Re: [Rats] Call for Adoption: EAT draft

"Eric Voit (evoit)" <evoit@cisco.com> Mon, 03 June 2019 15:01 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Laurence Lundblade <lgl@island-resort.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>, Giridhar Mandyam <mandyam@qti.qualcomm.com>
Thread-Topic: [Rats] Call for Adoption: EAT draft
Date: Mon, 03 Jun 2019 15:00:56 +0000
Message-ID: <DM6PR11MB408961522D9B290A8BBEF3FBA1140@DM6PR11MB4089.namprd11.prod.outlook.com>
References: <CAHbuEH6Mdwp+neWbcecA-pMYZoXKiNda2A0EnMh-8WX=W9_edA@mail.gmail.com> <DM6PR11MB408939CC9EA79D479B76586DA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <E09EB1B2-ED56-4F1B-8D80-BF0D227199A3@island-resort.com> <82b0a75e5b5645d1a43d240373bca6dc@NASANEXM01C.na.qualcomm.com> <DM6PR11MB4089DAD248EEAAF9F92F2C0AA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <50ddca72a9074e229976ca88f78e340a@NASANEXM01C.na.qualcomm.com> <DM6PR11MB4089BF4C3F319894DAE8722AA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <175ea22d1a1948d48f8180424cc89ec0@NASANEXM01C.na.qualcomm.com> <VI1PR08MB5360CE8EFA93515A140D30F2FA180@VI1PR08MB5360.eurprd08.prod.outlook.com> <DM6PR11MB408967D6E5EF0A355CF0D60BA1180@DM6PR11MB4089.namprd11.prod.outlook.com> <D53ECF26-E2F5-4BD5-A81F-BBE1AEEB4541@island-resort.com> <VI1PR08MB5360919E4669734878D75F6EFA190@VI1PR08MB5360.eurprd08.prod.outlook.com> <VI1PR08MB53608BBD4BC156012237D3C6FA190@VI1PR08MB5360.eurprd08.prod.outlook.com> <a811aa42-edee-a3c1-0a73-284f088dca6a@sit.fraunhofer.de> <4A0EA92C-80B3-471A-B61D-D9433BE81346@island-resort.com>
In-Reply-To: <4A0EA92C-80B3-471A-B61D-D9433BE81346@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/bfa70lP0Ug8xatt4kp6jyIlIic8>
Subject: Re: [Rats] Call for Adoption: EAT draft
List-Id: Remote Attestation Procedures <rats.ietf.org>

From: Laurence Lundblade, June 2, 2019 6:33 AM

I think it makes sense to separate into two:

1) New rules and advice for registering CWT/JWT claims
2) A basic set of attestation-related claims this WG will define

To go on about 1), it seems we are expanding CWT/JWT from just being auth tokens to also being attestation tokens and also identity certs (draft-birkholz-core-coid-01) and maybe X.509 replacements. This seems like mostly a good idea to me. It will be super cool that code can be shared by all of these for example. Lots of claims will overlap which is good too.

So I don’t think it makes sense to talk about "expert review of EAT claims". Rather we should talk about "expert review of CWT/JWT claims" and how it should be different than it is now.

<eric> One thing to consider is that claims from hardware are perceived as more trustworthy, with definitions changing less frequently than from software. (Whether this is true is of course debatable.)

If nothing else, if hardware and software generated claims are to be consolidated into common list(s), then a revised expert review process will need to reconcile the varying timescales and flexibilities of different implementers.

Eric

Also, if you haven’t looked at the registered JWT claims, it’s worth checking out: https://www.iana.org/assignments/jwt/jwt.xhtml. Am also curious what people think of bringing them into CWT and especially how we avoid conflicting duplication between CWT and JWT.


To say more about 2), it seems we should really work to come up with a nice, well-thought-out, medium-sized, coherent set of claims for attestation and put them in an RFC. This is roughly what the EAT draft is.

LL
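An added illustration of the CWT/JWT duplication point raised above; this is example code written for this page, not code from the thread, the EAT draft or any IETF project. It drives both token formats from one claim table, so the same claims set comes out as a JSON (JWT) payload keyed by registered string names and as a CBOR (CWT) payload keyed by registered integer keys, and it checks the two registries against each other the way a reviewer of a new claim would. The claim table is the overlap that RFC 7519 and RFC 8392 actually register (keys 1 to 7); the sample claims are the ones in RFC 8392 Appendix A.1, whose CBOR encoding that appendix also prints. The hex encoding of byte-string values on the JWT side is this example's own convention (JSON has no binary type), not something either RFC specifies. The CBOR encoder is a minimal hand-rolled subset so the block runs without third-party packages.

```python
"""
One claims set, two registries: emit it as a JWT payload (JSON, string
names) and as a CWT payload (CBOR, integer keys) from a single mapping
table, and report where the JWT and CWT claim registries disagree.
"""
import json
import struct

# JWT claim name -> CWT claim key, for the claims both registries define
# (RFC 7519 section 4.1, RFC 8392 section 4.1).  Keys 1..7 are the real
# registered values; nothing else is assumed.
CWT_KEY_BY_JWT_NAME = {
    "iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "jti": 7,
}

# The CWT registry's own short names for the same keys.  Key 7 is the one
# place the two registries picked different names for the same claim.
CWT_NAME_BY_KEY = {1: "iss", 2: "sub", 3: "aud", 4: "exp",
                   5: "nbf", 6: "iat", 7: "cti"}

# Sample claims set: the values from RFC 8392 Appendix A.1, written with the
# JWT names so one dict can feed both encoders.  "jti" carries the CWT
# byte-string token identifier 0x0b71.
SAMPLE_CLAIMS = {
    "iss": "coap://as.example.com",
    "sub": "erikw",
    "aud": "coap://light.example.com",
    "exp": 1444064944,
    "nbf": 1443944944,
    "iat": 1443944944,
    "jti": b"\x0b\x71",
}


def _cbor_head(major, n):
    """Initial byte(s) of a CBOR item: major type plus argument n (RFC 8949)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", n)


def cbor_encode(value):
    """Encode the CBOR subset a CWT claims map needs: ints, bstr, tstr, map.
    Map entries are emitted in ascending key order so output is canonical."""
    if isinstance(value, bool):
        raise TypeError("booleans are not part of this subset")
    if isinstance(value, int):
        return _cbor_head(1, -1 - value) if value < 0 else _cbor_head(0, value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _cbor_head(3, len(data)) + data
    if isinstance(value, dict):
        out = _cbor_head(5, len(value))
        for key in sorted(value):
            out += cbor_encode(key) + cbor_encode(value[key])
        return out
    raise TypeError(f"unsupported CBOR value: {type(value).__name__}")


def to_jwt_payload(claims):
    """JWT form: a JSON object keyed by the registered string names.  Byte
    strings are hex-encoded here; that is this example's convention only."""
    def jsonable(v):
        return v.hex() if isinstance(v, bytes) else v
    return json.dumps({k: jsonable(v) for k, v in claims.items()},
                      separators=(",", ":"), sort_keys=True).encode()


def to_cwt_payload(claims):
    """CWT form: a CBOR map keyed by the registered integer keys.  A claim
    with no CWT key in the shared table is refused rather than guessed."""
    cbor_map = {}
    for name, value in claims.items():
        key = CWT_KEY_BY_JWT_NAME.get(name)
        if key is None:
            raise KeyError(f"claim {name!r} has no CWT key in the shared table")
        cbor_map[key] = value
    return cbor_encode(cbor_map)


def registry_conflicts():
    """Cross-check the two registries: a CWT key reached from two JWT names
    (duplication) or a key whose CWT name differs from its JWT name."""
    problems, seen = [], {}
    for jwt_name, key in CWT_KEY_BY_JWT_NAME.items():
        if key in seen:
            problems.append(f"key {key} claimed by both {seen[key]!r} and {jwt_name!r}")
        seen[key] = jwt_name
        cwt_name = CWT_NAME_BY_KEY.get(key)
        if cwt_name != jwt_name:
            problems.append(f"JWT {jwt_name!r} maps to CWT key {key} registered as {cwt_name!r}")
    return problems


if __name__ == "__main__":
    print("JWT:", to_jwt_payload(SAMPLE_CLAIMS).decode())
    print("CWT:", to_cwt_payload(SAMPLE_CLAIMS).hex())
    for line in registry_conflicts():
        print("registry:", line)
```

The CWT bytes produced for SAMPLE_CLAIMS are the claims-set encoding RFC 8392 Appendix A.1 shows, which is a cheap way to check the hand-rolled encoder. The conflict report surfaces the jti/cti naming split; a claim such as an attestation nonce, which has a name but no entry in the shared table, is rejected by the CWT encoder instead of being assigned an unregistered key.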