Re: [Rats] Attestation Terminology

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Wed, 20 September 2023 09:00 UTC

From: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "rats@ietf.org" <rats@ietf.org>
Date: Wed, 20 Sep 2023 09:00:17 +0000
Message-ID: <AS8PR10MB74272E2A0BA72B343E55450FEEF9A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
References: <002e01d9eaca$65aa4010$30fec030$@gmx.net> <cfaf21a1-7294-fcb1-b16b-17280ff56704@sit.fraunhofer.de>
In-Reply-To: <cfaf21a1-7294-fcb1-b16b-17280ff56704@sit.fraunhofer.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/i56oCh1DB3jm1eYwwvfu_4Yh2TI>

Hi Henk,

As you can imagine, I am confused. You are saying that the RATS group couldn't agree on a term for "attestation" in the architecture document. But now the term is defined in another RATS document, namely <ietf-rats-tpm-based-network-device-attest>.
Is that because you finally found an agreement or just because nobody in the group was paying attention?

Regarding key attestation: IMHO it is what we are providing with draft-ietf-lamps-csr-attestation where Evidence includes information about the private key being stored in a hardware security module. I don't have a good definition of the term myself and hence I was wondering whether there is some established terminology in TCG or elsewhere already. It cannot be the first time that this issue arises.

Ciao
Hannes

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Henk Birkholz
Sent: Tuesday, 19 September 2023 13:59
To: hannes.tschofenig@gmx.net; rats@ietf.org
Subject: Re: [Rats] Attestation Terminology

Hi Hannes,

w.r.t.: `attestation`

there is no satisfying answer to your question, I'm afraid. The RATS architecture was explicitly and carefully worded to avoid the word `attestation` as a stand-alone term, as it causes confusion in the context of "activity vs. message" and is horribly overloaded in general:

> https://csrc.nist.gov/glossary/term/attestation

(here NIST captures the confusion in a nutshell)

That is why RATS is about _remote attestation_, and corresponding activities, such as Evidence Generation, Conveyance, Appraisal, etc.

w.r.t.: `key attestation`

The RATS WG has not defined the more narrow term "key attestation" today. As Denis pointed out, "OpenID for Verifiable Credential Issuance" does, for example. Looking at that definition there are two essential components:

1.) "a certificate including a certificate chain asserting that a particular key is managed, for example, by a hardware security module"

2.) "provide this data along with the proof of possession in the Credential Request"

In RATS (IETF/TCG) words, I think, openid is defining `key attestation` as an Endorsement (according to 1.) of key material that is then combined with a PoP (according to 2.). That is not the same thing as remote attestation, as there is no Evidence about the trustworthiness of the Attester generated.

I am not entirely sure how useful it would be for the RATS WG to specify yet another meaning of the term `key attestation`. What I would see as useful in any case, however, would be writing up a definition (independent of any name). Maybe something along the lines of "Evidence about an endorsed key storage that is augmented with a PoP of a stored key" or something to that effect.

But that probably just reflects my half-baked understanding of "RATS key attestation"... what would you think `key attestation` means in the context of RATS, Hannes?


Best regards,

Henk

On 19.09.23 09:24, hannes.tschofenig@gmx.net wrote:
> Hi all,
>
> I am wondering why the group has not defined the term "attestation" in
> the RATS architecture RFC. Instead, it is defined in a solution
> document <ietf-rats-tpm-based-network-device-attest> where nobody finds it.
>
> Ciao
> Hannes
>
> PS: Where is the term "key attestation" defined?
>
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats
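To make Henk's two-component reading of `key attestation` concrete, here is an added example that is not from the thread, from the RATS drafts, or from OpenID: a minimal Go model in which an HSM endorser signs an Endorsement that a key is HSM-managed (component 1), the stored key signs the request as proof of possession (component 2), and a Relying Party accepts only when both checks and a freshness nonce hold. The type names, the JSON encoding, the "hsm" storage label and the sample request bytes are constructed for illustration; real formats such as the one in draft-ietf-lamps-csr-attestation differ.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Endorsement (component 1): an HSM vendor's signed claim that Key lives in an HSM. Constructed fields.
type Endorsement struct {
	Key      ed25519.PublicKey `json:"key"`
	Storage  string            `json:"storage"`
	Endorser string            `json:"endorser"`
}

// KeyAttestation = signed Endorsement + PoP (component 2), a signature by the endorsed key over the
// request. It carries no Evidence about the Attester's own trustworthiness, as Henk points out.
type KeyAttestation struct {
	Endorsement Endorsement
	EndorserSig []byte // endorser's signature over the JSON-encoded Endorsement
	Request     []byte // CSR-like bytes that embed the Relying Party's nonce
	PoPSig      []byte // signature by the endorsed key over Request
}
func encode(e Endorsement) []byte { b, _ := json.Marshal(e); return b }

// MakeKeyAttestation plays the HSM side: the endorser signs the Endorsement, the stored key signs the request.
func MakeKeyAttestation(endorserPriv, storedPriv ed25519.PrivateKey, request []byte) KeyAttestation {
	e := Endorsement{Key: storedPriv.Public().(ed25519.PublicKey), Storage: "hsm", Endorser: "example-vendor"}
	return KeyAttestation{Endorsement: e, EndorserSig: ed25519.Sign(endorserPriv, encode(e)), Request: request, PoPSig: ed25519.Sign(storedPriv, request)}
}

// VerifyKeyAttestation plays the Relying Party: the Endorsement must be signed by a trusted endorser and
// claim HSM storage, AND the PoP must be by that endorsed key over a request carrying the expected nonce.
func VerifyKeyAttestation(ka KeyAttestation, trustedEndorser ed25519.PublicKey, nonce []byte) bool {
	if !ed25519.Verify(trustedEndorser, encode(ka.Endorsement), ka.EndorserSig) || ka.Endorsement.Storage != "hsm" {
		return false // key storage is not endorsed by anyone we trust
	}
	if !bytes.Contains(ka.Request, nonce) {
		return false // replayed or stale request
	}
	return ed25519.Verify(ka.Endorsement.Key, ka.Request, ka.PoPSig)
}

func main() {
	endPub, endPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, storedPriv, _ := ed25519.GenerateKey(rand.Reader)
	ka := MakeKeyAttestation(endPriv, storedPriv, []byte("CSR:cn=device42;nonce=constructed-1"))
	fmt.Println("key attestation accepted:", VerifyKeyAttestation(ka, endPub, []byte("constructed-1")))
}
```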