[Rats] Re: AD follow-up review of draft-ietf-rats-uccs-09

Roman Danyliw <rdd@cert.org> Thu, 23 May 2024 12:54 UTC

From: Roman Danyliw <rdd@cert.org>
To: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: AD follow-up review of draft-ietf-rats-uccs-09
Thread-Index: Adp5jkX5AQoUr3B8Rl2nuXqvV7p7QgzgdnqQ
Date: Thu, 23 May 2024 12:53:56 +0000
Message-ID: <BN2P110MB1107A8114018462D5FD275A8DCF4A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <PH1P110MB1116C5BE031039613AA69302DC2DA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <PH1P110MB1116C5BE031039613AA69302DC2DA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM>

Hi!

I'm checking on the next steps on draft-ietf-rats-uccs.  Could the feedback below please be addressed?

Roman

> -----Original Message-----
> From: Roman Danyliw
> Sent: Monday, March 18, 2024 7:49 PM
> To: rats@ietf.org
> Subject: AD follow-up review of draft-ietf-rats-uccs-09
> 
> Hi!
> 
> I previously performed an AD review on draft-ietf-rats-uccs-08.  See
> https://mailarchive.ietf.org/arch/msg/rats/HU2eIC7AevBSBHGk5tqXSR8wMco/.
> Thanks for -09.  For ease of tracking issues, this new email summarizes the
> remaining issues from the AD Review.
> 
> 
> ** Section 6.
>    The security
>    considerations of [RFC8392] need to be applied analogously, replacing
>    the function of COSE with that of the Secure Channel.
> 
> [per -08]
> If all of the Security Considerations of RFC8392 apply, then there is an
> authenticity requirement for the Secure Channel.  RFC8392 says “it is not only
> important to protect the CWT in transit but also to ensure that the recipient
> can authenticate the party that assembled the claims and created the CWT.”
> 
> [per -08] the Privacy Preserving channel of Section 4.3 (Section 5.3 in -09)
> seems to explicitly suggest that the “receiver cannot correlate the message
> with the senders of other received UCCS messages “ which seems to be the
> opposite of authenticity.
> 
> [response]
> > The objective of 4.3 (now 5.2) is to discuss how authenticity does not
> > necessarily lead to linkability.
> > It does not relax the authenticity requirement.
> > (E.g., DAA replaces the attester key with a group key, and something
> > similar could be a use case for secure channels as well.)
> 
> [Roman] Can this nuance please be explained in the prose?  This seems to be a
> very different situation than authenticity in the CWT sense.
> 
> 
> ** Appendix A.  Excuse my rough understanding of CDDL.
> 
> -- [per -08] My read of this CDDL is that there is JSON hooks included with the
> JC<> construct.  This JSON binding isn’t explained any place else.
> 
> > Yes.
> > Parts about JSON bindings do not use normative language, because UCCS
> > is about CBOR claim sets.
> > This CDDL is designed to be useful in a mixed environment, based on
> > requirements from EAT.
> 
> I don’t understand.  This CDDL in Appendix A is normative, and so is the
> flexibility in its design to support JSON.  Otherwise, it would be “C< ...>” and
> not “JC<...>”.  I don’t take exception with providing a JSON binding but please
> explain this in the prose and in the introduction.
> 
> Roman
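A receiver-side sketch of the Section 6 point discussed above, added here as an illustration and not code from the draft or its authors: a UCCS carries no COSE protection, so the in-transit protection and sender authentication that RFC 8392 expects from COSE must come from the Secure Channel, and a group-authenticated channel (the DAA-like case the authors mention) keeps authenticity while denying the receiver the ability to correlate messages with an individual sender. The SecureChannel and Verdict shapes and the iss-matching rule are assumptions made for this example.

```python
"""Receiver policy for a UCCS: trust comes from the Secure Channel, not from COSE.

Constructed example (not from draft-ietf-rats-uccs). The channel and verdict
types are hypothetical; the only real constant is the CWT claim key for "iss".
"""
from dataclasses import dataclass
from typing import Optional

CWT_ISS = 1  # RFC 8392 claim key for "iss" (issuer)


@dataclass(frozen=True)
class SecureChannel:
    authenticated: bool            # peer proved possession of its key
    peer_id: Optional[str] = None  # individual attester identity, if the channel yields one
    group_id: Optional[str] = None # DAA-style group identity (privacy-preserving case)
    confidential: bool = True      # channel protects the claims in transit


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    origin: Optional[str]  # identity the claims set is bound to, if accepted
    linkable: bool         # can the receiver correlate this with the sender's other UCCS?
    reason: str


def accept_uccs(claims: dict, channel: SecureChannel) -> Verdict:
    """Apply the RFC 8392 considerations with the Secure Channel in COSE's role."""
    if not channel.confidential:
        return Verdict(False, None, False, "channel does not protect claims in transit")
    if not channel.authenticated:
        # A CWT could still be checked via its COSE signature; a UCCS has nothing to fall back on.
        return Verdict(False, None, False, "channel peer not authenticated")
    if channel.peer_id:
        # Conventional case: claims bound to one attester, so messages are correlatable.
        iss = claims.get(CWT_ISS)
        if iss is not None and iss != channel.peer_id:
            return Verdict(False, None, False, "iss claim contradicts authenticated peer")
        return Verdict(True, channel.peer_id, True, "authenticated individual peer")
    if channel.group_id:
        # Privacy-preserving case: authenticity holds at group granularity, and the
        # receiver cannot link this message to the sender's other messages.
        return Verdict(True, channel.group_id, False, "authenticated group member")
    return Verdict(False, None, False, "authenticated channel without a usable identity")
```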