IETF Logo Mail Archive

Re: [Rats] About (E)UID's

Laurence Lundblade <lgl@island-resort.com> Fri, 07 February 2020 12:14 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E03EA120844 for <rats@ietfa.amsl.com>; Fri, 7 Feb 2020 04:14:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e3OvtKcYJlmF for <rats@ietfa.amsl.com>; Fri, 7 Feb 2020 04:14:15 -0800 (PST)
Received: from p3plsmtpa11-08.prod.phx3.secureserver.net (p3plsmtpa11-08.prod.phx3.secureserver.net [68.178.252.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E735312083F for <rats@ietf.org>; Fri, 7 Feb 2020 04:14:14 -0800 (PST)
Received: from dii-102208.home ([79.168.9.213]) by :SMTPAUTH: with ESMTPA id 02WQjgz8ofcRI02WTj43rt; Fri, 07 Feb 2020 05:14:14 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <1C16DAA0-D03B-417C-894A-30C4015AEED7@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_13C9CEA7-6ECB-41AD-B631-22F91C2BB99A"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 07 Feb 2020 12:14:09 +0000
In-Reply-To: <8BDAAE2E-9803-4048-AD5B-59233708E6FB@akamai.com>
Cc: "rats@ietf.org" <rats@ietf.org>
To: "Salz, Rich" <rsalz@akamai.com>
References: <8BDAAE2E-9803-4048-AD5B-59233708E6FB@akamai.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-CMAE-Envelope: MS4wfDxi3WCL71lQcbimv6gwO5SP27hfRgRpj507MCIPMkyobBdnjs2PS4OEz4Kxg9cvwGN3lQzsgJPMkdh09Z6h2APCeNm3evE52ll/uz+PyhahIwiHj6h/ FRYU2f0Jbw9h0Vw7LIgPoYdtpBbJeeLunjWVyp/HvE5wCI4qCKqZEZQCRdiMxTFUm2Z9vt6ZJ8Hn4g==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/To2BNpSCE2_jKF9Un32pfYKL2P0>
Subject: Re: [Rats] About (E)UID's
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2020 12:14:17 -0000

While not stated overtly in the draft, UEIDs are intended to be the sole identifier needed to universally identify a device. This is to make life easiest for the relying party. They do not have to combine it with any other claims to uniquely identify a device. (Maybe I should add text explaining this)

This makes life simpler for the device maker and for us, as we don’t have to specify any rules that say what combination of claims must be used to get proper global uniqueness and device maker doesn’t have to figure how some system for uniqueness.

Generally, interdependency between claims seems like something to avoid for the sake of simplicity.

I’m reluctant to rely on public keys for anything but signature verification because I think we must support a variety of signing schemes some of which don’t have a typical public key. One of these will be HMAC for which there is no pubic key. Another is likely to be ECDAA or such where the verification key material is a bit more complex than a public key.

The vendor is also allowed to change signing schemes and the means of creating UEIDs in their manufacturing process.


Also, as described in the draft, the UEID as defined is very permanent. It never changes over the life of the device. Some of the UEID options are based on identifiers that are specifically not to change with owner, IMEI for example.

LL




> On Feb 6, 2020, at 4:34 PM, Salz, Rich <rsalz@akamai.com> wrote:
> 
> I made a proposal during yesterday’s interim about EUID’s and I want to explain it here in more detail to the whole WG. I have made some clarifications.
>  
> We need ID’s.  Laurence has done a lot of good analysis on how many bits an ID needs to be to accommodate various users, devices, etc.  The TL;DR is that 128bits seems good for the size for now and at least the short-term future.
>  
> I suggest that the UID stays at 128bits. But in order to compare UID’s, relying parties should consider an “expanded” UID, which includes the SHA2 signature of the public signing key. For most cases, the “small” UID of 128 bits is sufficient to put into data structures, transport on the wire, and so on. Applications which present “unsigned” UID’s should either include a “key context” element, containing the hash. If not present, receiving applications should consider treat the key-id part as the SHA2 hash of the single zero byte.
>  
> One feature of this, as pointed out on the call, is that when a device gets a new owner, the expanded UID changes.
>  
> Hope this is useful.
>  
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email