[Rats] WGLC Review of draft-ietf-rats-architecture-07

"Eric Voit (evoit)" <evoit@cisco.com> Wed, 18 November 2020 17:31 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/m65COAszSM7HfqL6O6ciw5AJVVk>

As part of WGLC, I have reviewed draft-ietf-rats-architecture-07, and
believe it an excellent document.  Below are three minor comments and five
nits which I believe are worth addressing.  


Major Comments
-----------------------
None


Minor Comments
-----------------------
Section  4:  General Comment  (this comment could also apply to Section 12)
It is up to the Relying Party to evaluate the Verifier.  And not all
Verifiers should be seen as equivalently trustworthy.  Additionally, any
particular Verifier might be able to provide a consistent level of certainty
in the "Attestation Results".  This is because the capabilities of the
Attesting Environment will vary.   This section does not hint at the varying
levels of certainty in the "Attestation Results" based on the varying
quality and quantity of available Evidence of different types of Attesters.
I am not sure if this truism belongs in this section.  Or if this truism
belongs in the document at all.  But without having this nuance being
described somewhere, it could leave the perception of a higher level of
confidence in the Appraisals being made from a deployable RATS architecture
than might necessarily be warranted.  Note that this issue is also alluded
to in Section 7.4 and Section 12.  But neither addresses things like whether
Attestation Result values should provide a minimum level of confidence
regardless of the type of Attester being evaluated.
In the end, I am fine if nothing changes in the document as a result of this
comment, but I wanted to have the authors consider whether this is worth a
statement or two.

Section  5.1
Current Text: If the Attestation Result was a successful one, the Attester
can then present the Attestation Result to a Relying Party, which then
compares the Attestation Result against its own appraisal policy.
Proposed Text: If the Attestation Result was a successful one, the Attester
can then present the Attestation Result (and possibly additional Evidence)
to a Relying Party, which then compares this information against its own
appraisal policy.
Alternative way to address comment: In Section 5.3 is a discussion on
"Combinations".  A final sentence or paragraph could be added on another
example of a combination where the Attestation Result from a Passport Model
can be a form of Evidence coming into a background check model.
Rationale #1: There are multiple statements in Section 5.1, including the
diagram which do not show additional Evidence allowed to be included as part
of the passport model.  We need at least one statement within Section 5
which shows this to be a valid scenario.  I do not think Figure 7 covers
this option sufficiently.  (Note: this goes back to previous email list
discussions showing that even a government-issued passport is stamped with
supplemental information as people transit country borders.)
Rationale #2: Section 8.3 on Attestation Results does not reference
"Combinations", nor that Attestation Results can be a type of Evidence.
Rationale #3: Section 16.2 includes a Nonce2 as supplemental evidence as
part of the passport model diagram. 

Section  16.3
The notational convention for the use of ' (i.e., prime) after timestamps is
not described.  E.g. time(HR'_v).   I think its meaning can be figured out
by the diagram.  But it might be worth making it an explicit notification
convention.  And other subsequent documents might want '' as well.


Nits:
------
Section 2: Reference Value Provider
Currently: ...Reference Values help Verifiers appraise the authenticity of
Evidence
Proposed: ...Reference Values help Verifiers appraise Evidence to determine
if only known and acceptable claims have been recorded by the Attester    

Section  3.6:
Currently: One significant problem is malware that holds a device hostage
and does not allow it to reboot to prevent updates from being applied.
This is a significant problem,
Proposed: There is a class of malware that holds a device hostage and does
not allow it to reboot to prevent updates from being applied.   This can be
a significant problem,

Section  4:
Currently: pppraisal policy
Proposed: appraisal policy

Section 11:
Currently: as well as any users the device is associated with.
Proposed: as well as potentially any users of the device.

Section  12.1
Currently: Key Material
Proposed: key material


Thanks,
Eric