Re: [Rats] Entity vs. role

"Smith, Ned" <ned.smith@intel.com> Thu, 24 March 2022 18:07 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>, Laurence Lundblade <lgl@island-resort.com>
CC: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Date: Thu, 24 Mar 2022 18:06:47 +0000
Message-ID: <4A131D6A-F012-4B71-B5F7-A7129414D7E6@intel.com>
References: <3407CFB9-B713-4E13-BDA3-08EC7B5A905E@intel.com> <CAObGJnOxU0vfxzzZ9tv1J64KHDigxLcEMrgx0gDy97bE7NQJcA@mail.gmail.com> <E20F61DD-8775-4E68-8E56-E6EC92682A18@island-resort.com> <CAObGJnOv8ePE=R6vvdg5uib3Y9=WS8A5vcOdpWY0sREXA98aPQ@mail.gmail.com> <2BC14C43-80D0-4611-BEA0-9D9B9948BE0C@island-resort.com> <BYAPR11MB31255F64BDB773DB93A0C6CCA1179@BYAPR11MB3125.namprd11.prod.outlook.com> <9BFD1E45-569D-4E2F-BCD7-5DA6FF5A1BDF@island-resort.com> <SN6PR11MB3135EBAF7783D637C7BBA04AA1189@SN6PR11MB3135.namprd11.prod.outlook.com> <70179B54-6E99-4AD0-B28D-00284AA6BC86@island-resort.com> <86F9EC57-C752-407A-8E8E-C3C2C3A97F8A@intel.com> <716BA0A9-0EDE-425E-BE17-A072AF04832E@island-resort.com> <SN6PR11MB313507647DEB776A425ED124A1199@SN6PR11MB3135.namprd11.prod.outlook.com>
In-Reply-To: <SN6PR11MB313507647DEB776A425ED124A1199@SN6PR11MB3135.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/XDUaNxOI1L6YQKz_ijrcOB9-nnY>
Subject: Re: [Rats] Entity vs. role
List-Id: Remote ATtestation procedureS <rats.ietf.org>

The Attesting Env is a component (entity) that implements an Attester role. Presumably, there is a Target Environment from which the AE collects claims. The TE isn’t implementing the Attester role (hence it isn’t an Attester). The Arch draft takes some liberties to improve readability for a wide audience at the expense of potentially confusing those who want to put a fine point on things.

BTW there are implied entities hosting Verifier A and RP / Verifier B. Otherwise, it wouldn’t be interesting to talk about the message exchange sequences (which are presumably signed by the entities behind the roles).
-N

From: "Eric Voit (evoit)" <evoit@cisco.com>
Date: Thursday, March 24, 2022 at 2:11 PM
To: Laurence Lundblade <lgl@island-resort.com>, "Smith, Ned" <ned.smith@intel.com>
Cc: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Subject: RE: [Rats] Entity vs. role

Yes, the four boxes on top enclose RATS architecture roles required for the ar4si "Below Zero Trust" use case.

Eric

From: Laurence Lundblade, March 24, 2022 9:06 AM
Isn’t everything in this diagram a role?  If not, shouldn’t it be?


     .----------------.
     | Attester       |
     | .-------------.|
     | | Attesting   ||             .----------.    .---------------.
     | | Environment ||             | Verifier |    | Relying Party |
     | '-------------'|             |     A    |    |  / Verifier B |
     '----------------'             '----------'    '---------------'
           time(VG)                       |                 |
             |<------Verifier PoF-------time(NS)            |
             |                            |                 |
    time(EG)(1)------Evidence------------>|                 |
             |                          time(RG)            |
             |<------Attestation Results-(2)                |
             ~                            ~                 ~
           time(VG')?                     |                 |
             ~                            ~                 ~
             |<------Relying Party PoF-----------------(3)time(NS')
             |                            |                 |
   time(EG')(4)------AR-augmented Evidence----------------->|
             |                            |   time(RG',RA')(5)
                                                           (6)
                                                            ~
                                                         time(RX')

LL

On Mar 24, 2022, at 12:35 PM, Smith, Ned <ned.smith@intel.com> wrote:

Technically, the RATS Architecture is informational. Hence, no normative “requirements”, but that doesn’t mean an I-D based on the architecture should assume conceptual messages can be routed to some other role or that some other role can produce a different conceptual message.

The main point of this thread is to highlight the difference between role and entity. And to try to avoid conflating them. But they are intimately related nevertheless. The examples I provided help illustrate how they relate but without conflation.
-Ned

From: Laurence Lundblade <lgl@island-resort.com>
Date: Thursday, March 24, 2022 at 11:45 AM
To: "Eric Voit (evoit)" <evoit@cisco.com>
Cc: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>, "Smith, Ned" <ned.smith@intel.com>
Subject: Re: [Rats] Entity vs. role

It seems to me now that we need to sort out some of these use cases a little better as Henk suggested in the room in Vienna.


On Mar 23, 2022, at 1:54 PM, Eric Voit (evoit) <evoit@cisco.com> wrote:

From: Laurence Lundblade, March 23, 2022 4:03 AM
...

Ironic in a way — I want to forward/passthrough Evidence in Results, you are forwarding/passingthrough Results in Evidence :-)

<eric> It is not me that puts Results in Evidence.  It is the definitions in the architecture document which requires it *must* be specified this way.

5.1 describing the passport model does not imply or require (or preclude) two verifiers.

Section 5.1 does not require that AR be embedded in a new AE message when sent from the device to the RP. It puts no requirements on that transmission. I don’t think it even requires the Results be relayed by something that has security properties.

None of the examples in section 16 work this way.

I think the design is fine and good, but I don’t see it in my read of the architecture document. (I searched for occurrences of “passport”). Apologies in advance if I’ve missed something in the architecture document.

LL
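As an added illustration (not code from this thread or from any RATS project), the following Python models the exchange in Laurence's diagram with the role/entity distinction Ned describes: each box is an entity that holds a key and hosts one or more roles, and every message is signed by the entity behind the role, never by the role itself. The Entity and run_flow names, the HMAC standing in for real signatures, and the nonce-based proof of freshness are assumptions made for this example.

```python
import hmac, hashlib, json, secrets

# Toy model of the thread's distinction: an Entity holds a key and hosts
# roles; a role never signs anything, the entity behind it does. HMAC
# stands in for real signatures (assumption made for this example).
class Entity:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)
        self.key = secrets.token_bytes(32)

    def sign(self, msg):
        body = json.dumps(msg, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"signer": self.name, "body": msg, "mac": mac}

    @staticmethod
    def verify(signed, signer, need_role):
        if need_role not in signer.roles:
            return False  # signing entity does not host the expected role
        body = json.dumps(signed["body"], sort_keys=True).encode()
        expect = hmac.new(signer.key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, signed["mac"])

def run_flow(te_claims):
    # Entities behind the diagram's boxes. The AE hosts the Attester role;
    # the Target Environment hosts no role and only supplies claims.
    ae = Entity("attesting-env", ["Attester"])
    ver_a = Entity("verifier-a-host", ["Verifier"])
    rp_b = Entity("rp-host", ["Relying Party", "Verifier"])
    # time(NS): Verifier PoF, a nonce from Verifier A to the Attester.
    ns = secrets.token_hex(8)
    # (1) Evidence: the AE signs the TE's claims together with the nonce.
    evidence = ae.sign({"claims": te_claims, "nonce": ns})
    # time(RG): Verifier A checks role, signature and freshness, then (2)
    # its hosting entity signs the Attestation Results.
    if not (Entity.verify(evidence, ae, "Attester")
            and evidence["body"]["nonce"] == ns):
        return {"accepted": False, "stage": "verifier-a"}
    ar = ver_a.sign({"attester": ae.name, "result": "affirming", "nonce": ns})
    # time(NS'): Relying Party PoF, a fresh nonce for the second exchange.
    ns2 = secrets.token_hex(8)
    # (4) AR-augmented Evidence: the AE embeds the AR and the RP's nonce.
    aug = ae.sign({"ar": ar, "claims": te_claims, "nonce": ns2})
    # (5) RP / Verifier B checks the outer Evidence against the AE's key,
    # the embedded AR against Verifier A's key, then the RP's nonce.
    ok = (Entity.verify(aug, ae, "Attester")
          and Entity.verify(aug["body"]["ar"], ver_a, "Verifier")
          and aug["body"]["nonce"] == ns2 and "Relying Party" in rp_b.roles)
    return {"accepted": ok, "stage": "rp", "ar_result": ar["body"]["result"]}
```

Note that the RP never needs the Attester's claims to be re-verified by Verifier A: it checks the embedded AR against the entity hosting Verifier A, which is exactly the "Results in Evidence" relay Eric describes.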