Re: [Rats] Nonce-based freshness for CMP/EST

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Mon, 29 April 2024 10:12 UTC

From: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "hannes.tschofenig=40gmx.net@dmarc.ietf.org" <hannes.tschofenig=40gmx.net@dmarc.ietf.org>, 'rats' <rats@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Mon, 29 Apr 2024 10:12:36 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/k_ZCHb2xKHZdYZSagvukpXaGB_E>

Hi Carl,

thanks for your feedback. Please see my comments below.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Carl Wallace
Sent: Monday, March 4, 2024 12:46 PM
To: hannes.tschofenig=40gmx.net@dmarc.ietf.org; 'rats' <rats@ietf.org>; spasm@ietf.org
Subject: Re: [lamps] [Rats] Nonce-based freshness for CMP/EST

I reviewed the diff for the new draft and had a couple of questions/comments. Added LAMPS since this originates there.

1. How are non-ASCII values intended to be handled in the various EvidenceHint options?

The plan is to align this document with the CSR attestation draft. In the CSR attestation draft we are planning to simplify the hint structure by referring only to UTF-8. Here is the PR with the details: "Flattened the hint. Closes #108. Closes #110" by ounsworth, Pull Request #112, lamps-wg/csr-attestation: <https://github.com/lamps-wg/csr-attestation/pull/112>

2. Given the way EvidenceHint is used in the JSON example, would it be better to just define EvidenceHint as a UTF8String instead of as a CHOICE? This would be more consistent with the statement from the attestation draft that the "format and contents of the hint are out of scope of this document."

Agree!

3. Should EvidenceHint be included in the NonceResponse to indicate which verifier was elected? This seems necessary given the attester may include a hint in the EvidenceStatement.

Yes (included or otherwise referenced).

4. Similarly, why does the hint need to be in the NonceRequest? The CA is the relying party. It seems to me that it will use whatever verifier it wants (so inclusion in the response makes some sense, to inform the EvidenceStatement creation, but inclusion in the request seems a bit like the tail wagging the dog).

The hint from the attester gives an indication of what the attester believes the correct verifier is. Of course, the relying party is free to ignore this hint.
So, including the hint in the nonce request, which is from the attester to the relying party, is correct.

5. s/a test value/a text value

Thanks

6. The statement "indicates the time the nonce is considered valid" should probably be "indicates the time after which the nonce is considered invalid" assuming a nonce would only be valid until the expiry time if not used already.

Fine with me.

7. What should occur if the verifier refuses to supply a nonce of the requested length?

We need to indicate that the use of attestation then fails.

Ciao
Hannes


From: RATS <rats-bounces@ietf.org> on behalf of <hannes.tschofenig=40gmx.net@dmarc.ietf.org>
Date: Sunday, March 3, 2024 at 7:23 AM
To: 'rats' <rats@ietf.org>
Subject: [Rats] Nonce-based freshness for CMP/EST

Hi all,

I have just submitted a new version of the draft that describes how to add nonce-based freshness for certificate management protocols like CMP/EST. The solution relies on the CSR attestation specification.

Here is the updated draft:
https://datatracker.ietf.org/doc/draft-tschofenig-lamps-nonce-cmp-est/

As the recent mailing list exchanges have shown, there is room for more discussion about this freshness topic. FWIW I have requested an agenda slot in the LAMPS group.

Ciao
Hannes

_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats
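As an added illustration (not code from the draft or from either poster), a Python model of the NonceRequest/NonceResponse exchange as discussed in the thread: the attester's hint travels in the request and the relying party's chosen verifier comes back in the response, the expiry is the time after which the nonce is invalid, and a refused or wrong-length nonce makes attestation fail. Field and class names other than NonceRequest, NonceResponse and EvidenceHint are assumptions, as is the single-use policy.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Field names below are assumptions for illustration, not the draft's ASN.1.
# EvidenceHint is modelled as a plain UTF-8 string, as agreed in the thread.

@dataclass
class NonceRequest:
    nonce_length: int           # bytes of nonce the attester asks for
    hint: Optional[str] = None  # attester's belief about the right verifier

@dataclass
class NonceResponse:
    nonce: bytes
    invalid_after: float        # time after which the nonce is invalid
    hint: str                   # verifier the relying party actually chose

@dataclass
class RelyingParty:
    """CA acting as relying party: issues nonces and may ignore the hint."""
    verifiers: Dict[str, str]   # hint -> verifier endpoint (constructed sample)
    default_hint: str
    ttl: float = 300.0          # seconds a nonce stays valid
    min_len: int = 16
    max_len: int = 64
    outstanding: Dict[bytes, float] = field(default_factory=dict)

    def issue(self, req: NonceRequest, now: float) -> Optional[NonceResponse]:
        if not self.min_len <= req.nonce_length <= self.max_len:
            return None         # refusal: attester must treat attestation as failed
        hint = req.hint if req.hint in self.verifiers else self.default_hint
        nonce = os.urandom(req.nonce_length)
        self.outstanding[nonce] = now + self.ttl
        return NonceResponse(nonce, now + self.ttl, hint)

    def accept_evidence(self, nonce: bytes, now: float) -> bool:
        # Single use (assumed policy): pop it so a replayed EvidenceStatement fails.
        invalid_after = self.outstanding.pop(nonce, None)
        return invalid_after is not None and now <= invalid_after

def attester_proceeds(req: NonceRequest, resp: Optional[NonceResponse], now: float) -> bool:
    """Attester side: no nonce, wrong length, or an already-expired nonce -> give up."""
    if resp is None or len(resp.nonce) != req.nonce_length:
        return False
    return now <= resp.invalid_after
```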