IETF Logo Mail Archive

Re: [Rats] Comments on draft-birkholz-rats-architecture-01

Laurence Lundblade <lgl@island-resort.com> Mon, 15 July 2019 17:48 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73AFE1200FA for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 10:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id elwzPe5uZsgL for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 10:48:00 -0700 (PDT)
Received: from p3plsmtpa06-03.prod.phx3.secureserver.net (p3plsmtpa06-03.prod.phx3.secureserver.net [173.201.192.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AFE21200A1 for <rats@ietf.org>; Mon, 15 Jul 2019 10:48:00 -0700 (PDT)
Received: from [192.168.0.107] ([67.237.247.208]) by :SMTPAUTH: with ESMTPSA id n54whGmJj4M67n54whBZia; Mon, 15 Jul 2019 10:47:59 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <2B42431B-D45D-4CCD-9A60-7BAFF763DFBA@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6DECDC2F-B84F-413A-BBF8-744CCDC28F12"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 15 Jul 2019 10:47:57 -0700
In-Reply-To: <E7299F99-54D4-47FA-A439-F1D8CB7D1353@intel.com>
Cc: Ira McDonald <blueroofmusic@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>, "henk.birkholz@sit.fraunhofer.de" <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>, Nicolae Paladi <nicolae.paladi@ri.se>, "monty.wiseman@ge.com" <monty.wiseman@ge.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, Thomas Hardjono <hardjono@mit.edu>
To: "Smith, Ned" <ned.smith@intel.com>
References: <0189ed44bcf749c18e9b6612b2728553@oc11expo23.exchange.mit.edu> <8C52026F-A4D1-4CA5-901A-C20CC2396DF5@ri.se> <20190713023817.GU16418@mit.edu> <CAN40gSuge3=-dKTtUz2bWVTzBDX0rqmr1sj=NT_-OVRH90o=9A@mail.gmail.com> <E7299F99-54D4-47FA-A439-F1D8CB7D1353@intel.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-CMAE-Envelope: MS4wfGs5Ne58uxp1xm0Wkmm/0Bo/SOjBLP7RvHhJLh4QlW6CyBytMRliM5Kha97z+fphG7o9OWkAjk76Z3iNcQgxQwUd9EUEWYpbyuncizrCMbBSu5Eys/iv ucdm6rHeVt1bYzz+4Ckm+QTU7o+WcpZbt0t/eO+XkTMLN/xEdYhoTWHxOTuNfPiMSf2jLECPoWpPhQ6tmCshUb5dRSuW4vnOu93kaEH9Sfj7em+ev2gnmZZT zjBcOi2+PWOe7pGa1+KmfsotIGg3cG3aVkujNxiN+1LGD/XlTu0i2tNa+6jubirqiLXaJjyvT+jSdBBSsjMFN4eLcR+ybnK/nzacHscRx7vEZGVjWuJVE16L 4i2Lo4rOU8v++DsMfBp/x4/QvJjwBtDcok64lO+4mIVvCRiuNnO3t5E+2t8SNCGLgqsxcuKUrzTb9/CK5Ugo6Lom963EpA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/eJO2yVbX4lj72p2S02KwYVJLVtk>
Subject: Re: [Rats] Comments on draft-birkholz-rats-architecture-01
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 17:48:03 -0000

> On Jul 15, 2019, at 7:07 AM, Smith, Ned <ned.smith@intel.com> wrote:
> 
> I think both perspectives are correct. If the context of evaluation is an access decision then trust is binary. If the context is analytics, logging or risk management then trust is (can be) probabilistic.
>  
> The relying party has the necessary context. The main objective for RATS is to define Attester-Verifier interactions.
>  
> I’m just wondering, for the purposes of RATS architecture, if we need to resolve this question now?


For the EAT claims document, I don’t think there is much of an issue with “trust”. It hardly uses the word.

However the architecture document has a lot of orientation around trusted or not. Here’s some example text from 4.1.3:

   o  Evaluates trustworthiness during manufacturing, supply chain and
      onboarding

   o  Produces trustworthiness assertions applicable to the Attestor
      role

I don’t think the architecture document should be adopted until we resolve how it treats trust.

My fundamental argument is that no notion of trusted/untrusted is possible in our documents. Only the relying party can decide that and they will decide that based on their individual and wildly varying requirements (payments large or small, enterprise access, web site access…).

Further, the notion that an individual implementation can be deemed trustworthy seems flawed. How many HW chip defenses does it require? What strength of cryptography? Is EAL 5 Common Criteria evaluation enough?

LL

v2.23.0 | Report a Bug | By Email