[Rats] Partial Profiles (was Re: New Version Notification for draft-tschofenig-rats-psa-token-13.txt)

"lgl island-resort.com" <lgl@island-resort.com> Sun, 03 September 2023 18:50 UTC

From: "lgl island-resort.com" <lgl@island-resort.com>
To: Thomas Fossati <thomas.fossati@linaro.org>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Sun, 03 Sep 2023 18:50:02 +0000
Message-ID: <31907C23-3C21-4070-AB4D-6D045EEAB578@island-resort.com>
References: <169358319952.22584.5522382198109168002@ietfa.amsl.com> <CA+1=6yf4YmduV-V_9_tLKJtDV5erRKHW6JzZt1w4Y4kKw2A-Qg@mail.gmail.com>
In-Reply-To: <CA+1=6yf4YmduV-V_9_tLKJtDV5erRKHW6JzZt1w4Y4kKw2A-Qg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/bD5G1ki9f4M31MIpLm0p-odCesc>

Hi Thomas, here are my comments.

1) Preferred encoding
There is no requirement for preferred serialization. In particular, integers and integer arguments do not have to be in the shortest form. I think it should probably require it, like the EAT Constrained Device Standard Profile.

2) Base on EAT Constrained Device Standard Profile?
When PSA token started there was no EAT Constrained Device Standard Profile. Now there is. You could rebase the document to be a variant of EAT Constrained Device Standard Profile. You’d just say “PSA Token is the same as the EAT Constrained Device Standard Profile with these differences”. The differences are 1) any algorithm can be used, 2) claims Client ID, Secure Lifecycle,… are added, 3) freshness model allows epoch handles. Just a thought.

3) Partial Profile
(I get beat up when I make comments like this, but here goes…) This is a partial profile. It doesn’t guarantee interoperability because it doesn’t lock down algorithms, key identification or freshness. The EAT Constrained Device Standard Profile is not a partial profile like this because it does lock these down. If you leave it as a partial profile, I think you have to call this out. You have to say “further profiling is needed for real client-server interoperation”. Also, if you leave it as is, I think the EAT profile identifier should be removed because it doesn’t identify anything useful.

My suggestion to deal with the partial profile issue is to define one or more full profiles. Lock down the algorithms and key identification and such for one or more profiles. This doesn’t preclude a future PQ token and such. A PQ token is just a different profile to be defined in the future. It can be easily described as the PSA Token profile with PQ algs.

Basically, I’d like to discourage partial profiles that don’t interoperate. Maybe the EAT draft should be more clear on this. Maybe it should say that profiles with profile identifiers MUST NOT have any variability that would allow for non-interoperable implementations.

LL
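A check a verifier could run to enforce the preferred-serialization requirement raised in point 1, as an added example that is not code from the PSA token draft or its authors: it walks one CBOR data item (the outer COSE structure of a token, or an extracted claims payload) and reports every integer argument that is not in its shortest form, plus indefinite-length items. It uses only the standard library; the sample inputs in the test are constructed and the claim keys in them are arbitrary.

```python
def _head(buf, pos):
    """Decode one CBOR head -> (major, value, next_pos, minimal, indefinite)."""
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        return major, ai, pos, True, False       # value packed in the initial byte
    if ai == 31:
        return major, None, pos, True, True      # indefinite length (or break code)
    if ai > 27:
        raise ValueError("reserved additional info %d at offset %d" % (ai, pos - 1))
    n = 1 << (ai - 24)                           # 1, 2, 4 or 8 argument bytes follow
    arg = buf[pos:pos + n]
    if len(arg) != n:
        raise ValueError("truncated argument at offset %d" % pos)
    value = int.from_bytes(arg, "big")
    smallest = 1 if value < 0x100 else 2 if value < 0x10000 else 4 if value < 0x100000000 else 8
    # Preferred serialization: the argument uses the fewest bytes, and values below 24
    # belong in the initial byte. Float width (major 7) is a type choice, so it is not checked.
    minimal = major == 7 or (value >= 24 and n == smallest)
    return major, value, pos + n, minimal, False

def find_nonpreferred(buf):
    """List (offset, reason) for every item that violates preferred serialization:
    non-minimal integer arguments and indefinite lengths. Raises on malformed input."""
    issues = []

    def walk(pos):
        start = pos
        major, value, pos, minimal, indef = _head(buf, pos)
        if indef:
            issues.append((start, "indefinite-length item of major type %d" % major))
            while buf[pos] != 0xFF:              # consume chunks/elements up to the break code
                pos = walk(pos)
            return pos + 1
        if not minimal:
            issues.append((start, "non-minimal argument for value %d" % value))
        if major in (2, 3):                      # byte/text string: skip over the payload
            return pos + value
        if major in (4, 5):                      # array: value items; map: value key/value pairs
            for _ in range(value * (2 if major == 5 else 1)):
                pos = walk(pos)
        elif major == 6:                         # tag: exactly one enclosed item
            pos = walk(pos)
        return pos

    end = walk(0)
    if end != len(buf):
        raise ValueError("data item spans %d bytes, input is %d bytes" % (end, len(buf)))
    return issues
```

Because byte strings are skipped, run the function on the COSE_Sign1 payload separately to check the claims map itself.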




> On Sep 1, 2023, at 8:52 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote:
> 
> Hi folks,
> 
> We have just published -13 of the PSA token, which we reckon is really
> close to final.
> 
> So, given EAT is progressing towards publication, we are planning to
> submit the PSA draft to the ISE shortly.
> 
> Whilst we tried hard to tick all the boxes in §6 of EAT, we'd love to
> get some more eyeballs on it because it's one of the first EAT
> profiles and as such it might become a blueprint for others.
> Therefore it's quite critical that we make it as good as possible.
> 
> Thank you very much,
> cheers!
> 
> 
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Fri, 1 Sept 2023 at 17:46
> Subject: New Version Notification for draft-tschofenig-rats-psa-token-13.txt
> To: Adrian Shaw <adrianlshaw@acm.org>, Hannes Tschofenig
> <Hannes.Tschofenig@gmx.net>, Mathias Brossard
> <Mathias.Brossard@arm.com>, Mathias Brossard
> <mathias.brossard@arm.com>, Simon Frost <Simon.Frost@arm.com>, Simon
> Frost <simon.frost@arm.com>, Thomas Fossati
> <thomas.fossati@linaro.org>
> 
> 
> A new version of Internet-Draft draft-tschofenig-rats-psa-token-13.txt has
> been successfully submitted by Thomas Fossati and posted to the
> IETF repository.
> 
> Name:     draft-tschofenig-rats-psa-token
> Revision: 13
> Title:    Arm's Platform Security Architecture (PSA) Attestation Token
> Date:     2023-08-31
> Group:    Individual Submission
> Pages:    32
> URL:      https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-13.txt
> Status:   https://datatracker.ietf.org/doc/draft-tschofenig-rats-psa-token/
> HTML:     https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-13.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token
> Diff:     https://author-tools.ietf.org/iddiff?url2=draft-tschofenig-rats-psa-token-13
> 
> Abstract:
> 
>   The Platform Security Architecture (PSA) is a family of hardware and
>   firmware security specifications, as well as open-source reference
>   implementations, to help device makers and chip manufacturers build
>   best-practice security into products.  Devices that are PSA compliant
>   are able to produce attestation tokens as described in this memo,
>   which are the basis for a number of different protocols, including
>   secure provisioning and network access control.  This document
>   specifies the PSA attestation token structure and semantics.
> 
>   The PSA attestation token is a profiled Entity Attestation Token
>   (EAT).
> 
>   This specification describes what claims are used in an attestation
>   token generated by PSA compliant systems, how these claims get
>   serialized to the wire, and how they are cryptographically protected.
> 
> 
> 
> The IETF Secretariat
> 