Re: [Rats] [COSE] Working Group Last Call for UCCF draft

"lgl island-resort.com" <lgl@island-resort.com> Tue, 29 August 2023 19:09 UTC

From: "lgl island-resort.com" <lgl@island-resort.com>
To: Thomas Fossati <tho.ietf@gmail.com>
CC: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, rats <rats@ietf.org>, cose <cose@ietf.org>
Thread-Topic: [COSE] [Rats] Working Group Last Call for UCCF draft
Thread-Index: AQHZ2BKrT/vA0ZuEB0SyTit0adBAl7ABiBOAgAAgiQA=
Date: Tue, 29 Aug 2023 19:09:49 +0000
Message-ID: <A4F220B0-FA44-45A2-9133-4D7F8A84065C@island-resort.com>
References: <CAHbuEH7Kj821CZJxbbs_5WW+XhK3xzePmWXjc878k=r2Gs=nJA@mail.gmail.com> <CAObGJnNCOGxZmWFHnM21jrDuXjWqm1rOcZUzMyJWQmFenuKSZA@mail.gmail.com>
In-Reply-To: <CAObGJnNCOGxZmWFHnM21jrDuXjWqm1rOcZUzMyJWQmFenuKSZA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/VzLTg6S8vVJ6bgHB6g9_Jqyf-_E>
List-Id: Remote ATtestation procedureS <rats.ietf.org>

Hi Thomas,

The EAT CDDL distinguishes between a detached claim set and a nested token. Since UCCS is defined as a token, it’s not a detached claims set. A detached claim set is entirely an internal EAT thing.

Nested Tokens can be signed EATs (CBOR or JSON) or UCCS (or UJCS someday). A UCCS comes into EAT through the sockets $EAT-CBOR-Tagged-Token or $EAT-CBOR-Untagged-Token.

EAT indirectly discusses the security of an externally defined nested token. It says it is bound into the surrounding token by being a nested token (section 4.2.18.3), which is what applies here. It also says "i.e., it has keys distinct from the attester producing the surrounding token", which doesn't apply here.

I’m OK with it as is, but also open to changes in EAT or UCCS.

LL



> On Aug 29, 2023, at 10:13 AM, Thomas Fossati <tho.ietf@gmail.com> wrote:
> 
> Hi UCCS authors,
> 
> It looks like the assumption is that since UCCS drops the COSE
> envelope there must be a semantically equivalent "secure channel"
> provided via a transport / object security primitive that replaces
> COSE's services.
> 
> I'd like to point out another possible use of UCCS is to implement
> what EAT calls a "detached claims-set".
> 
> We are experimenting with that for confidential compute workload
> attestation (see [1]).  But the mechanism is generally applicable when
> stacking claims-sets in hierarchical attesters.
> 
> For example, we use UCCS as a "sidecar token" that is coupled (using
> an EAT collection [2] rather than a DEB) to a "main," signed EAT that
> contains the UCCS's digest in one of its claims.  Note that this is
> not in contradiction with EAT, in fact §4.2.18.2 of -21 has:
> 
>   [...] EAT, however, doesn't require use of a detached
>   EAT bundle.  Any other protocols may be used to convey detached
>   claims sets and the EAT containing the corresponding detached
>   digests.
> 
> It looks like this case is not discussed in the current draft.
> So my question is: should it?  Or should a different draft document
> such practice?
> 
> I read §3 of UCCS:
> 
>   [...] As UCCS were initially created for use in RATS Secure Channels, the
>   following section provides a discussion of their use in these
>   channels.  Where other environments are intended to be used to convey
>   UCCS, similar considerations need to be documented before UCCS can be
>   used.
> 
> to support the latter, and that's OK, but then I reckon we should be a
> bit more precise in the scoping parts of the doc (abstract, intro,
> title) to be explicit about this "pre-existing secure channel"
> assumption.
> 
> For example, this sentence in the abstract "[…] discusses conditions
> for its proper use" could be "discusses its use over pre-established
> secure channels".  There are a few other places where this kind of
> surgery could be made as well.
> 
> Other than that, I think the document is in very good shape and ready to ship.
> 
> cheers, thanks
> 
> [1] https://github.com/CCC-Attestation/attested-tls-poc/blob/main/doc/parsec-evidence-cca.md
> [2] https://datatracker.ietf.org/doc/draft-frost-rats-eat-collection/
> 
> On Sat, Aug 26, 2023 at 1:44 PM Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>> 
>> Greetings!
>> 
>> The working group last call for https://datatracker.ietf.org/doc/draft-ietf-rats-uccs/
>> begins now and will run for 4 weeks per discussion at the IETF 117 meeting. Review requests are also requested from COSE working group members. Last call ends 9/23/2023.
>> 
>> There are a few remaining questions that I need assistance from authors on prior to IETF last call. Could each author and others with knowledge of IPR please disclose any at this time as well.
>> 
>> Thank you!
>> 
>> --
>> 
>> Best regards,
>> Kathleen
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
> 
> 
> 
> -- 
> Thomas
> 
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
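As an added illustration of the two bindings discussed in this thread (not code from the thread, the EAT draft or the UCCS draft): Laurence's case, where the UCCS is a nested token in the EAT's submods and is therefore covered by the outer COSE signature, and Thomas's case, where a sidecar UCCS is conveyed separately and the signed EAT carries only its Detached-Submodule-Digest. Claim keys and tag numbers are taken from the published EAT and UCCS specifications (RFC 9711, RFC 9781) rather than from this thread, the claim values are constructed, and the outer COSE signature is assumed to have been verified before `verify_detached` runs.

```python
import hashlib
from collections import namedtuple

# Claim keys and tags as registered for EAT (RFC 9711) and UCCS (RFC 9781).
NONCE, UEID, SUBMODS, UCCS_TAG, COSE_SHA256 = 10, 256, 266, 601, -16
Tag = namedtuple("Tag", "number value")


def _head(major, n):
    """CBOR initial byte(s): major type in the top 3 bits, argument after it."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")  # enough for this demo

def cbor(v):
    """Minimal CBOR encoder: int, bstr, tstr, array, map, tag (no floats/bools)."""
    if isinstance(v, Tag):
        return _head(6, v.number) + cbor(v.value)
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))

# Constructed sample claims for the workload-level (sidecar) UCCS.
SIDECAR_CLAIMS = {NONCE: bytes(range(8)), UEID: b"\x01" + bytes(16)}
SIDECAR_UCCS = cbor(Tag(UCCS_TAG, SIDECAR_CLAIMS))  # the bytes sent beside the EAT

def main_eat_nesting(sidecar_claims):
    """UCCS as a nested token in submods: the outer COSE signature covers it."""
    return {NONCE: bytes(8), SUBMODS: {"workload": Tag(UCCS_TAG, sidecar_claims)}}

def main_eat_detached(sidecar_bytes):
    """UCCS conveyed separately; the EAT commits to it with [alg, digest]."""
    digest = hashlib.sha256(sidecar_bytes).digest()
    return {NONCE: bytes(8), SUBMODS: {"workload": [COSE_SHA256, digest]}}

def verify_detached(main_claims, name, sidecar_bytes):
    """Verifier side (outer signature already checked): accept the sidecar only
    if its digest equals the one the signed EAT carries for that submodule."""
    entry = main_claims.get(SUBMODS, {}).get(name)
    if not (isinstance(entry, list) and len(entry) == 2 and entry[0] == COSE_SHA256):
        return False
    return hashlib.sha256(sidecar_bytes).digest() == entry[1]
```

A sidecar that is altered in transit fails the digest check, which is the property the signed EAT's commitment provides when no secure channel carries the UCCS.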