IETF Logo Mail Archive

Re: [Rats] IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet

"lgl island-resort.com" <lgl@island-resort.com> Wed, 04 October 2023 17:52 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B6BC1519B8 for <rats@ietfa.amsl.com>; Wed, 4 Oct 2023 10:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQZVRe_LG9jy for <rats@ietfa.amsl.com>; Wed, 4 Oct 2023 10:52:36 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2130.outbound.protection.outlook.com [40.107.92.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9FFFC14CE29 for <rats@ietf.org>; Wed, 4 Oct 2023 10:52:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h0IS7mS+2cG5SbR4MxTfcRKJW7vAM1+sNNK9LHB6vycn1II/FTY+2Bfvm+EKgjPF6mlKYSPWGMTd1JkHGpWKYY/Q+UYO4160ddEFJgrbKV19AebAjNmcvo05jXmB/Elkq3UqEV1gspCqi6MDT1ff3KmAo9/eYz+Y1lFGF6SkBen1AHu/P0uYxZTt89giw2znl2D8Gqz3HjSXyRcJoVwEhLWLn6LFsxCpZRt393VxyL1nWrTfv362Pnku8Y8fZDI+1fvdPm9uNj8y/q4RhnD2W601tukBwIUBDrnE47Uow4A6Vi586UIZn81pJRvWkQKCkreLud9GNoR4l8ZXgRDvCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=G5dr0IxWxMwXmL6Bn3/uY9baGiYEBhNEDL6ecVaI/1c=; b=HCMCr1SD2INW+MuVdr8p85dAR93wwfY6CZJ1YJ8eNWpknf3XuEgY7H0OXljRPVObmaQlQsSPzgxp1UVOTeB6Or3QcbNCOPJqDewOasSvHmff49kO0MVWj33k7eVhC1cgnUq3Tx+zjI2mD7YrJHKXZgnZPKDScyoAw7k4pj3aEGcuLJ8IQ5LA3HzHKMfFtBlXPKZX4tpoqkLdR1A2u09Cl1MZDmTO2ziL4JvR5lxx426eubP9LDZrIED18FDbSVx6NmpuXHJoTy69phUaEmsPxkVeLX/J4ZZ6mV5qqMo0L2gpfRtOPhtR5Qu0VUIPdCuljCkfNHiUVe2GEgePrkxqOQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by SA1PR22MB4928.namprd22.prod.outlook.com (2603:10b6:806:3ad::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.28; Wed, 4 Oct 2023 17:52:32 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::f317:e4d1:7e1e:3934]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::f317:e4d1:7e1e:3934%3]) with mapi id 15.20.6838.033; Wed, 4 Oct 2023 17:52:31 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: "dthaler1968=40googlemail.com@dmarc.ietf.org" <dthaler1968=40googlemail.com@dmarc.ietf.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "iab@iab.org" <iab@iab.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet
Thread-Index: AQHZ9Z+fDqV5ENOyzki94IR1XMKe3LA4fhaAgAFttQA=
Date: Wed, 04 Oct 2023 17:52:31 +0000
Message-ID: <4DA794FF-8835-4030-86E7-7E4D6C8A71BB@island-resort.com>
References: <169627945480.62917.5309122275327869344@ietfa.amsl.com> <16966.1696299372@localhost> <12f601d9f634$abe84ac0$03b8e040$@gmail.com>
In-Reply-To: <12f601d9f634$abe84ac0$03b8e040$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|SA1PR22MB4928:EE_
x-ms-office365-filtering-correlation-id: fd83a88c-bfd8-40f7-b4d0-08dbc502aec9
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0DQR9EuiUkLXeojOu/NtOHvKTw2F9SB26dpV1LlDiecKZKkjDK5LrWp7+SCtih+w+lrvQZSOI3Ja4V6MbBM2m2jwg0TmUBPdNA6SHURcespE9RiyA9pMr/ryhjItxuGwYvBJDqqJDJPxNU+CS/TKA3/o0I9UjJJxFP5P3mpfCrcLA1m/ESB+RTbseIh8WhU2i4iHFTn60bUobgSvkSY5XeUV2MlYKuAKLblrRt4RObObRWfrRun/SC2ZqCK2GlDko6GyCkjOdc1xx8mlEnBqiVwQcqmWQZjw5m6sueSRgumb0DP1mFFZApU7FLQbANdpwfKvPZrhkXketP4m1Q7FUjH2EVrQJtcrA+XsXP20sQsEPuthOQrSI65RK6Fu/Fh690ovj3t+0j5BwSGXbdgoVG8Zt63bepUEdFTAgBQDApYwqyP1XHgqTvpPQBD/iGTQlTWnVtByAiBInU5fJkU3IqcA6R1yVs9MzfcJIGrxbUX4H0UkTdwDuUdSFCJbzKTW0p/vJ2w3Bzqha+2zqoO2qZ2E5/ooHE++mh5NMCy0hyV/fjGNkESqbIpkQcc8149aINjWOKmj9JstAYsWwWEEiAM5yqc4jXOee/ZVfxvOvAlxjTGSqbBuDJJQD/OXhrQmQSDcCkpRvOm1nwFHZUyDkQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(346002)(396003)(136003)(376002)(39830400003)(366004)(230922051799003)(451199024)(1800799009)(186009)(64100799003)(71200400001)(6512007)(6506007)(6486002)(66899024)(53546011)(122000001)(33656002)(86362001)(38100700002)(38070700005)(36756003)(26005)(2616005)(83380400001)(66574015)(64756008)(76116006)(66946007)(66556008)(66476007)(66446008)(54906003)(41300700001)(2906002)(5660300002)(8936002)(8676002)(4326008)(316002)(966005)(478600001)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 3whpPY9v6A2GXM3ugRPdRU/n4vNJ3JyJY9bnL+zEzmbVq+sswnH174pu8GXoHqUTqNEl/gGAXaioN34HpTUdD8Pwdi5v0pxkMWWgs8o2RZqfdGBHB/9qqZMKMVATHQd7KFslCRUXB9nd9DJJ9v7XxqJkkUWKCiDWye4UNBkVm3ZkjY5Dvi4uHvXK95Y2zQU5BbbWC96MKl+A+W1ucalry84F3j7wVIm0j1/KKP5HvjbvO76bqT6baLW6OUJ3MRzjAFnHUpRkcdRMH0jVYO4QapCTNPQ/NsqkaOkGx0si619ibWseV5273j0OwXsHppVUb3Vo9+Llvd065xMNTIMmivggXEq/TV2ZRhxiEex+Ch2rBiQDdCl6q9ogRe0wrALr4DZkMAyLOFVphZCIsd/ynBJHN3xNFlLX68DIfu0VHSkKJLiayF9yE0m8JAYX9Tr6BhDdWB03r+KND+xQG7fRYGkxKUuCDu5B7PnUXIVFFbV5aKvmT2Y8Gky4DVZyre+svy4Iqf7GqQofEx5ISAtfV1RGbxHdQv7nS916hnu+R5j8rjUKzUCWiJ5Sd243EqrKJTkTPEOV8fwgDaoQAq5bN7CdWg/BWnpArMRvW/zfDtEaoza6E8CqwCxCBuEPPjrB0VX4oYXvX6HBel2G1k8szCeeKd/8mcqomdrB9H8XuFS7QmqJY/nAyhdK9fR6v9VD1YTkVd2+WJd1wN4JgAa4oxTRF0Ji76xcKkARO2TYLIc/G7peUlcb25wjUAoKjefEG85OLBn/J+YmeVdVgsPXn1PFne97J0K4Vm1ClWf8x6oijh58mYKkRK+ELch5Ch3JuP0++6SPlYQwKgvpewqBPG2O0l6/7jHdK21vTmhDNp86Xrtv6tV0BGWoVgY51u0txmIUHbtaccHU7iKqaW03oB0lPlBXp5gOogFNqcvIn1y5/wiZffhT41FOvI/2COXuY/ytrAKFMdEY266PYUIaTYQmh6JGnX36NoQKo/cv8YLtXaKyLbl9kiXORP4FgjLKGSd1aua2NWcvecJCLdib9/lZ/SPJ79cTU7W+6GXmVhl6IqelXKTSg2cQSVYkUCuS27/vgvEJaQYgzK+1BWWrHx6TO0Su9750rzV/siNB3BvfswbKyrZdWpqEj+lNBMDRMUMe74KIkFppaNetp8oa9ykyEP3A0fdfBUjFoyLIsVa4zqucyfgj+aTpfoq1v7NgVaGfQwRVNOPBb1K2jXtrKKjR4vGD06oE5JBAZFXhiTogtLjy/CUjSaaVUL+06raZ7UVOB2OZWz4E9vRVlkFGPpybsnSKx9qury+vtBZyvHeCti03AwErUNcYlr30RbBGfOpN4p1jFXwlgf3/I2yzEDyFV74BuekyOvcgXC77sQkx3hGLWsoqNvKcKMYqhYg7lwpUwyYciqdzFBe6eQx9bl5hpF6eqTdQAC/fRcsnDO922YcKd3jmNgrZjrY9dbLcGd7Oz4SoNHwMv5WGFZWgLbg/Tg8c/iUgNd81oiPirwRmdUOJlk811n2xG/lWpbIEBLUbgjEOI6TB4b0TqBu2VyO+eHmW3okreKJ4KwyHKgoCcKVQRJt6FfqX2li5iSo+kgPWmaZk39d5hQaEgc0knQ==
Content-Type: text/plain; charset="utf-8"
Content-ID: <2C9EBEE548C39A49A7A89B070CD632D6@namprd22.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fd83a88c-bfd8-40f7-b4d0-08dbc502aec9
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Oct 2023 17:52:31.5645 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: aMKPGeTToJoX7oqCZwJ7B+sSfmnpOdIFw56IDS7hPFMWQMumiJPbSC36CkitRi2IlKrLYMGcYIx/L3A2EOmUDQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR22MB4928
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/WOewQjqrcurFwY3Tc97t41hecE0>
Subject: Re: [Rats] IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Oct 2023 17:52:38 -0000

+1 to Dave’s points.

It’s not right to generally discourage use of attestation without consideration of security requirements for use cases.

LL

(and glad to see attestation is getting attention, and appreciate the clear wording in the statement :-)


> On Oct 3, 2023, at 1:03 PM, dthaler1968=40googlemail.com@dmarc.ietf.org wrote:
> 
> Michael Richardson writes: 
>> IAB Executive Administrative Manager <execd@iab.org> wrote:
>>> On 25 September 2023, the Internet Architecture Board (IAB) posted a
>>> new IAB Statement on the Risks of Attestation of Software and Hardware
>>> on the Open Internet[1].
>> 
>>> [1]
>>> https://datatracker.ietf.org/doc/statement-iab-statement-on-the-risks-of-
>> attestation-of-software-and-hardware-on-the-open-internet/
>> 
>> It's an interesting statement, and I suspect that I agree with the intent.
>> As written, it fails to inform: you need to know what the treacherous uses of
>> remote attestation are (and then take two steps not detailed in this
>> statement) in order to understand the statement.
>> I think that this should be revised, and it shouldn't be so timid.
>> 
>> As an author of RFC9334, I'm rather surprised that this statement was issued
>> without any consultation with us.
>> 
>> As written, I find this statement useless.
>> I would be happy to work with the IAB to craft a better statement.
> 
> I have to say I 100% agree with Michael here.  I admit I too had a fairly strong negative emotional
> reaction reading the IAB statement, very similar to early drafts of draft-iab-protocol-maintenance
> which I provided feedback about it being potentially harmful as worded, and we worked to
> improve it to become a much better document RFC 9413.   I had provided feedback saying
> that I agreed with much of the intent, but the way it was worded could be taken to promote
> harmful principles that were not intended.   I have exactly the same feedback on this IAB
> statement.
> 
> Some specific feedback follows.
> 
>> the use of such attestation as a barrier to access otherwise open protocols and services
>> would negatively impact the evolution of the Internet as a whole
> 
> Analogy: disallowing access to those who cannot attest is in many ways analogous to
> disallowing access to those who cannot use encryption.   Thus, by extension the IAB could equally say
> "the requirement to use encryption everywhere as a barrier to access otherwise open services
> would negatively impact the evolution of the Internet as a whole".   I, and I suspect many others,
> would disagree with that principle, that encrypting everywhere is important to secure the
> Internet and allow open services to continue being open and viable.   I would argue that
> a comparison between attest-everywhere and encrypt-everywhere is valid.
> (Full disclosure: I am the author of the statement "Every authentication use case is an
> attestation use case." and my response here is consistent with that.)
> 
>> Adding client attestation into otherwise open systems can significantly reduce openness for the Internet broadly.
> 
> I think this is a red herring / mischaracterization.  The use of attestation does not reduce openness any more
> than the use of authentication or encryption do.   You might argue that authentication and encryption both
> DO reduce openness, and you might have a valid point there.   But in all three cases, I argue it's not the addition
> of the technology itself that reduces openness, it's specific POLICIES that one can apply.   And those policies
> could be done with authentication (e.g., restricting what type of identity, or what domain you connect from,
> what IP address range you connect from, etc.) too.   In my view, the IAB would be better replacing the statement
> about attestation with a statement about policy restrictions regardless of whether we're talking about authentication
> or attestation.
> 
>> Attestation of client software and hardware is distinct from user authentication. User authentication verifies
>> the identity of a user or a credential associated with a user, and is compatible with any implementation that
>> supports the correct form of authentication.
> 
> I appreciate the IAB trying to do a compare/contrast here.  But I think the IAB misses a number of key points here.
> User authentication does not mean the request actually originated from that user nor that the user consented to it,
> and so is weak security without attestation.  Only authentication with attestation can ensure that it was not
> compromised by malware subverting the user's intent, and so the IAB statement can be misread as an argument
> against security, much like arguing against encrypting everywhere would.
> More on "is compatible with any implementation" below.
> 
>> In contrast, attestation of client software and hardware places explicit restrictions on the implementations
>> that are allowed to participate in the protocol.
> 
> Again, only in the same sense as requiring encryption does.  Specific POLICY can place restrictions on implementations,
> but that's the policy not the existence of attestation itself.
> 
>> Restricting access via attestation of software or hardware would limit the development of new protocols and
>> extensions to existing protocols, lock users into a limited ecosystem of applications, and hamper the ability
>> to audit implementations, conduct measurements, or perform essential security research.
> 
> One could make the same statement about "Restricting access via requiring encryption would limit ..." or
> "Restricting access via POLICIES around user authentication would limit...".  And I suspect there would be
> lots of interesting discussion around those two claims too.   Calling out attestation here specifically seems
> to me to more confuse the issue than help.
> 
>> The IAB invites those in the industry and standards community working on client attestation in open services
>> to engage with the relevant IETF working groups (in particular, Privacy Pass and RATS)
> 
> To echo Michael's comment, I think those of us in the IETF RATS WG would invite those in the IAB to engage
> with the WG to revise the IAB statement.
> 
> Thanks for listening,
> Dave Thaler
> 
> 
> 
> 
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email