Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?
Ira McDonald <blueroofmusic@gmail.com> Wed, 08 July 2020 22:02 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71E53A0831 for <rats@ietfa.amsl.com>; Wed, 8 Jul 2020 15:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQzYGEMv2VPx for <rats@ietfa.amsl.com>; Wed, 8 Jul 2020 15:02:53 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F3B53A082E for <rats@ietf.org>; Wed, 8 Jul 2020 15:02:53 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id e15so15451vsc.7 for <rats@ietf.org>; Wed, 08 Jul 2020 15:02:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VjLLYgxtJJwiZ9s4+Ul2RvVgBHLao1Zc6T2b9v16I7o=; b=KRwEXFN82TKfiZPMf7oyIWafrdRzUVn85bharHqPh+SJe9ynvAwC0aLCCKTro2DU1A Tzwr9WjyFbNUn34eBCF1AF9nAJv1lsRdwVEeHpmzYsG92LaCPBVF/ayKoXBuxWaNDcYW tL//RTxPxrfed5vRrPmxL0rospvjGxPqaLfU4n22QJ36zUAuuPYGUIx+NajfRju+Mk6z L8XmKZLv2zl/jxiEDu/1iYOvShAiWiDWFyJNitl5pJgesDEA2hz99m7OdDefGpykmOwD IpeJskSWDa+0o/ygp8lyy4H9ZbvIBerBW+q4I7jmPVKM9c+ZYwRJXEgtG2/iBagz/yc7 CHSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VjLLYgxtJJwiZ9s4+Ul2RvVgBHLao1Zc6T2b9v16I7o=; b=tNZeky00u2HDBcgIQtc/lGE/lEGkc5ZH60XgfdhKrEG4X24eMJNIDgBh9KGiz482MO BQneQfKIzxtsc+u3h4q/+3FXX+SFtk9ke5RoEt9tgsuFWdj5XwMtl5LNo6s0V7qT9doF 58yB81uOQLLny44OYRSDo628PdKGDxZmUHRFPHvfSlxriE5A5Dooat5kefWWYs4HL5sj SbjlWb8RUiU20gRGAsQm8/IpryHf7clq8RrUP8qoLJus+efPV5G8Wvpp+TRqgkRUuuI7 wRS4TvP+5dpilgVKyDy2HHXvkLENYe+gj3BXdtO1zvolm9KEskvL1PNmF3K8pXG6+oge 5MPw==
X-Gm-Message-State: AOAM5336OzR2XebRLLXYLqZDyGFcQ4J459IsLrsNHDCrlyPGSaDB93sG kHAQstkOSgBf3qsCTcpOW7bTW2wKqQ/4L/euMnE=
X-Google-Smtp-Source: ABdhPJwQqGWVnqDzg7ip+rkHdN6uLuQ8wkXIRYo50xGJPp18bl9Pf4NA+IDSp7pIcLBLhbR8VmH89InCxXe70pCQiBM=
X-Received: by 2002:a05:6102:5dc:: with SMTP id v28mr44428779vsf.177.1594245772518; Wed, 08 Jul 2020 15:02:52 -0700 (PDT)
MIME-Version: 1.0
References: <ietf-rats-wg/architecture/issues/116@github.com> <28098.1593568476@localhost> <8AA2FB69-6E91-431A-BD57-354C65DAEE76@arm.com> <22564.1593904278@localhost> <74C3C9C3-F4A7-4577-B758-2FEAC06173E0@arm.com> <16696.1594054310@localhost> <0269E694-F006-4BC3-B8E6-13038C41FFD4@arm.com> <B45484F4-5B5F-49D3-BF2F-9AAADE496863@island-resort.com>
In-Reply-To: <B45484F4-5B5F-49D3-BF2F-9AAADE496863@island-resort.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Wed, 08 Jul 2020 18:02:38 -0400
Message-ID: <CAN40gSv-7VSBOfYFHqM=WHR7WMa8NSeRcn0VDp1d8SKCCnEfJw@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>, Ira McDonald <blueroofmusic@gmail.com>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f4a9c505a9f544ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Ys7e-JIBcVyaWTag6obGpSRmFyQ>
Subject: Re: [Rats] should Evidence containers be explicit about Personally Identiable Information?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 22:02:56 -0000
Hi Laurence, +1 to your whole rationale and suggested text. Cheers, - Ira *Ira McDonald (Musician / Software Architect)Co-Chair - TCG Trusted Mobility Solutions WG* *Co-Chair - TCG Metadata Access Protocol SG* *Chair - Linux Foundation Open Printing WGSecretary - IEEE-ISTO Printer Working GroupCo-Chair - IEEE-ISTO PWG Internet Printing Protocol WGIETF Designated Expert - IPP & Printer MIBBlue Roof Music / High North Inchttp://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic>http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc>mailto: blueroofmusic@gmail.com <blueroofmusic@gmail.com>(permanent) PO Box 221 Grand Marais, MI 49839 906-494-2434* On Wed, Jul 8, 2020 at 3:38 PM Laurence Lundblade <lgl@island-resort.com> wrote: > What is PII and what is not PII is almost entirely dependent on the > end-end use case and who the relying party is. > > Illustrative example: The UEID (serial number) of a device is definitely > PII when using a web browser to access multiple web sites, but it is not > when a router is attesting to the network management center. Even the web > browser case is not clear cut. The UEID (serial number) might not be > considered PII when accessing a banks web site, because you’ve told the > bank to “remember this device” (and the bank knows everything about you > anyway). > > I don’t think we can have a flag indicating which data is PII in > Attestation Evidence/Results. I don’t think we can say that this particular > EAT claim is PII and that one is not in any absolute sense. > > We can’t assume that the Verifier will always be trusted with PII, because > sometimes it is run by the relying party. > > On the other hand, sometimes the Verifier will be a highly trusted privacy > proxy. It will receive claims that are not privacy-preserving and strip > them out or otherwise anonymize them before sending on to the relying party. > > I think at both the architecture and EAT levels, the best we can do is > write privacy considerations — things that should be considered for > particular deployments. Maybe future IETF standards that are very specific > to use cases will be able to be more specific, but that’s for later. > > Most of the text in section 11 of the -04 draft seems OK, but I think > additional text like this is needed and hopefully addresses Kathleen’s > comments. > > Every claim in Attestation Evidence and Attestation Results is potentially > PII (Personally Identifying Information) depending on the end-end use case > of the attestation. Each deployment of attestation must take into account > how each claim may or may not be used in a privacy violating manner by the > relying parties receiving the attestation. > > In cases where the device sending attestation is owned by the relying > party, little to no consideration for privacy is needed. In other cases, > such as when a mobile phone is used to access a large number of web sites, > apps and services, privacy must be considered very thoroughly. > > These are some strategies that can be used to address the privacy issue: > > * Determine that a particular claim is not privacy violating in the > limited context of use. For example, a router sending its serial number to > the network management center that owns the router violates no one’s > privacy. > > * Simply omit the claim. For example, omit the serial number from > attestations sent by a phone to web sites it connects to. > > * Prompt the user. For example, ask the user if it is OK for a particular > web site to access location data. > > * Use a privacy proxy service between the device and the relying party to > remove or anonymize the privacy violating claims. > > Other strategies than these may be used. The selection of strategy is > highly dependent on the relying party, end use case and governmental > regulation (e.g., GDPR). The selection of strategy may also vary > claim-by-claim in a single attestation. > > > > LL > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] should Evidence containers be explicit abo… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Thomas Fossati
- Re: [Rats] should Evidence containers be explicit… Ira McDonald
- Re: [Rats] should Evidence containers be explicit… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Thomas Fossati
- Re: [Rats] should Evidence containers be explicit… Michael Richardson
- Re: [Rats] should Evidence containers be explicit… Thomas Fossati
- Re: [Rats] should Evidence containers be explicit… Laurence Lundblade
- Re: [Rats] should Evidence containers be explicit… Ira McDonald