Re: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)
"lgl island-resort.com" <lgl@island-resort.com> Thu, 07 September 2023 16:46 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C6FC151538; Thu, 7 Sep 2023 09:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xJT3V4kZvFkD; Thu, 7 Sep 2023 09:46:09 -0700 (PDT)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2116.outbound.protection.outlook.com [40.107.93.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47290C15154A; Thu, 7 Sep 2023 09:46:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q0nm0qKhHrFI3ef+zD7QuUKh7ygFXveQ/rSAldmJiKs/Sh+G86BtoIxGv7c6eMiTrhNLw55gq+wqzR4SahRBfid5pePmd6se2eCGZDWpNhst/DsdFCCK0ufvuRETLx/r6ydomzH2C3bJaR1dllFZve38s0wNIXmOZ4eK26rLtOevx0ehVYuzgDnyvNcXhbZAVmdtEVMbtLZNzLinUgVfEg7PP6zkymtcyIMZieKsfjQ0xORSpVT+8iBsCYM4vT3ZJy1qjpo21s8f2iDLvTbmPb9sjEmRyhCebmIkE9pC7vwq3Zp5H71H/wJsAIJtczl4GXuFwMb2JqMHPs79+2c0hA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mBqF5sow47qRBvzt7gCaEKgixjRrrq6CTuR8K68B23A=; b=ZMWsm51VfQ4QeYnsYKSltXd0eekMemNV95NRk+mViS+UsJm7Psnbh1QwjXcIbTROl68YLbp4FjptDewUbHvAER971ebXVy6kzbJUUo3JQlBY2QLB9qMVh/PacgUsylRike3CDgNfiFYvUs6NQ+HrnT99/feaIv1ULqe5UKf8253aWAXo5trtrFBjDuRAFZvb9lpDGJ0tiu7D7JthZczFGj27LVMIjWilpb6SGoWidX8LBxb7qYxD911tu2ezpPTK4D0Vc++9/9QSXnaQ2PVqJUos8msHweaktx3cXQnlbj2Ra+93vfwIBxwEcswIrWrhTKyM4qTo0sR+b6HTBRIlAA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by CH2PR22MB1943.namprd22.prod.outlook.com (2603:10b6:610:5c::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.36; Thu, 7 Sep 2023 16:46:04 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::f317:e4d1:7e1e:3934]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::f317:e4d1:7e1e:3934%3]) with mapi id 15.20.6745.030; Thu, 7 Sep 2023 16:46:03 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: Robert Wilton <rwilton@cisco.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-rats-eat@ietf.org" <draft-ietf-rats-eat@ietf.org>, rats-chairs <rats-chairs@ietf.org>, rats <rats@ietf.org>, "ned.smith@intel.com" <ned.smith@intel.com>
Thread-Topic: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)
Thread-Index: AQHZ4YycYhWhaV4FhkSXMddkknN58bAPkm6A
Date: Thu, 07 Sep 2023 16:46:03 +0000
Message-ID: <3CF411FF-CCE3-4CB2-8E30-010F7381E2F0@island-resort.com>
References: <169409219358.34717.10637003445246332249@ietfa.amsl.com>
In-Reply-To: <169409219358.34717.10637003445246332249@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|CH2PR22MB1943:EE_
x-ms-office365-filtering-correlation-id: 91b739df-eb51-4d42-f0a6-08dbafc1ecbf
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FxTEaZ5PSTTTLRZ78Mw7qEF2nhvx8Qq0u2gGw586BaXD7x+lTWFlVDGeHq1j9ED5Wf4LX8hplA0KbwguobULEpdJAVgNxab9IXeWKmuOpxeZ3re5q15iH6Pcm6KJnxb49HpSqUZFtzQlrB99TV9zM6VSnmVl5qTnsqCg3r1JLSIVt758QG0UM2hbS01+gU+bhi42K2FTwkPRd/prZwAHbSDgJoDPRqFbKFf+MWiQIMKyCg1pY3Afw4N9AgqhGBDsrh2aWlcvK+uD6LPTdWlDfWlrtqAtYES4W7xwGoiwK4hPrJI6xkxY3o2Y1Hez71QL2O/Srd9by6RKlkto0ZDaU/3WNivpIbwbtSbN6/a6kKJfDN05KTRcuyuc8ZkEHpJOlxt9V47ULiA1wXtATPM6Kqr3vsN8WR8IvoY+V0HuwdeB/CeTRtTywiIQlGHUF6hzUw8QJRvJvdHJRNTV1lZ2LjByMmN6vkpRgF1qNMNBzEGwqwdhjjG+gvQBop2FemdtTTmnrGBfjnDHL4Sgja/mwRubxaG9RCexJkAHQZWZXGUVTb7hDqLcvW6lWKT9f/5Fg3EWjPXZRxQE05W0gXCypCFeLG2s95mZsbmUiZTP1JKlvrBrgfzD9da7BAb7VfP6Q9ppRCx7zbRzLzv5UppsYQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(39830400003)(136003)(346002)(376002)(366004)(186009)(451199024)(1800799009)(6512007)(26005)(38070700005)(38100700002)(478600001)(36756003)(966005)(122000001)(66556008)(66946007)(66446008)(76116006)(66476007)(316002)(6916009)(64756008)(41300700001)(54906003)(66574015)(166002)(53546011)(2616005)(83380400001)(6486002)(6506007)(71200400001)(8936002)(4326008)(8676002)(5660300002)(2906002)(86362001)(33656002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Nz5MsFkm0T6ccCfOhegN7/y86MBy5lb/Q2WNjR+pr1EmEi+5qhIwrRVV189caylIYheH2C1v/tgyqDWI2HZZ/GXu2hIEgerrLh2PXzdpFpW8z1aLNkftCFL37n3O1S7Tn/4uv4HdYY5ULizUy+6sJ1eDefYnUElM2PstEi1KP4RFbNfz8F0xDE/KBLFZtjgMCQXNhRjcj+s52LlBPqKvBYcx/UIsSkCme8chc4pPwiMlUHvjDdLFWpHVDWvHqF9umVG3u2k7zojoxitSYSmyqNfoWtqsgIFZB/IoWxnC4CKKZkL3W8ktpT9I0lXjrZx619MO5lhJxGzUyy0X1Hsf9mvePpL4Rdg+ZfLZ2rco/XNKgS5a06wnm8YUk381kYywHIl4m8HZhhutBahK8GeITUI7UBGJR0XSP7P4wlH+1YhTfvsKDtxEN/C8ctCxQpeQzMCOx2j4ml8kn/KxbMULUZpeU7kVgNw7UmAqMiE8XEkw6BhBluuvoM3yBzzLmxA38ewUc6teR5Wv6/TqYaJ1dD2JOMkpJ7jBq/B96ptZEHMnJz9Yr1FEuUdFbGU4HUXjgvzUnNaVx2NsVgIO1YM5g84ch7PC+QVeqUWLTP5H5C2G7U4ayZLfo/296/45And69jm2+G+eKjygWMNV6E8RgzExt46ECvXOqQPVhjuphd6mutwEak5wWqsUPGgQ41pP1QgCzNunmz1vP+McQGh8ToE5KkLexU9hVfPV1gzo72W8WZWkQBXOCjs8ZQcuY/WTCyPv26YfDjhhDyjxbTZIItRnV+q8bVJPkHE4IBCkoTSqap5uREPjRUk9glXcSnEmXP10PXwzFtJjTqExX/w/FHXLBMz/n9X0zNhU3RwQOyYV7B8sD6aCTKtONS7vubYyDpDAelHjWiLu4sdHjag1wIEtmeB9e42sBnWZMB5PQK6Vhpo+lXjZDGqe80KIkyHujt88Z2BJ2CRjb+INSrDr3Uvl4CmH/XaZbI3bXeD1S5F9xYR/fQISAwF/y+y9DbrNvjlE38EmQrxN+CvP76oyOGURerVgfBmfRFitHdcGJz/5XIdnTmhDwLHV8SpOzh+fRZrnrj/G/jRTx/Ux10E0zYizz421gAt4DFbGZJEy8bwFRClrLr177yNqrwdo+Dyrhp6ou1YmCVdys8S76liTzUzvQCRx8t2qXgAi1ZYaCgbgIdbWLnFEQd7H7yoqWq90NhY3aW+5graw52sQdOvNmy1kC3R+rzVq9sII2OltsmsdZMYg/SdvHiPiz1K08Z9DCSFXXnCy4AYwLTQgr/ph5T+HSb/I1BUyI1vKfz+JT+lCBfyLOVXkhylYZGbdcgBIJ9GpF+Y8/UldwlqiiL4UNpOUoQjLfTG9P+t8ho56/1vyoU3wgtMz6H3n4IAhW7cc7rdx7y5a9YzXuKj28Xz07AfcouZzSLnBn3KbFZO3XAm+xiyimjiP+3w3qmwxvbYfOMswwp3QMa5Q9XI0AsGiE+6k2W+1Ds0BrWWjrsvdF8Csicza+UK8ebp0bvskXcbsU1+wHliapkMXfol9f/i9D5o0nZke3EcDeeHhdiYDKS8Lzq0/3kJPwf0NFzjK1UEUUy258NVgvCkh2KRXDcnfxw==
Content-Type: multipart/alternative; boundary="_000_3CF411FFCCE34CB28E30010F7381E2F0islandresortcom_"
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 91b739df-eb51-4d42-f0a6-08dbafc1ecbf
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Sep 2023 16:46:03.8142 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: EYzM8SDf8WzDl9jdqFXBu6oX5Pg2oBVF3BciB+LaN7aH80zpJ4Cf3gKMFnzh6S+kRH9dXSYhCGltIZVVE8cHWA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR22MB1943
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/hOWmfwJ2I5RmaWSG9CLk6wm1feA>
Subject: Re: [Rats] Robert Wilton's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2023 16:46:12 -0000
Hi Rob, Thanks of the review. Comments below LL On Sep 7, 2023, at 6:09 AM, Robert Wilton via Datatracker <noreply@ietf.org> wrote: ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Hi, Thanks for this document. Sorry, I didn't have time to review this document that closely. I have flagged one issue for discussion to change the reference to the architecture document to being a normative reference. This would mean a downref, but should otherwise be an easy change to make. The rest of my comments are non-blocking. (1) p 71, sec 11.2. Informative References [RATS.Architecture] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", Work in Progress, Internet-Draft, draft- ietf-rats-architecture-22, 28 September 2022, <https://datatracker.ietf.org/doc/html/draft-ietf-rats- architecture-22>. "From section 1.3, EAT follows the operational model described in Figure 1 in [RATS.Architecture].". This, along with other references indicates that the RATS architecture should be a normative reference. I’m fine with it either way. Maybe others could chime in with opinions. I’ve read RFC 3967 and friends, but am still not sure if I have to do anything in the EAT doc other than change the type of reference if the consensus is for normative. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (2) p 0, sec An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims. This is probably contentious, but given that this is a new spec, I wonder whether it wouldn't be better (i.e., encourage wider interop) if only CBOR, COSE and CWT were used/allowed. A few reasons I would give for JSON support: - JSON is much more widely used and understood than CBOR so we’ll get more adoption - EAT is good for attestation results (in addition to evidence) which is often B-to-B / server-to-server where JSON and JWT is widely used - Backend systems that operate on attestation evidence/results will often prefer JSON - It’s good that we went to all the trouble now to know how to embed JSON tokens in CBOR tokens and vice versa It would be a huge upheaval to change this now. Probably many that have come to expect JSON support over the years of work here would be unhappy. (3) p 20, sec 4.2.6. swname (Software Name) Claim The "swname" claim contains a very simple free-form text value for naming the software used by the entity. Intentionally, no general rules or structure are set. This will make it unsuitable for use cases that wish precise naming. I found it interesting, and slightly surprising, that the hardware model claim is opaque, but the software name claim is not. We could re order so swname is not next to hw-related claims. Move it down by manifests. Wouldn’t be as surprising then :-) I’m half serious because it is more related to manifests. Most of the answer here is that swname has a more formal alternative in the manifests claim and the HW identifiers don’t. The swname claim exists because the manifests claim is complicated and requires use of an external format not defined in EAT (e.g., CoSWID). (4) p 24, sec 4.2.11. uptime (Uptime) Claim The "uptime" claim MUST contain a value that represents the number of seconds that have elapsed since the entity or submodule was last booted. Relative to other claim descriptions, the MUST in this description seems strange. Perhaps better as just "The "uptime" claim contains a value ..." Thx. https://github.com/ietf-rats-wg/eat/pull/409 (5) p 88, sec Appendix B. UEID Design Rationale A UEID is not a UUID [RFC4122] by conscious choice for the following reasons. Note that the UUID spec is currently being updated (it is also on this week's telechat review), so some of the concerns being described here may no longer be valid. It is still only 128 bits though, and 6 bits are spent identifying UUID format and version. I have looked over uuidrev and don’t think it changes the design or appendix B. (6) p 89, sec Appendix B. UEID Design Rationale Note also that that a type 2 UEID (EUI/MAC) is only 7 bytes compared to 16 for a UUID. Note that the paragraph at the end of appendix B.1. states that UEIDs are a minumum of 128 bits ... Have clarified that appendix B.1 is only for type 1 UEIDs. The statement in B.2 is for type 2 UEIDs https://github.com/ietf-rats-wg/eat/pull/408<https://github.com/ietf-rats-wg/eat/pull/40>
- [Rats] Robert Wilton's Discuss on draft-ietf-rats… Robert Wilton via Datatracker
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… lgl island-resort.com
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Smith, Ned
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Roman Danyliw
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Roman Danyliw
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… lgl island-resort.com
- Re: [Rats] Robert Wilton's Discuss on draft-ietf-… Rob Wilton (rwilton)