[Rats] DLOAs claim (was Re: EAT Review Comments)

[Laurence Lundblade <lgl@island-resort.com>]

At this point I’m in favor of leaving the DLOAs claim in EAT.

- It doesn’t add a lot of complexity as it independent of all the other claims. Any EAT implementor can safely ignore it entirely.

- Certification is really important in trusted/confidential/… compute. It’s good that it has some presence in our attestation standards and brings attention to this existing standard.

- The design seems solid and correct, by carrying only a reference

- Could work with Arm PSA certified, FIDO certified, TCG certified, GP Certified. EMVCo, NIST, and the CC certifications...


I think it can come into play in many ways. Here’s a few scenarios, all of which are supported.
- The Attester passes the DLOAs claim to the Verifier which passes to the RP in AR who’s machine learning risk engine processes it
- The Verifier figures out which DLOA based on identify info in the Evidence and passes it to the the RP in AR
- The Attester passes the DLOAs claim to the Verifier. The Verifier evaluates it and does NOT pass it to the RP. They just give a thumbs up to the RP.
- The Attester passes the DLOAs claim directly to the RP because the RP is the Verifier

The line between Endorsement and Reference value is a bit hazy for me, but a DLOA is never THE endorsement. Maybe it is part of the Endorsement or maybe it fits better classified as a Reference value. It doesn’t seem critical to say precisely which.

In some cases the DLOAs claim is in Evidence and sometimes it is in AR and sometimes neither because it is an Endorsement process by the Verifier. It’s all good and OK.

LL


> On Dec 13, 2021, at 12:37 PM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
> 
> 
> On 13.12.21 21:31, Laurence Lundblade wrote:
>> On Dec 13, 2021, at 4:55 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote:
>>> 
>>> Hi Jeremy,
>>> Thanks for this additional information. That’s very helpful.
>>> To me it appears tricky to have the device provide this information. The problem I can see is that you cannot really rely on it. A compromised device would lie about its certificate level. Hence, whoever verifies this information has to keep to a copy around to check the received data against. This consequently makes the device-provided DLOA information of limited value.
> 
> This characterization sounds more like the use of endorsements to me than the use of evidence.
> 
>> The EAT claim is just for a pointer (a URL) to the certification info.
>> Also, DLOA is more intended for use in Attestation Results so it comes from the Verifier.
> 
> And while an Attester can "cache" its own endorsements, typically they can also be conveyed to a Verifier from an Endorser, correspondingly
> 
>> I actually think certification info is pretty important in characterizing security of something.
> 
> +1
> 
>> Just as important as the number of bits in an algorithm or the amount of side-channel defenses and such. Certification is where that all gets cross-checked into a coherent set of defenses and where effort is put into finding wholes and gaps. We don’t just say “use big I-beams” when building a sky scraper or bridge. We have a building department and inspector that makes sure they are used right.
>> LL