Re: [Rats] AD Review of draft-ietf-rats-architecture-15

Roman Danyliw <rdd@cert.org> Thu, 21 July 2022 21:20 UTC

From: Roman Danyliw <rdd@cert.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] AD Review of draft-ietf-rats-architecture-15
Date: Thu, 21 Jul 2022 21:20:03 +0000
Message-ID: <BN2P110MB11077E3694C78ACBA39F2F3ADC919@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB110748C2C81E515E5E7277C5DCC09@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <3256.1651680451@localhost> <dabb272d-1e69-8a0e-ba91-4d5d85cfb8ab@sandelman.ca>
In-Reply-To: <dabb272d-1e69-8a0e-ba91-4d5d85cfb8ab@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/K_sU1kLQybiywE1nax9SJRgw_UI>
List-Id: Remote ATtestation procedureS <rats.ietf.org>

Hi!

Thanks for the updates in -16 to -18.

I'm putting together multiple threads and github comments in one place below ...

> -----Original Message-----
> From: Michael Richardson <mcr+ietf@sandelman.ca>
> Sent: Tuesday, May 24, 2022 12:34 PM
> To: rats@ietf.org; Roman Danyliw <rdd@cert.org>
> Subject: Re: [Rats] AD Review of draft-ietf-rats-architecture-15
[snip]

> 
> On 2022-05-04 12:07, Michael Richardson wrote:

[snip]

> >> ** Section 5 -- Topological Patterns
> >
> > https://github.com/ietf-rats-wg/architecture/issues/404
> 
> We made a few small changes.
> You asked:
> 
> > Figure 5. Shows the Attester consuming Attestation Results
> > Figure 5. Shows the Attester producing Attestation Results
> 
> The text is pretty clear that this is not the case.
> We introduced a new paragraph break to make this easier to see, which is
> at:
> https://www.ietf.org/archive/id/draft-ietf-rats-architecture-16.html#section-5.1-3
> 
> In the passport model, the Attester may well obtain the Attestation Results
> (the "passport"), and may well cache it for some time and might use it
> repeatedly.  But these Results are signed in some way, and cannot be modified, so
> they aren't consumed or produced.  We debated putting a line through the
> Attester box, but due to the caching, we decided not to.
> 
> 
> > Figure 6: Shows Relying party consuming Evidence
> > Figure 6: Shows the Relying Party producing/passing Evidence
> 
> In this case, we changed the diagram to show the Evidence passing through the
> RP to get to the Verifier.  We discussed whether the RP could in fact cache that
> Evidence; whether there are cases where the Attestation Results might have a
> shorter lifespan than the Results.
> We think that this could sometimes be the case, but we felt that the
> diagram would best be adjusted anyway.
> (Yes, we came up with different answers to what are apparently the same
> problem with the diagram)
> 
> https://github.com/ietf-rats-wg/architecture/pull/414/files

Thanks for clarifying.

What I'm getting from this text is that there is "producing" and "consuming" per Section 4.  I took those terms to be describing/constraining information flow -- what information can come and go among the various architectural elements.  It appears that Section 5 is introducing a new behavior which is "accepting" (receiving but not processing) and "passing" (sending but not processing).  There also appears to be element-specific behavior of "caching".

I see no conflict with these four behaviors.  My concern is that these nuances in behavior were not explicitly stated.  They should be.  Furthermore, just as certain architectural elements are defined by what they can produce or consume, I'm wondering if the same is true for the "accepting"/"passing" behavior?

> > -- The overall Section 12 seems silent on:
> >
> > o What is the implication of combining roles into a single entity as described in Section 3.4 and 6. Does this lack of separation present any additional issues?

[github said: https://github.com/ietf-rats-wg/architecture/issues/407]
==[ snip ]==
We need to acknowledge that there is a deep hole (not infinitely deep, but not trivial) where we need to look at integrity of all of the different platforms.
The way that the compositions are composed is a bit tricky, and the results are sometimes different than other people would naively assume.
Are there references here to other papers that we should include?
==[ snip ]==

I completely agree; that's why I mentioned it.  Composition is hard and can alter the security assumptions of the individual components and introduce emergent risk.

I don't think it can be solved generically.  However, we do need cautionary text here.  Perhaps:

NEW (roughly)

The RATS architecture allows for an entity to function in multiple roles (Section 6) and for composite devices (Section 3.3).  Implementers need to evaluate their designs to ensure that the assumed security properties of the individual components and roles still hold despite the lack of separation, and that emergent risk is not introduced.  The specifics of this evaluation will depend on the implementation and use case and are out of scope for this document.

> ** Section 16.  Can the thinking of this section be explained.
[snip]

Thanks for explaining the thinking.  I do not agree that this text is appropriate given its uneven treatment, but will support the desire of the WG to keep it.

One editorial matter that got introduced somewhere after -15: please make this a proper appendix.  It's currently "16.  Appendix A: Time Considerations", that is, Section 16 with the word "appendix" in the title.  Perhaps this is a rendering issue.


Regards,
Roman
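The passport and background-check flows discussed in the quoted exchange above (Attester caching signed Attestation Results it cannot alter; Relying Party accepting Evidence and passing it unprocessed to the Verifier), as an added toy model that is not from the draft or from either poster. It assumes an HMAC under a key shared by Verifier and Relying Party as a stand-in for the Verifier's signature, and a nonce field in Evidence and Results for freshness.

```python
import hashlib
import hmac
import json

VERIFIER_KEY = b"constructed-verifier-key"  # constructed stand-in for the Verifier's signing key

def sign(body):
    """Verifier 'signature' over Attestation Results (HMAC stand-in, see lead-in)."""
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(VERIFIER_KEY, data, hashlib.sha256).hexdigest()}

def signature_ok(results):
    data = json.dumps(results["body"], sort_keys=True).encode()
    expected = hmac.new(VERIFIER_KEY, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(results["sig"], expected)

def verifier_appraise(evidence):
    """Verifier role: consumes Evidence, produces signed Attestation Results."""
    outcome = "pass" if evidence["boot_state"] == "secure" else "fail"
    return sign({"nonce": evidence["nonce"], "result": outcome})

class Attester:
    def __init__(self, boot_state):
        self.boot_state = boot_state
        self.cached = None  # passport model: Results are cached, neither consumed nor altered

    def evidence(self, nonce):
        return {"nonce": nonce, "boot_state": self.boot_state}

    def fetch_passport(self, nonce):
        self.cached = verifier_appraise(self.evidence(nonce))
        return self.cached

def relying_party_accepts(results, nonce):
    """Relying Party role: consumes Attestation Results; an edited passport fails here."""
    return signature_ok(results) and results["body"] == {"nonce": nonce, "result": "pass"}

def background_check(attester, nonce):
    """Relying Party accepts Evidence and passes it, unprocessed, to the Verifier."""
    evidence = attester.evidence(nonce)  # the RP does not interpret this
    return relying_party_accepts(verifier_appraise(evidence), nonce)

def passport_demo(boot_state, tamper):
    """Passport model; tamper=True models an Attester editing its cached 'fail' to 'pass'."""
    passport = Attester(boot_state).fetch_passport("n1")
    if tamper:
        passport["body"]["result"] = "pass"
    return relying_party_accepts(passport, "n1")
```

The tampered passport is rejected because the Relying Party checks the Verifier's signature before consuming the Results, which is what lets the Attester merely cache them rather than produce or consume them.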