Re: [Rats] RATS use cases review
"Panwei (William)" <william.panwei@huawei.com> Thu, 11 July 2019 10:14 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AA201200EB for <rats@ietfa.amsl.com>; Thu, 11 Jul 2019 03:14:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mqVVKJB0uHWE for <rats@ietfa.amsl.com>; Thu, 11 Jul 2019 03:14:24 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FFDF1200D6 for <rats@ietf.org>; Thu, 11 Jul 2019 03:14:24 -0700 (PDT)
Received: from LHREML710-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id A4D9C2B92355FC99C71E; Thu, 11 Jul 2019 11:14:22 +0100 (IST)
Received: from NKGEML413-HUB.china.huawei.com (10.98.56.74) by LHREML710-CAH.china.huawei.com (10.201.108.33) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 11 Jul 2019 11:14:21 +0100
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.66]) by NKGEML413-HUB.china.huawei.com ([10.98.56.74]) with mapi id 14.03.0415.000; Thu, 11 Jul 2019 18:14:10 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "jmfmckay@gmail.com" <jmfmckay@gmail.com>, "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] RATS use cases review
Thread-Index: AdU3uOlwLKSHqMdGQiuJZWyAUZXxHw==
Date: Thu, 11 Jul 2019 10:14:10 +0000
Message-ID: <30E95A901DB42F44BA42D69DB20DFA6A69FAD147@nkgeml513-mbx.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.37.117]
Content-Type: multipart/alternative; boundary="_000_30E95A901DB42F44BA42D69DB20DFA6A69FAD147nkgeml513mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/q2KI5oBzAgVHZHfAQ_85U7_OpgU>
Subject: Re: [Rats] RATS use cases review
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 10:14:27 -0000
Hi Jessica and Frank, The RATS charter says to standardize the information model for assertions/claims about system components characteristics scoped by the specific use-cases, so I think identifying what information should be attested is helpful. But the RATS charter also says to standardize interoperable protocols to securely convey assertions/claims, and I think categorizing the use case based on the type of information collected may not help archive this goal. Different devices/services have different characteristics and different requirements, for example, the network devices like routers and switches are all composited devices and may have the out-of-band links for doing the RA, while the IoT devices are more resources-constrained and may have to use the public Internet. In order to prevent omissions, I suggest that we can first categorize the use cases by the devices/services (in other word, Attester) types, then consider the how the RA can be used by these devices/services (including the function requirements and trigger conditions, e.g., attesting the device’s boot processes after it reboots), and last analysis how these devices/services do the RA (including what information should be attested and what requirements should the conveying protocols have). After such analysis, if we find that there are not many differences among different devices/services, we can re-adjust the sections. But before the analysis done, I don’t know if we can foresee the differences don’t exist. Regards & Thanks! 潘伟 Wei Pan 华为技术有限公司 Huawei Technologies Co., Ltd. From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Xialiang (Frank, Network Standard & Patent Dept) Sent: Thursday, July 11, 2019 12:06 PM To: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; rats@ietf.org Subject: [Rats] 答复: RATS use cases review Hi Jessica, Good point and topic! Categorizing the use cases on the type of information collected is a possible, but maybe not the best way. Since this kind of difference seems to have no much influence to the RATS protocol design. I have no definite answer to it now, but propose more options for discussion: 1. Define different use cases for device/service types: network device, IoT device, web service, NFV, … 2. Define different use cases from different functional requirements: boot time attestation, running time attestation, periodic attestation, on-demand attestation, on-change attestation, mutual attestation, batch attestation, pub/sub mode attestation, … 3. Trigger condition of RA: device initial provisioning, device reboot, device post-update, line card insert/removal, some key event on phone/IoT device (i.e., execute key app, read important data), … 4. Partial combination of the above use cases B.R. Frank 发件人: RATS [mailto:rats-bounces@ietf.org] 代表 Jessica Fitzgerald-McKay 发送时间: 2019年7月11日 1:54 收件人: rats@ietf.org<mailto:rats@ietf.org> 主题: [Rats] RATS use cases review Hello, all, I took a careful read of the use cases document. I notices that Sections 5.1 - 5.6.2 each are variations on the themes of attesting to a device's: - identity - hardware inventory - software inventory - firmware - configuration Section 5.1 is fairly explicit about that. Section 5.2 seems to be describing a particularly reslient remediation to hardware/software vulnerabilities (presumably discovered via a device's hw/sw attestation?). Sections 5.3 and 5.4 are concerened with the configuration of a device's hardware or software TEE. Section 5.5 describes how these forms of attestation are directly applicable to critical infrastructure. While I am sure there will be protocol restrictions for that type of device, the idea of what is being attested to is the same here as it is for other device types. Section 5.6.1 seems to be relatively the same as the TEE/ML use cases. And, 5.6.2 admits to being essentially a subsection of the same. In this light, the right approach is to organize the document around the information that is being attested (the above list, plus end-user information (section 5.6.3), geographic attestation (section 5.7), and connectivity attestation (section 5.8)), with perhaps additional information on how these types of attestation can be combined in support of things like, say, critical infrastructure security, etc. What does the work group think? Thanks, Jess
- [Rats] RATS use cases review Jessica Fitzgerald-McKay
- [Rats] 答复: RATS use cases review Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Rats] RATS use cases review Panwei (William)
- Re: [Rats] RATS use cases review Michael Richardson
- Re: [Rats] RATS use cases review Jessica Fitzgerald-McKay
- Re: [Rats] RATS use cases review Michael Richardson
- [Rats] Claims for to device trust (was Re: RATS u… Laurence Lundblade