Re: [Rats] Composite Evidence

"Smith, Ned" <ned.smith@intel.com> Fri, 24 January 2020 21:04 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D3A1200A3 for <rats@ietfa.amsl.com>; Fri, 24 Jan 2020 13:04:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sl6m_SqgPlUM for <rats@ietfa.amsl.com>; Fri, 24 Jan 2020 13:04:38 -0800 (PST)
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B38D120052 for <rats@ietf.org>; Fri, 24 Jan 2020 13:04:37 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jan 2020 13:04:37 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,358,1574150400"; d="scan'208";a="400768753"
Received: from orsmsx109.amr.corp.intel.com ([10.22.240.7]) by orsmga005.jf.intel.com with ESMTP; 24 Jan 2020 13:04:36 -0800
Received: from orsmsx121.amr.corp.intel.com (10.22.225.226) by ORSMSX109.amr.corp.intel.com (10.22.240.7) with Microsoft SMTP Server (TLS) id 14.3.439.0; Fri, 24 Jan 2020 13:04:36 -0800
Received: from orsmsx109.amr.corp.intel.com ([169.254.11.6]) by ORSMSX121.amr.corp.intel.com ([169.254.10.34]) with mapi id 14.03.0439.000; Fri, 24 Jan 2020 13:04:36 -0800
From: "Smith, Ned" <ned.smith@intel.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Composite Evidence
Thread-Index: AdXRgB49sEcLGXWTRbyFhaWoEjRAwwAWWlWAAB2RpAD//6sSAIAAlNyA//+lU4CAAcbpAP//iMmAgACXmoD//4eZgA==
Date: Fri, 24 Jan 2020 21:04:35 +0000
Message-ID: <F6EFBC8A-C59B-4440-AD3E-34FC03BB7B0E@intel.com>
References: <BYAPR11MB2536867559E1A20682A1FC2BA10F0@BYAPR11MB2536.namprd11.prod.outlook.com> <25403.1579747229@localhost> <BYAPR11MB2536EEF62BD7B1C53EC59659A10F0@BYAPR11MB2536.namprd11.prod.outlook.com> <85492C6F-E854-448F-9507-BBAC25455392@intel.com> <14896.1579811757@localhost> <B7A7F7E5-EC09-44C4-AE02-C480E6D7F8D9@intel.com> <14740.1579889976@localhost> <F2E126B3-1399-43D0-AD25-BE9FAA1773F9@intel.com> <12261.1579896931@localhost>
In-Reply-To: <12261.1579896931@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.21.0.200113
x-originating-ip: [10.24.10.97]
Content-Type: text/plain; charset="utf-8"
Content-ID: <100FDA861AF42841BDE16260BAB085BE@intel.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/dPZh53CpcMbLFOYDrbv3JEQfGtI>
Subject: Re: [Rats] Composite Evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 21:04:40 -0000


On 1/24/20, 12:15 PM, "RATS on behalf of Michael Richardson" <rats-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:

    
    Smith, Ned <ned.smith@intel.com> wrote:
        > Smith, Ned <ned.smith@intel.com> wrote:
        mcr> [%] I think you are saying that rather than documenting that we
        mcr> forward a union of evidence and attestation results, that we
        mcr> document that will create a kind of evidence, which includes attestation results?
    
        Ned> Maybe. It really is a case of multiplexing several conversations
        Ned> over the same conveyance mechanism, but otherwise conversations
        Ned> could be de-multiplexed (without creating unnecessary
        Ned> cross-dependencies). For example in both Passport and BK-Check
        Ned> topology models, a message is simply relayed. The endpoints are
        Ned> still the way they're defined in the Roles Arch diagram.
    
        mcr> yes, I agree, we could send a list of evidence and a list of attestion
        mcr> results from components.  I don't really know what the list of potential
        mcr> *verification* protocols is.
    
        Nms> I don't know what a verification protocol is. I would describe the
        Nms> interaction between a Verifier and Relying Party as Attestation
        Nms> Results exchange over a conveyance protocol. This implies there is a
        Nms> protocol binding specification needed for each protocol that is used
        Nms> for conveyance.
    
 mcr>   I don't know what to call the Attester->Verifier connection.
 mcr>   Yes, it's a conveyance protocol.
nms> Maybe the architecture should give them names?
    
        mcr> I don't think this communication can ever be via certificate, while the final
        mcr> attestation results could be placed inside a certificate.
    
        nms> Both a certificate and token are examples of signed documents that
        nms> could include both Evidence or Attestation Results
    
   mcr>  A certificate (manufacturer signed IDevID...) could convey fresh evidence?
   mcr>  I find that hard to believe.
   nms>  Yes, it is possible for a trusted environment to issue a certificate for a key that is dynamically generated and used to attest. Sometimes these signed things aren't called certificates. For example, a TPM "quote" operation can "quote a key" which results in a signed structure that contains a public key. SGX can do something similar too. A JWT/CWT token can include a public key value which someone could say is a 'certificate' because it associates a key with another key (namely the issuer). Additionally, a DICE RoT can sign an X.509.v3 certificate called the "Alias Identity". 
nms> A use case that supports this practice is when a HW or SW module is added to a device after it ships. The module could become a new Target environment that the Attesting environment hashes to produce new Evidence. If the new module in turn supports adding another sub-module, then it may become the Attesting environment to the sub-module. The attestation key it uses may be dynamically generated. One of the claims is that the new key is trustworthy because it belongs to a Target environment that was attested by a trusted Attesting environment. I believe EAT submods claim supports this usage.
    --
    Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
     -= IPv6 IoT consulting =-