[Rats] Re: Iotdir early review of draft-ietf-rats-msg-wrap-04

"Smith, Ned" <ned.smith@intel.com> Thu, 30 May 2024 15:30 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: "rats@ietf.org" <rats@ietf.org>
Date: Thu, 30 May 2024 15:30:05 +0000
Message-ID: <CO1PR11MB5169BA9BCC6EE4E7D04F17B2E5F32@CO1PR11MB5169.namprd11.prod.outlook.com>
Subject: [Rats] Re: Iotdir early review of draft-ietf-rats-msg-wrap-04
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/XFxvxa5EOn5q-8nRQV4Ir4DBymI>

>> * Section 5.2: I wonder about the consequences of having two different CMW
>> specifications: one by the Trusted Computing Group (TCG) and the other in this
>> draft. I downloaded the TCG specification and found a reference to this draft.
>> Would it be possible for future versions of the TCG specification to reuse this
>> draft rather than creating a subset? Also, this draft states that the "CMW
>> extension" "MUST NOT be marked critical," whereas the TCG specification states
>> that the "tcg-dice-conceptual-message-wrapper extension criticality flag SHOULD
>> be marked critical." In summary, I wonder if these specifications can somehow
>> be synchronized.
>
>I think you are right, they should be fully aligned.
>Ned is the chair of the DICE WG in TCG, so he's the authoritative
>voice wrt this point.

Actually, I'm not the DICE WG chair.

The DICE WG was concerned with the potential for legacy X.509 parsers to grant access to resources even though the certificate extension contains attestation evidence, including evidence for layered DICE components (the components upon which the Target Environment depends for trustworthy operation). A non-DICE-aware parser's normal behavior is to succeed when ignoring noncritical extensions. Therefore, the CA issuing the cert can force a failure in legacy code that should be DICE aware (aka CMW aware) by marking it critical.

A DICE-aware parser will already have logic that expects a DICE / CMW extension, hence, there's no need for the extension to be critical. The normative language allows for use of the criticality flag when it makes sense and to avoid using it when it makes sense also. Whether the two specs align on SHOULD or SHOULD NOT seems equivalent to achieving the goal.
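The criticality behaviour discussed in this message, as an added example that is not part of the thread, of draft-ietf-rats-msg-wrap, or of the TCG specification: the code hand-encodes a DER `Extensions` sequence as RFC 5280 defines it, then runs two verifiers over it, one that has never heard of the CMW extension and one that recognizes it. The rule applied is RFC 5280 section 4.2: an unrecognized extension is ignored when noncritical and causes rejection when critical. The CMW OID and the extension payload are constructed placeholders, not the real arc or a real CMW.

```python
"""Added example: how the criticality flag decides what a verifier does with an
X.509 extension it does not recognize (RFC 5280 section 4.2). Pure stdlib."""

# Assumption: made-up private-enterprise arc standing in for the CMW extension OID.
CMW_OID_PLACEHOLDER = "1.3.6.1.4.1.99999.1"
KEY_USAGE_OID = "2.5.29.15"  # real id-ce-keyUsage, recognized by every verifier
# Constructed stand-in for the CMW bytes; the content is irrelevant to the rule.
EVIDENCE_PLACEHOLDER = b"\x82\xa3constructed-cmw-payload"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fused into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits a field equal to its DEFAULT, so a
    noncritical extension carries no BOOLEAN at all."""
    body = _encode_oid(oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


def encode_extensions(exts):
    return _tlv(0x30, b"".join(encode_extension(*e) for e in exts))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_extensions(der):
    """Return a list of (oid, critical, value) tuples from a DER Extensions."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        critical = False
        t, field, p = _read_tlv(ext, p)
        if t == 0x01:  # explicit BOOLEAN present, so critical was TRUE
            critical = field == b"\xff"
            t, field, p = _read_tlv(ext, p)
        exts.append((_decode_oid(oid_body), critical, field))
    return exts


def verify_extensions(der, known_oids):
    """RFC 5280 4.2: reject on any unrecognized critical extension; skip
    unrecognized noncritical ones. Returns (accepted, list of ignored OIDs)."""
    ignored = []
    for oid, critical, _value in decode_extensions(der):
        if oid in known_oids:
            continue
        if critical:
            return False, ignored
        ignored.append(oid)
    return True, ignored


def outcomes(critical):
    """Same certificate extensions seen by a legacy and a CMW-aware verifier."""
    der = encode_extensions([(KEY_USAGE_OID, True, b"\x03\x02\x05\xa0"),
                             (CMW_OID_PLACEHOLDER, critical, EVIDENCE_PLACEHOLDER)])
    return {"legacy": verify_extensions(der, {KEY_USAGE_OID})[0],
            "cmw_aware": verify_extensions(der, {KEY_USAGE_OID, CMW_OID_PLACEHOLDER})[0]}


if __name__ == "__main__":
    print("critical:   ", outcomes(critical=True))   # legacy rejects, aware accepts
    print("noncritical:", outcomes(critical=False))  # both accept
```

With the flag set, only the legacy verifier fails, which is the forcing effect the DICE WG wanted; with the flag clear, the legacy verifier silently accepts a certificate whose evidence it never evaluated, while the CMW-aware verifier behaves identically in both cases.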