IETF Logo Mail Archive

Re: [Rats] draft-ounsworth-rats-x509-evidence-00

hannes.tschofenig@gmx.net Thu, 09 November 2023 15:12 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E9EAC18773D for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 07:12:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.304
X-Spam-Level:
X-Spam-Status: No, score=-2.304 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qd5nIT5d8iLC for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 07:12:37 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DB12C18E552 for <rats@ietf.org>; Thu, 9 Nov 2023 07:12:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1699542743; x=1700147543; i=hannes.tschofenig@gmx.net; bh=0rGGrZv+rGeDPX+dZDJrsjyuxdayE8JJDtxK3xtKTNY=; h=X-UI-Sender-Class:From:To:References:In-Reply-To:Subject:Date; b=okxopGuyXCjmvzAIhOoaaQZ41NVOzKNBMlD+Lq+UnJqSPZ3zTe0KCN414djwI0Go ZuGU+bbRxKjQMA3dQ+KjSdPLKdwPg1ZORva80h4uOlsjNMRI8cqMMa7SY2G+6/JLX PaoZku2exKPwY1Ubnl+oBRLHZqtqoIZL8RYsVOFM+YLDdcM0/KJs2s1Xyun2L4V7N 5mrMyG87WfZyJA4tmFxKFYsTol36xF0lNvjKq/xt68r8aVtXGNmm98FRdjinbfa0H dp991CA2LL/3Qp6qP8UfcTMPIrlOnliVX8KemWK5aACEixo2fVoc6yJ5eIIbXt3Pw xfOyAx+CJu0y9VqjDw==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from Surface ([31.133.136.139]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MdNcA-1raAPH0Vvs-00ZQRk; Thu, 09 Nov 2023 16:12:23 +0100
From: hannes.tschofenig@gmx.net
To: "'Smith, Ned'" <ned.smith@intel.com>, 'Henk Birkholz' <henk.birkholz@sit.fraunhofer.de>, 'Carl Wallace' <carl@redhoundsoftware.com>, rats@ietf.org
References: <6FCC00F5-1FAE-4CCD-9ED2-DA2BA923E7F7@island-resort.com> <011801da130d$74579390$5d06bab0$@gmx.net> <66c6191b-c393-69da-a849-f44da369917a@sit.fraunhofer.de> <7DC2D9E1-F052-48A1-B5A8-978D52275EE5@redhoundsoftware.com> <01e001da131a$a8c7ba30$fa572e90$@gmx.net> <9b8eb6e3-1b9b-7a0a-dffd-f8d0912a7bb6@sit.fraunhofer.de> <DEDCA7BD-D5E3-411E-8C33-EDCFAF016534@intel.com>
In-Reply-To: <DEDCA7BD-D5E3-411E-8C33-EDCFAF016534@intel.com>
Date: Thu, 09 Nov 2023 16:12:22 +0100
Message-ID: <01f101da131f$243ccfd0$6cb66f70$@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQF073de1km0LbdAYfC43hAeOS2kHgJK/6aEARobj2gBz2CMXwHVeRmUAinZUNwCLxoiU7DhRv6w
Content-Language: de-at
X-Provags-ID: V03:K1:VmJHvdj/tKSpq8g9Pb5FlMNM72RavOts3Si+R2M89K+wsbdu3Sn 8sWq/harvzsckkeaMOdU2bhq2pkdlFXHcx7EUz5IpAstFWALNpUGNP+wCzeZb2uoEhR8vem sLdlJ782jT9uAMbmtvkxuVyCXbfwHj4adP8JPZM3LiFyZVn0elxZq8TOSp7VBMLPu9uhzNG +wafxbQqcYuhFaF6HYBgg==
UI-OutboundReport: notjunk:1;M01:P0:HF61irFrACE=;fLKOYJsxSZdekI9jBptdYCE8wyC iWfHtq1PXrBAQs0EEQ95Xn50vT2sh918tq7FBSiQ+KK2vYgtkDHXEHxqc/oRy57V50Jn/Aajm YDnmjGVmXjzhg5LbouJw1pURvbyh5PlSLmo7iAzXfUYKfD/3vzgLoGlR76s9z4txenv3emIUw cxJ0Blu8qLa049NhnT7I1QzZlRAUwNHp7LGydFytWSYOJ6HR4Tbobya8UjEfipcgtMkCxww0m KvweGC2yGPrzJh65FJ/mgJSYmk9wuse1gSEFggxNUMV/CDFTTs12YALMCX3hJrxFoxBUGypXc pzppuLFBLF+O31HUZKPyLeN35BQsX9vqM2+3p0F/C/dwmly23NCg/Zv1Ov6FG80bEbbbF8/L4 pZctgJHtuo8Udk6PHmUv3sQXW+vHA2CQ2bEQjaVCyFwbnRd+uqAClbDGnDXD24u/4BXzscZ6R W2AN1pZCAi8PZhxI1Ryj8wrsFKpt6rKqDRTdxTFhcgTC4tFE4UBEnFXVdxFk/VTtwGMq0YU7z IeVQyQ1Msu0ogoAJBoeU1AbFY/F90cwX4iyf4BfFhoVdwlzt5BU9aCBhtJkXMKz4WKahudaQb yVFff2O0VblDtywrbyRWXsxQmSgBBv4y0zEuSrFL8C6WqlvOctvlkH4Hq8GxEEKnOWc+JPGC7 j5RfiZ98ovWuaxsfz9Q0wSDfxfihiiaI2igT3UCQNE6488RSqXxkhRtf8N560WsT2aSCxBL4s aBfI4sGhwiktNazRNuibF3iqHnBWzol213Yz+WpwsV8CPjpXzzKw9AQIVaVxshK/kqZbS36uQ Wq5GHkkbrhlFNlFPN+gVELuGCgn+nIEnAYp39cGv///LKWd/zd0YBlXpVZrBc96KaEUfnEF8k WCeLLxy5o/xIORhYtp6eSuXT/nLNS7+hp5uqWnenoGlUQX7Ys15SSbiyv2+GWgIN9yoDQBYUl 7SxPOKmT3jp35QHxHvNKElYaqPE=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/bkJYiJorNPNTSgUfy3VZp48mINk>
Subject: Re: [Rats] draft-ounsworth-rats-x509-evidence-00
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 15:12:41 -0000

Hi Ned,

I agree with the profile argument below. The HSM community may not be interested in all claims. 

Maybe we should publish a document that defines the ASN.1-based version of the EAT claims and a second specification that defines a profile. The profile lists the claims the HSM community would use with the CSR spec in fulfillment of the CA/Browser Forum code signing requirements. As part of that profile, it would also describe what crypto is used to sign the evidence. Such a document would be very short.

Ciao
Hannes


-----Original Message-----
From: Smith, Ned <ned.smith@intel.com> 
Sent: Donnerstag, 9. November 2023 15:59
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; hannes.tschofenig@gmx.net; 'Carl Wallace' <carl@redhoundsoftware.com>; rats@ietf.org
Subject: Re: [Rats] draft-ounsworth-rats-x509-evidence-00

The draft set the expectation that it would define evidence and that it would also convey endorsements. There is a difference in what claims make sense as evidence vs. what claims make sense as endorsements / reference values. An AE can't tell the version of firmware but can tell what it's digest is. Similarly, and AE can tell whether a FIPS self-test ran, but can't tell what FIPS rating was assigned by a FIPS lab. 

EAT claims are defined in such a way that they could be incorporated into a profile that defines evidence / endorsements / reference values / attestation results. That doesn't mean it makes sense for all EAT claims to be asserted in every type of conceptual message. 

The X.509 Attestation Evidence draft could be viewed as a profile for the HSM community. There will be claims that don't make sense as evidence (e.g., I don't know of any HSMs that have a GPS receiver or can triangulate a location using wireless signals). There likely are other EAT claims that don't make sense as endorsements for HSMs also. 

The question of ASN.1 vs. CBOR vs. JSON isn't that interesting from a bow tie perspective (we'd like the industry to easily map between them), but it might not make sense from a HSM community profile, which necessarily constrains the set of claims to those that make the most sense for that community.

-Ned

On 11/9/23, 3:43 PM, "RATS on behalf of Henk Birkholz" <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> on behalf of henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:


On 09.11.23 15:40, hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> wrote:
> Hi Carl,
> 
> A few responses below:
> 
> * The use of CBOR/COSE in SUIT: At the start of the SUIT working group the participants expressed a strong preference to use CBOR/COSE and didn't want to use ASN.1/CMS. Brendan and I had written a draft that used ASN.1, which was inspired by work Russ did. It happens that work being proposed does not align with the expectations of the group. I remember Henk and Carsten being vocal proponents of CBOR & COSE at that time. Was it a good idea to use CBOR/COSE instead of ASN.1/CMS? Now that the standardization and implementation work is almost finished it is a bit too late to ask this question again.
> 
> * Do we want to provide claim definitions in ASN.1 format (as we do in the draft)? That was our understanding from the design team discussions.
> 
> * Should we keep the definition of the CBOR/COSE claim definitions in sync with the ASN.1 format? I believe there is value in doing so. There does not seem to be anything wrong with the semantics of the claims in EAT. We have received feedback already for better alignment since we have introduced a few bugs in the -00 submission.
> 
> * A question you did not ask was: Should all claims in EAT also be described in an ASN.1 format? Currently the draft only contains a subset of the claims. I have been asking myself the same question. It is somewhat likely that sooner or later all claims defined in EAT will need to be available in ASN.1 format.


Had the same thought, did not dare to voice it. I can imagine Mike groaning (as he wants to move fast). Not sure, if this I-D is the one to do that. Mike?


> 
> Ciao
> Hannes
> 
> -----Original Message-----
> From: RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> On 
> Behalf Of Carl Wallace
> Sent: Donnerstag, 9. November 2023 14:45
> To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de 
> <mailto:henk.birkholz@sit.fraunhofer.de>>; rats@ietf.org 
> <mailto:rats@ietf.org>
> Subject: Re: [Rats] draft-ounsworth-rats-x509-evidence-00
> 
> 
> On 11/9/23, 8:09 AM, "RATS on behalf of Henk Birkholz" <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> <mailto:rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on behalf of henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de> <mailto:henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>> wrote:
> 
> 
> I think this discussion is mood as was pointed out in the meeting already. Please see:
> 
> 
> https://www.rfc-editor.org/rfc/rfc9334.html#figure-9 
> <https://www.rfc-editor.org/rfc/rfc9334.html#figure-9> 
> <https://www.rfc-editor.org/rfc/rfc9334.html#figure-9> 
> <https://www.rfc-editor.org/rfc/rfc9334.html#figure-9&gt;>
> 
> [CW] I don't think that diagram renders this discussion moot. X.509 certificate-based attestations have existed since before RATS (and before we called attestation evidence). There's not even much question about potential for including claims in an X.509 certificate within current RATS documents (see section C.3 of EAT). I think the questions are: 1) do we want to provide ASN.1 definitions for claims and 2) do we want to keep claim definitions (roughly) in sync across ASN.1/CBOR/JSON. Re: 1), there's seems to be general acceptance of defining claims in ASN.1 for the most part (though no one really answered Brendan's question regarding why ASN.1 was disallowed for SUIT but is allowed here). Question 2) needs some more discussion. There was an exchange between Mike and Laurence during the presentation yesterday that highlights a potential difference of opinion between I-D author(s) and participants in the working group that could impact the adoption question.
> 
> On 09.11.23 14:05, hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>> Hi Laurence,
>>
>> The charter says:
>>
>> “
>>
>> Standardize data models that implement and secure the defined 
>> information model (e.g., CBOR Web Token structures [RFC8392 
>> <https://datatracker.ietf.org/doc/rfc8392/> 
>> <https://datatracker.ietf.org/doc/rfc8392/&gt;> 
>> <https://datatracker.ietf.org/doc/rfc8392/&gt;> 
>> <https://datatracker.ietf.org/doc/rfc8392/&amp;gt;&gt;>], JSON Web 
>> Token structures
>> [RFC7519 <https://datatracker.ietf.org/doc/rfc7519/> <https://datatracker.ietf.org/doc/rfc7519/&gt;> <https://datatracker.ietf.org/doc/rfc7519/&gt;> <https://datatracker.ietf.org/doc/rfc7519/&amp;gt;&gt;>]).
>>
>> “
>>
>> CWT and JWT are mentioned as examples. The group already works on 
>> another evidence format, namely the TPM-based stuff.
>>
>> I would say that the document fits nicely within the scope of the charter.
>>
>> Regarding the document split. I am open to discussions about your 
>> suggestion, which assumes adoption in the group.
>>
>> Ciao
>>
>> Hannes
>>
>> *From:*RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> 
>> <mailto:rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>>> *On 
>> Behalf Of *lgl island-resort.com
>> *Sent:* Donnerstag, 9. November 2023 13:59
>> *To:* rats <rats@ietf.org <mailto:rats@ietf.org> 
>> <mailto:rats@ietf.org <mailto:rats@ietf.org>>>
>> *Subject:* [Rats] draft-ounsworth-rats-x509-evidence-00
>>
>> I think it might be better to split this into two drafts.
>>
>> First, define how to put CWT/JWT claims into ASN.1 and make an X.509 
>> attestation token.
>>
>> Second, define the FIPS and CC status claims for CBOR, JSON and ASN.1.
>>
>> I wish we didn’t have to do the first, but understand that we might.
>> Note that the RATS charter says we work on CBOR and JSON. There was a 
>> little discussion about ASN.1 back in the early days and we certainly 
>> put it off back then. There was also YANG discussion. Search the RATS 
>> mail archive for ASN.1.
>>
>> I’m much more interested in the FIPS and CC status claims. I would 
>> like to define them for CBOR, JSON and ASN.1. If they are booleans 
>> this is trivial. The would get registered in the CWT and JWT IANA registries.
>>
>> One of the reasons I’d like to define them for CBOR and JSON is so 
>> there’s a known and accepted way to translate their ASN.1 claims into JSON.
>>
>> Also, the X.509 definition should be for Attestation Results as well 
>> as Evidence. There’s no reason to restrict it and there’s no work to 
>> allow use as Attestation Results.
>>
>> LL
>>
>> (sent incorrectly the first time only to the rats-chairs; meant it 
>> for the list)
>>
>>
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org <mailto:RATS@ietf.org> <mailto:RATS@ietf.org 
>> <mailto:RATS@ietf.org>> https://www.ietf.org/mailman/listinfo/rats 
>> <https://www.ietf.org/mailman/listinfo/rats> 
>> <https://www.ietf.org/mailman/listinfo/rats> 
>> <https://www.ietf.org/mailman/listinfo/rats&gt;>
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org> <mailto:RATS@ietf.org 
> <mailto:RATS@ietf.org>> https://www.ietf.org/mailman/listinfo/rats 
> <https://www.ietf.org/mailman/listinfo/rats> 
> <https://www.ietf.org/mailman/listinfo/rats> 
> <https://www.ietf.org/mailman/listinfo/rats&gt;>
> 
> 
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats 
> <https://www.ietf.org/mailman/listinfo/rats>
> 


_______________________________________________
RATS mailing list
RATS@ietf.org <mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email