Re: [Rats] Comments on draft-birkholz-rats-architecture-01
Ira McDonald <blueroofmusic@gmail.com> Mon, 15 July 2019 11:33 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6896C120077 for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 04:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0HMAvZ2_KkiU for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 04:33:09 -0700 (PDT)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63DBC120018 for <rats@ietf.org>; Mon, 15 Jul 2019 04:33:09 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id x188so1424111yba.8 for <rats@ietf.org>; Mon, 15 Jul 2019 04:33:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vbN9p3c1Ng8QD98RylwGA3NF8wihI6S6LWBYhjyclT8=; b=YK/QorIrILa3yEDQjc4KHG5a/iVv3Mls/DUvwWA28rOkdcdVDkhk2udkTtfucE+IOM U5ODjjwmkCI9rq8/gSJyqGs3MPRr20sWd4STuG9nzlPWK+6usVS52/4cZa/u4fpjyNz+ 5PoYSlmK4+SZjjXuyocVhR8Mx+WLiewiRLSK7QX1lrFHTz9QGDJ6WULJotQ8UC0GTtQb BAg2tTDbk8M5K8WKY8WvvTmENxd9BNjubY4o3Puu71zHOFzFnmOzWflYmgIkVzDn9Uja vAvsl99FUl4CUCRu/ZzBu6LmS2PdG6bQiQK8a6LIGugko+8MTm4iAwyg1HyK+wFpm5fg YPxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vbN9p3c1Ng8QD98RylwGA3NF8wihI6S6LWBYhjyclT8=; b=ZUyWsN9DzhapqT4SKIjEFUfMKkch7aH/K3ZtVVoqhlxWkPpOAeKmPVQJj3F1jQB6bF WxgmqagY9e9gQXO6Am8txc62bYVcwCGPbZxxTTKz7uPC+uv/2eqJUqYA6SqwSV4d7h+V go49q1eQlb3yKjECHx8LqUtgkfd+vPBwrn4WScG1BKHzi1SqZiUNNhMCETleuJOTYSYF pLJAzWaaSd+laNs5+nZUQD8Lu1ieWqTbphQbjySsrGVaMMJ8Sqgxl/Y8mut1Wuzh3TyK fvLodL7FEEhFko5MtbKyYzHLGruHMphUvSsENYnNAMF3BdNLGHyDF9zsv38K/5lCNc63 ANNQ==
X-Gm-Message-State: APjAAAUd0kiAVe1iWO9euRB430k6UR589e67qME3OnzFqimqZ8Ck7oRa CObY6MUsLMGgmEd/oe/AqBWeuaJIUXfbtE4Lvro=
X-Google-Smtp-Source: APXvYqxD5SWEAsoDgDQ5KTbPOpNroVCNaqn24chZOYS024IxekPHiBYnlDwidOt/qJBtMaiKqp0H/uit3VDNa2Np7m4=
X-Received: by 2002:a25:d252:: with SMTP id j79mr17169099ybg.236.1563190388632; Mon, 15 Jul 2019 04:33:08 -0700 (PDT)
MIME-Version: 1.0
References: <0189ed44bcf749c18e9b6612b2728553@oc11expo23.exchange.mit.edu> <8C52026F-A4D1-4CA5-901A-C20CC2396DF5@ri.se> <20190713023817.GU16418@mit.edu> <CAN40gSuge3=-dKTtUz2bWVTzBDX0rqmr1sj=NT_-OVRH90o=9A@mail.gmail.com> <A5E5E10D-D423-4EA6-B99B-6BE925FB8DFD@island-resort.com> <445FA39B-2ABF-4FAF-B82D-903FCC8AF5AB@ri.se>
In-Reply-To: <445FA39B-2ABF-4FAF-B82D-903FCC8AF5AB@ri.se>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Mon, 15 Jul 2019 07:35:06 -0400
Message-ID: <CAN40gSszwsn2=anOha0PwCHwM4DZFSMvO+yPTxO8UV2La325jw@mail.gmail.com>
To: Nicolae Paladi <nicolae.paladi@ri.se>
Cc: Laurence Lundblade <lgl@island-resort.com>, Benjamin Kaduk <kaduk@mit.edu>, "Ned Smith (ned.smith@intel.com)" <ned.smith@intel.com>, "henk.birkholz@sit.fraunhofer.de" <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>, "monty.wiseman@ge.com" <monty.wiseman@ge.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, Thomas Hardjono <hardjono@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000d4afc6058db69f8b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/cZMIau4Ay4TsN3Uwzr0YpNUp9jU>
Subject: Re: [Rats] Comments on draft-birkholz-rats-architecture-01
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 11:33:13 -0000
Hi, I think that RFC 4949 definition of "trustworthy" is seriously flawed". For some of the nuances see the set of definitions of "trustworthiness" in the US NIST Online Glossary at: https://csrc.nist.gov/glossary/term/trustworthiness Certainly for dynamic systems (i.e., almost all systems in the real world), the idea of absolute "trustworthy" is a bad one to use in system designs and implementations. Cheers, - Ira Ira McDonald (Musician / Software Architect) Co-Chair - TCG Trusted Mobility Solutions WG Co-Chair - TCG Metadata Access Protocol SG Chair - Linux Foundation Open Printing WG Secretary - IEEE-ISTO Printer Working Group Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG IETF Designated Expert - IPP & Printer MIB Blue Roof Music / High North Inc http://sites.google.com/site/blueroofmusic http://sites.google.com/site/highnorthinc mailto: blueroofmusic@gmail.com PO Box 221 Grand Marais, MI 49839 906-494-2434 On Mon, Jul 15, 2019 at 7:14 AM Nicolae Paladi <nicolae.paladi@ri.se> wrote: > Hi and thank you for the feedback on the point about trustworthiness. > > I agree that in case of complex systems or decisions trustworthiness > depends on the context. > Indeed, in the finance industry, decisions about the trustworthiness of a > customer or transaction are often based on many inputs that together are > used to compute the likelihood of the transaction or customer being > acceptable or not. > > However, I was referring to the trustworthiness of a specific device as > defined in draft-birkholz-rats-architecture-01: > > A trustworthy system is a system "that not only is trusted, but also > warrants that trust because the system’s behavior can be validated in some > convincing way, such as through formal analysis or code review" [RFC4949]. > > > In my understanding, a formally verified component (hw or sw), considered > in a specific threat model is either trustworthy or not trustworthy, NOT “ > X % trustworthy " > > Note that I do not discuss whether it is “secure”, only whether it is > trustworthy in the sense of RFC4949 > > Nicolae > > > On 14 Jul 2019, at 21:39, Laurence Lundblade <lgl@island-resort.com> > wrote: > > My framing for this is not binary, in this day and age of risk engines and > machine learning. The relying party receiving the attestation is going to > take whatever data is attested in as part of a decision that will probably > involve other data such as transaction history and type. For example: > > - A payment might be allowed if it is tiny and the risk of losing the > customer is high even if the attestation seems wrong. Or vice-versa, the > payment is large and the customer expects best protection. I’m pretty sure > PayPal, VISA, Mastercard, Experian and such operate this way. > > - a biometric authentication may not be allowed even though the > attestation is excellent because the risk engine recognizes a pattern of > fraud based on other non-attested data. > > - A bad attestation from a router might be considered an isolated event > until more evidence is accumulated. No one is went to the wire closet. > > > I also consider the security technology used to protect the signing key > and attestation creation subsystem variable in security. And it needs to be > considered in relation to the capacity of the attacker. A TEE (little > defense against chip probing) might be consider quite good for small to > medium $ payments backed by a risk engine. An EAL 6 secure element may be > the only thing considered OK for access to a nuclear facility with no risk > engine back up. > > > I prefer to never characterize something as trustworthy or as secure in > any RFCs we create. CWT and JWT don’t seem to go down this path either. > > (Correct me if I’m wrong, but I think maybe TCG does use the > secure/non-secure framing. If so, I do NOT think we should bring it in > here.) > > LL > > > > On Jul 13, 2019, at 7:13 AM, Ira McDonald <blueroofmusic@gmail.com> wrote: > > Hi, > > About binary "trustworthy". > > This is a fundamental fallacy. Neither "trustworthy" > nor "secure" are *ever* binary. That's basic to the > security by design approach. > > Cheers, > - Ira > > Ira McDonald (Musician / Software Architect) > Co-Chair - TCG Trusted Mobility Solutions WG > Co-Chair - TCG Metadata Access Protocol SG > Chair - Linux Foundation Open Printing WG > Secretary - IEEE-ISTO Printer Working Group > Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG > IETF Designated Expert - IPP & Printer MIB > Blue Roof Music / High North Inc > http://sites.google.com/site/blueroofmusic > http://sites.google.com/site/highnorthinc > mailto: blueroofmusic@gmail.com > PO Box 221 Grand Marais, MI 49839 906-494-2434 > > > > On Fri, Jul 12, 2019 at 10:38 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > >> Cherry-picking one point... >> >> On Mon, Jul 08, 2019 at 02:44:56PM +0000, Nicolae Paladi wrote: >> > Hello, >> > >> > Some comments on draft-birkholz-rats-architecture-01< >> https://tools.ietf.org/html/draft-birkholz-rats-architecture-01> >> > >> [...] >> > 7.1.1< >> https://tools.ietf.org/html/draft-birkholz-rats-architecture-01#section-7.1.1>. >> How the RATS Architecture Addresses the Lying Endpoint Problem >> > >> > >> > >> > >> > >> > RATS imply the involvement of at least two players (roles) who seek >> > to overcome the lying endpoint problem. The Verifier wishes to >> > consume application data supplied by a Computing Context. But before >> > application data is consumed, the Verifier obtains Attestation >> > Evidence about the Computing Context to assess likelihood of poisoned >> > data due to endpoint compromise or failure. Remote Attestation >> > argues that a systems's integrity characteristics should not be >> > believed until rationale for believability is presented to the >> > relying party seeking to interact with the system. >> > >> > “Likelihood” implies a probabilistic approach to trustworthiness (e.g. >> 42% likelihood of poisoned data”). Is that really feasible? And if so, is >> it actually of any use? IMO trustworthiness is binary (“trustworthy or not >> trustworthy”), or binary and conditional/contextual (“trustworthy if used >> for certain actions”). >> >> My personal thinking here is along the lines of "this data makes me >> confident that only someone who was able to subvert my supply chain and >> surreptitiously replace the TPM chip in the sealed device delivered to me >> would be able to forge the attestation evidence; I don't think I'm the >> target of such an attack, so there's a low likeliyhood of endpoint >> compromise". Or, as James Mickens put it more glibly in >> https://www.usenix.org/system/files/1311_05-08_mickens.pdf there's a >> Mossad/not-Mossad distinction in the potential attackers, and if the >> Mossad >> is a threat, you're gonna be Mossad'ed upon no matter what you do. >> >> -Ben >> >> _______________________________________________ >> RATS mailing list >> RATS@ietf.org >> https://www.ietf.org/mailman/listinfo/rats >> > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats > > > >
- [Rats] Comments on draft-birkholz-rats-architectu… Thomas Hardjono
- Re: [Rats] Comments on draft-birkholz-rats-archit… Nicolae Paladi
- Re: [Rats] Comments on draft-birkholz-rats-archit… Benjamin Kaduk
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Laurence Lundblade
- Re: [Rats] Comments on draft-birkholz-rats-archit… Nicolae Paladi
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Smith, Ned
- Re: [Rats] Comments on draft-birkholz-rats-archit… Ira McDonald
- Re: [Rats] Comments on draft-birkholz-rats-archit… Adrian Shaw
- Re: [Rats] Comments on draft-birkholz-rats-archit… Laurence Lundblade