[Rats] Re: Hint Discussion in CSR Attestation Draft

Carl Wallace <carl@redhoundsoftware.com> Mon, 24 June 2024 15:05 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF5FCC14F70B for <rats@ietfa.amsl.com>; Mon, 24 Jun 2024 08:05:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAMn3EiSPC0r for <rats@ietfa.amsl.com>; Mon, 24 Jun 2024 08:05:42 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C295AC14F5EB for <rats@ietf.org>; Mon, 24 Jun 2024 08:05:42 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id af79cd13be357-795502843ccso242107785a.1 for <rats@ietf.org>; Mon, 24 Jun 2024 08:05:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; t=1719241541; x=1719846341; darn=ietf.org; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent:from:to:cc :subject:date:message-id:reply-to; bh=VhBnWTu7SFEjX549gCSR7Xr86WJPI+KR5Mc+dR2mWGs=; b=VklJ0trPe2l0jKDy2F504QDO0hBA1ozm8R81+N/PTYc+hFZQnVYVPgY3eF5YQ4pZ1E a9pvgSwbqsPN3NsAZqr5ga7g8P8VXQCvNegCozHSy146/JuAMDuC57D7UMGIs4Wuelf7 xPN6Z4TAF77o9/qKpRppXygG+7MiyQ07MpcR8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719241541; x=1719846341; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VhBnWTu7SFEjX549gCSR7Xr86WJPI+KR5Mc+dR2mWGs=; b=on4xL/u93mQ+/r7RCVU0TUD0WdXPAn/vjYbmNbazn2PhOX1GAnA+tyM6FlTsuTmc1O Xa0J+PWHdqBiEcUNpTOwr1pbzJk3nZPYNvjGfgvmWV1AwxeVD0Rl8YGiQp/6i6Y3ZSUs kW8TCRlW8R0ODwh1bNnxCh+AI+WUaxKt/XUG9ufPTxXKaT7WOxMqXa3e+znZ85DL6+8T pb7of09qe6M8D2UjOPnGd2afmiN5LWVRdB5DzSTLKg+yIY5B2b0cZIfDCezkO2G5Ufnw YFxSOqP5/FrKiDl8SucsIQWArBUiyR6I2wZDD3XLs3d9/Ko3J+M04Bu+v6IVfL7VlO++ Gxzw==
X-Forwarded-Encrypted: i=1; AJvYcCVc0akYJwxkoTSfOtBjda4y+76oRu3oA4SFrpC2Lq6Fjkpup0l6Xo4zmLQcXxx0qsgQUZ0LGqFcTX/T1RrR
X-Gm-Message-State: AOJu0YzBhRmkiccSn8sBJNqwTjCRhjbnWElZneBgE6syoZ4zUQPRJQz2 Of0uI73cjRZ5TpH7+XURFzzdmgLPASohkvKnYkHlFzRJ4ve2+bo7M1wPxyJLyqw=
X-Google-Smtp-Source: AGHT+IHUXs6YRb646FgVFgU+BORcH2+zWpyA3JZmfHqWG8qr9V16VcqdbydxYF+CsaLXiSZeK7zCBQ==
X-Received: by 2002:ad4:4593:0:b0:6b0:5aa6:9996 with SMTP id 6a1803df08f44-6b5363edb28mr52397916d6.24.1719241541296; Mon, 24 Jun 2024 08:05:41 -0700 (PDT)
Received: from [192.168.4.77] (pool-96-255-232-167.washdc.fios.verizon.net. [96.255.232.167]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6b52d28dba1sm24616986d6.88.2024.06.24.08.05.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Jun 2024 08:05:40 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.86.24061443
Date: Mon, 24 Jun 2024 11:05:39 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
Message-ID: <E731B8AD-99BA-47BD-8C5D-2752F89FC8FF@redhoundsoftware.com>
Thread-Topic: [Rats] Re: Hint Discussion in CSR Attestation Draft
References: <AS8PR10MB742727BFEC71CB78468FB0E7EECD2@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <0145e095-e684-d2ee-58d5-41aee54a4b3b@ietf.contact> <2627.1718830718@obiwan.sandelman.ca> <FB01F359-84F4-4AAD-82F7-1CF2356DCD4B@redhoundsoftware.com> <CAObGJnO6bn5xEpqPxc46HRh3v2BnmxbE0YXwfNv9BtQnNV9Mag@mail.gmail.com> <E7968891-2903-4A53-8A8C-060BFBE349AA@redhoundsoftware.com> <12592.1719171268@obiwan.sandelman.ca>
In-Reply-To: <12592.1719171268@obiwan.sandelman.ca>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Message-ID-Hash: LHXL4WXPJHIWB36B5RLQTXCYDAMVMSCV
X-Message-ID-Hash: LHXL4WXPJHIWB36B5RLQTXCYDAMVMSCV
X-MailFrom: carl@redhoundsoftware.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: Hint Discussion in CSR Attestation Draft
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/UpsBiaus-kRqVOfOgCyfCsygaCI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Inline replying to MCR and Hannes' subsequent reply...

On 6/23/24, 3:34 PM, "Michael Richardson" <mcr+ietf@sandelman.ca <mailto:mcr+ietf@sandelman.ca>> wrote:




Thomas Fossati wrote:
ts> You wouldn't. The hint is a routing label that is used by the relying
ts> party to decide which verifier to contact for handling this specific
ts> piece of attestation evidence. When evidence reaches the verifier the
ts> hint is no more.


Carl Wallace <carl@redhoundsoftware.com <mailto:carl@redhoundsoftware.com>> wrote:


CW> OK, so relying party, not verifier. How would the relying party use a
CW> "free form" label to route anything?


I admit that I'm not keen about the free-form-ness of the hint.


I guess I'd rather it was specified as a URI, with ni:, or something like
that being the default string-like thing that one just strcmp() against a
configuration file. That way, once we figure out what we really want,
intepreting it as a URI will already be established.

[CW] This may or may not hold depending on how "what we really want" shakes out. This is why I suggested earlier just sticking an extensibility point here instead of the current hint field. Assuming the free-form aspect is eliminated, there needs to be some new text added to inform what state the generator is expected to have and what state the relying party is expected to have to work with this field (i.e., baked in values, configuration file, etc.).

(I see in the URI list, no uuid:, but also secondlife: ha)






--
Michael Richardson <mcr+IETF@sandelman.ca <mailto:mcr+IETF@sandelman.ca>> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide