Re: [Rats] AD Review of draft-ietf-rats-architecture-15

Laurence Lundblade <lgl@island-resort.com> Sun, 24 July 2022 14:12 UTC

From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <33343.1658604777@dooku>
Date: Sun, 24 Jul 2022 10:12:27 -0400
Cc: Roman Danyliw <rdd@cert.org>, "rats@ietf.org" <rats@ietf.org>
Message-Id: <CED09092-13F6-4359-A782-CF39AE379E20@island-resort.com>
References: <BN2P110MB110748C2C81E515E5E7277C5DCC09@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <3256.1651680451@localhost> <dabb272d-1e69-8a0e-ba91-4d5d85cfb8ab@sandelman.ca> <BN2P110MB11077E3694C78ACBA39F2F3ADC919@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <33343.1658604777@dooku>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/gQeyHaKXg0NQTPuHl_B3YrydqoI>
Subject: Re: [Rats] AD Review of draft-ietf-rats-architecture-15

I never considered the concept of passport vs background all that critical. What seems important to me is the meaning of the attestation token and how it is processed at the end points.

This came from seeing how some of the mobile / web app guys worked with their RESTful APIs. Their protocols have all sorts of flows. When you put attestation into those protocols, sometimes it is passport, sometimes it is background check, sometimes other. What matters is the flow of the existing application protocol into which the attestation messages get inserted.

LL


> On Jul 23, 2022, at 3:32 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
>    Roman> What I'm getting from this text is that there is "producing" and
>    Roman> "consuming" per Section 4.  I took those terms to be
>    Roman> describing/constraining information flow -- what information can
>    Roman> come and go among the various architectural elements.  It appears
>    Roman> that Section 5 is introducing a new behavior which is "accepting"
>    Roman> (receiving but not processing) and "passing" (sending but not
>    Roman> processing).  There also appear to be element specific behavior of
>    Roman> "caching".
> 
>    Roman> I see no conflict with these four behaviors.  My concern is that
>    Roman> these nuances in behavior were not explicitly stated.  They should
>    Roman> be.  Furthermore, just as certain architectural elements are
>    Roman> defined by what they can produce or consume, I'm wondering if the
>    Roman> same is true for the "accepting"/"passing" behavior?
> 
> I'm having a lot of problems dealing with this comment.
> I've discussed this around the design team that is here at the hackathon, and
> we are really not sure what to do here.  In the terminology section, we have a
> pattern like:
> 
>   Verifier:  A role performed ...
>      Consumes: Evidence, ...
>      Produces: Attestation ...
> 
> It isn't clear to me if you'd like us to add Passing:, Caching: and Accepting:
> to the terminology section.   I think that we don't really want to do that,
> because it really only applies in two cases (the RP when Background check),
> and the Attester in passport model.
> 
> I really don't think section 5 is that mysterious that it needs more introduction.
> I would really like some more opinions from the WG.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
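The two flows under discussion (the Attester passing Attestation Results in the passport model, the Relying Party passing Evidence in the background-check model) can be made concrete with a small simulation. The code below is an added example written for this thread; it is not from draft-ietf-rats-architecture or from any of the posters. It stands in HMAC-SHA256 for the real signatures on Evidence and Attestation Results, and the keys, claims, appraisal policy and nonce handling are constructed placeholders. It shows the point Laurence makes: the roles in the middle only accept and pass signed bytes, and what decides the outcome is how the token is verified and appraised at the end points. A tampered Result passed through the Attester is rejected at the Relying Party because the Verifier's signature no longer matches.

```python
"""Toy model of the RATS passport and background-check flows.

Added example, not code from the mailing-list thread or from the RATS draft.
Signatures are HMAC-SHA256 with constructed pre-shared keys so that the example
runs offline; real deployments use asymmetric keys (for example COSE or JWS).
"""
import hashlib
import hmac
import json

# Constructed keys (assumption): Attester <-> Verifier and Verifier <-> Relying Party.
ATTESTER_KEY = b"constructed-attester-key"
VERIFIER_KEY = b"constructed-verifier-key"


def sign(key, payload):
    """Serialize a claims map canonically and attach an HMAC tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(key, token):
    """Check the tag and return the claims; any modification of the body fails here."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        raise ValueError("signature check failed")
    return json.loads(token["body"])


class Attester:
    def __init__(self, claims):
        self.claims = claims  # constructed measured claims about the platform

    def produce_evidence(self, nonce):
        # Produces: Evidence (bound to the nonce for freshness)
        return sign(ATTESTER_KEY, {"nonce": nonce, **self.claims})


class Verifier:
    def __init__(self, policy):
        self.policy = policy  # Appraisal Policy for Evidence (constructed)

    def appraise(self, evidence, nonce):
        # Consumes: Evidence.  Produces: Attestation Results.
        claims = verify(ATTESTER_KEY, evidence)
        if claims.get("nonce") != nonce:
            raise ValueError("stale or replayed evidence")
        ok = all(claims.get(k) == v for k, v in self.policy.items())
        status = "affirming" if ok else "contraindicated"
        return sign(VERIFIER_KEY, {"nonce": nonce, "status": status})


class RelyingParty:
    def decide(self, results, nonce):
        # Consumes: Attestation Results.  Only the Verifier's signature is trusted.
        result = verify(VERIFIER_KEY, results)
        return result.get("nonce") == nonce and result.get("status") == "affirming"


def passport_flow(attester, verifier, rp, nonce):
    """Attester -> Verifier, then Attester passes the Results to the RP unprocessed."""
    evidence = attester.produce_evidence(nonce)
    results = verifier.appraise(evidence, nonce)
    # The Attester accepts the Results and passes them on; it cannot read or alter
    # them usefully because only the RP holds the key that checks the tag.
    return rp.decide(results, nonce)


def background_check_flow(attester, verifier, rp, nonce):
    """Attester -> RP, RP passes the Evidence to the Verifier unprocessed."""
    evidence = attester.produce_evidence(nonce)
    # The RP accepts the Evidence and passes it on without appraising it.
    results = verifier.appraise(evidence, nonce)
    return rp.decide(results, nonce)


def forged_passport_is_rejected(attester, verifier, rp, nonce):
    """Passing without processing is safe: a Result altered in transit fails at the RP."""
    results = verifier.appraise(attester.produce_evidence(nonce), nonce)
    forged = dict(results, body=results["body"].replace("contraindicated", "affirming"))
    try:
        rp.decide(forged, nonce)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = Attester({"secure_boot": True, "fw_version": "2.1"})  # constructed claims
    bad = Attester({"secure_boot": False, "fw_version": "1.0"})
    verifier = Verifier({"secure_boot": True})
    rp = RelyingParty()
    print("passport, good device:", passport_flow(good, verifier, rp, "nonce-1"))
    print("background check, bad device:", background_check_flow(bad, verifier, rp, "nonce-2"))
    print("forged result rejected:", forged_passport_is_rejected(bad, verifier, rp, "nonce-3"))
```

The nonce is handed to both the Attester and the consumer by the caller, which is a simplification of the freshness mechanisms the draft describes; the point of the example is which role holds which key and therefore which role can actually process a message rather than merely relay it.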