IETF Logo Mail Archive

[Rats] Early AD Review of draft-ietf-rats-architecture-13

Roman Danyliw <rdd@cert.org> Fri, 12 November 2021 21:15 UTC

Return-Path: <rdd@cert.org>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99BD93A11EA for <rats@ietfa.amsl.com>; Fri, 12 Nov 2021 13:15:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZciRWwnHlqC for <rats@ietfa.amsl.com>; Fri, 12 Nov 2021 13:15:27 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0104.outbound.protection.office365.us [23.103.209.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5A293A11E5 for <rats@ietf.org>; Fri, 12 Nov 2021 13:15:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=MK7E4A4tFvYDLisyVJs5hgonr6CE00jP5JWu95IY4DscY0xezvEvQr0QkkdUYkSaIW3vcCegje+KkBs0qIPSP3nf1KA+eGgvMMFUEdNUiSJvgDGci5hokBZPrGeO6Dx3M3UHghVlWA2C+kyLUcZ0bClptdYT6vjrEnSEKc2jzMCx8iRsLgkU56USiX4zZNJmcY1t+txBHhfP16p8lS1N+oQ5mgBoyDQA6ks1JWpwGNaTt+q5XCxVYjA3v/pWUW8JkPF2eOjVaQClb3zdqUFwOjWrZ2EYL2uqKO3xPZI3XPYux8hEyAeWyefz18C4P0J7Jv/PThKKsTjPCY0hU5Zy5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=wta0sICto+symNN/IdOzyJMxYfiC4KOUOjSO0t6Ub5c=; b=XuHH/jRXxzdmJGd/ZNZITE44He9AGcHAib3mBrs1FXpOuVfZM+odvUfi6/wfWCNxtIlRQ+kI6o+HSixhbCFH+kNFUSrrDVvJtWV05VsF9uHWYMv7XybyTIogMyQdOvATEj6+NRRJcij+pMODCrTgFLwix6U2fo1tHCWEE6qElqJeYnvWtF4HQjjaOm/202Y6WAYSF2qCL0U3bxCEzyWYtw4ZQs6UmT4oq8PWPzQ5hXaK8r4s0zNecG/az2t29KOhNq0RUOESg43tust4iIT+naz9N/Gnzs/FBOIUIbsAVBTwLl1zVuW+EokRu9Z1JT/lVyi6rM40EtvQcrRgmhPrYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wta0sICto+symNN/IdOzyJMxYfiC4KOUOjSO0t6Ub5c=; b=EPnqJ7VH5zEBOVyFSFla7T0DnMJ7qkVY2vY4lnNpR+KLmdSdgGr9PzGlFSBnnViPHHT7zu3wv4/PYiqsbn5yjQE/YBeUHHJeFHhtiY9igeYRTbxW1GqzbxyKcNTNHbr3RJurxMCzkeSZqxgDXyEDU3Q7b2fM9/9FKn+1ptziiOQ=
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:134::12) by BN1P110MB0722.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:135::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Fri, 12 Nov 2021 21:15:18 +0000
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f]) by BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f%6]) with mapi id 15.20.4649.017; Fri, 12 Nov 2021 21:15:18 +0000
From: Roman Danyliw <rdd@cert.org>
To: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: Early AD Review of draft-ietf-rats-architecture-13
Thread-Index: AdfYCZxMtFTuNirbSAybY3mQaaFnOg==
Date: Fri, 12 Nov 2021 21:15:18 +0000
Message-ID: <BN1P110MB093950BBE53B1AF523934E82DC959@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 58a0075d-6e4c-45b3-f7b6-08d9a6218737
x-ms-traffictypediagnostic: BN1P110MB0722:
x-microsoft-antispam-prvs: <BN1P110MB07226D8936C6D2A725AAD10FDC959@BN1P110MB0722.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zFKd+3fghfJ0yRM7/n1pjUSvF/Dvx19lh8Ec6wzLXSfyeE0j1WnS1n1CE1kYf1+KqCeEdQ4irN8WuTNb/Te6jG1NXnayEsgGjYTY0KUgFkUidmX4f73JVVFPZdc0SVllwV1d/3jJmqHc8+ue6peswFDkPaOJ9Ro4rEoatlNtU6TEW0uWhwQ5XXsluDjFCEPqzs80HAYSeDhlIcGgxXIgRYKNmSoCqVpVRi+enpmv4C1ziJ87BPcJsMij/0d85dJn0dhOYU59DuvY1r8J9hlLfDiZ2KHeVRjyHQjmQa85wXZUTur3AGgApnjkYALVOeXM2BM6Ns8rrXXm9ybhwZcKllQuDc7IzbYPQK6/PDWHWTRgy35PQInrFBf16t8zcBfauaAxMoXnvN3dGvUYpAtEdVCvfrGn0ZSfEV2ouosucTGBHqNjFj4s/KLAX80qTwa5cTTzFKpaztAWWhpcFirpl3qdrmMry7MN2xI+pMcV3x9l26RH3lXLdjOyuSuzcgJtD5f5Ja/QrIlrgfzcAM0Ym//6flhtj0divJ3HLza6siTxuuGtjtlchseh3eB780YFc9rwvNiAoEQOvYDyo7PggQ23BX8GGZyyeKX2qZtFhWgE2fmaEeOsKsdUS86yUIP6
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(30864003)(6506007)(52536014)(6916009)(86362001)(2906002)(26005)(66946007)(122000001)(186003)(9686003)(76116006)(83380400001)(5660300002)(38070700005)(55016002)(33656002)(66446008)(64756008)(82960400001)(38100700002)(8936002)(7696005)(66476007)(66556008)(8676002)(71200400001)(498600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: LZdlx1oG3KIgHGBW0RoEWDUjIuH7S1LpBuZYSHLxf5SC2x+uGeWXn+HVXjs5jH5WJB9eBO5wbJ4POFFt658IWlN+syr/7vF4RBkyeIXGD2XbqcG0YXXDcl1I/1n917Dx08xpwQ8WeyRT9ZirCrNn9ZYxDkOL08eu3NrUq8nXn1MjcdP8aqXUSOGgnFxYn0M7RQzp+oUPzRTWHPRsWL/s+c9Hj/9sWtHWvg5tUoEdm5ry4BWvFzSBVwUB62mz8z6iHRtSCZ0prX+mrQA94G8qk2tQlALTIg6gYgABhNLDBMap/eZ249cEL6dFzVDvO+oIcQ6pIrhMx5HDktNM7JI9U93353q+4jPBwAmUCDLYGAveDox4RcP3q604sFP9JhAj6exkiBOX1n0RpC50iwC3h0mQTG89iL32ql06N6g7oT5X1iC3HpJM43CUMgOyhRJulml1krDePjQ441awqf97FF4H0fvzKH50kWIrD1FNjBVp0AsGUEFOmtO2u0WhT970kH42PvluwgZ5I4n4COhgbRyV1iNwWMuD+/k49vedRlQBUa1fVgT+bYfg489YbdNDw87xinrGKwTK2q8v9lXgr1Yt20Ynu1GAIrw8tmyzge8EszQZP3Uetg1O5uq2WS60CI9yxwzRoHZqAWGX7kG+Y+5lURRfjIvvdlzAcdNCmW8SEwqE7m/0OUUQ0yPXrqhdOjA7KkN4wkv0LRFzQ+JAkbofFUZwGw5WBSMPHvhV/IU=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 58a0075d-6e4c-45b3-f7b6-08d9a6218737
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2021 21:15:18.2039 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0722
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/V0tee4ohWoSzR6xGqu92GXuZneA>
Subject: [Rats] Early AD Review of draft-ietf-rats-architecture-13
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 21:15:30 -0000

Hi!

I was asked after IETF 111 to perform an early AD review of draft-ietf-rats-architecture-13.  I'm a little late, but below is my feedback:

** Section 1.  
   Conversely, systems that cannot be attested and verified to be in a
   good state can be taken out of service, or otherwise flagged for
   repair.

I was a bit surprised that the reduced trust/access motivation was not directly mentioned here given that it's the underlying use case of the two examples in the next paragraph and in Section 2.  I would have said something to the effect of:

NEW
Conversely, systems that cannot be attested and verified to be in a good state can be given reduced access or privileges, taken out of service, or otherwise flagged for repair.

** Section 2.1
   Network operators want a trustworthy report ... for purposes such as    inventory,
   audit, anomaly detection, record maintenance and/or trending reports
   (logging).

-- This seems like a list of unlike things - inventory and audit are activities.  Anomaly detection and trending reports are a technique for multiple purposes - is this better captured with a term like security operations?

-- What is "record maintenance"?  Isn't that the same as inventory or asset management?

** Section 2.7. Is the WG sure we need the last paragraph, "Other biometric authentication protocols ..." which cites various commercial services without citation.  Will that age well without references?  My recommendation would be to remove it.

** Section 3.1.  
   
There is no limit to or requirement on the types
   of hardware or software environments that can be used to implement an
   Attesting Environment, for example: Trusted Execution Environments
   (TEEs), embedded Secure Elements (eSEs), Trusted Platform Modules
   (TPMs) [TCGarch], or BIOS firmware.

To reinforce that software only solutions are acceptable too should 'software agent' or something to that effect be added to the following example list?

** Section 3.3.  Editorial. s/In consequence/Consequently,/

** Section 4.  The following terms appeared repeatedly in the document but were defined here: root of trust, target environment, and lead attester.  Should they be?

** Section 4.1. Relying Party.  Figure 1 says that the relying party also consume the "Appraisal Policy for Attestation Results" by that isn't noted here.

** Section 4.*.  Editorial.  
-- Section 4.1.  In the definition of relying party, what does the sentence fragment "Compare /relying party/ in [RFC4949]" mean?
-- Section 4.2.  Per the definition of "Claim", what does "Compare /claim/ in [RFC7519]" mean?
-- Section 4.3.  Per the definition of "Appraisal Policy for Attestation Results", what does "Compare /security policy/ in [RFC4949]" mean?

** Section 4.2.  Claim is the only definition that doesn't explicitly call out what "consumes" and "produces" it.

** Section 5. There is something foundational I am not following about this section.  The interactions described here do not conform behaviors described in the terminology in Section 4 or the high-level reference architecture of Figure 1.  I'm not sure how to reconcile this discrepancy.  

Minimally, these discrepancies are:

-- Figure 5.  Per Section 4, "Attestation Results" are not supposed to be consumed by the "Attester" and are supposed to come from the Verifier (not the Attester).

-- Figure 6, Evidence is being provided from the Attester to the Relying Party.  Relying part is providing evidence to the Verifier.

Additional sections in the document, e.g., Section 7.2, make use of this interactions too.

The introductory text states that "[t]he discussion that follows is for illustrative purposes only and does not constrain the interactions between RATS roles to the presented patterns."  I don't follow what is being illustrated in the context of RATS.  What is the takeaway for implementers or designers from this section?

** Section 5.1.
In this model, an Attester conveys Evidence to a Verifier, which
   compares the Evidence against its appraisal policy.  

Should the analogy be connected to the RATS architecture by saying the citizen is the Attester and the Evidence is ID (e.g., birth certificate) needed to present to get the passport issued.

** Section 5.1.  Per the paragraph, "Since the resource access protocol ...", I found this text an unexpected level of detail.  No earlier part of the document had previously discussed the existence of a serialization format or resource access protocol, let alone interoperability issues

** Section 7.1  I got a bit lost in the repeated use of the word trust as a verb, noun and adjective.  It seems like two properties should be described:
-
- (authenticity) Trusting that information came from a expected entity/role

-- (correctness) Having confidence in the veracity of the information being provided (e.g., the processes used by the verifier to process the evidence or compute ).

I'd recommend being clearer on what kind of trust is meant.

** Section 7.4.

   In a typical solution, a Verifier comes to trust an Attester
   indirectly by having an Endorser (such as a manufacturer) vouch for
   the Attester's ability to securely generate Evidence, in which case
   the Endorser's key material is stored in the Verifier's trust anchor
   store.

How does an Endorser "vouch" for something?

** Section 8.1
   Evidence is appraised by a Verifier to establish
   its relevance, compliance, and timeliness

What is meant by having to establish that evidence is relevant? Is the concern that the Attester would provide evidence that is not relevant?  Is than attack or attempt a subterfuge? 

** Section 8.1.
   Claims need to be
   collected in a manner that is reliable.

Can the intent of "reliable" be clarified here.

** Section 8.1.  In the spirit of inclusive terminology please use alternative phrasing for "man-in-the-middle attackers".

** Section 8.2.  This section is a subsection of Section 8 which seems to be scoped around "conceptual messages".  It isn't clear to me what "conceptual messages" or channel properties are being described here.

** Section 8.3.  It isn't clear to me what "conceptual messages" or channel properties are being described here.  This appears to be a restatement of the role of Reference Values already covered in Section 3.

** Section 8.4.

   Thus, Attestation Results often need to include detailed information
   about the Attester, for use by Relying Parties, much like physical
   passports and drivers licenses include personal information such as
   name and date of birth.  

I'm not convinced this analogy is helpful.  Yes, it conveys the need for detailed information but it also immediately suggests Attestation Results might include PII or privacy sensitive identifiers.

** Section 10.  I found the level of detail on this section on freshness out of place and inconsistent with the level of abstraction found in the rest of the test.  In most other section, generic interaction of roles, artifacts, their associated topologies, and high level security properties was noted.  This section delves into specific implementation choices.  In particular,  Is the WG sure that it needs all of the details of Section 10.3.  Even among all of the Section in 10.*, this stands out. It doesn't seem to provide enough detail to be create interoperability but goes beyond simply introducing the concept.  Section 12.3

** Section 11.  Is it possible for the Appraisal Policy for Evidence to also contain sensitive information?

** Section 11.
If
   confidentiality protection of the conceptual messages is omitted or
   unavailable, the protecting protocols that convey Evidence or
   Attestation Results are responsible for detailing what kinds of
   information are disclosed, and to whom they are exposed.

-- What is meant by "conceptional message" here?  


-- What does it mean that "the protecting protocols ... are responsible for detailing what kinds of information are disclosed?"
Is this text saying that if there isn't native object-level confidentiality protection in the Evidence and Attestation Results, the transport protocol should provide these protections?

-- Should the appraisal policies get similar protection?

** Section 11.  Typo. s/are disclosed/is disclosed/?

** Section 12.  I didn't come away from this section with a strong, consistent understanding of which interactions needs which security properties or what considerations are need for which roles.  Section 12.2 is at least clear on integrity, but it also makes vague allusions to other properties.  

-- Section 12.2  This section lists that there might be a need to support additional security properties and provides list (i.e., E2E encryption, DoS protection, authentication, etc.) .  What actionable guidance should be taken from this text?   How should one reason about those properties?

-- The overall Section 12 seems silent on:

o Endorsers and endorsements?
o Reference values?
o What is the implication of combining roles into a single entity as described in Section 3.4 and 6.  Does this lack of separation present any additional issues?
o Compositional devices per Section 3.3?

** Section 12.1.1
   An essential value-add provided by RATS is for the
   Relying Party to be able to trust the Attester even if the user or
   owner is not trusted.

Is it more accurate to say that an "A foundational security assumption of a RATS architecture is that a Relying Party is able to trust the Attester even if the user or owner is not trusted"

** Section 12.1.1.  Typo. s/Sometimes this is/Sometimes this/

** Section 12.1.2.  I didn't see any of the obvious text that regardless of whether the key is generated on or off device, high quality randomness is needed.

** Section 12.1.2.1.  Would it be more precise to say:

OLD
The degree of protection afforded to this key material can vary by
   device, based upon considerations as to a cost/benefit evaluation of
   the intended function of the device.  

NEW
The degree of protection afforded to this key material can vary by the intended function of the device and the specific practices of the device manufacturer or integrator.

** Section 12.1.2.1.  Editorial.

OLD
So, this is why, in general, ...

NEW
Commonly,

** Section 12.2.  Editorial.  The section title of "Integrity Protection" seems narrow given the content of this section.

** Section 12.2

Any solution that conveys information used for security purposes,
   whether such information is in the form of Evidence, Attestation
   Results, Endorsements, or appraisal policy ...

Should reference values be included?

** Section 12.2

   It is also important that the appraisal policy was itself obtained
   securely.  If an attacker can configure appraisal policies for a
   Relying Party or for a Verifier, then integrity of the process is
   compromised.

In addition to reconfiguration, wouldn't the ability to intercept either the appraisal policy for evidence or attestation results potentially provide the attacker insight into defensive mitigations?  This suggests that this policy might need confidentiality protection.

** Section 12.4.  Is there any read sensitivity for the trust anchor store?

** Section 12.4.  Since RFC5280 is being invoked here, is there an expectation that certificates in RATS would confirm to this profile?

Regards,
Roman

v2.23.0 | Report a Bug | By Email