Re: [Rats] Entity vs. role
Laurence Lundblade <lgl@island-resort.com> Tue, 22 March 2022 18:42 UTC
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <CAObGJnOxU0vfxzzZ9tv1J64KHDigxLcEMrgx0gDy97bE7NQJcA@mail.gmail.com>
Date: Tue, 22 Mar 2022 19:42:33 +0100
Cc: "Smith, Ned" <ned.smith@intel.com>, "rats@ietf.org" <rats@ietf.org>
Message-Id: <E20F61DD-8775-4E68-8E56-E6EC92682A18@island-resort.com>
References: <3407CFB9-B713-4E13-BDA3-08EC7B5A905E@intel.com> <CAObGJnOxU0vfxzzZ9tv1J64KHDigxLcEMrgx0gDy97bE7NQJcA@mail.gmail.com>
To: Thomas Fossati <tho.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/V1_Z9KljkVE_tMrLca-YTJTQH2w>
Subject: Re: [Rats] Entity vs. role
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Agree entirely with what’s below, but it doesn’t quite address what I am on about.

RATS architecture clearly separates two policies:

1) Appraisal Policy for Evidence
2) Appraisal Policy for Results

The first one is used only by the Verifier role and never by the Relying Party role. It can only be used to process Attestation Evidence, never to process Attestation Results. In a chain of Verifiers all the intermediate results are Attestation Evidence, never Attestation Results. When all the Verifiers are done, then you have Attestation Results.

Similarly, the Appraisal Policy for Results is used only by the Relying Party role, never by the Verifier role. It can never be applied to Attestation Evidence. Since we are talking roles not entities here, the Relying Party can *never* by definition receive Attestation Evidence. Again, since we’re talking *roles* not entities, a Relying Party can *never* host a Verifier.

Said another way, the definition of the Verifier and Relying Party roles gives a hard one-way transition from Evidence to Results.

I think the Verifier and the Appraisal Policy for Evidence is all about the device/implementation/attester.
 - Who made the device?
 - Is it configured correctly?
 - Is it in the right state?
 - Does it have the right SW?
 - What certifications does it have?

This is represented in the Attestation Results, perhaps in summary or in detail.

Then the RP and the Appraisal Policy for Results is about the application-specific stuff:
 - Is this device OK for this dollar amount (the RP knows the $ amount, not the Verifier)
 - Can this content be played on this device — the RP knows which device and what characteristics it requires for the content
 - Is the sensor data accurate — the RP knows which sensors it can trust

I don’t see this separation as hard as long as we’re open and flexible about what is in Attestation Results.

Seems we need to be a bit flexible about what is in Attestation Results because the roles of Verifier and RP are sharp and one-way.

LL

> On Mar 22, 2022, at 4:14 PM, Thomas Fossati <tho.ietf@gmail.com> wrote:
>
> hi Ned
>
> On Tue, Mar 22, 2022 at 1:13 PM Smith, Ned <ned.smith@intel.com> wrote:
>>
>> (not as chair)
>>
>> One of the topics discussed during RATS113 session I seemed to focus on architectural considerations for entities vs. roles. The architecture draft summarizes concisely:
>>
>> “In essence, an entity that combines more than one role creates and consumes the corresponding conceptual messages as defined in this document.”
>>
>> This is different from a distributed Verifier that operates on a portion of a conceptual message and (possibly) forwards a portion for some other Verifier to consume. The architecture didn’t attempt to name partially processed conceptual messages distributed across multiple entities.
>
> I fully agree with this.
>
>> It may be helpful for drafts to give names to partially processed conceptual messages
>
> As you say, a Verifier implementation can fraction and distribute the
> appraisal box the way it wants. It seems to me though that trying to
> name these intermediates equates to making the internal
> (implementation-specific) interfaces explicit, which is something we
> should really avoid at least until we decide it's time to revise the
> architecture to break down the Verifier box.
>
>> but until processing is complete (and therefore becomes a different conceptual message) it should still be correct to refer to the partially processed conceptual message by its architectural name (e.g., Evidence that has been authenticated but not appraised would still be regarded as Evidence architecturally. Appraisal results that haven’t been authenticated to a Verifier might still be called Evidence up until all the requirements for being called Attestation Results are satisfied.)
>
> I also fully agree with this.
>
> --
> Thomas
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
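Added illustration, not part of the thread and not code from the RATS architecture draft or any RATS implementation: a small Python model of the role split argued above. Two Verifiers are chained, each applying its slice of an Appraisal Policy for Evidence; the intermediate output is typed as Evidence, only the last Verifier emits Attestation Results, and the Relying Party applies an Appraisal Policy for Results that needs application context (the dollar amount) the Verifiers never see. The RP refuses Evidence by type, which is the "hard one-way transition" stated in code. The vendor name, firmware reference values, policy rules and sample claims are all constructed for the example.

```python
"""Toy model of the RATS Verifier / Relying Party role split (illustration only)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple

Claims = Dict[str, Any]


@dataclass(frozen=True)
class Evidence:
    """What an Attester, or an upstream Verifier in a chain, hands on."""
    claims: Claims
    appraised_by: Tuple[str, ...] = ()   # Verifiers that have already touched it


@dataclass(frozen=True)
class AttestationResults:
    """Produced only by the final Verifier; consumed only by a Relying Party."""
    summary: Claims
    issuer: str


class Verifier:
    """Applies an Appraisal Policy for Evidence. Evidence in; Evidence or Results out."""

    def __init__(self, name: str, policy: Callable[[Claims], Claims], final: bool):
        self.name, self.policy, self.final = name, policy, final

    def appraise(self, ev: Evidence):
        if not isinstance(ev, Evidence):
            raise TypeError(f"{self.name}: the Verifier role appraises Evidence only")
        verdicts = self.policy(ev.claims)
        if not self.final:
            # Intermediate hop of a Verifier chain: still Evidence for the next Verifier.
            return Evidence({**ev.claims, **verdicts}, ev.appraised_by + (self.name,))
        return AttestationResults(verdicts, self.name)


class RelyingParty:
    """Applies an Appraisal Policy for Results. Never accepts Evidence."""

    def __init__(self, policy: Callable[[Claims, Claims], bool]):
        self.policy = policy

    def decide(self, ar: AttestationResults, context: Claims) -> bool:
        if not isinstance(ar, AttestationResults):
            raise TypeError("the Relying Party role consumes Attestation Results only")
        return self.policy(ar.summary, context)


# --- Appraisal Policy for Evidence, split across two hypothetical Verifiers ---
KNOWN_FW = {"acme-fw-1.4": "b7e2"}   # constructed reference values (vendor-supplied)


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def hardware_policy(claims: Claims) -> Claims:
    """Who made the device? Is its firmware the one the vendor shipped?"""
    return {
        "vendor_known": claims.get("vendor") == "ACME",
        "fw_match": KNOWN_FW.get(claims.get("fw_name")) == claims.get("fw_hash"),
    }


def software_policy(claims: Claims) -> Claims:
    """Right SW, right state, plus the upstream Verifier's verdicts folded in."""
    return {
        "hw_ok": bool(claims.get("vendor_known") and claims.get("fw_match")),
        "sw_ok": _version(claims.get("sw_version", "0")) >= (2, 3),
        "debug_disabled": claims.get("debug") is False,
        "cert_level": claims.get("cert", "none"),
    }


# --- Appraisal Policy for Results: the RP knows the amount, the Verifiers do not ---
def payment_policy(summary: Claims, ctx: Claims) -> bool:
    if not (summary["hw_ok"] and summary["sw_ok"] and summary["debug_disabled"]):
        return False
    if ctx["amount"] > 1000:
        return summary["cert_level"] == "L2"
    return True


def run(claims: Claims, amount: int):
    """Attester claims -> Verifier chain -> Attestation Results -> RP decision."""
    hw = Verifier("hw-verifier", hardware_policy, final=False)
    sw = Verifier("sw-verifier", software_policy, final=True)
    rp = RelyingParty(payment_policy)
    intermediate = hw.appraise(Evidence(claims))      # still Evidence
    results = sw.appraise(intermediate)               # now Attestation Results
    return intermediate, results, rp.decide(results, {"amount": amount})


# Constructed sample claims from a hypothetical Attester
SAMPLE = {"vendor": "ACME", "fw_name": "acme-fw-1.4", "fw_hash": "b7e2",
          "sw_version": "2.3", "debug": False, "cert": "L1"}

if __name__ == "__main__":
    inter, res, ok = run(SAMPLE, 500)
    print(type(inter).__name__, inter.appraised_by, type(res).__name__, ok)
```

The point the types enforce: `hw-verifier` cannot emit Attestation Results because it is not the last hop, and handing the intermediate `Evidence` to `RelyingParty.decide` raises rather than being silently re-appraised under the Results policy. Extending `software_policy` is how the Verifier stays "flexible about what is in Attestation Results" without the RP ever needing to see raw Evidence.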