Re: [Rats] Function of an endorsement relative to evidence
"Smith, Ned" <ned.smith@intel.com> Thu, 09 June 2022 16:02 UTC
From: "Smith, Ned" <ned.smith@intel.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "Eric Voit (evoit)" <evoit=40cisco.com@dmarc.ietf.org>, rats <rats@ietf.org>
Date: Thu, 09 Jun 2022 16:01:44 +0000
Message-ID: <FE9DEF95-E234-43A5-81E0-1361E1F86BFC@intel.com>
References: <6F919543-37BA-484B-AA7E-BAC3497EB125@island-resort.com> <ee639c74-b365-e127-b4ec-d6f9df0014e6@sit.fraunhofer.de> <3907E124-5080-442C-801C-C14F227687E6@island-resort.com> <BL0PR11MB3122F2DB02AAD9FCD0966E11A1A49@BL0PR11MB3122.namprd11.prod.outlook.com> <4799.1654781489@localhost>
In-Reply-To: <4799.1654781489@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/czX5rpbbE92yM075v5LVXoo2Swo>
To summarize, a mfg'r issued DeviceID certificate is an Endorsement. Additional claims included in the certificate would be considered Endorsements. A DeviceID certificate endorses the Attester's key which may be used to assert claims. In theory, the Attester could assert the same claims that the mfg'r asserts. If the Endorser gives carte blanche authority to the Attester key to assert claims on behalf of the Endorser, is that desirable? The answer is it depends on the Relying Party and Verifier who decide which entity (Endorser or Attester) is best able to assert the claims. Determining this may require looking at each claim individually to see what makes the most sense.

-Ned

On 6/9/22, 6:31 AM, "RATS on behalf of Michael Richardson" <rats-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:

>>>>> Laurence <Lundblade, June 6, 2022 3:45 PM> writes:
> Think about these static Attestation claims set by the Attester Manufacturer:
> OEMID: Set once at manufacturer time and never changes; it is the same
> for large numbers of devices
> UEID: Set once at manufacturing and never changes; it is different for
> each device
> HW Version and Mode: Set once at manufacturing time and never changes;
> large groups have the same ID
> We're fine with these being set and sent as claims. They don't have to
> be in an Endorsement, right? Some of them could be in an Endorsement,
> but there is nothing wrong with them in Evidence.

They can even go into an IDevID certificate. Then it's the manufacturer making a claim (an Endorsement) about the holder of the private key.

In my world, the IDevID gets replaced by an LDevID for many things, so the contents are no longer quite as trustworthy, depending upon the relationship of the Verifier and the (Enterprise) owner. The SUEID could go into the LDevID though, with the Enterprise Registrar acting as RP for the initial onboarding.

> Of course if they are sent in Evidence, then there has to be an
> Endorsement that tells the Verifier they can believe these claims in
> Evidence and the signature on Evidence has to be verified.

One reason why one might want these as Evidence is if the Verifier wants proof of possession of private key. If a TLS connection with a client authentication is used to convey Evidence, then that might already be accomplished. If the conveyance is something else, then there might be value. Of course, in that situation, a freshness nonce might also be included, so problem solved.

> To me security-level (the static statement of designed security level;
> see here <https://mailarchive.ietf.org/arch/browse/rats/?qdr=d> ) is
> pretty much the same as the above claims in the way it is conveyed
> securely.

I agree.

> <eric> The three claims listed above are focused on establishing
> instance identity. A policy of the Relying Party needs to establish an
> instance identity to understand the context of other claims. An
> endorsed security level should be a known function of the instance
> identity once that identity has been established.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
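The per-claim decision Ned describes (which of Endorser or Attester the Verifier treats as authoritative for each claim) and the Evidence checks Michael lists (signature by the endorsed key, a freshness nonce for proof of possession) can be written down as a small appraisal routine. The following is an added example, not code from the thread or from any RATS implementation. It assumes a constructed policy table, constructed key and claim names, and uses HMAC-SHA256 as a stand-in for the asymmetric signatures a real manufacturer CA and DeviceID key would produce; only the appraisal logic is meant to be illustrative.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 stands in for the asymmetric signatures a
# real Endorser (manufacturer CA) and Attester (DeviceID private key) would use,
# so the "verification key" carried in the Endorsement is the same bytes the
# Attester signs with. Real deployments would carry a public key here.
TRUST_ANCHORS = {"acme-mfgr-ca": b"constructed-endorser-key"}
DEVICE_KEYS = {"attester-key-1": b"constructed-attester-key",
               "rogue-key": b"constructed-rogue-key"}


def _canon(obj):
    """Canonical JSON bytes so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, payload):
    return hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


def make_endorsement(issuer, attester_key_id, claims):
    """Manufacturer statement binding the Attester key to static claims."""
    payload = {"issuer": issuer, "subject_key": attester_key_id,
               "subject_vk": DEVICE_KEYS[attester_key_id].hex(), "claims": claims}
    return {"payload": payload, "sig": sign(TRUST_ANCHORS[issuer], payload)}


def make_evidence(key_id, nonce, claims, signing_key=None):
    """Evidence signed by the device over the Verifier's nonce and its claims."""
    payload = {"key_id": key_id, "nonce": nonce, "claims": claims}
    key = DEVICE_KEYS[key_id] if signing_key is None else signing_key
    return {"payload": payload, "sig": sign(key, payload)}


# Verifier appraisal policy: who is authoritative for each claim (constructed).
#   "endorser": value comes from the Endorsement; if Evidence repeats it, it must agree
#   "attester": only the running device can report it; value comes from Evidence
POLICY = {"oemid": "endorser", "ueid": "endorser", "hwver": "endorser",
          "security-level": "endorser",
          "sw-measurement": "attester", "boot-count": "attester"}


def appraise(endorsement, evidence, expected_nonce, policy=POLICY):
    ep, ev = endorsement["payload"], evidence["payload"]
    # 1. The Endorsement must chain to a trust anchor the Verifier holds.
    anchor = TRUST_ANCHORS.get(ep["issuer"])
    if anchor is None or not verify(anchor, ep, endorsement["sig"]):
        return {"status": "rejected", "reason": "endorsement not trusted"}
    # 2. Evidence must be signed by the key the Endorsement vouches for.
    if ev["key_id"] != ep["subject_key"]:
        return {"status": "rejected", "reason": "evidence key not endorsed"}
    if not verify(bytes.fromhex(ep["subject_vk"]), ev, evidence["sig"]):
        return {"status": "rejected", "reason": "bad evidence signature"}
    # 3. Freshness: the signature over the nonce is the proof of possession.
    if ev["nonce"] != expected_nonce:
        return {"status": "rejected", "reason": "stale evidence"}
    # 4. Resolve each claim from whichever entity the policy trusts for it.
    claims, conflicts = {}, []
    for name, authority in policy.items():
        from_e, from_a = ep["claims"].get(name), ev["claims"].get(name)
        if authority == "endorser":
            if from_e is None:
                continue
            if from_a is not None and from_a != from_e:
                conflicts.append(name)  # device contradicts its manufacturer
            claims[name] = {"value": from_e, "source": "endorser"}
        elif authority == "attester" and from_a is not None:
            claims[name] = {"value": from_a, "source": "attester"}
    return {"status": "conflict" if conflicts else "accepted",
            "claims": claims, "conflicts": conflicts}


def demo():
    """Run the appraisal over constructed Evidence of four kinds."""
    nonce = "constructed-nonce-1"
    endorsement = make_endorsement("acme-mfgr-ca", "attester-key-1",
        {"oemid": "ACME", "ueid": "01-AA-BB-CC", "hwver": "rev3",
         "security-level": "restricted"})
    dynamic = {"sw-measurement": "sha256:constructed-digest-1", "boot-count": 17}
    cases = {
        "good": make_evidence("attester-key-1", nonce, {"ueid": "01-AA-BB-CC", **dynamic}),
        "lying": make_evidence("attester-key-1", nonce, {"hwver": "rev9", **dynamic}),
        "stale": make_evidence("attester-key-1", "old-nonce", dynamic),
        "forged": make_evidence("attester-key-1", nonce, dynamic,
                                signing_key=DEVICE_KEYS["rogue-key"]),
    }
    return {name: appraise(endorsement, ev, nonce) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result))
```

The "lying" case is the situation Ned's question is about: the Attester asserts a manufacturer-owned claim with a different value, and because the policy names the Endorser as authoritative the Verifier keeps the endorsed value and flags the conflict rather than silently accepting either side. Swapping an entry in POLICY from "endorser" to "attester" is the carte blanche delegation he asks about, and the table makes that a per-claim decision rather than an all-or-nothing one.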