Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?
Ira McDonald <blueroofmusic@gmail.com> Fri, 03 July 2020 18:33 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C453A3A0D33 for <rats@ietfa.amsl.com>; Fri, 3 Jul 2020 11:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9eyLp55o06V for <rats@ietfa.amsl.com>; Fri, 3 Jul 2020 11:33:53 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACB333A0D32 for <rats@ietf.org>; Fri, 3 Jul 2020 11:33:53 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id o15so17527188vsp.12 for <rats@ietf.org>; Fri, 03 Jul 2020 11:33:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o5yM9wYKR+q5EirDe/7gHFFLT50Sd5DY0srDoSkRYTk=; b=RzPSvoCnf77nuiuw/L/NP5GkW5ExRXxUu5jTvvsaoAoiDbDYgK1QOoEFYG1nDz6eYx BoGJFc6pQMAinwdPkgcEOrplAj93xjJpL6O4GxmGhDigWTaxrS0o5DMAC7cYnYO9OVDn ACQu6Plxeh9LomYsPOQjs0WB9SDEVMSupwOGBnacEnFXOu1HEFKnub2JfxMmK7YfmX6w CnI3yYFVwvzDfKcnGSF7o1ymeUrYLYG/cdgU7ms8QMY1+/lD5cVXD9rEGDW8pjtP3kpB XHuVU6Naf8gZXiK1j/Tl2qyPBZF/s/n7UGayAo5IAFq6rxNoVEDnGuKjiKLkVL/KF6w0 BQcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o5yM9wYKR+q5EirDe/7gHFFLT50Sd5DY0srDoSkRYTk=; b=qnyfSJm87AooEeBPDCf+887KLJvZcrVu7+tm2vS++IoBvF6YKg8PuTaEAgYQgH9TGn JyBQu4vvN959ijWbHij+cRVarQMhUQYX+vIrUrKMbU0VukkegqaHlQQHvVmf5OlEgw+5 FgCq0eVWWoZiMejjb4wny1XBTRVD8Z2n/LkUiAHThL7y0x+ujWGg0vyM6+0i8HKRLaqF k66WUbumzH9b3XPCm013stJUkHttsFvbaEe7HfGI7/DICteYk2uKg4fYXD8QfN3iY4Fj 7WOjbNhHPSZ1/TQiE8DYFVKPbeJRqyv8+4J3w1voyiW6yphWHnxV9p8qQapAuzZU23SR paYQ==
X-Gm-Message-State: AOAM532w3n8Zp6cNNdfTdPera0iySt1YkgKJ4czH+wJcRERMp2TVtUyc 9uQRlm9LEAsLaPdnKM8RYxxjDNNg7cROnxjEnM0=
X-Google-Smtp-Source: ABdhPJwcOWhrca3EAmZeWdBUzhbe96MM9KupvC7d6yv3N9qX/ayI0HFLXWZLH4Tnb1qGijQN00TmtOq0iRrq4Ftpm7Q=
X-Received: by 2002:a67:f3cd:: with SMTP id j13mr25775195vsn.40.1593801232548; Fri, 03 Jul 2020 11:33:52 -0700 (PDT)
MIME-Version: 1.0
References: <ietf-rats-wg/architecture/issues/116@github.com> <28098.1593568476@localhost> <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com>
In-Reply-To: <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Fri, 03 Jul 2020 14:33:39 -0400
Message-ID: <CAN40gStqDh2wDWmJkp5kmk5RxVK8ftTOJczW26OECYVAQYZEjw@mail.gmail.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>, Ira McDonald <blueroofmusic@gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004f07e205a98dc48d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/TIdD5j0u2t-jhd-1cXUh313IcLA>
Subject: Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 18:33:56 -0000
Hi Thomas, +1 Only the Attester (with advice from the real human owner/user and/or system administrator) can decide what is actually PII. Various standards and regulations have failed miserably to crisply define what is PII. Cheers, - Ira *Ira McDonald (Musician / Software Architect)Co-Chair - TCG Trusted Mobility Solutions WG* *Co-Chair - TCG Metadata Access Protocol SG* *Chair - Linux Foundation Open Printing WGSecretary - IEEE-ISTO Printer Working GroupCo-Chair - IEEE-ISTO PWG Internet Printing Protocol WGIETF Designated Expert - IPP & Printer MIBBlue Roof Music / High North Inchttp://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic>http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc>mailto: blueroofmusic@gmail.com <blueroofmusic@gmail.com>(permanent) PO Box 221 Grand Marais, MI 49839 906-494-2434* On Fri, Jul 3, 2020 at 5:21 AM Thomas Fossati <Thomas.Fossati@arm.com> wrote: > Hi Michael, > > Thanks for raising and articulating this point. > > On 01/07/2020, 02:54, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote: > > I had asked in my aside, if the *ARCHITECTURE* document should create > > a requirement on Evidence (such as EAT) that it should *explicitly* > > flag when it contains PII. > > > > [...] > > > > So part of my question was should we debate this now, and make this an > > architectural requirement for all containers? > > Personally, I am not convinced that an in-band pii flag is needed. > > On the Attester side, the privacy problem can be addressed by an > attestation API that allows the caller to selectively turn off claims > that are PII -- either with per-claim switches, or by presenting > pre-canned PII-revealing and PII-hiding interfaces to the Evidence > generation service. We expect the attesting endpoint to make the right > decision about what can be hidden and what needs to be revealed > depending on context. > > On the Verifier side, I'd expect that the log/audit anonymisation and > retention policies for Evidence are an integral part of the service > configuration. So, no need for an in-band signal about what is to be > considered PII since the Verifier is going to be made aware of it by > some out-of-band means. > > That leaves the RP, which I'm not fully sure about. However, my gut > feeling is that the Attester will have to trust the RP to do the right > thing since no in-band pii flag will ever be able to restrict what a > malicious RP can do with the obtained PII. > > Am I missing anything? > > cheers, t > > PS: Maybe there is a requirement for EAT profiles to specify in their > privacy considerations what claims are PII and what is the expected > treatment by actors in the attestation chain. This is EAT's job, not at > the architecture doc level though. > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] should Evidence containers be explicit abo… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Thomas Fossati
- Re: [Rats] should Evidence containers be explicit… Ira McDonald
- Re: [Rats] should Evidence containers be explicit… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Thomas Fossati
- Re: [Rats] should Evidence containers be explicit… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Thomas Fossati
- Re: [Rats] should Evidence containers be explicit… Laurence Lundblade
- Re: [Rats] should Evidence containers be explicit… Ira McDonald