Re: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT
Giridhar Mandyam <mandyam@qti.qualcomm.com> Thu, 10 December 2020 18:16 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/a6Fz1F88Kg0a7Fr33QcCP3ZS7NU>
Thanks Michael/Hannes for moving this discussion along, and to Laurence for the solid proposal. I can confirm that from a FIDO perspective, this proposal is acceptable.

-Giri Mandyam

From: RATS <rats-bounces@ietf.org> On Behalf Of Simon Frost
Sent: Thursday, December 10, 2020 10:11 AM
To: Laurence Lundblade <lgl@island-resort.com>; Michael Richardson <mcr+ietf@sandelman.ca>; Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org>; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Smith, Ned <ned.smith@intel.com>
Cc: rats@ietf.org
Subject: Re: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT

I can confirm approval from the Arm team to register these standard claims.

Thanks
Simon

From: Laurence Lundblade <lgl@island-resort.com>
Sent: 04 December 2020 19:57
To: Michael Richardson <mcr+ietf@sandelman.ca>; Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org>; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Smith, Ned <ned.smith@intel.com>
Cc: rats@ietf.org
Subject: Re: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT

So I read RFC 7120 which is super clear and exactly what is needed. It lines up with my third proposal.

We will ask IANA to pre-register claims in the Standards Action space of the CWT registry and also in the JWT registry. Or rather per the 7120, the WG chairs determine consensus here, then will ask the AD(s) and then ask IANA.

Is there consensus on pre-registration of these?

Name      Description          CWT  JWT                   Type
nonce     Nonce                10   <already registered>  byte string
ueid      Universal Entity ID  11   ueid                  byte string
oemid     OEM ID               13   oemid                 byte string
seclevel  Security Level       14   seclevel              integer
secboot   Secure boot          15   secboot               integer
dbgstat   Debug status         16   dbgstat               integer
location  Location             17   location              map
submods   Submodules Section   20   submods               map

These have all been in the EAT document for a long time and are described well in draft-ietf-rats-eat-06. They are fairly well understood and have either no open issues or only small open issues in GitHub against them. They include the most essential claims (nonce, ueid, oemid & submods) to implement an EAT.

I have chosen not to ask for the others because I don’t think they are as essential or as well understood yet and thus don’t meet the criteria in RFC 7120.

CWT numbers aren’t contiguous so as to line up with examples that have been in the EAT draft for a while.

I’ve shortened the JWT claims keys to less than 8 per RFC 7519.

If approved and registered, we’ll quickly publish a new EAT draft.

LL

On Nov 30, 2020, at 3:16 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

Laurence Lundblade <lgl@island-resort.com> wrote:
> The trouble is that I think many claims should be in the Standards Action range (-255 to 255). For example, nonce, ueid, submods section, location, CoSWID and probably a few others should be in the standard space. If I were IANA I would hesitate to register these in the Standards Action range until the EAT document is further along.

The WG can ask for Early Allocation. It should do it immediately, so that the Expert will provide feedback immediately.

> It also seems poor practice to unilaterally pre-assign Standards Action range claims in an EAT draft and then use them in a bunch of implementations. Those numbers could be assigned to someone else before EAT is an RFC.

You can do that if a registry you are just creating.
But, yes, you can't do that if you are using CWT.

> Register them in the Specification Required space (255 to 65535) once and for all. That will result in 3-byte map labels rather than 1-byte map labels, but there’s no transition.

> Finally, a third proposal: Maybe we can convince IANA to pre-register a small clear set in the standard space? Perhaps just nonce and UEID.

Please go read RFC7120.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
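
The map-label size trade-off raised in the thread can be checked directly against the CBOR integer encoding of RFC 8949. The following is an added example, not part of the original messages or of the EAT draft: it encodes a small claims map with the CWT labels from the table above and again with the same claims moved to a high-numbered range. The sample claim values and the numbering from 1000 upward are constructed for illustration.

```python
# Added illustration: CBOR (RFC 8949) sizes for integer claim labels.
import struct

def cbor_head(major: int, value: int) -> bytes:
    """Encode a CBOR initial byte plus its argument for an unsigned value."""
    if value < 24:
        return bytes([(major << 5) | value])
    for info, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                             (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if value < limit:
            return bytes([(major << 5) | info]) + struct.pack(fmt, value)
    raise ValueError("value too large for CBOR")

def cbor_int(n: int) -> bytes:
    """Major type 0 for n >= 0; major type 1 (argument -1-n) for n < 0."""
    return cbor_head(0, n) if n >= 0 else cbor_head(1, -1 - n)

def cbor_bstr(b: bytes) -> bytes:
    return cbor_head(2, len(b)) + b

def encode_claims(claims: dict) -> bytes:
    """Encode {int label: int | bytes} as a CBOR map (only types used here)."""
    out = cbor_head(5, len(claims))
    for label, value in claims.items():
        out += cbor_int(label)
        out += cbor_bstr(value) if isinstance(value, bytes) else cbor_int(value)
    return out

def label_size(label: int) -> int:
    """Number of bytes the map label itself occupies on the wire."""
    return len(cbor_int(label))

# CWT labels from the pre-registration table in the thread.
PROPOSED = {"nonce": 10, "ueid": 11, "oemid": 13, "seclevel": 14,
            "secboot": 15, "dbgstat": 16, "location": 17, "submods": 20}

# Hypothetical alternative: the same claims numbered from 1000 upward.
HIGH = {name: 1000 + i for i, name in enumerate(PROPOSED)}

# Constructed sample values, not taken from any real device.
SAMPLE = {"nonce": bytes(8), "ueid": b"\x01" + bytes(6), "seclevel": 3}

def token_size(label_of: dict) -> int:
    """Size of the encoded SAMPLE claims map under a given label assignment."""
    return len(encode_claims({label_of[k]: v for k, v in SAMPLE.items()}))

if __name__ == "__main__":
    for name, label in PROPOSED.items():
        print(f"{name:9} {label:3} -> {label_size(label)}-byte label")
    print("proposed labels:  ", token_size(PROPOSED), "bytes")
    print("high-range labels:", token_size(HIGH), "bytes")
```

All eight proposed labels are below 24, so each fits in the CBOR initial byte; labels from 24 to 255 take two bytes and labels from 256 to 65535 take three.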