[Rats] Re: [EXTERNAL] Re: draft-fv-rats-ear-05.html

Thomas Fossati <thomas.fossati@linaro.org> Wed, 12 February 2025 19:41 UTC

From: Thomas Fossati <thomas.fossati@linaro.org>
Date: Wed, 12 Feb 2025 20:41:29 +0100
Message-ID: <CA+1=6ydDDWgjkd3r1CBu4c+sXjh2nG9xAG4XvJM1BGT-mnKEnA@mail.gmail.com>
To: Greg Kostal <gkostal@microsoft.com>
CC: "Smith, Ned" <ned.smith@intel.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Subject: [Rats] Re: [EXTERNAL] Re: draft-fv-rats-ear-05.html
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ed3T6lENuX22G_c8rUWQEz4lICk>

Hi Greg,

On Wed, 12 Feb 2025 at 20:15, Greg Kostal <gkostal@microsoft.com> wrote:
> This can be a big, potentially breaking burden on existing RPs which
> have implementations in place that cannot handle the logic to iterate
> and reason over all the appraisal claim-sets.  As an example, the
> Azure Key Vault service's "appraisal policy for attestation results"
> language grammar cannot reason over an arbitrary sized appraisal
> claim-set, and reasoning over a known size N would be pretty painful
> (i.e., create duplicate policy for index 0, 1, ..., N) and potentially
> breaks internal size limits, etc.
>
> https://learn.microsoft.com/en-us/azure/key-vault/keys/policy-grammar

This is good to know, thanks. My (limited) experience is with OPA, which
is not limited in that respect.

> If EAR discussions aren't the right or best place to discuss details
> of an EAT format for composite attestation results, please ignore my
> distractions.  And hopefully point me somewhere else.  😊

On the contrary, EAR has composite attesters as first class.
Feel free to share and discuss your requirements with us :-)

cheers, t
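As an added illustration of the point about OPA (example code, not from the thread or the EAR draft): a Rego policy that appraises a composite EAR over any number of submods, so no per-index duplication is needed. It assumes the EAR is passed as `input` with a `submods` map keyed by attester ID, each entry carrying an `ear.status` claim.

```rego
package ear.appraisal

import rego.v1

# Attester IDs whose sub-appraisal is not "affirming". The comprehension
# ranges over every entry of input.submods, however many there are.
# (Assumed layout: submods is a map attester-id -> claim-set.)
non_affirming contains id if {
	some id, sub in input.submods
	sub["ear.status"] != "affirming"
}

# Fail closed: deny unless explicitly allowed below.
default allow := false

# Allow only when the composite carries at least one sub-attester and
# every one of them was appraised as affirming.
allow if {
	count(input.submods) > 0
	count(non_affirming) == 0
}
```

Querying `data.ear.appraisal.allow` against an EAR with three submods where one is "warning" yields `false`, and `data.ear.appraisal.non_affirming` names the offending attester for the RP's audit log.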