IETF Logo Mail Archive

Re: [Rats] UEID where an instance is a group member

Simon Frost <Simon.Frost@arm.com> Wed, 25 March 2020 17:44 UTC

Return-Path: <Simon.Frost@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F31493A0747 for <rats@ietfa.amsl.com>; Wed, 25 Mar 2020 10:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=2dcC5r1C; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=2dcC5r1C
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbTp09_ogDNz for <rats@ietfa.amsl.com>; Wed, 25 Mar 2020 10:44:00 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-db5eur03on0612.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0a::612]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F8033A0034 for <rats@ietf.org>; Wed, 25 Mar 2020 10:43:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NYgOlFY4zvPhUibKhMuFHM5z1+CYrADFMzJVZ5ch7iQ=; b=2dcC5r1CNvSmvsjlVbKk6Thf1/+wlYBnlt97I8QLbs1m0ZhG7bKaufQM+XzndA4oodF4dt3d3Ow5lgo+yIyUeQrP+N3MlANaBmTnnfN9tt5wE5ojvu/C90eEZlnWYv6QUwpDmcY9e85K4XqQSndJjXC9LCWk6+ZrC/P0NYAsSvI=
Received: from DB6PR0601CA0004.eurprd06.prod.outlook.com (2603:10a6:4:7b::14) by DB8PR08MB4137.eurprd08.prod.outlook.com (2603:10a6:10:a5::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.18; Wed, 25 Mar 2020 17:43:56 +0000
Received: from DB5EUR03FT062.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:7b:cafe::bd) by DB6PR0601CA0004.outlook.office365.com (2603:10a6:4:7b::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.18 via Frontend Transport; Wed, 25 Mar 2020 17:43:56 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT062.mail.protection.outlook.com (10.152.20.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.17 via Frontend Transport; Wed, 25 Mar 2020 17:43:56 +0000
Received: ("Tessian outbound 60d769d68364:v48"); Wed, 25 Mar 2020 17:43:56 +0000
X-CR-MTA-TID: 64aa7808
Received: from e05eb6311dd5.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 896E7A1C-FB64-42FB-A9A0-35FF6ACFCC54.1; Wed, 25 Mar 2020 17:43:51 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e05eb6311dd5.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 25 Mar 2020 17:43:51 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UkD3shKqtDVKw8ooCLFPHCsTrrTuQCP5jaRTIH0MXdY5HGEjJKqTw0PUgn+Ivg3zc0Lw9FN3LPBTVPg0gMVL4Qzb9dZKOgFrHC2/60dhZZWZpstE/gl5rtgoUPygluY8ctWJ7dnC4bNWTsU4e2JkLtHnc3WPCxPJQbbzn+ikQbMrtjp6iblNyTWsH0QTeGIwOR3R7mZa1Xe9y/KUbiuMvJHXfGDkxDb2j8AnyFVQz2OIgL8SubaYwBIHczsBSlN9sc1cnjSSCERzMpTStDV7q4SCk/LOSOjnwUg/15CoB34ta4AO7M9pDd91G7vSPFpHyomzM/p26rmKUj4zq02xEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NYgOlFY4zvPhUibKhMuFHM5z1+CYrADFMzJVZ5ch7iQ=; b=XpsdzAVfj7LiQJ7CwJCWtNFOk4d5SDXpr0Mj27qgPeoDyJv1NnIje2aPWg4ijRBT2ZEhYxJzJatTVJvcwwZeOMQZ2OI6WW+uIjY866ul9ZTfYOGIenIHH29M5rlxxEsJ251UGDsThv0HMY3FzngWDcNPzLRYPlaxnC3qcYq6W8KtmyTtaXuu4kewlWzrn4ppPknr5URyMn9HQ4DyIbba7QJJ12EcxzybF1ZjtVJPMs+E1ihAKkUtzAX750IZjgySVjdpfvHd9GHngwRxNvPh2Jp5oIjwMTOXdzMTiBsiCI7kkrCRPqIra9K1FBwKzCxLmqFFg2iTcCsuLqYFO51w4w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NYgOlFY4zvPhUibKhMuFHM5z1+CYrADFMzJVZ5ch7iQ=; b=2dcC5r1CNvSmvsjlVbKk6Thf1/+wlYBnlt97I8QLbs1m0ZhG7bKaufQM+XzndA4oodF4dt3d3Ow5lgo+yIyUeQrP+N3MlANaBmTnnfN9tt5wE5ojvu/C90eEZlnWYv6QUwpDmcY9e85K4XqQSndJjXC9LCWk6+ZrC/P0NYAsSvI=
Received: from DBBPR08MB4903.eurprd08.prod.outlook.com (10.255.78.17) by DBBPR08MB4775.eurprd08.prod.outlook.com (20.179.46.211) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.18; Wed, 25 Mar 2020 17:43:50 +0000
Received: from DBBPR08MB4903.eurprd08.prod.outlook.com ([fe80::4126:33a9:6bb6:9c0]) by DBBPR08MB4903.eurprd08.prod.outlook.com ([fe80::4126:33a9:6bb6:9c0%5]) with mapi id 15.20.2835.023; Wed, 25 Mar 2020 17:43:50 +0000
From: Simon Frost <Simon.Frost@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>, "Smith, Ned" <ned.smith@intel.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] UEID where an instance is a group member
Thread-Index: AQHWAsKRdD+aXklc+0GMpNNrohEb06hZhGsAgAAORFA=
Date: Wed, 25 Mar 2020 17:43:50 +0000
Message-ID: <DBBPR08MB49036194FC808A06A9BBB54CEFCE0@DBBPR08MB4903.eurprd08.prod.outlook.com>
References: <C205FBA7-71A7-4987-AE82-DA855BF86B84@intel.com> <C3A707FF-4AF1-4E0A-BABB-8EE2F52A2D2B@island-resort.com>
In-Reply-To: <C3A707FF-4AF1-4E0A-BABB-8EE2F52A2D2B@island-resort.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 625f4254-2ade-45ee-a622-efb187cc6a18.0
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Simon.Frost@arm.com;
x-originating-ip: [212.69.61.73]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 2042389f-bfee-4b58-018a-08d7d0e417e0
x-ms-traffictypediagnostic: DBBPR08MB4775:|DB8PR08MB4137:
X-Microsoft-Antispam-PRVS: <DB8PR08MB4137D00AF4A0A32884F61B60EFCE0@DB8PR08MB4137.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:7219;OLM:7219;
x-forefront-prvs: 0353563E2B
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(346002)(39860400002)(366004)(136003)(71200400001)(76116006)(26005)(52536014)(66446008)(66476007)(186003)(5660300002)(66556008)(86362001)(64756008)(316002)(66946007)(4326008)(110136005)(81156014)(81166006)(9686003)(8936002)(478600001)(33656002)(55016002)(2906002)(7696005)(6506007)(8676002)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:DBBPR08MB4775; H:DBBPR08MB4903.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: HYH8Smv787sS+Z6yRtzodRUelXiSGm6WOMX81Al3dKPqZGnAvOLUuiQbHsk3MB+HOFKs7G0+mL0WxefgMlfTO6C6QLFy5YE/75yPu1SiLU6xy+iA+uLix8ZdGojKCJY4YtDE8hXHkv+tR7BiwpYoS/qpCp+QonKSEFWwa7PM7P5eMiJOYNXDhD2A0VqlydZb572OwGi2dB+TadT9AlChmhm2udfF4RGXo9b65LeOdOsudMZTaK68tFDII78GCcmL0uNRAneM4dCa9Sd/BueNkQNwMAc4cYk5Rf7jBZ34y/FhYNrJ1G+rj4gQmZ0RM0R3AM/ZxZhQsF9ljBvsn4do0uv+JnNXWoQ+j/a++4ReDnVsvxXO1Cpjku7Zp74ri+mT1xfkoHA5syiC6bRotgbhuSXDg29KwCwlxTmHoVTMrTla7VD6FHNWyxN1YLI6eTqUBv75zY68dnSBiQQYMOzrj6sL45nfFmQ4xK6uu7nJyKw=
x-ms-exchange-antispam-messagedata: Q6mD37Cd9fqZKC6S6CuVZF+oUxzsfW0sNwL/FAVXL4nhZ5TJi9tjaChaNS/eeod07Y2jnWADu0LdNO1s8Q+vddehZaSXTRS64u5BMH/EecgukoO4ZtxeFaBhC3NZSzw2gwK78RDd3FaetCzbiYGoiA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DBBPR08MB49036194FC808A06A9BBB54CEFCE0DBBPR08MB4903eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB4775
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Simon.Frost@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT062.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(39860400002)(136003)(396003)(46966005)(70586007)(356004)(81156014)(81166006)(9686003)(8676002)(55016002)(26005)(82740400003)(186003)(478600001)(336012)(26826003)(52536014)(33656002)(47076004)(5660300002)(70206006)(4326008)(33964004)(86362001)(8936002)(2906002)(110136005)(53546011)(6506007)(7696005)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB8PR08MB4137; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;
X-MS-Office365-Filtering-Correlation-Id-Prvs: dff06067-3033-4847-1706-08d7d0e413ed
X-Forefront-PRVS: 0353563E2B
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: GKN0oIWOqLIwyjSJVpZFVMgeUsCciI074QuqGYIPYSdvplKqqSO1V3YRBFPmFC7a2fc7aTaDM0gS29P5fZlGbtTQZc44L/3e0wgl2luTs8Z4JOp7Xv+Fxh3RYTwnCDi+q5JfdzV0BVJ/s+ZJ8vBdlIdti1fy3YYLNOc29QXzXVJMao/cyuVOwT22i43W7UIJO1g1rDgBmTSegI9nENQneH19Em3ybmBXsxPIB2KrmvIRhTxCuzaALul5jc7TQJOdLpavbCgtCG33urmRZcIlqN7zbTorM2uAvp1eLeLAa9jvTgJiHEnL+YNQkeCoByT8Mul7L1scqxAlOWhNcgtTRQ6Eoyo4flOsxFIgSlftcMAYqm1V/eLNQA9DPuwg9D47dmks2uTt1k+87xAniVeRyqBYEhVgsNBwywru3NmI/YiKbz6gFieyS8zD/OLGD2Bc2f6DC+004oKHpwb/9pluaipPytDj2N8HpDr2WBqx3F4//b+jmVyrrZFRPO25SAMm1p1xQsEDAEW1P4P6xWfHr5a3xipXVFBzHVCIC8CuKn0=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Mar 2020 17:43:56.7821 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 2042389f-bfee-4b58-018a-08d7d0e417e0
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB4137
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/SbCMTAXB2z1f8B_-WuvuMMjiDtw>
Subject: Re: [Rats] UEID where an instance is a group member
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 17:44:06 -0000

The immediately obvious use for a verifier is in key identification but it need not be limited to that. Off the top of my head I could imagine that an RP could perhaps use a GEID to be able to identify a device type that receives some trustworthy stance.

I’m not sure we can or should predict all uses up front, but in terms of being a potentially useful data item that could be used in policy evaluation, having a consistent manner to establish identity seems useful

Cheers
Simon
From: Laurence Lundblade <lgl@island-resort.com>
Sent: 25 March 2020 16:47
To: Smith, Ned <ned.smith@intel.com>
Cc: Simon Frost <Simon.Frost@arm.com>; rats@ietf.org
Subject: Re: [Rats] UEID where an instance is a group member

A GEID of similar structure to a UEID  seems like a possibility, but what exactly is purpose of such a GEID? What does the RP do with it? What does the verifier do with it?

An RP will use the UEID to track the unique, specific device. That is its clearly stated purpose.

In some designs, a verifier may use the UEID to identify the verification key, but that is not the UEID’s purpose. It a useful side-effect.

If the purpose of a GEID is solely for the verifier to identify the verification key, then I don’t think it is should be a GEID. It should be key id.

So for me this kind of hinges on what a GEID will mean for the RP. What are the groupings it gives and how are they meaningful to an RP?

LL



On Mar 25, 2020, at 9:29 AM, Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:

Is a GEID structurally different from a EUID? I think currently a EUID is either a 128-bit or 256-bit bstr. I assume the semantics of uniqueness differ.

From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> on behalf of Simon Frost <Simon.Frost@arm.com<mailto:Simon.Frost@arm.com>>
Date: Wednesday, March 25, 2020 at 8:47 AM
To: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>
Subject: [Rats] UEID where an instance is a group member

We had an internal discussion in response to some changes in PSA which have elaborated the definition of an Instance Attestation Key (IAK) so that it may either be “unique to each device or a collection of identical devices”. The definition of the Identity claim is now a value that identifies the IAK. This has been done to support entity grouping for (some) privacy scenarios.

While we have an EAT Profile for PSA that uses a full set of custom claims, our intent has always been to be to migrate as many claims as possible to the standard once the RATS work is complete. Previously, there has been a direct analogy between arm_psa_UEID and the standard UEID. With this change though, we would have to move away from this. The current description of UEID makes it clear that it must be device world unique. There is some discussion (https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html#name-ueid-privacy-considerations) of the group scenario, but the only statement about the claim situation is that “It will often be the case that tokens will not have a UEID for these reasons”.

In the privacy scenario, it is still desirable to have an entity identity claim, for use by a verifier or for general usage. The options seem to be:

a/ If the entity is unique, include an UEID claim, otherwise include a custom group claim. It seems a pity to encourage diversification between profiles.

b/ If the entity is unique, include an UEID claim, otherwise use a new standard GEID claim

c/ punt this problem out to the kid of the COSE wrapper. This would ignore any more general uses of group identities.

Of these, b/ (introduce a new standard GEID claim) seems to make the most sense and is the option we would propose to the WG.

Thoughts?

Thanks
Simon

Simon Frost
Senior Principal Systems Solution Architect, ATG, Arm
Mob: +44 7855 265691

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email