Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Michael Richardson <> Sat, 23 November 2019 06:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 48BF0120833 for <>; Fri, 22 Nov 2019 22:33:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ya49dh1FUVgM for <>; Fri, 22 Nov 2019 22:33:38 -0800 (PST)
Received: from ( [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 23EA812022D for <>; Fri, 22 Nov 2019 22:33:37 -0800 (PST)
Received: from (unknown []) by (Postfix) with ESMTPS id 1BE211F450 for <>; Sat, 23 Nov 2019 06:33:36 +0000 (UTC)
Received: by (Postfix, from userid 179) id D04467D4; Sat, 23 Nov 2019 14:33:38 +0800 (+08)
From: Michael Richardson <>
To: "rats\" <>
In-reply-to: <>
References: <> <> <> <> <> <> <> <> <> <> <>
Comments: In-reply-to Dave Thaler <> message dated "Fri, 15 Nov 2019 07:38:32 +0000."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Sat, 23 Nov 2019 14:33:38 +0800
Message-ID: <>
Archived-At: <>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Nov 2019 06:33:40 -0000

{why do people insist on CC people who are on the list?
Do you enjoy getting three copies of emails with different headers}

Dave Thaler <> wrote:
    > I have not yet seen a compelling reason to use a pull-based mechanism
    > instead of a push-based mechanism via another protocol the routers
    > already support.

I agree.

    > In order to know who to pull data from, the Verifier has to have some
    > indication from the Attester that triggers the attestation request
    > indicated as Step 1 in draft-fedorkow-rats-network-device-attestation.
    > So in reality, there has to be a step before step 1,
    > whereby the Attester does something that makes the Attester
    > discoverable by the Verifier.   That step could have included the EAT
    > or the TPM data

I have a todo item to write up:
  1) a use case for Attestation at BSKI onboarding time.
     (really this is a RIV sub-case, I think)

  2) a document explaining how to carry EAT in BRSKI voucher-requests and
     RFC8366 vouchers.

That works well for initial attestation before a device is accepted onto a
network, but does not manage the ongoing safety of the device.  An open item
in BRSKI is finding a way to signal that a device supports RESTCONF, and
should have it's configuration loaded in that way.
That signaling could very well indicate that attestation is available that
way; well actually I think that once RESTCONF is up, the controller can
discover that it supports our EAT-YANG-module.

Having said all of this, I was surprised that my question on Friday's meeting
about what claims would be in the EAT that be returned from
entity-attestation-token-challenge-response did not elicit more understanding
and aha.

I want to be clear: I object to including the EAT in the *TPM* module,
  1) it's mixing two different things and there is no reason a device
     that supports one should have to support the other.
  2) I believe that the use case is completely different.
  3) returning EATs is way too important to get it wrong like this.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]        |   ruby on rails    [

Michael Richardson <>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-