IETF Logo Mail Archive

Re: [Rats] Attestation Timing Definitions

"Eric Voit (evoit)" <evoit@cisco.com> Fri, 13 March 2020 21:34 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3473A1095 for <rats@ietfa.amsl.com>; Fri, 13 Mar 2020 14:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=GtkAQTZA; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=BDE/E2O9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cp8u38DJFD90 for <rats@ietfa.amsl.com>; Fri, 13 Mar 2020 14:34:05 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B09903A1066 for <rats@ietf.org>; Fri, 13 Mar 2020 14:34:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=69553; q=dns/txt; s=iport; t=1584135241; x=1585344841; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=zMJPwMaMSjzNtB4zlULWWvW3p3JNyPVSJ3pSYSWa9uQ=; b=GtkAQTZAJkRpA9nMdHbwCqK+JSwRTbqhLIglF7OlFchuii1KgVIFtkLk CH/oEk/+UxUKegQFc769BKLDSkkYT6DjzvXFNxrGSl90YzeWi8isF7M0R RlwdP30MDqHJ7C5vSMA+l/L60KqYqG4WwUimxovI3sSSw0BtEMhFQrE+r s=;
X-Files: smime.p7s : 3975
IronPort-PHdr: 9a23:qFUYUhJRQYgRN8oFR9mcpTVXNCE6p7X5OBIU4ZM7irVIN76u5InmIFeCtad2lFGcW4Ld5roEkOfQv636EU04qZea+DFnEtRXUgMdz8AfngguGsmAXEDlK//2Ryc7B89FElRi+iLzPA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AkAwA++2te/5JdJa1mGwEBAQEBAQEFAQEBEQEBAwMBAQGBe4ElLyQFJwVsKy0gBAsqCoQLYYJkA4pwgl+YGIFCgRADVAIHAQEBCQMBAS0CBAEBhEMCgh0kOBMCAwEBCwEBBQEBAQIBBQRthVYMhWMBAQEBAxIICQQGEwEBKwUHAQ8CAQYCEQECAQEBIQEGAwICAjAUAwYIAgQBDQUIBhSCOUyBfU0DHw8BkUWQZwKBOYhidX8zgn8BAQWFNBiCBQcJgTiBU4pMDxqBQT+BEUeBT34+gmQEgS4BEgEjHhaCWzKCLItbgh0ygkWeWHYKgjyDcoI8kF6bQY8Cm1sCBAIEBQIOAQEFgWkiZ3FwFYMnUBgNjh0MF4NQilV0AoEnjBkBgQ8BAQ
X-IronPort-AV: E=Sophos;i="5.70,550,1574121600"; d="p7s'?scan'208,217";a="446947234"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 13 Mar 2020 21:34:00 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 02DLY0Fk025595 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 13 Mar 2020 21:34:00 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 13 Mar 2020 16:34:00 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 13 Mar 2020 16:33:59 -0500
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 13 Mar 2020 17:33:58 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GZItLLh2qPfgGBvgwOOWAQqbTq5RjxEx7899PXG9HkLz9JS641g1Gii3zkpvkJ2kl1GhgEbn8IJPYe7X40+HSkYQv7ry/hFB7AuQKacFwWfsYIzeG+LsE4yRsJsZ9mKIXKm2VLgnL6mS0KTiVWfHvFboFVWamxL3u//E169p3PnTjhfJnHx1epgWQqrTUQygsCCuZm5uZBgU/8ZVB0sGOZJjCtAc7CYvsO30NB5glU8crgMqi0FGY9iuhuPmp8EPKtLj1MkQOeTJlNWrCGesxylo/WOT5XRvIusHlmCz2CROZ0FHIheJxctVXL5VgnIkBPIfW6+PoN88VfF/eUzukg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=VCbi7OuPp1fytIPe40Ecfw9FEb52Hy7iQx+28Q7rjs4=; b=nnZYoz2CIWlvblMjuJmORgstw74NbncvstNk6AXFr2n05rtWcMQsOglg/HyPYpsJwN2Q8wNHPhNd64rut3gUhiJNSCw0BXm3r30ZEyaJyPQ2zjCZUN6jhx7xWESGhAZXydwRy1ETOR/zh5Wpq9H4WMtzsFmskSvpNR1ACkJ2kCTsj9n69qD4sIpzM1DYGV320vc/Sl6LKjGeMiCJdEQj2KoaIutM+qdTT59IsEFiF1iTSovUn9sJr5eNr5xqYKYnbe1wMaDerTAPCdrDplnaC2uShSbSVcaZM6WsFJ7akuuOwnEdoJzWCZHBUhUbq8xM1pmaUxpqgHCx92OHz0mHPA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VCbi7OuPp1fytIPe40Ecfw9FEb52Hy7iQx+28Q7rjs4=; b=BDE/E2O9v+Y4TySyWXjyYJDncNfdoBSb2sWBYVNgbe6O8OpjFWPihYlI62ILDJf9b26X3rJ9sKQtFiozdfbRar8AnTKXb/E1LDhXCU6xfELnxfGegvZGbWW/uZXosQ8UB2iSJNT5Ak7cpE9gFzSAtoiRRy5OgSVihNVBf5XkRgw=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by BL0PR11MB3268.namprd11.prod.outlook.com (2603:10b6:208:67::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2814.14; Fri, 13 Mar 2020 21:33:57 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::ec9a:6707:d1ba:ce30]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::ec9a:6707:d1ba:ce30%7]) with mapi id 15.20.2793.021; Fri, 13 Mar 2020 21:33:57 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Smith, Ned" <ned.smith@intel.com>, Laurence Lundblade <lgl@island-resort.com>, "Panwei (William)" <william.panwei@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Attestation Timing Definitions
Thread-Index: AdX3Ey664zQelNNbRnODHHrrt7v6IwADGMYAAAF6neAAC58LAABPHGY3AAJ4+XAAMhlggAAFJmwg
Date: Fri, 13 Mar 2020 21:33:57 +0000
Message-ID: <BL0PR11MB31229027B882276F08FA0BB2A1FA0@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <BYAPR11MB31256F11BD86730AF9D21B6CA1FF0@BYAPR11MB3125.namprd11.prod.outlook.com><CD539706-7F11-4FF1-8483-17F51329C014@island-resort.com> <BYAPR11MB312543840E706D6A0DBC8013A1FF0@BYAPR11MB3125.namprd11.prod.outlook.com> <817d60e7ab6b41d5bad81b7702002397@huawei.com> <870488EF-4981-44CA-A6B9-65E176D380FF@island-resort.com> <1aa8a5c4038144f89ccf9d88a514fb6e@huawei.com> <52200DF9-4B74-4408-A209-18B42DB48ACF@island-resort.com> <BL0PR11MB312205B217AECC141105F685A1FD0@BL0PR11MB3122.namprd11.prod.outlook.com> <666BE797-9C1A-4D04-BD4A-7359C39FC903@intel.com>
In-Reply-To: <666BE797-9C1A-4D04-BD4A-7359C39FC903@intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evoit@cisco.com;
x-originating-ip: [173.38.117.73]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b2bafc8b-4ceb-4f44-cac7-08d7c7963cba
x-ms-traffictypediagnostic: BL0PR11MB3268:
x-microsoft-antispam-prvs: <BL0PR11MB3268DA25B619D716B8A2BCB7A1FA0@BL0PR11MB3268.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 034119E4F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(136003)(396003)(366004)(376002)(199004)(9326002)(316002)(81166006)(2906002)(52536014)(110136005)(4326008)(81156014)(5660300002)(7696005)(8936002)(53546011)(6506007)(9686003)(55016002)(86362001)(33656002)(478600001)(26005)(66556008)(66616009)(76116006)(64756008)(66946007)(66476007)(66446008)(8676002)(186003)(30864003)(71200400001)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:BL0PR11MB3268; H:BL0PR11MB3122.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: kAp6DuHMN3vtlTJPANjDhvGS5CkdydfrVZVkfFUpQxLsspGsM5i2sRzSPDEAtvT0+tgGgTTMezfjrz06sEWezx9uIclMPSVoTHftMU3lZMTKtDj6T/uIfUSs0IY/j39w28JTrwCYVuwbQHYS40W9bxhbQ5ve1gbMONRg7Ott0zPO4e0BfoQp+S72OCTyihRKRSbCnqiUugYVguN/IQfXBjKKTgN0IlQEmdi6M4NIQrcjjzacK8d7dYiE/gKpyl053cAOGKf+VS3ZwZgl9C+7fjDyHdhgI1TENhnDjpSue+qSkD3RI9TZ0QAmVYPaPyvjMZDpwMYbAiVcwxIvMIAUtD0gvpi3ZYAFsOggWB8Lt2Q3Ckx0d9GiZ8TefbtNvdQ+3r6yDUIg9ZTNwawoIT6h95yzGNZcFDdjk6hh+cWZe3SOpW++p3uHiHfTglp/bHYe
x-ms-exchange-antispam-messagedata: Q5Ok+tfBnDhzCzJHhP7NcjamDzocJqE9yA9Y4SmJsGhW/hwaztlNL3rcnGSy+KIiEtOyNQoDWIiIbsLk1CNJWuk++fblCHHhOx7ItwOkU5tZyoifD19mvvD2PaRcB7ERCecRKWQZ9Y1rbATEw4vPaA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; boundary="----=_NextPart_000_0343_01D5F95D.8D38C3C0"; protocol="application/x-pkcs7-signature"; micalg="SHA1"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: b2bafc8b-4ceb-4f44-cac7-08d7c7963cba
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2020 21:33:57.1972 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +92XCVG1YU0vb4HxIxrkp0PS1lLn7yfRiyF7l7D0J3TAAmP+J+Qg7sT47jWlU38T
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3268
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/XisxU4cL5xfIr87MGtQR00pCn8M>
Subject: Re: [Rats] Attestation Timing Definitions
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2020 21:34:26 -0000

Hi Ned,

 

I fully agree that there are similarities between "Stamped Passport Model" and "Composite Device".  For both, a Verifier needs to understand the implicit trust relationships between the various signed claims.

 

The way I internalize your thinking below is that we need glue that can express relationships between independently signed claims.  And beyond the 'transited Attestation Result' claim, I also believe there will be a 'sequence of claim creation' (i.e., a 'provable relative timing') claim.

 

Thinking of some possible future RATS drafts, I suspect that some claim language could be adopted to express these compositions.  With such a claim language, even structures paralleling those of DICE are conceivable.  Also conceivable are needs for the trusted discovery of valid Attester + Verifier structures by Relying Parties.  

 

In the short term, I don't think these complexities need to be included in the architecture document.  To make progress, I am simply asking that the terminology of the architecture document doesn't marginalize or make harder to describe the types of end-to-end architectures being explored with "Composite Device" and "Stamped Passport".

 

Per your note below on codifying the term "Passport".  You are right that the architecture now just describes the "Passport Model".   As long as somebody doesn't later try to define a "Passport", and then claim that a "Stamped Passport" is not really a  valid type of "Passport", I am good.

 

Eric

 

 

From: Smith, Ned, March 13, 2020 2:11 PM



The “Extended|stamped Passport Model” is a similar pattern to the “Composite Device” scenario where Evidence isn’t simply forwarded by a lead Attester but the lead Attester supplies a ‘transited evidence’ claim as part of the additional Evidence it supplies. 

 

I’m not sure RATS arch intended for the various ‘models’ to codify data structures e.g. a ‘Passport’ or if the intent is merely to observe the flow of Evidence and Attestation Results according to the named model. Maybe there is a similar need for a special type of claim that reinforces an expected flow or sequencing between roles? If in the Passport Model the Verifier supplies Attestation Results to the Entity that hosts the originating Attester role, then should the Verifier or Attester do something in the Attestation Results or in newly minted Evidence to acknowledge this? 

 

For example, the Attester could create new Evidence with a ‘transited attestation result’ claim. The entity hosting the Relying Party might then host a Verifier role that specializes in checking for Passport Model compliance by verifying the ‘transited Attestation Results’ claim.  Possibly, the Relying Party has a policy that allows/disallows use of a Passport model (or a hybrid). Simply defining a ‘transited attestation results’ claim seems to address all possible models whether Passport, Background Check or some hybrid we haven’t though of yet. 

 

Does anyone disagree?

 

-Ned

 

Copied text from below:

“It seems pretty clear to me in the Rats architecture doc that in the Passport model that the Attester just passes Attestation Results through without further signing. I don’t think it should be called Passport if there is additional signing in the Attester.

<eric>  In the case Wei is showing,  the Attester would take the signature from the Attestation Results time(i) and nonce from time(d') and sign these within a TPM.  This becomes a standalone element delivered parallel with the original Attestation Results from time(i).  

 

If simply reusing "Passport" is confusing, the wording in the RATS Architecture document need to be updated to cover cases where the passport is enhanced like above.   Do we want to call this an "Extended Passport Model", a "Stamped Passport Model", something else?  “

 

 

From: RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> > on behalf of "Eric Voit (evoit)" <evoit=40cisco.com@dmarc.ietf.org <mailto:evoit=40cisco.com@dmarc.ietf.org> >
Date: Thursday, March 12, 2020 at 11:49 AM
To: Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com> >, "Panwei (William)" <william.panwei@huawei.com <mailto:william.panwei@huawei.com> >
Cc: "rats@ietf.org <mailto:rats@ietf.org> " <rats@ietf.org <mailto:rats@ietf.org> >
Subject: Re: [Rats] Attestation Timing Definitions

 

Hi Laurence,

 

From: Laurence Lundblade, March 12, 2020 1:05 PM



Hi Wei,

 

below...





On Mar 11, 2020, at 7:24 PM, Panwei (William) <william.panwei@huawei.com <mailto:william.panwei@huawei.com> > wrote:

 

 

 

Regards & Thanks!

潘伟 Wei Pan

华为技术有限公司 Huawei Technologies Co., Ltd.

 

From: Laurence Lundblade [ <mailto:lgl@island-resort.com> mailto:lgl@island-resort.com] 
Sent: Thursday, March 12, 2020 1:33 AM
To: Panwei (William) < <mailto:william.panwei@huawei.com> william.panwei@huawei.com>
Cc: Eric Voit (evoit) < <mailto:evoit=40cisco.com@dmarc.ietf.org> evoit=40cisco.com@dmarc.ietf.org>;  <mailto:rats@ietf.org> rats@ietf.org
Subject: Re: [Rats] Attestation Timing Definitions

 

 






On Mar 10, 2020, at 8:20 PM, Panwei (William) < <mailto:william.panwei@huawei.com> william.panwei@huawei.com> wrote:

 

I think Ned’s email also has detailedly explained that the entity of Relying Party can also take on the role of Verifier, and in this case the Attester sends Evidence + previous Attestation Result to that entity, within that entity the Verifier role processes the Evidence and the Relying Party role consumes the two Attestation Results.

 

So, for a simple nonce-based Passport Model, the Attester just sends Attestation Result produced by the Verifier to the Relying Party, and the passport is simply the Attestation Result. 

   ..----------.                     ..----------.  .---------------.

   | Attester |                     | Verifier |  | Relying Party |

   '----------'                     '----------'  '---------------'

      time(a)                             |               |

      time(b)                             |               |

        |                               time(c)           |

        |<-----nonce 1------------------time(d)           |

      time(e)                             |               |

        |------Evidence---------------->time(f)           |

        |                               time(g){@time(h)} |

        |<-----Attestation Result-------time(i)           |

        |                                 |             time(c’)

        |<-----nonce 2----------------------------------time(d’)

      time(e’)                            |               |

        |------Attestation Result---------------------->time(l)

        |                                 |             time(h)

 

 

This still doesn’t seem right. time(e’) indicates the Attester is signing and creating Evidence because of the definition of a time id label (e). Additionally, the only way to securely include nonce2 is if the Attester is signing which implies it is creating Evidence.

[Wei] The Attester sends messages to the RP, can it sign the whole message whose payload contains a ‘nonce’ field and a ‘Attestation Result’ field? Must it only be creating Evidence when the Attester is signing?

 

 

The main purpose of this diagram is to label points in time and time(e) is defined as an Attester signing Evidence, so choose another letter if it is not signing Evidence. 

<eric> time(e) may have a signing event.  E.g., a nonce may be combined evidence in a TPM proves the evidence was available on specific attester no later that time(e).   This possible action of signing has been included within the originally proposed definition.

 

I am working on mapping the time(*)’s into the time values in EAT so we know if we have the necessary claims defined in EAT to cover all the flows. 

 

 

If this is to be a Rats architecture diagram, then it’s about more than labeling points in time and should start talking about formats and names for that Attester signing that is not Evidence. 

<eric> The original purpose of the thread was the proper naming of time points.  The sequence diagrams are shown to help demonstrate how the times might be used.    

 

Or maybe call it proprietary format or a TBD format. It also begs the question of the signing keys get set up and distributed, which is complicated stuff.

<eric> I absolutely agree that all the signing, etc. needs to be addressed.  This is why drafts like draft-fedorkow-rats-network-device-attestation and  draft-voit-rats-trusted-path-routing exist.   Such discussions are best made in those deployment contexts, rather than in the architecture draft.  That is unless we are looking to significantly increase the complexity of draft-ietf-rats-architecture.  

 

It seems pretty clear to me in the Rats architecture doc that in the Passport model that the Attester just passes Attestation Results through without further signing. I don’t think it should be called Passport if there is additional signing in the Attester.

<eric>  In the case Wei is showing,  the Attester would take the signature from the Attestation Results time(i) and nonce from time(d') and sign these within a TPM.  This becomes a standalone element delivered parallel with the original Attestation Results from time(i).  

 

If simply reusing "Passport" is confusing, the wording in the RATS Architecture document need to be updated to cover cases where the passport is enhanced like above.   Do we want to call this an "Extended Passport Model", a "Stamped Passport Model", something else?   





 

By my understanding in simple passport all the attester is doing is convey the exact bits it got from the Verifier to the RP. It can’t incorporate nonce2 in any meaningful way.

 

The only way to use nonce2 in the simple passport model is for it to go along side of nonce1 and arrive before time(e) to be part of Evidence. It could go direct to the Attester from the RP or it could go through the Verifier to the RP.

[Wei] I think this is also a reasonable case that the Evidence should include nonce from the RP and this may bring different considerations of timeliness.

 

Note that the latest EAT draft has an array of nonces rather than just one to accommodate this.

 






 

 

And for a complex model, which is the diagram 2 that Eric drew, the Attester will produce another Evidence to be sent together with the Attestation Result to the entity of Relying Party and Verifier.

For example, in the case of Eric’s draft (draft-voit-rats-trusted-path-routing), Evidence 1 is about the PCR value information, Attestation Result 1 says ‘boot processes have been verified successfully’, Evidence 2 is about time and changes since the Attester was last verified, Attestation Result 2 says ’time and changes are acceptable because only 5 minutes have passed since last verification and no changes happened’, then the Relying Party consumes these two Attestation Results to establish trust on the Attester.

   ...----------.                     ...------------.      ...------------------------------------.

   | Attester |                     | Verifier 1 |      | Verifier 2     |     Relying Party |

   '----------'                     '------------'      '------------------------------------'

      time(a)                             |                   |                      |

      time(b)                             |                   |                      |

        |                               time(c)               |                      |

        |<-----nonce 1------------------time(d)               |                      |

      time(e)                             |                   |                      |

        |------Evidence 1-------------->time(f)               |                      |

        |                               time(g){@time(h)}     |                      |

        |<-----Attestation Result 1-----time(i)               |                      |

        |                                 |                   |                      |

      time(a’)                            |                   |                      |

      time(b’)                            |                   |                      |

        |                                 |                 time(c’)                 |

        |<-----nonce 2--------------------------------------time(d’)                 |

      time(e’)                            |                   |                      |

        |------Attestation Result 1 + Evidence 2----------->time(f')               time(l)

        |                                 |                 time(g’){@time(h’)}      |

        |                                 |                 time(i')-----AR 2----->time(l’)

        |                                 |                   |                    time(h)

        |                                 |                   |                    time(h’)

 

The flow seems technically correct, but a few comments:

 

- Seems like an awful lot of trouble just to add a nonce from the RP. If nonce2 can be made to arrive before time(e) either directly from the RP to the Attester or via Verifier 1 you get the same effect (I think) with much less trouble.

[Wei] Same as the previous one, nonce 2 arriving before time(e) is a reasonable case that should be considered.

Or maybe it is the job of Verifier 1 to check the PCRs and the job of Verifier 2 to impose the policy related to the age of Evidence 1? Maybe even Verifier 2 is a machine learning system run by a 3rd party while Verifier 1 is a dumber system that just knows about valid PCRs operated by the HW vendor.

[Wei] Yes, between the Attester and the RP there may be multiple Verifiers for different purposes.

 

- If using dual verifiers and using EAT, then Evidence 2 has three claims: nonce 2, issued at time and Attestation Result 1 as a submodule, right? Attestation Result 1 might be TPM format which implies EAT submods have to allow for TPM format attestations.

[Wei] I think it’s not appropriate to say Evidence contains Attestation Result, they may be transited in the same message, but they are semantically different. So the message sent by the Attester to the RP has three claims, of which the first two being seen as Evidence and the last one being seen as Attestation Result.

 

Generally speaking, it seems OK to have an Attestation Result as a claim in Evidence. It means that some other Verifier did some of the work. The second Verifier would need some means to trust the first Verifier. I think my example of the first Verifier checking PCRs and HW measurements and the second one being an ML-based system fits here. I suspect we’re going to see all sorts of things in claims over the years, some wonderful, some horrible.

 

But, maybe that is not what is needed in this case, if you define the second signing to not be Evidence.

<eric> I think it is Evidence

 

 

Anyway, the main thought is to change that time(e) to time (n) if it is not an Attester signing Evidence.

<eric> It is an Attester signing Evidence.


Eric

 

 

LL

v2.23.0 | Report a Bug | By Email