[Rats] Re: Security considerations of remote attestation (RFC9334)

Henk Birkholz <henk.birkholz@ietf.contact> Thu, 30 January 2025 11:52 UTC

Return-Path: <henk.birkholz@ietf.contact>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8B9C151084 for <rats@ietfa.amsl.com>; Thu, 30 Jan 2025 03:52:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.459
X-Spam-Level:
X-Spam-Status: No, score=-2.459 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.355, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ietf.contact
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M13e7JDTFIEY for <rats@ietfa.amsl.com>; Thu, 30 Jan 2025 03:52:06 -0800 (PST)
Received: from smtp06-ext.udag.de (smtp06-ext.udag.de [62.146.106.76]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2410C14F6A1 for <rats@ietf.org>; Thu, 30 Jan 2025 03:52:05 -0800 (PST)
Received: from [IPV6:2a01:599:411:47d2:106a:d8cb:3bdf:72d5] (tmo-100-55.customers.d1-online.com [80.187.100.55]) by smtp06-ext.udag.de (Postfix) with ESMTPA id 960B2E02B1; Thu, 30 Jan 2025 12:52:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ietf.contact; s=uddkim-202310; t=1738237924; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lRtMbAL9ZK6RPggu2nNxINwvNm7/6xH3v5kAxrOB1AQ=; b=wxgvflk1eYBqQbKs4xFXl5cBqAOa1DHuJfSBkCXmoXeWRISlUBFZkPQnjwUvd2Q/E0/ckm 2Alv3x3Jk/C3m8tR4/j/ruHNfvNl6x2ZQlGg7bQvKMVavzliAmyKQYgAHfO0vhtFs96JWW +HQyVK46hnkTespCAVG1rWrkStJKgYkCMQtKlc2auFoD34xLPDCJALCsuauzhDRf5HzWtP OWss8NnF4MkOxGPQdBSQOk5DC1tPprqlgSFMbvdI0XOtuG62VrJNUxf5xe9hjA+wgh98a3 Ye7L6n+4LtmtR6hCCHK88ngZoigVQJwjjLrE/9/nEAWjJARaX9is0r3SZrC09w==
Message-ID: <cc3990dd-f5ec-273f-abfd-dde3acd54c23@ietf.contact>
Date: Thu, 30 Jan 2025 12:52:03 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: "Smith, Ned" <ned.smith@intel.com>, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <4ffdd034-05ec-4565-9cad-b40ff82f83fc@tu-dresden.de> <57ff8532-ffa7-4dfc-8f51-2bb8764e4a25@gmail.com> <0bf9fa63-3d3e-47fc-b757-d7f8c0d3fa9c@tu-dresden.de> <8f765ee8-08e4-4fd6-9362-aee70e0b09fc@gmail.com> <CO1PR11MB5169C33046305CE096FEA36DE51C2@CO1PR11MB5169.namprd11.prod.outlook.com> <003f6611-efd4-4b41-8bd8-a1e8d89dab8a@tu-dresden.de> <2753ea96e5c842e2832b68e762638760@huawei.com> <2ce75ea8-791b-4d42-be64-326309b70fbe@tu-dresden.de> <CO1PR11MB5169293FDD81C96F542A4D91E5E32@CO1PR11MB5169.namprd11.prod.outlook.com> <4fe69a8b-ff45-45c3-88f1-59bf22c4d185@tu-dresden.de> <CAHbuEH6+A9z2P2mK1mUJUMCkC5VbawU5B09k6s1pm0YwXJygEQ@mail.gmail.com> <775705ed-44d3-8c67-198d-1b6363892793@ietf.contact> <210cc843-b50c-4115-ac6e-c12e9f45461f@tu-dresden.de> <e4a7dc89-57d8-1817-5673-c44721a9d959@ietf.contact> <554d067d-7660-4c10-b98b-79921dec1326@tu-dresden.de> <c91a4168-680e-1932-60b8-3828be35ca34@ietf.contact> <CO1PR11MB5169B2854A7EA62D198C8FFCE5EE2@CO1PR11MB5169.namprd11.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@ietf.contact>
In-Reply-To: <CO1PR11MB5169B2854A7EA62D198C8FFCE5EE2@CO1PR11MB5169.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: smtp06-ext.udag.de; auth=pass smtp.auth=henk.birkholz@ietf.contact smtp.mailfrom=henk.birkholz@ietf.contact
Message-ID-Hash: WU3GR4UCSKKLAIY6X7OFTYGQTG5K7VXU
X-Message-ID-Hash: WU3GR4UCSKKLAIY6X7OFTYGQTG5K7VXU
X-MailFrom: henk.birkholz@ietf.contact
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Panwei (William)" <william.panwei@huawei.com>, John Kemp <stable.pseudonym@gmail.com>, "rats@ietf.org" <rats@ietf.org>, Dave Thaler <dthaler1968@googlemail.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: Security considerations of remote attestation (RFC9334)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/UtJW06cvetg28rnXrCQVUAK1hjc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Kathleen,
hi Ned,

I'd like to start with a disclaimer that I am not trying to be 
difficult, but careful.

On 24.01.25 19:46, Kathleen Moriarty wrote:
> I think we can drop this unless we plan to include a statement about 
> authentication in association to attestation and there are plenty of 
> times where you will use both together and many where they will be 
> distinct.
> I am not certain how that statement aligns with:
> https://datatracker.ietf.org/liaison/1897/

In particular with the following quote from that IAB statement:> one 
particular concern is refusing access to open-source or
> customized software by web servers that otherwise don’t require any client
> authentication

I might be wrong, but as an individual I read this as an IAB concern 
that remote attestation without authentication poses certain risks. When 
I read your statement, then what I think you are saying is that remote 
attestation could be realized without authentication of the involved 
RATS roles and I am uncertain how that would work in practice or how 
that would align with the IAB statement.

Please let me highlight again that this might just be confusion on my 
part - but I'd feel better, if I understood why Dave's principle is 
dangerous taking into account the highlighted context.


Viele Grüße,

Henk

On 29.01.25 22:14, Smith, Ned wrote:
>> I am pretty sure that nobody intended to start an axiomatic proof
> 
> I think this is true.
> 
> I think Usama is trying to map the various hand-wavey statements (that 
> weren’t trying to be expressed in a way that makes sense for formal 
> methods) into something that is meaningful to formal methods. But maybe 
> Usama / others who are familiar with formal methods could show their 
> work so to speak and explain where the various statements fall apart, 
> but more importantly, what would a statement look like that is useful?
> 
> -Ned
> 
> On 1/27/25, 02:29, "Henk Birkholz" <henk.birkholz@ietf.contact> wrote:
> 
> Hi Usama,
> 
> of course I might be wrong, but I feel pretty confident saying that Dave
> and Ned meant:
> 
> "if you have an authentication procedure in Internet protocols, in
> principle you can augment that with remote attestation."
> 
> I am pretty sure that nobody intended to start an axiomatic proof with
> that. Dave and/or Ned, please tell me, if I am wrong.
> 
> 
> Viele Grüße,
> 
> Henk
> 
> On 24.01.25 20:03, Muhammad Usama Sardar wrote:
>> Sorry but mathematically the three statements are quite different. 
>> Please see inline.
>> 
>> On 24.01.25 18:38, Henk Birkholz wrote:
>>> Hi Usama,
>>>
>>> the text you quote is me paraphrasing Dave who was quoted by Ned 
>>> recently.
>>>
>>> As reference:
>>>
>>> A quote from Dave here (for quote attribution):
>>>> https://mailarchive.ietf.org/arch/msg/rats/5343t-tb2Fam-i663H1kh5oQuMk/ 
> <https://mailarchive.ietf.org/arch/msg/rats/5343t-tb2Fam-i663H1kh5oQuMk/>
>>>
>> Dave says "Every authentication use case is an attestation use case."
>>> A quote from Ned where he restated Dave:
>>>> https://mailarchive.ietf.org/arch/msg/rats/5UUvmi8lHLuyq4fthLK1MJO41YM 
> <https://mailarchive.ietf.org/arch/msg/rats/5UUvmi8lHLuyq4fthLK1MJO41YM>
>>>
>> 
>> Ned says: "Dave Thaler observed at the outset of RATS that every authentication use case is potentially also an attestation use case."
>> 
>> With "potentially", this is a much weaker statement than what Dave 
>> originally said. If you follow the responses, I already disagreed to 
>> that as well. [1]
>> 
>>> A quote from Kathleen where she disagreed with Dave's statement:
>>>> https://mailarchive.ietf.org/arch/msg/rats/pH77KM4gCHZ7_DENXPhoKWnL5NI 
> <https://mailarchive.ietf.org/arch/msg/rats/pH77KM4gCHZ7_DENXPhoKWnL5NI>
>>>
>> And your paraphrasing
>> 
>>  > "every authentication procedure can be augmented with a remote 
>> attestation procedure"
>> 
>> is yet quite different from above 2 statements, showing that the two 
>> procedures are kind of complementary rather than one being stronger than 
>> the other.
>> 
>> [1] https://mailarchive.ietf.org/arch/msg/rats/Hkajhpd4PI1y2l-VL6jgvBt4__g/ 
> <https://mailarchive.ietf.org/arch/msg/rats/Hkajhpd4PI1y2l-VL6jgvBt4__g/>
>> 
>> 
>> 
>> 
>> _______________________________________________
>> RATS mailing list -- rats@ietf.org
>> To unsubscribe send an email to rats-leave@ietf.org
> 
> _______________________________________________
> RATS mailing list -- rats@ietf.org
> To unsubscribe send an email to rats-leave@ietf.org
> 
> 
> _______________________________________________
> RATS mailing list -- rats@ietf.org
> To unsubscribe send an email to rats-leave@ietf.org