Re: [Rats] name of identity key

Guy Fedorkow <gfedorkow@juniper.net> Mon, 02 December 2019 21:27 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: "Smith, Ned" <ned.smith@intel.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
CC: "pritikin@cisco.com" <pritikin@cisco.com>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, Henk Berkholz <henk.birkholz@sit.fraunhofer.de>, William Bellingrath <wbellingrath@juniper.net>
Thread-Topic: name of identity key
Date: Mon, 02 Dec 2019 21:27:48 +0000
Message-ID: <BYAPR05MB4248D75B0F2F570126A19288BA430@BYAPR05MB4248.namprd05.prod.outlook.com>
References: <BYAPR05MB4248D3AE10BAA7E74D588E76BA490@BYAPR05MB4248.namprd05.prod.outlook.com> <32083.1574668598@dooku.sandelman.ca> <1E5F7794-BA58-4D6D-928A-4B0E9C227B69@intel.com> <11202.1574848474@dooku.sandelman.ca> <A52561C0-95BD-4D16-98B9-25A375C41F16@intel.com> <16604.1574925807@dooku.sandelman.ca> <C4E5F9D5-3E15-4366-8848-199D4E50A334@intel.com>
In-Reply-To: <C4E5F9D5-3E15-4366-8848-199D4E50A334@intel.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/htX_ZPTCPZSuA_lpoCFbzp2vnVo>
Subject: Re: [Rats] name of identity key
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>

Hi Michael,
  The reason I've stuck with DevID is that the spec says pretty clearly where the serial number needed for onboarding is to be put.  That doesn't mean that the text couldn't be relaxed in some way to allow keys that identify a box for onboarding using other formats than 802.1AR.  But it might be tough to get multiple methods to be interoperable.
  The confusion you might be thinking of is that a key in the TPM is identified by a handle, not a friendly name.  So when someone wants a DevID key that desire must be translated to a TPM handle.
  I think those have been spec'd now by TCG, at least for TPM2.  But for an embedded system, I think the question is moot; the manufacturer is going to put the key into the TPM in a way that they know how to find it when their own onboarding software wants to use it.
  If you want software from Vendor A to run on a platform (with identity keys) supplied by Vendor B (perhaps as in the PC world), then the handles need to be spec'd.  But that seems more like a TCG problem.

  One reason (IMHO) onboarding specs should ask for "the DevID key", but not for the IDevID or LDevID or for a specific handle, is that the administrator could well pre-provision the device to use a variety of different keys, all with DevID format, but with different security properties known only to the admin...

  Just my guess...  I see Max on the cc; he's the expert at this!
/guy

-----Original Message-----
From: Smith, Ned <ned.smith@intel.com> 
Sent: Monday, December 2, 2019 3:00 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org
Cc: Guy Fedorkow <gfedorkow@juniper.net>; pritikin@cisco.com; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; Henk Berkholz <henk.birkholz@sit.fraunhofer.de>; William Bellingrath <wbellingrath@juniper.net>
Subject: Re: name of identity key



On 11/27/19, 11:37 PM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:

        nms> Maybe it makes sense to talk about how the keys are used rather than trying to name them?

    Well, I think that having it named "the key we use for Onboarding" is the
    same as saying, "Onboarding Key", right?
[nms] Right. I thought you were looking for names such as "IDevID". It could be the IDevID is the onboarding key or that the attestation key is the onboarding key. Somehow the onboarding protocol selects which key is used if both are available.

    I don't know how the manufacturing process that involves a TPM with a TPM
    attestation key works.  I just know that when doing BRSKI there were
    issues with being confused between various TPM keys, and we originally wrote
    text saying that the device Serial Number might be in weird places.  We later
    ripped that text out, as time had changed things, and I'm worried that this
    issue is not really dead.
[nms] There is still a possibility for a bootstrapping sequence post factory shipment where "the onboarding key" doesn't yet exist. Therefore, pre-onboarding is required to provision the onboarding key. This may be what you describe as "the device Serial Number might be in weird places".
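The point the thread keeps returning to, that a TPM reaches a key by handle while the onboarding spec asks for "the DevID key", can be made concrete with a small resolver. The following is an added example, not code from this thread or from any TCG or IEEE document: rather than hard-coding a handle, it walks an inventory of persistent keys, parses each key's certificate subject DN (RFC 4514 string form) for the serialNumber attribute where 802.1AR places the device serial, and keeps only the key whose issuer is the CA this onboarding flow trusts. A device pre-provisioned with several DevID-format keys (Guy's IDevID/LDevID case) then yields exactly one handle or a clear error, never a silent guess. The handle values, DNs, serial number and CA names are constructed sample data; the only specification-derived value is the TPM 2.0 persistent handle-type prefix 0x81.

```python
"""Resolve "the DevID key" to a TPM persistent handle by certificate contents.

Added example, not code from the RATS thread or any TCG/IEEE document.  A TPM
names keys by handle, so an onboarding agent asked to use "the DevID key" has
to pick a handle.  Instead of hard-coding one, this picks the persistent key
whose certificate subject carries the expected 802.1AR serialNumber and whose
issuer is the CA this onboarding flow trusts.  Handles, DNs and the serial
number below are constructed sample data.
"""
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# TPM 2.0 handle-type prefix 0x81 marks persistent objects (TPM_HT_PERSISTENT).
TPM_PERSISTENT_FIRST, TPM_PERSISTENT_LAST = 0x81000000, 0x81FFFFFF


def is_persistent_handle(handle: int) -> bool:
    """True if the handle is in the persistent range, i.e. a provisioned key."""
    return TPM_PERSISTENT_FIRST <= handle <= TPM_PERSISTENT_LAST


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN into (type, value) pairs in written order.

    Backslash escapes are honoured: "\\X" yields X, and a two-hex-digit "\\XX"
    is decoded as one ASCII character (multi-byte UTF-8 escapes are out of
    scope).  Multi-valued RDNs joined by '+' are flattened.  Attribute types
    are lower-cased; unescaped whitespace around types and values is dropped.
    """
    pairs: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(ch in string.hexdigits for ch in nxt):
                buf.append(chr(int(nxt, 16)))  # hex escape, e.g. \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])          # escaped special character
                i += 2
            else:
                raise ValueError("dangling backslash in DN: %r" % dn)
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip().lower()
            buf = []
        elif c in ",+":
            if attr is None:
                raise ValueError("RDN without '=' in DN: %r" % dn)
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("DN does not end in an attribute=value pair: %r" % dn)
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def device_serial_from_dn(dn: str) -> Optional[str]:
    """Return the subject serialNumber (OID 2.5.4.5), where 802.1AR carries the
    device serial, or None if the DN has none (e.g. an attestation key)."""
    for attr, value in parse_dn(dn):
        if attr in ("serialnumber", "2.5.4.5"):
            return value
    return None


@dataclass(frozen=True)
class KeySlot:
    handle: int       # TPM handle the key is loaded under
    subject_dn: str   # subject DN of the certificate stored for the key
    issuer_dn: str    # issuer DN of that certificate


def select_devid_handle(inventory: Sequence[KeySlot], expected_serial: str,
                        trusted_issuer_dn: str) -> int:
    """Pick the one persistent DevID whose cert matches serial and issuer.

    Raises LookupError when there is no match or more than one, so a device
    carrying several DevID-format keys never has one chosen silently.
    """
    wanted_issuer = parse_dn(trusted_issuer_dn)
    matches = [s.handle for s in inventory
               if is_persistent_handle(s.handle)
               and device_serial_from_dn(s.subject_dn) == expected_serial
               and parse_dn(s.issuer_dn) == wanted_issuer]
    if not matches:
        raise LookupError("no DevID for serial %s from %s" % (expected_serial, trusted_issuer_dn))
    if len(matches) > 1:
        raise LookupError("ambiguous DevID choice: " + ", ".join("0x%08X" % h for h in matches))
    return matches[0]


# Constructed inventory, shaped like a listing of persistent handles plus the
# certificates stored for them.  All values are made up for this example.
MFG_CA = "CN=Example Networks Manufacturing CA,O=Example Networks\\, Inc."
SITE_CA = "CN=Operator Site CA,O=Operator Co"
SAMPLE_INVENTORY = [
    # manufacturer-issued IDevID; note the escaped comma in O=
    KeySlot(0x81020000, "CN=rtr-017,serialNumber=JNX0123456789,O=Example Networks\\, Inc.", MFG_CA),
    # attestation key from the same CA: no serialNumber in its subject
    KeySlot(0x81020001, "CN=rtr-017 AK,O=Example Networks\\, Inc.", MFG_CA),
    # operator-issued LDevID: same serial, different issuer
    KeySlot(0x81020002, "CN=rtr-017,serialNumber=JNX0123456789,O=Operator Co", SITE_CA),
    # transient copy of the IDevID (0x80 prefix): not a provisioned identity
    KeySlot(0x80000001, "CN=rtr-017,serialNumber=JNX0123456789,O=Example Networks\\, Inc.", MFG_CA),
]

if __name__ == "__main__":
    # The same CA written with different case and spacing still matches after parsing.
    h = select_devid_handle(SAMPLE_INVENTORY, "JNX0123456789",
                            "cn=Example Networks Manufacturing CA, o=Example Networks\\, Inc.")
    print("IDevID for onboarding is at handle 0x%08X" % h)
```

Matching on the parsed issuer rather than on a handle number keeps the selection independent of whichever persistent slot the manufacturer or administrator chose, which is the interoperability gap the thread worries about; the transient-handle and attestation-key entries show the two kinds of loaded key that must not be mistaken for a DevID.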