IETF Logo Mail Archive

Re: [Rats] my comments on the mic line

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 09 November 2023 13:52 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1ADAC17C53D for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 05:52:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.104
X-Spam-Level:
X-Spam-Status: No, score=-1.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, GB_AFFORDABLE=1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3D_03JflE5pL for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 05:52:04 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0ED4C198460 for <rats@ietf.org>; Thu, 9 Nov 2023 05:46:34 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-5409bc907edso1347509a12.0 for <rats@ietf.org>; Thu, 09 Nov 2023 05:46:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699537593; x=1700142393; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rmLrTOowj4jb+o4CaHEutZAhiyN4kV8EEH71YU01YNQ=; b=XnDTQ60A3RxkJXaMR7Nj+kJlkSAYG0oJcx+GGclL90Fx6L5MZYpw1BVQWZaCghca81 RTI8jIXPX+sWnnvLMia3QOvIKIlGX7YnfRS0xjupXRPB/ackk1LiH4/Meg5nGJLWVaUg iIqxa3viBeuszDqd0BLoKLXBhzW13Ccnu2nPJEGpP9RQJkTz39UaQVwuWds7w01evuoT S+pEveDWoFNxCfNVEj1bO+gOxl9M0xl15XgC1G8w3FIk7R1IkzoRQ1HvxmyUuFnU1oAz +syQHnR2gtQK7SBoyn8lLcSXXNykRlCmrg3YSGWYLZOHqgvwZdoJhZtyHobHY6pa+dOZ WPrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699537593; x=1700142393; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rmLrTOowj4jb+o4CaHEutZAhiyN4kV8EEH71YU01YNQ=; b=EBb1l2OE47KnECE4mElA0PXtscyX0//SBS2cXHFoViBSkxk/uu+icCGb0zHebGMHcs HUUTWcBx1lKC/+tOuwO/UBPxKpOU7k/nOL0sOWw26LMzjFTqSqCxnNkuVZfzSiq+hQdI xhWk+Bls08QhemuLaN/Xac7yur0lSHXKWh73HJfzxmaXk9UyHfuGuG3GJswU+Y4YFaxB ECe1Uhf/oe1s3F9OT+jW9WWdqC2V4jPABUTSFsc435MbCPdh1W5wfiYIDdzArEYjlQxG nzj8mw05kI5BOhDcQVAYiduRtvdqILvyFiEICs2woZTaFwfWCnwSYP+1MZcDtWISRJSZ WGrQ==
X-Gm-Message-State: AOJu0YxPgEOv+FO7NLk/Z2V4MTX0f3M4NOKOeJ4s/7QSvj4pEVzTlzMy DeskUl2YBKYXqIwJokSkSUQ+Gi7ya/H7Siw9STZDkTCZ
X-Google-Smtp-Source: AGHT+IH/rFNlbVyOn8hqgCfwNtsRDZz1UOWG2lz2r0T2rTpE7o2rnoloF//jzp+JFeaeb2pqng1j+jESoG5LgqhwapQ=
X-Received: by 2002:a50:d583:0:b0:53e:468d:64a9 with SMTP id v3-20020a50d583000000b0053e468d64a9mr4378393edi.21.1699537592391; Thu, 09 Nov 2023 05:46:32 -0800 (PST)
MIME-Version: 1.0
References: <CA+1=6ycTGM+dPLWGnFLnF2njAtdO6f3PEEwvgs1RLQh+N6eBjQ@mail.gmail.com> <CAHbuEH6a76RqLyBSXA6n0n9=RWnHpN5oBWndLJuqnhzf=PuEWw@mail.gmail.com> <CAK2Cwb66Xn4ENMeBJUj7URuaHfhhMoWh57gWWQfT4JCbkFhgGQ@mail.gmail.com>
In-Reply-To: <CAK2Cwb66Xn4ENMeBJUj7URuaHfhhMoWh57gWWQfT4JCbkFhgGQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 09 Nov 2023 08:45:55 -0500
Message-ID: <CAHbuEH4Pkv5-FHRqHyP4oN-AV2VuYU=6myzYRycbE67DeLg+hA@mail.gmail.com>
To: Tom Jones <thomasclinganjones@gmail.com>
Cc: Thomas Fossati <thomas.fossati@linaro.org>, rats <rats@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007a1c260609b86e79"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/alTop8DDkFuC7JwowN9_NG36698>
Subject: Re: [Rats] my comments on the mic line
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 13:52:07 -0000

Greetings!

I'll start here and work backwards as not to address something twice.

I appreciate the feedback and consideration and welcome more after an
update that addresses the relevant comments and incorporates thoughts of
new co-authors.

On Wed, Nov 8, 2023 at 1:56 PM Tom Jones <thomasclinganjones@gmail.com>
wrote:

> This area seems out of scope for standardization at all. It is internal
> enterprise decision. It could be included in a best practice for a specific
> industry or use case. It would never be possible IMO for general use.
>

The IETF typically works on what is required for interoperability on the
wire (as a former IETF Security area director). The draft is specifically
limited to that goal. This is also why Dave said his draft was architecture
and will be categorized as informational (it won't be passed on the wire
and there may be multiple ways to accomplish what has been put forth in
that draft.)

Let's say a container orchestration system like vSphere or OpenShift
perform an assessment to see if an operating system meets the controls that
are expected by a predefined policy. The result of this will need to be
communicated to a system that gathers that type of result of all the
systems, containers, applications in an administrative domain. The summary
statement needs to be consistent so the container orchestration system can
summarize the result in an attestation that essentially is to say the
policy was met (or not) to that GRC system. The collection system of these
results might be a traditional GRC system, and could also be a Container
Security Posture Management (CSPM) or a CNAPP management system.

The policy might be a vendor specific policy, called either a Benchmark or
a hardening guide. The name of the guide and the level the policy is met or
not needs to be conveyed to create the larger picture for the
administrative domain.



> I would much prefer that someone focus on a policy language to be sure
> that an unambiguous policy is possible. I have worked on one of those and
> found it to be missing any kind of rigor.
>

I'd put a policy language definition out-of-scope for the IETF. It does not
need to be consistent on the wire, but the result that settings and
measurements met (or didn't) expected values needs to be conveyed. Having
been involved in many of these types of projects over the years, they have
value, but take up lots of unnecessary cycles and funding. OVAL was one of
the standards for this purpose on traditional systems, but it is not a good
fit for virtualized or container systems. The path industry has taken in
recent years (and my team has data on this after studying the full product
market and profiling what is used where) is to shift from OVAL to vendor
specific APIs or SSH into systems (e.g. ansible, puppet).

What we all care about is a level of assessment to a specified set of
Benchmarks at a specified level. This draft is not complete on purpose to
get input and to work collaboratively. Its intent is to establish a
registry where you can convey which Benchmark, policy standard, or
hardening guide was used, what level (defined for each) was met, and a way
to convey any issues with meeting configuration settings or measurements.

I hope this bigger picture helps with a better understanding of the goals
and the importance as it was specifically limited to what was needed to be
conveyed on the wire to facilitate interoperability while allowing vendors
an ability to quickly evolve their policy language. Ideally, the Benchmarks
and each level would be available for customer use as a selection to assure
compliance within the container orchestration system. It's not practical to
share evidence on the wire when assessing each value as that would be too
much data, hence the local or "implicit" attestation recommendation for
policy verification to the Benchmark.

Perhaps Benchmark is a new term to some and I can help with that if needed.
Hardening guides and loosening guides are the other names, but Benchmark
conveys better the goal of setting the Benchmark to be met with levels
possible depending on risk tolerance.

Best regards,
Kathleen

>
> thx ..Tom (mobile)
>
> On Wed, Nov 8, 2023, 7:11 AM Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Thank you, Thomas!
>>
>> I also appreciate the introduction you provided and will sync with Marc
>> and the GRC team at Confidential Computing.
>>
>> Monty had also offered to engage. I'd like to sync with Monty and work
>> together to update terms to better align with the terms being used now. We
>> will also work with the GRC group and perhaps pull both Monty (if willing)
>> and Marc in as co-authors to get a good solution in place that will meet
>> industry needs. I'm open to co-authors and very happy to have collaborators.
>>
>> A.J. also offered that he'd like to contribute and that's welcome!
>>
>> My main objective is to get a good format and registry started with the
>> right set of claims to convey when a set of policies and measurements
>> (claim set) has been met (or has not) to convey compliance information to a
>> management system. This is a gap that needs filling or we will wind up with
>> compliance systems that operate in multiple ways with competing products.
>> (I do have that set of possibilities mapped out and it would confuse the
>> discussion here to bring it up. I'm happy to chat offline on those 3
>> areas.) I'd like to see an affordable method to assure OS and applications
>> that are as built-in as possible, hence this proposal that ties to Dave's
>> endorsements draft.
>>
>> Best regards,
>> Kathleen
>>
>> On Wed, Nov 8, 2023 at 7:12 AM Thomas Fossati <thomas.fossati@linaro.org>
>> wrote:
>>
>>> Hi Kathleen,
>>>
>>> sorry you didn't feel good, I hope you'll recover soon!
>>>
>>> This is a copy of the comments I made on the mic line, feel free to
>>> address them whenever you feel better.
>>>
>>> First of all, for me, it is important to get a grasp of the system
>>> architecture you have in mind to understand whether this work is in
>>> the scope of RATS.
>>>
>>> IIUC, you have a composite device that produces complex, multi-layered
>>> evidence.  Then a (local) verifier appraises the evidence and produces
>>> an attestation result.  Then a relying party (i.e., some kind of
>>> governance/risk-compliance application) uses its application-specific
>>> appraisal policy to process the attestation result and create an
>>> “attestation” (= NIST definition #2, see [1]) using the claims you
>>> want to define/register.
>>>
>>> If that is the case, it'd seem to me that the claims set is outside of
>>> the RATS picture - they'd be a message coming out of the RP box in the
>>> bottom right-hand corner of the architecture picture.
>>>
>>> If that is not the case - apologies if I misconstrued your design :-)
>>> - and the claims set is part of the attestation result coming out of
>>> the verifier, then it's good to go for me because this would be
>>> semantics encoded in one of the RATS conceptual messages.
>>>
>>> In any case, RATS or not, this is very relevant work.
>>>
>>> cheers, thanks!
>>>
>>> [1] https://csrc.nist.gov/glossary/term/attestation
>>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
>>
>

-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email