[Rats] AD follow-up review of draft-ietf-rats-uccs-09

Roman Danyliw <rdd@cert.org> Mon, 18 March 2024 23:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/VFMB11oiqsTwZPkoOS83eD7I0cs>

Hi!

I previously performed an AD review on draft-ietf-rats-uccs-08.  See https://mailarchive.ietf.org/arch/msg/rats/HU2eIC7AevBSBHGk5tqXSR8wMco/.  Thanks for -09.  For ease of tracking issues, this new email summarizes the remaining issues from the AD Review.


** Section 6.
   The security
   considerations of [RFC8392] need to be applied analogously, replacing
   the function of COSE with that of the Secure Channel. 

[per -08] 
If all of the Security Considerations of RFC8392 apply, then there is an authenticity requirement for the Secure Channel.  RFC8392 says “it is not only important to protect the CWT in transit but also to ensure that the recipient can authenticate the party that assembled the claims and created the CWT.”  

[per -08] the Privacy Preserving channel of Section 4.3 (Section 5.3 in -09) seems to explicitly suggest that the “receiver cannot correlate the message with the senders of other received UCCS messages”, which seems to be the opposite of authenticity.

[response]
> The objective of 4.3 (now 5.2) is to discuss how authenticity does not 
> necessarily lead to linkability.
> It does not relax the authenticity requirement.
> (E.g., DAA replaces the attester key with a group key, and something 
> similar could be a use case for secure channels as well.)

[Roman] Can this nuance please be explained in the prose?  This seems to be a very different situation than authenticity in the CWT sense.


** Appendix A.  Excuse my rough understanding of CDDL.  

-- [per -08] My read of this CDDL is that there are JSON hooks included with the JC<> construct.  This JSON binding isn’t explained any place else.

> Yes.
> Parts about JSON bindings do not use normative language, 
> because UCCS is 
> about CBOR claim sets.
> This CDDL is designed to be useful in a mixed environment, based on 
> requirements from EAT.

I don’t understand.  This CDDL in Appendix A is normative, and so is the flexibility in its design to support JSON.  Otherwise, it would be “C<...>” and not “JC<...>”.  I don’t take exception with providing a JSON binding, but please explain this in the prose and in the introduction.

Roman