Re: [Rats] WGLC for draft-ietf-rats-tpm-based-network-device-attest

Guy Fedorkow <gfedorkow@juniper.net> Mon, 12 October 2020 16:19 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: "Panwei (William)" <william.panwei@huawei.com>, "draft-ietf-rats-tpm-based-network-device-attest@ietf.org" <draft-ietf-rats-tpm-based-network-device-attest@ietf.org>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Mon, 12 Oct 2020 16:19:18 +0000
Message-ID: <SJ0PR05MB73894514F4D3D9F777437012BA070@SJ0PR05MB7389.namprd05.prod.outlook.com>
References: <AF518CBE-A83F-45A2-8807-F08EC478C04E@cisco.com> <bbacd6e97a74452a9d3e08b7b834a078@huawei.com>
In-Reply-To: <bbacd6e97a74452a9d3e08b7b834a078@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/NDdzJ1iHzm88Uo78GmNVyOWxsX4>

Wei Pan,
  I'll collect all the comments and start on a -05 draft, thanks
/guy




From: Panwei (William) <william.panwei@huawei.com>
Sent: Monday, October 12, 2020 11:58 AM
To: draft-ietf-rats-tpm-based-network-device-attest@ietf.org
Cc: rats@ietf.org
Subject: RE: WGLC for draft-ietf-rats-tpm-based-network-device-attest


Hi authors,

I've reviewed the -04 doc and I have some comments which I wish to be resolved before forwarding the doc to IESG.


1.      About the terminology, some new terms are introduced into the architecture doc recently (please see github), including Reference Values and Reference Values Provider. And the term Endorser or Endorsement doesn't cover the concept of reference measurements any more. So this RIV doc may also need to update the use of terms correspondingly.

2.      In section 1.4, it says:

   5.  Finally, Appraisal of Evidence occurs.  As the Verifier and
       Relying Party roles are often combined within RIV, this is the
       process of verifying the Evidence received by a Verifier from the
       Attesting device, and using an Appraisal Policy to develop an
       Attestation Result, used to inform decision making.  In practice,
       this means comparing the device measurements reported as Evidence
       with the Attester configuration expected by the Verifier.
       Subsequently the Appraisal Policy for Attestation Results might
       match what was found against Reference Integrity Measurements
       (aka Golden Measurements) which represent the intended configured
       state of the connected device.

In the sentence "Subsequently the Appraisal Policy for Attestation Results might match what was found against Reference Integrity Measurements", I think "the Appraisal Policy for Attestation Results" should be "the Appraisal Policy for Evidence".

3.      About the PCR assignment figure in Section 2.1.1, is this assignment a reference for the implementers? Or is this a normative rule that all implementers need to follow? If the latter, I think it's more appropriate to standardize this assignment in TCG.

4.      In section 2.1.2, it says "It is important to recognize that PCR[0] is critical". By saying so, what's the real reason why PCR[0] is critical? Is it critical because of the position of the PCR (i.e., PCR[0] is critical regardless of its usage), or because it is used to store the measurement of the Root of Trust for Measurement?

5.      In section 2.2, it says "In TPM application, the Attestation key MUST be protected by the TPM, and the DevID SHOULD be as well." Here it says the DevID "SHOULD" be protected by the TPM, while other places use "MUST", like section 2.3 and section 3.1.1.

6.      There are two terms "Attestation Key (AK)" and "Attestation Identity Key (AIK)" used in different places, but I think they are the same thing. So I suggest only using one term.

7.      There are some asymmetrical brackets in the doc, e.g., the last paragraph of section 2.2, the brackets after "[EFI-TPM]" in section 2.3 and 2.4.2.

8.      The reference of [Platform-DevID-TPM-2.0] can be updated, I think its current name is "TPM 2.0 Keys for Device Identity and Attestation" and its link is https://trustedcomputinggroup.org/resource/tpm-2-0-keys-for-device-identity-and-attestation/. Please correct me if I'm wrong.

Regards & Thanks!
Wei Pan

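The two-step appraisal described in the quoted section 1.4 step 5 (replay the Evidence, then match it against Reference Integrity Measurements), written out as an added example that is not part of the thread or the draft. It assumes the quote's signature has already been verified with the AK, uses a constructed measurement log with made-up digests, and checks PCR[0] first because the draft calls it critical, so a mismatch in the Root of Trust for Measurement is reported before anything measured later is trusted.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed sample log: (PCR index, digest of the measured component).
# The digests are illustrative only, not values from the draft or any device.
SAMPLE_LOG = [
    (0, sha256(b"root-of-trust-for-measurement-v1")),  # PCR[0]: RoTM / core firmware
    (0, sha256(b"uefi-firmware-image-v2.3")),
    (4, sha256(b"boot-loader-v7")),
    (8, sha256(b"network-os-kernel-9.1")),
]


def replay_log(log, pcr_count=24):
    """Reconstruct PCR values from a measurement log with the TPM extend rule
    PCR[i] = SHA256(PCR[i] || digest), starting from all-zero PCRs."""
    pcrs = {i: bytes(32) for i in range(pcr_count)}
    for index, digest in log:
        pcrs[index] = sha256(pcrs[index] + digest)
    return pcrs


def appraise(log, quoted_pcrs, reference_pcrs, policy_pcrs=(0, 4, 8)):
    """Verifier-side appraisal.
    1. Evidence check: the log must replay to the PCR values the TPM signed
       in the quote (quote signature assumed verified with the AK beforehand).
    2. Reference check: the quoted PCRs must equal the Reference Integrity
       Measurements (Golden Measurements) for this device type.
    policy_pcrs is the Appraisal Policy: which PCRs matter, PCR[0] first."""
    replayed = replay_log(log)
    for i in policy_pcrs:
        if replayed[i] != quoted_pcrs[i]:
            return ("fail", f"log does not reproduce quoted PCR[{i}]")
    for i in policy_pcrs:
        if quoted_pcrs[i] != reference_pcrs[i]:
            return ("fail", f"PCR[{i}] differs from reference value")
    return ("pass", "all policy PCRs match reference values")


def run_demo():
    """Healthy device: quote and reference both derived from the sample log."""
    reference = replay_log(SAMPLE_LOG)
    return appraise(SAMPLE_LOG, reference, reference)
```

Because the extend chain is order-sensitive, a changed firmware entry alters PCR[0] and every later PCR[0] extension, so the reference check fails on PCR[0] even when the log and quote agree with each other.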
From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Nancy Cam-Winget (ncamwing)
Sent: Monday, September 21, 2020 10:06 AM
To: rats@ietf.org<mailto:rats@ietf.org>
Subject: [Rats] WGLC for draft-ietf-rats-tpm-based-network-device-attest

RATs participants,

This is a WGLC for draft-ietf-rats-tpm-based-network-device-attest, please provide comments and feedback by October 12, 2020.
The draft can be found in:
https://datatracker.ietf.org/doc/draft-ietf-rats-tpm-based-network-device-attest/

Best, Nancy (on behalf of the RATs chairs)