Re: [Rats] draft-ounsworth-rats-x509-evidence-00

hannes.tschofenig@gmx.net Thu, 09 November 2023 14:40 UTC

From: hannes.tschofenig@gmx.net
To: 'Carl Wallace' <carl@redhoundsoftware.com>, 'Henk Birkholz' <henk.birkholz@sit.fraunhofer.de>, rats@ietf.org
Date: Thu, 09 Nov 2023 15:40:17 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/WcTJ9nlw9g0enr0kwC0xSOaYQ7A>

Hi Carl, 

A few responses below:

* The use of CBOR/COSE in SUIT: At the start of the SUIT working group the participants expressed a strong preference to use CBOR/COSE and didn't want to use ASN.1/CMS. Brendan and I had written a draft that used ASN.1, which was inspired by work Russ did. It happens that work being proposed does not align with the expectations of the group. I remember Henk and Carsten being vocal proponents of CBOR & COSE at that time. Was it a good idea to use CBOR/COSE instead of ASN.1/CMS? Now that the standardization and implementation work is almost finished it is a bit too late to ask this question again. 

* Do we want to provide claim definitions in ASN.1 format (as we do in the draft)? That was our understanding from the design team discussions.

* Should we keep the definition of the CBOR/COSE claim definitions in sync with the ASN.1 format? I believe there is value in doing so. There does not seem to be anything wrong with the semantics of the claims in EAT. We have received feedback already for better alignment since we have introduced a few bugs in the -00 submission.

* A question you did not ask was: Should all claims in EAT also be described in an ASN.1 format? Currently the draft only contains a subset of the claims. I have been asking myself the same question. It is somewhat likely that sooner or later all claims defined in EAT will need to be available in ASN.1 format.

Ciao
Hannes

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Carl Wallace
Sent: Thursday, 9 November 2023 14:45
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; rats@ietf.org
Subject: Re: [Rats] draft-ounsworth-rats-x509-evidence-00


On 11/9/23, 8:09 AM, "RATS on behalf of Henk Birkholz" <rats-bounces@ietf.org on behalf of henk.birkholz@sit.fraunhofer.de> wrote:

I think this discussion is moot, as was pointed out in the meeting already. Please see:

https://www.rfc-editor.org/rfc/rfc9334.html#figure-9

[CW] I don't think that diagram renders this discussion moot. X.509 certificate-based attestations have existed since before RATS (and before we called it attestation evidence). There's not even much question about the potential for including claims in an X.509 certificate within current RATS documents (see section C.3 of EAT). I think the questions are: 1) do we want to provide ASN.1 definitions for claims and 2) do we want to keep claim definitions (roughly) in sync across ASN.1/CBOR/JSON. Re: 1), there seems to be general acceptance of defining claims in ASN.1 for the most part (though no one really answered Brendan's question regarding why ASN.1 was disallowed for SUIT but is allowed here). Question 2) needs some more discussion. There was an exchange between Mike and Laurence during the presentation yesterday that highlights a potential difference of opinion between I-D author(s) and participants in the working group that could impact the adoption question.

On 09.11.23 14:05, hannes.tschofenig@gmx.net wrote:
> Hi Laurence,
> 
> The charter says:
> 
> "Standardize data models that implement and secure the defined 
> information model (e.g., CBOR Web Token structures [RFC8392 
> <https://datatracker.ietf.org/doc/rfc8392/>], JSON Web Token structures 
> [RFC7519 <https://datatracker.ietf.org/doc/rfc7519/>])."
> 
> CWT and JWT are mentioned as examples. The group already works on 
> another evidence format, namely the TPM-based stuff.
> 
> I would say that the document fits nicely within the scope of the charter.
> 
> Regarding the document split: I am open to discussions about your 
> suggestion, which assumes adoption in the group.
> 
> Ciao
> 
> Hannes
> 
> From: RATS <rats-bounces@ietf.org> On Behalf Of lgl island-resort.com
> Sent: Thursday, 9 November 2023 13:59
> To: rats <rats@ietf.org>
> Subject: [Rats] draft-ounsworth-rats-x509-evidence-00
> 
> I think it might be better to split this into two drafts.
> 
> First, define how to put CWT/JWT claims into ASN.1 and make an X.509
> attestation token.
> 
> Second, define the FIPS and CC status claims for CBOR, JSON and ASN.1.
> 
> I wish we didn’t have to do the first, but understand that we might. 
> Note that the RATS charter says we work on CBOR and JSON. There was a 
> little discussion about ASN.1 back in the early days and we certainly 
> put it off back then. There was also YANG discussion. Search the RATS 
> mail archive for ASN.1.
> 
> I’m much more interested in the FIPS and CC status claims. I would like 
> to define them for CBOR, JSON and ASN.1. If they are booleans this is 
> trivial. They would get registered in the CWT and JWT IANA registries.
> 
> One of the reasons I’d like to define them for CBOR and JSON is so 
> there’s a known and accepted way to translate their ASN.1 claims into JSON.
> 
> Also, the X.509 definition should be for Attestation Results as well as 
> Evidence. There’s no reason to restrict it and there’s no work to allow 
> use as Attestation Results.
> 
> LL
> 
> (sent incorrectly the first time only to the rats-chairs; meant it for 
> the list)
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>
