IETF Logo Mail Archive

Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?

Ira McDonald <blueroofmusic@gmail.com> Fri, 03 July 2020 18:33 UTC

Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C453A3A0D33 for <rats@ietfa.amsl.com>; Fri, 3 Jul 2020 11:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9eyLp55o06V for <rats@ietfa.amsl.com>; Fri, 3 Jul 2020 11:33:53 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACB333A0D32 for <rats@ietf.org>; Fri, 3 Jul 2020 11:33:53 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id o15so17527188vsp.12 for <rats@ietf.org>; Fri, 03 Jul 2020 11:33:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o5yM9wYKR+q5EirDe/7gHFFLT50Sd5DY0srDoSkRYTk=; b=RzPSvoCnf77nuiuw/L/NP5GkW5ExRXxUu5jTvvsaoAoiDbDYgK1QOoEFYG1nDz6eYx BoGJFc6pQMAinwdPkgcEOrplAj93xjJpL6O4GxmGhDigWTaxrS0o5DMAC7cYnYO9OVDn ACQu6Plxeh9LomYsPOQjs0WB9SDEVMSupwOGBnacEnFXOu1HEFKnub2JfxMmK7YfmX6w CnI3yYFVwvzDfKcnGSF7o1ymeUrYLYG/cdgU7ms8QMY1+/lD5cVXD9rEGDW8pjtP3kpB XHuVU6Naf8gZXiK1j/Tl2qyPBZF/s/n7UGayAo5IAFq6rxNoVEDnGuKjiKLkVL/KF6w0 BQcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o5yM9wYKR+q5EirDe/7gHFFLT50Sd5DY0srDoSkRYTk=; b=qnyfSJm87AooEeBPDCf+887KLJvZcrVu7+tm2vS++IoBvF6YKg8PuTaEAgYQgH9TGn JyBQu4vvN959ijWbHij+cRVarQMhUQYX+vIrUrKMbU0VukkegqaHlQQHvVmf5OlEgw+5 FgCq0eVWWoZiMejjb4wny1XBTRVD8Z2n/LkUiAHThL7y0x+ujWGg0vyM6+0i8HKRLaqF k66WUbumzH9b3XPCm013stJUkHttsFvbaEe7HfGI7/DICteYk2uKg4fYXD8QfN3iY4Fj 7WOjbNhHPSZ1/TQiE8DYFVKPbeJRqyv8+4J3w1voyiW6yphWHnxV9p8qQapAuzZU23SR paYQ==
X-Gm-Message-State: AOAM532w3n8Zp6cNNdfTdPera0iySt1YkgKJ4czH+wJcRERMp2TVtUyc 9uQRlm9LEAsLaPdnKM8RYxxjDNNg7cROnxjEnM0=
X-Google-Smtp-Source: ABdhPJwcOWhrca3EAmZeWdBUzhbe96MM9KupvC7d6yv3N9qX/ayI0HFLXWZLH4Tnb1qGijQN00TmtOq0iRrq4Ftpm7Q=
X-Received: by 2002:a67:f3cd:: with SMTP id j13mr25775195vsn.40.1593801232548; Fri, 03 Jul 2020 11:33:52 -0700 (PDT)
MIME-Version: 1.0
References: <ietf-rats-wg/architecture/issues/116@github.com> <28098.1593568476@localhost> <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com>
In-Reply-To: <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Fri, 03 Jul 2020 14:33:39 -0400
Message-ID: <CAN40gStqDh2wDWmJkp5kmk5RxVK8ftTOJczW26OECYVAQYZEjw@mail.gmail.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>, Ira McDonald <blueroofmusic@gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004f07e205a98dc48d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/TIdD5j0u2t-jhd-1cXUh313IcLA>
Subject: Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 18:33:56 -0000

Hi Thomas,

+1

Only the Attester (with advice from the real human owner/user and/or system
administrator) can decide what is actually PII.  Various standards and
regulations
have failed miserably to crisply define what is PII.

Cheers,
- Ira


*Ira McDonald (Musician / Software Architect)Co-Chair - TCG Trusted
Mobility Solutions WG*

*Co-Chair - TCG Metadata Access Protocol SG*








*Chair - Linux Foundation Open Printing WGSecretary - IEEE-ISTO Printer
Working GroupCo-Chair - IEEE-ISTO PWG Internet Printing Protocol WGIETF
Designated Expert - IPP & Printer MIBBlue Roof Music / High North
Inchttp://sites.google.com/site/blueroofmusic
<http://sites.google.com/site/blueroofmusic>http://sites.google.com/site/highnorthinc
<http://sites.google.com/site/highnorthinc>mailto: blueroofmusic@gmail.com
<blueroofmusic@gmail.com>(permanent) PO Box 221  Grand Marais, MI 49839
906-494-2434*


On Fri, Jul 3, 2020 at 5:21 AM Thomas Fossati <Thomas.Fossati@arm.com>
wrote:

> Hi Michael,
>
> Thanks for raising and articulating this point.
>
> On 01/07/2020, 02:54, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
> > I had asked in my aside, if the *ARCHITECTURE* document should create
> > a requirement on Evidence (such as EAT) that it should *explicitly*
> > flag when it contains PII.
> >
> > [...]
> >
> > So part of my question was should we debate this now, and make this an
> > architectural requirement for all containers?
>
> Personally, I am not convinced that an in-band pii flag is needed.
>
> On the Attester side, the privacy problem can be addressed by an
> attestation API that allows the caller to selectively turn off claims
> that are PII -- either with per-claim switches, or by presenting
> pre-canned PII-revealing and PII-hiding interfaces to the Evidence
> generation service. We expect the attesting endpoint to make the right
> decision about what can be hidden and what needs to be revealed
> depending on context.
>
> On the Verifier side, I'd expect that the log/audit anonymisation and
> retention policies for Evidence are an integral part of the service
> configuration.  So, no need for an in-band signal about what is to be
> considered PII since the Verifier is going to be made aware of it by
> some out-of-band means.
>
> That leaves the RP, which I'm not fully sure about.  However, my gut
> feeling is that the Attester will have to trust the RP to do the right
> thing since no in-band pii flag will ever be able to restrict what a
> malicious RP can do with the obtained PII.
>
> Am I missing anything?
>
> cheers, t
>
> PS: Maybe there is a requirement for EAT profiles to specify in their
> privacy considerations what claims are PII and what is the expected
> treatment by actors in the attestation chain.  This is EAT's job, not at
> the architecture doc level though.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>

v2.23.0 | Report a Bug | By Email