IETF Logo Mail Archive

Re: [Rats] Interoperability ... RE: EAT Profiles

Thomas Fossati <tho.ietf@gmail.com> Thu, 22 September 2022 13:03 UTC

Return-Path: <tho.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5BF9C14F74B for <rats@ietfa.amsl.com>; Thu, 22 Sep 2022 06:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzVY7Y-MEntP for <rats@ietfa.amsl.com>; Thu, 22 Sep 2022 06:03:47 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64142C14F745 for <rats@ietf.org>; Thu, 22 Sep 2022 06:03:47 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id r3-20020a05600c35c300b003b4b5f6c6bdso1300683wmq.2 for <rats@ietf.org>; Thu, 22 Sep 2022 06:03:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date; bh=SJhbqZn2H5HMc1LN/701XT+QTsLfhYbbTr5ibUo9M+E=; b=I7uip3VWYSpArCa3gqpaFLCPr2vPhNktA90UAzZnYY60GN599iTVdfIz01ZcjR/PTi kz61k/1dEasqShgAP07JMZutzy3iUCB4hMOPu7ifebuTKnOFAOHAZ2meo40PRkxhFftO BnYg+CLkzWlvhJs8h6hTENrTxJf7Ka06jT1wCBZL2RCFzPsT5sx2r0EH4dcXcbPVu7xT W0OISU1LbvLiDUxMNOzgjtvARIvXmUyuAqTTMyuxeCV/04+1wy1l9cNv4vs0o/3g1Z3h TfS/xQqcBDJejDZBJiYCjgxF1p01pxRtYQHGgUSDAzH93TF5z+olYBywFQtsm+ywplrC CDkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=SJhbqZn2H5HMc1LN/701XT+QTsLfhYbbTr5ibUo9M+E=; b=X96ka92UfxU/a20OjeqTypTJuaapPyJPcer6otgn+ztRFFEtni0RCwil06z3E7B2Zq k2wpEP0no0x9brI+rV7n5Ik8+uNYGzXNFY+dc8DaBRTTnWxhXgyzA2XZBwhHE6aa4iAz g/TrM7LYMxgpx8efr5HjsJqkQK4xU+nVdgPaBrJ767GAKuvV3+uKmAiHsQgC+P0Vj+EZ JhMurMTg+ZOT9PKPViOL8vOvbQb97wW0omsoNTqVZB7xGobN2KrGgVCT/gSH4VbFcJE4 anVggT0YIDTME22q2fpDRVJot/7qBxQaoulDK/vIBR8mRBZhW1UKL7Gj4hdoTXFmAykf jdWA==
X-Gm-Message-State: ACrzQf0wwm9VyDZFv1wY71a+LcbsYWzlcQrrZMX00uIMBqoiykOfWMRA qhylbvx7zoBYogOe6MnxXR742vD/eRK0SxkH9l8=
X-Google-Smtp-Source: AMsMyM5vHNmUtIubR+RAdzGuP0F32tNQxFzVSinn1X5FrzoFOCnH5cKmSDi7upT6hlfESuodiMXcdYMnkVJ9tGxEHAU=
X-Received: by 2002:a05:600c:a07:b0:3ab:945:77c4 with SMTP id z7-20020a05600c0a0700b003ab094577c4mr9369985wmp.97.1663851824982; Thu, 22 Sep 2022 06:03:44 -0700 (PDT)
MIME-Version: 1.0
References: <AS8PR08MB5911E476356C4005F68D6D4CFA4D9@AS8PR08MB5911.eurprd08.prod.outlook.com> <6F9F204B-E01C-4C56-9FA3-0E5F88F8C225@island-resort.com> <EF696290-B899-482F-B41E-BA358D57C123@intel.com> <CAObGJnNZ7=-v=ue94C+1CyfmXX7eYMTDKvdLYaBQ8K2cje42DA@mail.gmail.com> <4554C994-57E6-4873-9B41-66352CEA2920@intel.com> <CAObGJnNp7DrCn4MfAzBTBog1niOY0u5auETJU-iR7kk-CivJSw@mail.gmail.com> <A20E8654-BD16-48DE-B0A3-71EC45E16FE9@intel.com>
In-Reply-To: <A20E8654-BD16-48DE-B0A3-71EC45E16FE9@intel.com>
From: Thomas Fossati <tho.ietf@gmail.com>
Date: Thu, 22 Sep 2022 14:03:33 +0100
Message-ID: <CAObGJnPPLcKpqnHYRnDbOJo-Um2WuQbq4tHOF7CLP8auh=i6=w@mail.gmail.com>
To: "Smith, Ned" <ned.smith@intel.com>
Cc: Laurence Lundblade <lgl@island-resort.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/cBMGOZd37ki4AnEbpOON6oWLlEg>
Subject: Re: [Rats] Interoperability ... RE: EAT Profiles
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2022 13:03:47 -0000

hi Ned,

On Wed, Sep 21, 2022 at 5:51 PM Smith, Ned <ned.smith@intel.com> wrote:
> On 9/21/22, 1:55 AM, "RATS on behalf of Thomas Fossati" <rats-bounces@ietf.org on behalf of tho.ietf@gmail.com> wrote:
> > On Tue, Sep 20, 2022 at 8:55 PM Smith, Ned <ned.smith@intel.com> wrote:
> > > Profiles should extend standardized statements at a defined
> > > extension point; but existing seem to go beyond this in several
> > > ways.
> >
> > Can you point me to where that is happening?  Speaking for PSA,
> > we do not extend any standardised EAT statement.
>
> [nms]    aiss-token = {
>        aiss-nonce,
>        aiss-instance-id,
>        aiss-profile,
>        aiss-implementation-id,
>        aiss-lifecycle,
>        aiss-boot-odometer,
>        aiss-watermark,
>    }
>
> Aiss-token seems to be an extension of a CWT/JWT token (rather than an
> EAT token). However, this token does integrate with some claims found
> in the EAT draft such as nonce, profile, UEID, and hash-type. Hence,
> it is both a subset of EAT claims as well as a superset of an EAT
> token.

I am not sure I see a problem here.  An EAT can (and typically will)
be a CWT/JWT, so anything claiming to be an EAT "profile" can a)
inherit the CWT/JWT wrapping, b) extend the claims set using newly
registered CWT/JWT claims if the available EAT claims are not
sufficient.

> Philosophically, EAT claims could be incorporated into other container
> structures besides CWT/JWT tokens.

True, but.
In order to extend the top-level type one needs a "IETF standards
track document." (see §3), so it's not going to be cheap to do that.

> For example, an X.509 certificate
> could define an extension that contains UCCS expression of EAT claims

This X.509 extension would be wrapped in a UCCS which is a top-level
EAT (when it gets its RFC number), so this is not the right example of
"new bounding container", I think.

> or a protocol frame could do something similar.

If by "similar" you mean UCCS wrapping the EAT/CWT claims then there's
no need to define anything for the profile.  Just reference [UCCS].

> It seems reasonable that a profile could specify the bounding
> container for EAT defined claims.

yes, but in order to be called an EAT it needs to be defined in a STD
track document.

cheers,
-- 
Thomas

v2.23.0 | Report a Bug | By Email