Re: [Rats] Android comments on EAT draft

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 17 May 2019 09:08 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>, Shawn Willden <swillden=40google.com@dmarc.ietf.org>
CC: "rats@ietf.org" <rats@ietf.org>, Laurence Lundblade <lgl@island-resort.com>, Simon Frost <Simon.Frost@arm.com>, Thomas Fossati <Thomas.Fossati@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/fipip3j7bHU0CHZ4mrwt7f4-YG0>

Hi Jeremy,

Thanks for the insights into GlobalPlatform.

I have a few questions inline.

On 17/05/2019, 08:53, Jeremy O'Donoghue wrote:
> This specific point is one for which GlobalPlatform has a solution in
> our TEE/SE related claim definitions. It is possible that this
> solution may be more general, although it had not previously occurred
> to me that this could be the case.
>
> [...]
>
> The Digital Letter of Approval is a published specification, available
> for free (of charge) download behind a click-through license at
> https://globalplatform.org/specs-library/?filter-committee=tps.  I am
> aware that some RATS participants may be unable/unwilling to access
> this document, so I paste the outline DLOA format information below:
>
> The Digital Letter of Approval (DLOA) is an XML file containing the
> minimum fields required to:
>
> * Identify the platform – the combination of the application and the
>   platform – this DLOA corresponds to

It is not completely clear to me what is meant by platform in this
context.  Is it the TEE/SE only or is it the whole device or something
else?

Also, when you mention the "platform identifier" a few paragraphs below,
what kind of identifier is this?  And who has authority to mint these
IDs?

> * Identify the Authority that issued the corresponding Letter of
>   Approval
>
> * Provide the expiration date of the corresponding Letter of
>   Approval
>
> * Identify the Letter of Approval from which this DLOA has been
>   generated (i.e. include the identifier of the Letter of Approval
>   issued by the Authority)
>
> * Ensure authenticity and integrity of the DLOA thanks to a digital
>   signature computed by the Authority
>
> * Provide additional information such as the date of issuance of the
>   corresponding Letter of Approval or a URL where the original Letter of
>   Approval can be retrieved
>
> The work to incorporate this in an EAT is ongoing, and will be shared
> at Public Review time, but basically you need two claims: one is a
> platform identifier and the second is the URL of a web service where
> certification details can be retrieved.
>
> The web service is generally operated by a Certification Body
> (GlobalPlatform in the case of GlobalPlatform compliance secretariat)
> and allows retrieval of complete certification information which is
> valid at the time of retrieval.
>
> If an approach based on an external registrar service is of more
> general interest, I can arrange a more detailed explanation.

That would be fantastic.

Cheers, t

