IETF Logo Mail Archive

Re: [Rats] Android comments on EAT draft

Laurence Lundblade <lgl@island-resort.com> Tue, 21 May 2019 15:40 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01F2E120169 for <rats@ietfa.amsl.com>; Tue, 21 May 2019 08:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Nev90sDVT4o for <rats@ietfa.amsl.com>; Tue, 21 May 2019 08:40:16 -0700 (PDT)
Received: from p3plsmtpa09-03.prod.phx3.secureserver.net (p3plsmtpa09-03.prod.phx3.secureserver.net [173.201.193.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E701120059 for <rats@ietf.org>; Tue, 21 May 2019 08:40:16 -0700 (PDT)
Received: from [10.0.1.128] ([88.208.89.189]) by :SMTPAUTH: with ESMTPSA id T6s8hano6neDcT6s9hy3r0; Tue, 21 May 2019 08:40:15 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <3EF5D8DB-B79F-4564-A521-28FCAFC75698@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A8C8704F-BBB7-4F90-9645-0D08A0CC0DE4"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 21 May 2019 17:40:12 +0200
In-Reply-To: <B4E207B0-3367-4CDB-AF5D-AC539BD29852@arm.com>
Cc: Simon Frost <Simon.Frost@arm.com>, Shawn Willden <swillden=40google.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
To: Mathias Brossard <Mathias.Brossard@arm.com>
References: <CAFyqnhVJ-ps4bdhsyQDOHdzHVZsXeK7_kCDXxUVUcuyDzWS3uA@mail.gmail.com> <35459D73-3D08-4E0B-814B-780AD60DD600@island-resort.com> <HE1PR0801MB1643AA2E129098E2C65F9163EF0A0@HE1PR0801MB1643.eurprd08.prod.outlook.com> <0B8DFC2F-9C35-4F72-A07F-E5258413F50F@arm.com> <7661893A-8EEC-475F-9FB2-CBB2915E2C95@island-resort.com> <B4E207B0-3367-4CDB-AF5D-AC539BD29852@arm.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-CMAE-Envelope: MS4wfCF/fu8fPB0GFAcm21Ch9fJGFQxF/5yXrwLS7XcpFXqZWe8UXUbfL6VAGhS++1Jpjtn09EZNhJt1ngsxunkuRJrPch3VJiR9dVPpKSG98wgni4Pros36 +/CVaudzTe4IRAHFQrHBCPCKnXKflS4HR33xMeCxidKPvHoVzJFFTlitKlrpKVzYXF3tqvDpScXawnv11IG/2BStMELyf87b4IsVmq0wn6nPZ+KGAa3hSJ5Q A7vul0WEe7lLoaXlYXpJtKh1xq/Rk+ggPwOsh1wuaBGVJlfT2EreKLmdcV2JqWXi
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/W-RLxSjzefVRoa3GvhiF-pH1y1A>
Subject: Re: [Rats] Android comments on EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 May 2019 15:40:19 -0000

Seems like we can define the inclusion of a public key in an attestation token to mean whatever we want. We don’t have to restrict ourselves to the semantics implied by draft-ietf-ace-cwt-proof-of-possession-06 (and usage for authentication only seems implied). 

Maybe there is optional key usage associated with the key. If the key usage is absent, then there is no restriction. The key usage would look something like X.509 Extended Key Use <https://tools.ietf.org/html/rfc5280#section-4.2.1.12>.

(Is proof-of-possesion a term defined somewhere that I don’t know about to mean something very specific? If so where is this definition?)

LL


> On May 20, 2019, at 11:03 PM, Mathias Brossard <Mathias.Brossard@arm.com> wrote:
> 
> Hi,
>  
> The idea is that a device might want to attest a key that would be used for other purposes than proof-of-possession (authentication). The attestation token would act as a form of certificate, essentially the link between a key to a device. We are thinking about integrity (signature) and encryption / key agreement. In many cases you could use TLS with PoP to provide the same kind of security properties. But in some cases there is no IP connectivity, the resources are too constrained or you want the security to be maintained end-to-end (rather than at the transport layer).
>  
> The protocol flow would not change for attestation.
>  
> Sincerely,
> -- Mathias Brossard
>  
> From: Laurence Lundblade <lgl@island-resort.com>
> Date: Friday, May 17, 2019 at 6:57 PM
> To: Mathias Brossard <Mathias.Brossard@arm.com>
> Cc: Simon Frost <Simon.Frost@arm.com>, Shawn Willden <swillden=40google.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
> Subject: Re: [Rats] Android comments on EAT draft
>  
>  
> On May 16, 2019, at 9:31 AM, Mathias Brossard <Mathias.Brossard@arm.com <mailto:Mathias.Brossard@arm.com>> wrote:
>  
> But even for the relatively simple use-case of putting a public key in a token, which it technically supports, I am worried that the semantics might be too constraining. It focuses on proof-of-possession (PoP), where we are thinking about additional functions (signature, encryption, key agreement, etc.).
>  
> Mathias, can you say more about the additional functions you are thinking about? 
>  
> Would they change the protocol flow in a big way? Mostly what we are thinking is that the RP sends a nonce to the device and the device returns a token. 
>  
> LL
>  
>  
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email