IETF Logo Mail Archive

Re: [Rats] draft-ounsworth-rats-x509-evidence-00

Carl Wallace <carl@redhoundsoftware.com> Thu, 09 November 2023 14:30 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B17DDC151079 for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 06:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.606
X-Spam-Level:
X-Spam-Status: No, score=-1.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_ABOUTYOU=0.5, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qXJJaoShDhhu for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 06:30:06 -0800 (PST)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59107C1705F3 for <rats@ietf.org>; Thu, 9 Nov 2023 06:29:32 -0800 (PST)
Received: by mail-oi1-x234.google.com with SMTP id 5614622812f47-3b56b618217so517230b6e.0 for <rats@ietf.org>; Thu, 09 Nov 2023 06:29:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; t=1699540171; x=1700144971; darn=ietf.org; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent:from:to:cc :subject:date:message-id:reply-to; bh=HarYr49sY6liSH+4zAhBFDW5jqWrVh66t7BlsZrxXgs=; b=agAxBQAaE658Qhpr8sS4CGBitsW94+Glgvetrbqs1xa0HrD9NK28OpuO4t0r37w60N 2rCQmk3MYYg6+tBpgrDJyQGkI8RgSSOC8LhVZYwy8sIZeeec8ocDJhUPPd+0Cz02/qyO GZloAhki5djzez3keZSWofC7Qqh2YjiBjPApM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699540171; x=1700144971; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HarYr49sY6liSH+4zAhBFDW5jqWrVh66t7BlsZrxXgs=; b=F4wHecs9K/BZ+M+m+SkOiPEuUwoiC9AvgBRZCEdQxOX/dWApZ4r6H8/ANSzfnk4cJQ JCTBdwg5WxTfD5+yvHkGBvCEqy/+5Kb9afvXbEXXrWf9ZPlM7VBOOlTB5PBxAOHaXuIF jCtws2Z9ojo5f9FKhrzJgozdZPycNdiWFo1c7oGTXlTi0mt3P5QxjKjBvMASwTt0YISN i9uLMO47KjHc2QOcZgRW2Bmqim7mZwH5rrqOywVXSl7ZAZ8u5g6Gn8n0K2OL6MexzFxR RaP/KpJxytsX7svTeaMKIZjPqVRp3Pv1gtD8TYAW740TqeKF9Y1wz6/UgcoUHQwVfEuZ /Law==
X-Gm-Message-State: AOJu0YxPGyne0vfoINBnvGTxwON63bZJDGvVwe0z7jKXtKHzjEQqrm4L ykZw2oRVsfv6MSKsosuqZPRQUVUdwxrr7SeGG2E=
X-Google-Smtp-Source: AGHT+IHKdwo/f1qnUDEwUjcH075NiNiJaeT/oggve70imq9Qhs6Fh0e+EqpIbT1Fqza2yMUr6E2OSQ==
X-Received: by 2002:a05:6358:9184:b0:168:d1bd:a3c5 with SMTP id j4-20020a056358918400b00168d1bda3c5mr5537442rwa.3.1699540171372; Thu, 09 Nov 2023 06:29:31 -0800 (PST)
Received: from [192.168.2.16] (pool-96-255-232-167.washdc.fios.verizon.net. [96.255.232.167]) by smtp.gmail.com with ESMTPSA id hh12-20020a05622a618c00b004181b41e793sm1976286qtb.50.2023.11.09.06.29.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Nov 2023 06:29:31 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.78.23102801
Date: Thu, 09 Nov 2023 09:29:30 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, rats@ietf.org
Message-ID: <3034C286-724B-4B69-95BB-0A8066790FCA@redhoundsoftware.com>
Thread-Topic: [Rats] draft-ounsworth-rats-x509-evidence-00
References: <6FCC00F5-1FAE-4CCD-9ED2-DA2BA923E7F7@island-resort.com> <011801da130d$74579390$5d06bab0$@gmx.net> <66c6191b-c393-69da-a849-f44da369917a@sit.fraunhofer.de> <7DC2D9E1-F052-48A1-B5A8-978D52275EE5@redhoundsoftware.com> <cbcc5d8c-31e6-a56d-3933-5462fbf8ffbc@sit.fraunhofer.de>
In-Reply-To: <cbcc5d8c-31e6-a56d-3933-5462fbf8ffbc@sit.fraunhofer.de>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/_cqNPmFM66ErYPWpgqu_8zMrfT0>
Subject: Re: [Rats] draft-ounsworth-rats-x509-evidence-00
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 14:30:10 -0000

Inline...

On 11/9/23, 9:05 AM, "Henk Birkholz" <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:


Hi Carl,


my individual opinion:


1.) I am obviously leaning towards one document and less text 
referencing/cloning. Splitting documents would just create a more 
confusing spread of documents, I think. The combined content will remain 
the same. If the WGs really want one document that does one half in 
LAMPS and one document that does the other half in RATS... okay.

[CW] One document seems fine to me as well.

2.) We most poselutely must sync semantics across any "bow-tie formats" 
(or documents split across WGs).

[CW] I agree with that.

> There was an exchange between Mike and Laurence during the presentation yesterday that highlights a potential difference of opinion between I-D author(s) and participants in the working group that could impact the adoption question.


What was that about again? Carl, could you help me here, please?

[CW] It was about syncing claims across formats: https://youtu.be/JEtscCiEcfQ?t=5804. Immediately before that point referenced in the link, Dave gave thumbs up to keeping claims sync'ed, which I think there will be broad agreement for in the WG. Understanding how a third format will be managed seems like an adoption consideration.



Viele Grüße,


Henk


p.s. to Brendan's point: SUIT is build as a modern set of building 
blocks that will work elegantly for years to come and is luckily is not 
burdened with the esoteric laden history that are X.509 extensions. 
Evidence Attributes for X.509 artifacts still make sense as it will take 
some time before these requirements go away.

[CW] I get that ASN.1 will be around for a while and that new ASN.1 is appropriate for intersection points. While I don't share the opinion that an OCTET STRING in an extension is such an intersection point, I am not objecting to providing ASN.1 definitions. 


On 09.11.23 14:45, Carl Wallace wrote:
> 
> On 11/9/23, 8:09 AM, "RATS on behalf of Henk Birkholz" <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> <mailto:rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on behalf of henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de> <mailto:henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>> wrote:
> 
> 
> I think this discussion is mood as was pointed out in the meeting
> already. Please see:
> 
> 
> https://www.rfc-editor.org/rfc/rfc9334.html#figure-9 <https://www.rfc-editor.org/rfc/rfc9334.html#figure-9> <https://www.rfc-editor.org/rfc/rfc9334.html#figure-9> <https://www.rfc-editor.org/rfc/rfc9334.html#figure-9&gt;>
> 
> [CW] I don't think that diagram renders this discussion moot. X.509 certificate-based attestations have existed since before RATS (and before we called attestation evidence). There's not even much question about potential for including claims in an X.509 certificate within current RATS documents (see section C.3 of EAT). I think the questions are: 1) do we want to provide ASN.1 definitions for claims and 2) do we want to keep claim definitions (roughly) in sync across ASN.1/CBOR/JSON. Re: 1), there's seems to be general acceptance of defining claims in ASN.1 for the most part (though no one really answered Brendan's question regarding why ASN.1 was disallowed for SUIT but is allowed here). Question 2) needs some more discussion. There was an exchange between Mike and Laurence during the presentation yesterday that highlights a potential difference of opinion between I-D author(s) and participants in the working group that could impact the adoption question.
> 
> On 09.11.23 14:05, hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>> Hi Laurence,
>>
>> The charter says:
>>
>> “
>>
>> Standardize data models that implement and secure the defined
>> information model (e.g., CBOR Web Token structures [RFC8392
>> <https://datatracker.ietf.org/doc/rfc8392/> <https://datatracker.ietf.org/doc/rfc8392/&gt;> <https://datatracker.ietf.org/doc/rfc8392/&gt;> <https://datatracker.ietf.org/doc/rfc8392/&amp;gt;&gt;>], JSON Web Token structures
>> [RFC7519 <https://datatracker.ietf.org/doc/rfc7519/> <https://datatracker.ietf.org/doc/rfc7519/&gt;> <https://datatracker.ietf.org/doc/rfc7519/&gt;> <https://datatracker.ietf.org/doc/rfc7519/&amp;gt;&gt;>]).
>>
>> “
>>
>> CWT and JWT are mentioned as examples. The group already works on
>> another evidence format, namely the TPM-based stuff.
>>
>> I would say that the document fits nicely within the scope of the charter.
>>
>> Regarding the document split. I am open to discussions about your
>> suggestion, which assumes adoption in the group.
>>
>> Ciao
>>
>> Hannes
>>
>> *From:*RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> <mailto:rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>>> *On Behalf Of *lgl island-resort.com
>> *Sent:* Donnerstag, 9. November 2023 13:59
>> *To:* rats <rats@ietf.org <mailto:rats@ietf.org> <mailto:rats@ietf.org <mailto:rats@ietf.org>>>
>> *Subject:* [Rats] draft-ounsworth-rats-x509-evidence-00
>>
>> I think it might be better to split this into two drafts.
>>
>> First, define how to put CWT/JWT claims into ASN.1 and make an X.509
>> attestation token.
>>
>> Second, define the FIPS and CC status claims for CBOR, JSON and ASN.1.
>>
>> I wish we didn’t have to do the first, but understand that we might.
>> Note that the RATS charter says we work on CBOR and JSON. There was a
>> little discussion about ASN.1 back in the early days and we certainly
>> put it off back then. There was also YANG discussion. Search the RATS
>> mail archive for ASN.1.
>>
>> I’m much more interested in the FIPS and CC status claims. I would like
>> to define them for CBOR, JSON and ASN.1. If they are booleans this is
>> trivial. The would get registered in the CWT and JWT IANA registries.
>>
>> One of the reasons I’d like to define them for CBOR and JSON is so
>> there’s a known and accepted way to translate their ASN.1 claims into JSON.
>>
>> Also, the X.509 definition should be for Attestation Results as well as
>> Evidence. There’s no reason to restrict it and there’s no work to allow
>> use as Attestation Results.
>>
>> LL
>>
>> (sent incorrectly the first time only to the rats-chairs; meant it for
>> the list)
>>
>>
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org <mailto:RATS@ietf.org> <mailto:RATS@ietf.org <mailto:RATS@ietf.org>>
>> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats> <https://www.ietf.org/mailman/listinfo/rats> <https://www.ietf.org/mailman/listinfo/rats&gt;>
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org> <mailto:RATS@ietf.org <mailto:RATS@ietf.org>>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats> <https://www.ietf.org/mailman/listinfo/rats> <https://www.ietf.org/mailman/listinfo/rats&gt;>
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email