[Rats] Re: reworking draft-ietf-rats-ar4si (and EAR)

"ned.smith.ietf@gmail.com" <ned.smith.ietf@gmail.com> Wed, 03 December 2025 18:02 UTC

Return-Path: <ned.smith.ietf@gmail.com>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1A3E394BD550 for <rats@mail2.ietf.org>; Wed, 3 Dec 2025 10:02:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HxSPK2vYyrZi for <rats@mail2.ietf.org>; Wed, 3 Dec 2025 10:02:42 -0800 (PST)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 758D394BD4BD for <rats@ietf.org>; Wed, 3 Dec 2025 10:02:13 -0800 (PST)
Received: by mail-ot1-x32b.google.com with SMTP id 46e09a7af769-7c6d699610cso23346a34.0 for <rats@ietf.org>; Wed, 03 Dec 2025 10:02:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764784927; x=1765389727; darn=ietf.org; h=content-transfer-encoding:cc:to:message-id:thread-topic:subject :from:date:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rKvpwyWDuJ37h/ghPqW62kkrZF0Re7JU5JTfJH8vb7w=; b=ildOp0TKzQgHrEnkOdnfFQz/4mRY4u2AinG5zsDADNygIyK6lezmLzfkBk5UrTcPNC laatvbfCwxULya4x70385+Xa4lpHx8oixlrWTzstE1Ip4K/OhX+M5OHpDidu2BKK5xUW csWpI/pzbex1+VNve8Msoesx8/+rin+RNOZtDSrh3Df9FH2RILJm40OEZi2/tbomL8E0 Eb3uMjmieNq0xQY0RUDyWZ+hgHbUg+Ym4EGHY2RJBMFWYjpuOSQJDKGvwNHkvX5Q6cJA R+Hi9Irg+0xN+uuG5miTkMncz9XNZ0/eHmNtYbry5M+DWI0MaPRAdq5/cUsaIGJm2gXG Mthw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764784927; x=1765389727; h=content-transfer-encoding:cc:to:message-id:thread-topic:subject :from:date:mime-version:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rKvpwyWDuJ37h/ghPqW62kkrZF0Re7JU5JTfJH8vb7w=; b=nVNFkm8xNYs1Ym4t6+QgTLxZhctvcfS+G1tzzQFsPJ51t2E0ghK5sqZEB3RWLd6cL9 NGi3mfPns4RHtA5ovi1IaMA5tt1fAkf7TUzh5WW4benhFLleJhvDo2LfNFwJHY5rnzQQ VKIOtHxmJRF01uizqTVqV7sgqgW1zaSgX8XY5vqAIGtgrpjvN6D5YcPL4eMY/k4i3u7o 8kUaHtWqx5hJtX3COAQ+CNuzW80Lb2/Bf6fLYWOBgJd3RVQyedqdkrSneY2zvwh+Rcf7 ceSFicp3EqBiiT/DL7nN+2sa/BHN1iJZ/muAHW3lhnqzncN5qRg0in+jCmYf8zmn4m9V IhNg==
X-Gm-Message-State: AOJu0YyF6nWv2pe4Z3W7nTWaaqUcJTNSu4yQDex/95cBOa98PbQ6KzgY AqrlQQncPwWd2AtLhL1JkKEk0AuS88TV1901fNqKfE1gQNnD4KOkBOv8zuTQzQ==
X-Gm-Gg: ASbGnctu68RH72oiDT+AY63vgHEYenUvPcc7aZyWImV0go2R1qiEgL82KK3WPtLnmQg avnc86ze+LJma286qLoNMjnpY1rvOX2XV6a6XG3SiuyRwN49gpRPSnwp44EjTJIidcsTKT3zTH3 cQ/bSAOgBheYsi3ca0tkcnVcQ5xGBL3Y80PKBdS4jZEGer3pJLUOkadDfITMeoyOhGf5O0cdl1J IhD8j3OTK+89/ovRxeb7RoxEB1qBr9LJqUavDBe30sPAaoL74mfvqBu/+CNuWEhNF36hWc9HiPW r7w1/N5hNA1gda4HJgZLFZsfk9pjGaTUHpEH6Gp1mrun+wQ6iXhW7zoszCni+cldUme8mUkxpuC 0czz+W9Oq506aaUT0ICzK8Kgt4KRVecIefzrukbverkRacxHQiGMAZ45yD/CGtyLLSTcD3rt4gx EeMAdx0GEcY4o0OOrKG5DoV4i5
X-Google-Smtp-Source: AGHT+IF6G9/UseWmFPQR7g91v6ax45VSljNbvR0e362xWWKIwOINpPgmMzaULSHfuPCQ/y6SD3D9lw==
X-Received: by 2002:a05:6830:2b0f:b0:7c5:3798:fa44 with SMTP id 46e09a7af769-7c94db40316mr1973486a34.12.1764784926529; Wed, 03 Dec 2025 10:02:06 -0800 (PST)
Received: from helix ([47.185.157.194]) by smtp.gmail.com with ESMTPSA id 006d021491bc7-659332cdb20sm6008596eaf.2.2025.12.03.10.02.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Dec 2025 10:02:05 -0800 (PST)
MIME-Version: 1.0
Date: Wed, 03 Dec 2025 12:02:04 -0600
From: "ned.smith.ietf@gmail.com" <ned.smith.ietf@gmail.com>
Thread-Topic: Re: [Rats] reworking draft-ietf-rats-ar4si (and EAR)
Message-ID: <E4F1447A-4A94-CD4F-89A5-D8432BB8C2E2@hxcore.ol>
To: "rats@ietf.org" <rats@ietf.org>
Content-Transfer-Encoding: base64
Content-Type: text/html; charset="utf-8"
Message-ID-Hash: B53QGNYOY2XVZTV4MRC7AALKSNIVGDNP
X-Message-ID-Hash: B53QGNYOY2XVZTV4MRC7AALKSNIVGDNP
X-MailFrom: ned.smith.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: reworking draft-ietf-rats-ar4si (and EAR)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/WLnIkq4084Z_Q9cct2SFlGhsAQw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

(not as chair)

 

On 11/27/25, 7:18PM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:

 


When we wrote RFC9334 I think that we were trying to bring a diverse set of
existing and predicted/desired Remote Attestation architectures into a
smaller number of abstract patterns with some terminology that could be
mapped.   Yes, "xkcd 927" https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fxkcd.com%2F927%2F&data=05%7C02%7C%7C299a845a67fa44af5cde08de2e1c0df1%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638998895203981170%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=aGAu1cyOsxPAPBJm4Qjan402L%2BSNS90a5eSWJANZhZU%3D&reserved=0" rel="nofollow">https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fxkcd.com%2F927%2F&data=05%7C02%7C%7C299a845a67fa44af5cde08de2e1c0df1%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638998895203981170%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=aGAu1cyOsxPAPBJm4Qjan402L%2BSNS90a5eSWJANZhZU%3D&reserved=0.
But, also, "Embrace and Extend"   (but, not extinguish!)
Also thus Figure 9, with 4+1 inputs and 4+1 outputs.
(And we are seeing this via "CSR-attestation" and pkix-evidence
documents. That's good.)

I felt sure that we (the IETF/RATS) would produce one or more protocols that
would be the extend part.  I view much of AR4SI with EAR as being that.
But, it seems like we are shy of actually doing that.

I point to RFC761: it defines the TCP header, and the concept of the window
but is almost completely mute about congestion control.  The word
"congestion" occurs only twice, and no algorithm is provided!!!
RFC896,2001(1997!), 2309,2581,2914,... tell one how to actually *do* TCP.
This is the model we want.   Okay, it's messy.  But, it survived over 40+ years.
I think that EAR should be our RFC761 (structures, meanings of bits).
I think that AR4SI should *A* "congestion control" document equivalent.


I’m not sure I get the analogy, but I think I get the idea.


I think it should stop trying to be general purpose, and instead it should be

It = AR4SI?


opinionated.   It should not cover every possible combination.
9334 did that already.  We need to do the opposite here.

It should be give three or four important use cases ("applicability") ONLY.
More can be added via new documents.
{I also note that TCP (congestion control) has had many updates often relating to
high bandwidth*delay situations, like window-scaling to deal with specific
situations like satellite links, etc.. }

Probably that means:
1. desktop/device trustworthiness for use with enterprise environments.
2. end-user desktop/mobile trustworthiness for use in Internet cases.
3. (critical) infrastructure uses cases like routers, power stations, traffic
   control systrems.
4. virtualized workload situations including VMs, containers (whether TEE or not)

Some of these categories can be pretty big, and we should take only **small bites**
Take *only* what you can eat right now ("running code"), and come back for
more, is what my mom probably told me at some point.

Within these categories I do *not* want to do Background Check *or* Passport mode.
PICK ONE.  Get the interactions right for that.  That means *A* freshness choice.
That might mean PKIX vs JWT vs CWT vs C509 for identities.

Perhaps this sounds like I'm asking to throw away this document and start
over.  Yes. No.  The text is all there, it's just not in the right order.
Like, section 2.3.1 "Design Principles" is well designed text, and the
reasoning is sane.

I would create a ToC like this:

   1.  Introduction
     1.1.  Requirements Notation
     1.2.  Terminology
   2.  Targetted Use Cases
     2.1.1 Enterprise Desktops
     2.1.1 Enterprise mobile devices
     2.2.1 Consumer Desktops
     2.2.2 Consumer mobile devices
     2.3.1 ISP critical infrastructure
     2.4.1 Virtualized Workloads

   3. Design Principles
      [numbers from section 2.3 go to EAR, but principles remain here]

   4. Common Prerequistes
      Much of section 2.2 (Non-repudiable Verifier Identity), but be SPECIFIC.
      I don't want stuff like:
        "When provided during this exchange, the identity may be communicated
        either implicitly or explicitly."

   5. Per-Use case

     I want it to say (a), "When working with ISP critical infrastructure, the
          use of vendor-specific background check verifiers requires that the
          Verifier's AR are directly tied to the Evidence provided by the Attester.
          The Evidence must therefore never be encrypted, and this is not a
          problem in closed ISP environments"

     Or (b): "When working with consumer mobile devices, the RP will often be
          interested in what jurisdiction the device currently is in, and possibly
          whether or not the end-user is of age.   However, the details of
          this are private to the device.  This is best done as a passport
          check, with an Attestation Result that makes use of Selective
          Disclosure mechanisms."

The use of SD / encryption as well as whether audit level information of Verifier’s internal state (which is supported by EAR) would be tied to an appropriate use case. Possibly, EAR profiles would need to be use case specific?


My goal is not to design any single interaction here, but very small classes
of specific ones.

For example, when selling to US Gov, it is common to have FIPS certifications and to know at what level a system was certified. However, AR4SI doesn’t comprehend FIPS claims and it isn’t a substitute for FIPS either. Hence, a use case context that requires FIPS as attestation results might need to be included with an AR4SI claim

 

. The same goes for whether a specific trust vector makes sense for a given use case. For example, in a web deployment context, instance identity might not be necessary or might be forbidden by privacy law.

 

But I’m not clear on how you plan to proceed with AR4SI on a small bytes first approach that is use case specific and still have it make progress toward RFC status as the next nibble will update it before it makes it all the way through the IETF process. (chair hat on) Is this a recipe for an eternally unfinished draft?



This requires that we make the engineering tradeoffs, and that we leave
as few options as possible for later on.  Yes, this is harder to do than
abstract frameworks because it requires that we involve people writing code,
systems and dealing real constraints.    We **already** did the abstractions.

{For instance, I suspect that (b) might be right for SEAT access to age-restricted
content.}

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide