contextual (“trustworthy if used > for certain actions”). > > My personal thinking here is along the lines of "this data makes me > confident that only someone who was able to subvert my supply chain and > surreptitiously replace the TPM chip in the sealed device delivered to me > would be able to forge the attestation evidence; I don't think I'm the > target of such an attack, so there's a low likeliyhood of endpoint > compromise". Or, as James Mickens put it more glibly in > https://www.usenix.org/system/files/1311_05-08_mickens.pdf there's a > Mossad/not-Mossad distinction in the potential attackers, and if the Mossad > is a threat, you're gonna be Mossad'ed upon no matter what you do. > > -Ben > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats > >
- [Rats] Comments on draft-birkholz-rats-architectu… Thomas Hardjono
- Re: [Rats] Comments on draft-birkholz-rats-archit… Nicolae Paladi
- Re: [Rats] Comments on draft-birkholz-rats-archit… Benjamin Kaduk
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Laurence Lundblade
- Re: [Rats] Comments on draft-birkholz-rats-archit… Nicolae Paladi
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Smith, Ned
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Adrian Shaw
- Re: [Rats] Comments on draft-birkholz-rats-archit… Laurence Lundblade