IETF Logo Mail Archive

Re: [Rats] disposition of remaining pull requests to architecture document

"Smith, Ned" <ned.smith@intel.com> Wed, 16 September 2020 18:09 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 672F23A0907 for <rats@ietfa.amsl.com>; Wed, 16 Sep 2020 11:09:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=intel.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GkfM6UzV9XPa for <rats@ietfa.amsl.com>; Wed, 16 Sep 2020 11:09:03 -0700 (PDT)
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B1713A0902 for <rats@ietf.org>; Wed, 16 Sep 2020 11:09:03 -0700 (PDT)
IronPort-SDR: wZLhuQDlgDAE7qNfmFJkCpNCOUWmqDzSlWHMFVpRolrQbn3ZKZW1iGG2rjM+gFb/Sjt95CnTwp Ym4qyxw0NGXA==
X-IronPort-AV: E=McAfee;i="6000,8403,9746"; a="156923172"
X-IronPort-AV: E=Sophos;i="5.76,433,1592895600"; d="scan'208";a="156923172"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Sep 2020 11:09:02 -0700
IronPort-SDR: BMVU8PpoIURsR43iTLun7E5Ttw8BUgm/7XwTgJ/mimUwW7RTU1rLTIunIKeCGnPnOnNbNH3kKD UQDJ1jGtrHSw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.76,433,1592895600"; d="scan'208";a="288441017"
Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by fmsmga008.fm.intel.com with ESMTP; 16 Sep 2020 11:09:02 -0700
Received: from orsmsx608.amr.corp.intel.com (10.22.229.21) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Wed, 16 Sep 2020 11:09:02 -0700
Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by orsmsx608.amr.corp.intel.com (10.22.229.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5 via Frontend Transport; Wed, 16 Sep 2020 11:09:02 -0700
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (104.47.58.101) by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1713.5; Wed, 16 Sep 2020 11:09:02 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MjsKHz7sQxJTOforUrZpq8DufXPQJ0kQLwDWLuExQ9DEjzp+WAl+Oau2pxEGdtw2xx4xxZ+L5o3xLyjT9yudsd65NByfgylYqOCRvBYtJeyYjgyUGjYKJXUOF8sy21EZxoPp/WSdT0qPc6LN+yRVwNUxGTO+CKc3x02UT5UxLm6s9+P6cVqaBWKzB6Iz2nH0+jSIiG0ke3HCVrq2/EJuCXYQ7Y0nFJp/bD6yzvkpdPfZtEh0AZLQbVeAQ9xzEjiSdzHX902nP9zK24B2KibI2IaNX6rhUUbJEUuU+bucz7K4BgBujLbwIrGzr+qp8hwVjVfuj8dTswvQoyMlRn359g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i8VK8LXnJrwM4EoXU3xgmUvXjByQ3deSi7uKrhhoMHo=; b=cRRJiHD6bhJ+lGy/Qa01C/g+wZMNO6fGSQrJ68+wMuL/QYPwAAlKWpHd7fGjG3fxwAKKRQnOhbAvDpLH6xxclknpYOICKJ7Nd9gdIXck0yyElszGL2A4JyIGHlVt4qmwXXajHILaZ35Bc4cdxuA4zF99njkA7kSlv62VDFA+7fFoWzg4yNITi3SFzuliy+uB/s1ajxiMcMiYgnjKoBiE1necyXz+EuBHuixhnLeJjoDBhBtjM/0PzYa+CwETqrCQXy9Hxl0vyyfYkW2ckmrQQO4cLX40At6AD402AWUlLic8eqorI/qVAGkldmd3DH4hMO3t6k0R62G5QWghVh72hw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i8VK8LXnJrwM4EoXU3xgmUvXjByQ3deSi7uKrhhoMHo=; b=Uh/35PTD09t5UcdqVfwsVellf3iRkGIqKAWZ1PJYI0/IDGtK9fit1B1EgSRmycBaLXZ+6zGQUb4G2Q5jq3Pf/IPms2I7+22BS+g0RNs1b6k5qbNK0KN07v9iZFesyxQgwD2SPSZGZfJvexIFuGRJQfL0pF7UIfo8HpWpVcZsLac=
Received: from MWHPR11MB1439.namprd11.prod.outlook.com (2603:10b6:301:9::20) by MW3PR11MB4601.namprd11.prod.outlook.com (2603:10b6:303:59::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16; Wed, 16 Sep 2020 18:09:01 +0000
Received: from MWHPR11MB1439.namprd11.prod.outlook.com ([fe80::1fe:5ef0:8591:7fef]) by MWHPR11MB1439.namprd11.prod.outlook.com ([fe80::1fe:5ef0:8591:7fef%8]) with mapi id 15.20.3391.011; Wed, 16 Sep 2020 18:09:01 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Henk Berkholz <henk.birkholz@sit.fraunhofer.de>, Dave Thaler <dthaler@microsoft.com>, "Panwei (William)" <william.panwei@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] disposition of remaining pull requests to architecture document
Thread-Index: AQHWhfc3jIsWDC2L8UKsamGzPBS9BaljtzmAgAdwZwA=
Date: Wed, 16 Sep 2020 18:09:00 +0000
Message-ID: <B772B366-84E4-43A4-AEF7-FC881DABAA41@intel.com>
References: <5786.1599579936@localhost> <0B6B67BD-800C-4A42-9AD6-6F92E0663207@island-resort.com>
In-Reply-To: <0B6B67BD-800C-4A42-9AD6-6F92E0663207@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: island-resort.com; dkim=none (message not signed) header.d=none;island-resort.com; dmarc=none action=none header.from=intel.com;
x-originating-ip: [50.53.43.22]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1f4a8292-cd98-4db3-b0df-08d85a6b96cd
x-ms-traffictypediagnostic: MW3PR11MB4601:
x-microsoft-antispam-prvs: <MW3PR11MB460118D1742F0205F96EA80DE5210@MW3PR11MB4601.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Cyv4hd91D0q3l0/7EpzoDpERQRHeS4ezH8ndplHYBPBA83+Bo/9yYPvtfBeHuw00PAjeE0yhiSNcseJ6lu0ob+45H7NgJ0QmLDP0+9ey5ez5fVK0PgMQ2wzfhT6b1vYGSbWcMvvGS6XPCx0591kbkGc6Yiw2tiL0A3PhIjzsDZM2IItgbQzLmXBoYIKZcdA+t3M6ruIX2ubUlRl8yf2+3dBtlWYBjQIkiCShwXBJock6Y4Hs9MAWMCGJxmP6GqbIiknHw0M+kcxYXascfsDZik9ks0pyZkfGQ2IIIHdKURKOmQTzztyfz/8KR5o/oVNxUX6V3rcze0q8wceopaamKg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR11MB1439.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(39860400002)(366004)(346002)(396003)(376002)(316002)(8676002)(66476007)(36756003)(5660300002)(66446008)(2616005)(26005)(4326008)(64756008)(6486002)(478600001)(33656002)(66556008)(66946007)(8936002)(110136005)(71200400001)(2906002)(76116006)(6512007)(86362001)(186003)(83380400001)(6506007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 2daCLrqFbsqOubsLhV1w70Awb+MZ9eEjYEvGjgOApMt1yOyhd2y/6LVnvPLPWdUmEW5nRA5IscUArtQiwve0iHkzVW9pQlQ3ZDyhDHq8eQkst45Og/efKFWnWX+dOT1EWYrDpcOSwIS41f8KgHQohpat8h6ylE/iheua0hkEW8IvZ27Krfv5lz1Jt8YW00sadwnKpodLiHWrKaQEed923tpU0njYt5l6a7RAJhz+I3EGnA409sMzBTFQrwntQjWg+N2tJuL9SyBBdTdMO00TqPWKV2i0qiKJsziRlmLdUKqb7DvSssbq1DFRvpk3ngeoSOEqFawPrAEG1g0zUeYFvh0mbZO2MTdFzYl/4WbKUkvBcxxPaGVMwuv/Q5gOcEes0lyJgH4W2fQQJXLk+dW0JnFXuEFFTedt6yUn0pHiNW81Paa52TJJ2d7t3FemrVTg3mbBWQ7zfJNvLPUMZ+RHQtDrRS02XZ463ryg/9dyLuMJaDVB3574CDI2UoQiPheqfsyQI1J8FBNJR/kD3Rh4pk3pk5SxYRiw59hezAht80Urt53mWV92GRkhtHx9fDphUCtHDSWvk8PS/ilPc9jS9x7dq0Q/HvV2rsLQFqqBD+5DPA1Sru37X5kNGO2pWtY7jjuqxLLr8Cos04N8hltH7g==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <9889BE6473ECC14CB1EACADBCCEA17F0@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR11MB1439.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1f4a8292-cd98-4db3-b0df-08d85a6b96cd
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2020 18:09:00.9538 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CooFTYBC57R0O36EGYwkR5k6QdQon7XXn3bNx4AuGoVRslA0/vW0/6vWU0Swdj+6zGEn37aSU2U+kIkBF9KCOQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW3PR11MB4601
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/W9xonMJcFBf3y1qlUUSOkr4qjS0>
Subject: Re: [Rats] disposition of remaining pull requests to architecture document
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2020 18:09:05 -0000

See my comments inline beginning with NMS>.

On 9/11/20, 10:33 AM, "RATS on behalf of Laurence Lundblade" <rats-bounces@ietf.org on behalf of lgl@island-resort.com> wrote:

    > 
    > Dear WG chairs, WGLC soon?

    I have two open issues against section 7 that I think are important. I generally think section 7 needs a fair bit of work. 

    One of the issues with it is intermingling primary trust flow vs the secondary trust flow. 

NNS> The objective of this section is to highlight the potential for trust semantics to occur in both directions. I think this is what your mean by 'primary' and 'secondary' trust flow? It isn't trying to exhaustively describe the various nuances of how a protocol or implementation might resolve the tension. 

	Primary trust flow is about the RP trusting the Attesters, the main point of attestation. Secondary is primarily about confidentiality while achieving the primary goal of attestation. I think every subsection of section 7 needs to address both and be clear which it is addressing when it does. 

NMS> I think it may not be possible to achieve full clarity outside the context of a particular protocol. So this may be a case where less is more. It already points out that confidentiality protection may be needed if attested values are privacy sensitive. That implies there is some basis for trusting confidentiality keys (which possibly already exists in a given context or protocol). The arch draft should be careful not to bias toward a particular confidentiality technique or technology IMO. 

	I think TLS is good enough for the confidentiality in the secondary trust flow; attestation can be used, but is not needed.

NMS> I don't think it is an intention of the architecture to identify or recommend any particular solution for confidentiality protection.

    The other issue with section 7 is that I think it needs to say that Verifier trust in an Attester is almost always about attestation keys and that is it transitive through the Endorser. The only case where it is not is when they are connected by trusted HW, for example on the same bus, and that is usually not the reason to deploy attestation.


NMS> Words like "almost always" and "usually" are problematic because future use can change from current use rendering the architecture document content qualified in this way to become biased against whatever becomes common practice. If these words are omitted, does the recommendation in the above two sentences still make sense? 

Unpacking this a bit more:
"Verifier trust in an Attester is about attestation keys"
This is correct but too narrow as attestation is also about claims related to the environments that process other functions and protect other objects besides keys.

"[attestation of keys] is transitive through the Endorser"
This may be true if certain conditions also exist such as whether or not the key existed at the time of manufacturing such that the Endorser is able to make a claim about it. However, some hardware doesn't allow the Endorser to know the key or keys are not yet created at the time the Endorser is in possession of the device. The claims the Endorser supplies will have semantics that reflects these nuanced differences.

"The only case where it is not is when they are connected by trusted HW, ..., not the reason to deploy attestation"
I disagree with this characterization - of when it is not appropriate to do attestation. 


    Also, I think the distinction between Attestation and TLS/HTTPS needs to be described in the document. Say why we need Attestation given we have TLS.

NMS> The architecture is trying not to endorse or specify a particular conveyance mechanism / protocol whether for moving around attestation messages or for providing confidentiality protections. This distinction seems to be clearly made in the sections on conveyance and messages. If we begin listing protocols that could be used for conveyance we have to ask when we should stop listing them and what it means if we happen to exclude one. 

If the assertion you're making is that TLS and protocols on top of it such as HTTPS are already implementing attestation conveyance then that seems incorrect as existing standards don't describe how Evidence is conveyed. There may be several ways to tunnel Evidence through TLS handshake or layer on top using extensions to HTTPS, or claims are conveyed as Endorsements / Reference values etc. but a draft explaining how to do this is warranted. It seems inappropriate for the arch draft to do it. 

-Ned

v2.23.0 | Report a Bug | By Email