Re: [Rats] Serialization formats for attestation results

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 07 March 2020 21:24 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Laurence Lundblade <lgl@island-resort.com>
cc: "Smith, Ned" <ned.smith@intel.com>, "rats@ietf.org" <rats@ietf.org>
In-Reply-To: <F7ED01F8-31BF-4627-801D-BE0AE57CB61C@island-resort.com>
References: <41203417-EF88-4A43-8556-2665F2A6B09F@island-resort.com> <E0AE76F4-8AAE-427B-AF76-E5AB3CA66070@intel.com> <CAHbuEH5pr8Cw6pd-jzGZ281Dz8kibGMtSnCo4KpP6-3HesgKJQ@mail.gmail.com> <63304E99-E120-4025-A4FB-AAA326796300@island-resort.com> <19724.1583535153@localhost> <D7F44491-4D6A-4EA3-BC4A-615F11255968@intel.com> <F7ED01F8-31BF-4627-801D-BE0AE57CB61C@island-resort.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sat, 07 Mar 2020 16:24:47 -0500
Message-ID: <12503.1583616287@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/arE4rTOU40qJPGhfiz12tXR1Mws>
Subject: Re: [Rats] Serialization formats for attestation results
Precedence: list

Laurence Lundblade <lgl@island-resort.com> wrote:
    > Here’s how I’d expect a lot of the X.509 PKI’s to work.

    > 0) A root cert (a form / part of endorsement) is generated by the manufacturer / endorser and is given to the verifier.

    > 1) The manufacturer puts the private part of a key pair into the attester. It can be in any format including some raw format or some BER encoded format or even COSE format. It will just be used to sign evidence, so the best is probably some raw format. For ECDSA, best is probably just a 256-bit number.

    > 2) The manufacturer puts one or more X.509 certs into the attester including one with the corresponding public key.

    > 3) The attester signs evidence  with the private key

    > 4) The attester bundles the X.509 certs into the COSE headers. See
    > https://tools.ietf.org/html/draft-ietf-cose-x509-05

In draft-selander-ace-ake-authz we are looking at a way to pass the key by
reference rather than value, since bytes really count.

    > 5) The verifier walks the cert chain from the COSE headers up to the root

    > Net-net, the attester copies X.509 certs around, but never looks inside
    > so no BER code is needed.

We are in complete agreement.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

Attachment: signature.asc

[Rats] Serialization formats for attestation resu… Laurence Lundblade
Re: [Rats] Serialization formats for attestation … Smith, Ned
Re: [Rats] Serialization formats for attestation … Kathleen Moriarty
Re: [Rats] Serialization formats for attestation … Laurence Lundblade
Re: [Rats] Serialization formats for attestation … Thomas Fossati
Re: [Rats] Serialization formats for attestation … Smith, Ned
Re: [Rats] Serialization formats for attestation … Thomas Fossati
Re: [Rats] Serialization formats for attestation … Smith, Ned
Re: [Rats] Serialization formats for attestation … Michael Richardson
Re: [Rats] Serialization formats for attestation … Smith, Ned
Re: [Rats] Serialization formats for attestation … Laurence Lundblade
Re: [Rats] Serialization formats for attestation … Laurence Lundblade
Re: [Rats] Serialization formats for attestation … Michael Richardson
Re: [Rats] Serialization formats for attestation … Michael Richardson
Re: [Rats] Serialization formats for attestation … Salz, Rich
Re: [Rats] Serialization formats for attestation … Thomas Fossati
Re: [Rats] Serialization formats for attestation … Thomas Fossati
Re: [Rats] Serialization formats for attestation … Smith, Ned
Re: [Rats] Serialization formats for attestation … Smith, Ned
Re: [Rats] Serialization formats for attestation … Laurence Lundblade
Re: [Rats] Serialization formats for attestation … Michael Richardson
Re: [Rats] Serialization formats for attestation … Smith, Ned

Re: [Rats] Serialization formats for attestation results

Attachment: signature.asc