Re: [Rats] Attestation Timing Definitions

Laurence Lundblade <lgl@island-resort.com> Tue, 10 March 2020 21:05 UTC

From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <CD539706-7F11-4FF1-8483-17F51329C014@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A93CD679-CFB8-4A21-B70A-23EC75DE6A4A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 10 Mar 2020 14:05:04 -0700
In-Reply-To: <BYAPR11MB31256F11BD86730AF9D21B6CA1FF0@BYAPR11MB3125.namprd11.prod.outlook.com>
Cc: "rats@ietf.org" <rats@ietf.org>
To: "Eric Voit (evoit)" <evoit=40cisco.com@dmarc.ietf.org>
References: <BYAPR11MB31256F11BD86730AF9D21B6CA1FF0@BYAPR11MB3125.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/XzyJrbZk2WMJmciOvpaqRDZJtmM>
Subject: Re: [Rats] Attestation Timing Definitions
Precedence: list

> On Mar 10, 2020, at 1:09 PM, Eric Voit (evoit) <evoit=40cisco.com@dmarc.ietf.org> wrote:
> 
> 2. Nonce based Composite Evidence Passport.  
> This figure matches to the sequence diagram from Figure 3 of draft-voit-rats-trusted-path-routing
>    ..----------.                     ..----------.  .---------------.
>    | Attester |                     | Verifier |  | Relying Party |
>    '----------'                     '----------'  '---------------'
>       time(a)                             |               |
>       time(b)                             |               |
>         |                               time(c)           |
>         |<-----nonce--------------------time(d)           |
>       time(e)                             |               |
>         |------Evidence---------------->time(f)           |
>         |                               time(g){@time(h)} |
>         |<-----Attestation Result-------time(i)           |
>         |                                 |             time(c)
>         |<-----nonce------------------------------------time(d)
>       time(e)                             |               |
>       time(j)                             |               |
>       time(k)--Attestation Result---------------------->time(l)
>         |                                 |             time(h)

Something seems off here. By my understanding of the passport model, the Attestation Result is the passport and can only be created by a Verifier. This diagram seems to show the Attester creating there Attestation Result. 

Seems like one fix is to remove the second nonce and time(e) and say the the Attestation Result is exactly the same in both occurrences — classic passport where the attester just passes the result through.

The other fix is to have the Attester produce a second Attestation Evidence that includes the first Attestation Result, route that to a second verifier and then on to the RP. Then you have composition.

I don’t think Attesters can produce Attestation Results.

LL

[Rats] Attestation Timing Definitions Eric Voit (evoit)
Re: [Rats] Attestation Timing Definitions Laurence Lundblade
Re: [Rats] Attestation Timing Definitions Smith, Ned
Re: [Rats] Attestation Timing Definitions Eric Voit (evoit)
Re: [Rats] Attestation Timing Definitions Panwei (William)
Re: [Rats] Attestation Timing Definitions Panwei (William)
Re: [Rats] Attestation Timing Definitions Eric Voit (evoit)
Re: [Rats] Attestation Timing Definitions Eric Voit (evoit)
Re: [Rats] Attestation Timing Definitions Panwei (William)
Re: [Rats] Attestation Timing Definitions Eric Voit (evoit)
Re: [Rats] Attestation Timing Definitions Laurence Lundblade
Re: [Rats] Attestation Timing Definitions Panwei (William)
Re: [Rats] Attestation Timing Definitions Laurence Lundblade
Re: [Rats] Attestation Timing Definitions Eric Voit (evoit)
Re: [Rats] Attestation Timing Definitions Laurence Lundblade
Re: [Rats] Attestation Timing Definitions Smith, Ned
Re: [Rats] Attestation Timing Definitions Smith, Ned
Re: [Rats] Attestation Timing Definitions Eric Voit (evoit)
[Rats] EAT timestamps (was Re: Attestation Timing… Laurence Lundblade