Re: [Rats] [sacm] CoSWID and EAT and CWT

"Smith, Ned" <ned.smith@intel.com> Fri, 22 November 2019 19:39 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
CC: "suit@ietf.org" <suit@ietf.org>, sacm <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>, Laurence Lundblade <lgl@island-resort.com>, Ira McDonald <blueroofmusic@gmail.com>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
Thread-Topic: [Rats] [sacm] CoSWID and EAT and CWT
Thread-Index: AQHVoVdERUlUpfZbOEKEXvzBDRBA7aeYCEIA//+ONYA=
Date: Fri, 22 Nov 2019 19:39:38 +0000
Message-ID: <65CFC5E3-1B46-4235-B4F4-692F475AC80F@intel.com>
References: <BN7PR09MB2819D797B89183218BEFA823F04E0@BN7PR09MB2819.namprd09.prod.outlook.com> <922EA164-FB96-4245-A46C-6520809E6311@gmail.com> <01f09bc9-bd79-89da-243d-cd766f297a5b@sit.fraunhofer.de> <CAHbuEH7uEjYK8obQ78B4paaB426Xrhuh+E7SJGsXNi_cRDYYAg@mail.gmail.com>
In-Reply-To: <CAHbuEH7uEjYK8obQ78B4paaB426Xrhuh+E7SJGsXNi_cRDYYAg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/q4gr08hLMFXqF8XHE9oxZS9_BZI>
Subject: Re: [Rats] [sacm] CoSWID and EAT and CWT

Regarding issue 46 (link below), the proposed (9) claims distinguish between Evidence, “Payload” and SUIT Manifest variations. Evidence is defined by RATS architecture, SUIT Manifest by SUIT WG, but not sure where “Payload” is defined and how it differs from Evidence. Possibly 8 claims can be collapsed into 4?

From: RATS <rats-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Friday, November 22, 2019 at 10:27 AM
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: "suit@ietf.org" <suit@ietf.org>, sacm <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>, Laurence Lundblade <lgl@island-resort.com>, Ira McDonald <blueroofmusic@gmail.com>, "david.waltermire@nist.gov" <david.waltermire@nist.gov>
Subject: Re: [Rats] [sacm] CoSWID and EAT and CWT

Hi Henk,

I am not entirely following you, so I am not stating agreement yet.

On Fri, Nov 22, 2019 at 12:06 PM Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
Hi Kathleen,
hi SACM, SUIT & RATS list,

the corresponding *SWID authors discussed this issue and are proposing:

> https://github.com/ietf-rats-wg/eat/issues/46

This includes an extended scope to include the option of SUIT Manifest
related Claim values, next to various *SWID Claim values. We permutated
"signed" & "not-signed" as well as "payload tags" and "evidence tags"
for *SWID tags in this proposal. The authors are convinced that the
"not-signed" variants are of essence (as CWT does not allow "not-signed
CBOR items"), but also do not imply any implications for the SUIT Manifest
Claim definition (although there are strong similarities and there could
be some).

Can you write the above again? Are you saying this in terms of a CWT? Wouldn't the claims and the text value in a CWT be represented as-is, then signed, so you'd get what you are saying is needed?

The current *SWID contributors prefer this contribution as a parallel
effort to the EAT I-D, SUIT Manifest I-D, the CoSWID I-D and existing
ISO XML SWID standard. This proposal includes the primitive to not delay
corresponding IETF I-Ds in their respective WGs.

Are you saying you don't want to add text stating the use of a CWT is a possible alternative, as that is what was requested? I offered to write a separate document to put the CoSWID in a CWT in SACM as I think that's the right home, referencing EAT work.

Having said that, we would like to get feedback for the proposal
references above.

If there is no dissent or push-back on either the SUIT, SACM, and RATS
lists, our proposed way forward is a unified creation of EAT Claim Sets
in the RATS WG that enables the use of various *SWID variants & the SUIT
Manifest as payloads for RATS via the RATS EAT I-D.

I think this should be in SACM. And I've offered to help. I do think that a little text saying it's possible should be in the CoSWID draft and will provide that soon so as not to delay progress of the CoSWID document.

Best regards,
Kathleen

In summary, we would like to create this interop I-D in concert and
welcome every joint effort in this domain.

Viele Grüße,

Henk

On 21.11.19 12:37, Kathleen Moriarty wrote:
>
>
> Sent from my mobile device
>
>> On Nov 20, 2019, at 11:29 PM, Waltermire, David A. (Fed)
>> <david.waltermire@nist.gov> wrote:
>>
>>
>> It sounds like having a CWT claim that contains an entire CoSWID is a
>> path forward. It may also make sense to do something similar for ISO
>> SWID tags.
>>
>> Am I right in thinking that this CWT work can be done in RATS,
>> referencing CoSWID once it is published as a normative reference? This
>> would allow CoSWID to go forward to the IESG, while the CoSWID CWT
>> claim is worked in parallel in RATS.
>>
>> Kathleen, if this is true, does this way forward address your
>> CWT-related comments?
>
> Hi Dave,
>
> I think the signature may have to be on the CWT as opposed to on the
> claim that is the CoSWID or SWID.  We can define it fully in another
> draft, but should state it here so that option is understood.  It’s a
> simple write up, I think.
>
> Thank you,
> Kathleen
>>
>> Regards,
>> Dave
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* sacm <sacm-bounces@ietf.org> on behalf of Kathleen Moriarty
>> <kathleen.moriarty.ietf@gmail.com>
>> *Sent:* Wednesday, November 20, 2019 9:10 PM
>> *To:* Ira McDonald <blueroofmusic@gmail.com>
>> *Cc:* rats@ietf.org <rats@ietf.org>; sacm <sacm@ietf.org>; Laurence
>> Lundblade <lgl@island-resort.com>
>> *Subject:* Re: [sacm] [Rats] CoSWID and EAT and CWT
>> Great, thanks Laurence.  If that's easier I think having the CoSWID in
>> one claim should be ok and would have the same result as the
>> suggestion I made.  Changing the CoSWID format is a big enough process
>> that it shouldn't happen very often.
>>
>> Best regards,
>> Kathleen
>>
>> On Wed, Nov 20, 2019 at 8:00 PM Ira McDonald <blueroofmusic@gmail.com> wrote:
>>
>>     Hi Laurence,
>>
>>     That seems like a good suggestion for a simple way to integrate
>>     CoSWID content
>>     into EAT.
>>
>>     Cheers,
>>     - Ira
>>
>>     Ira McDonald (Musician / Software Architect)
>>     Co-Chair - TCG Trusted Mobility Solutions WG
>>     Co-Chair - TCG Metadata Access Protocol SG
>>     Chair - Linux Foundation Open Printing WG
>>     Secretary - IEEE-ISTO Printer Working Group
>>     Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
>>     IETF Designated Expert - IPP & Printer MIB
>>     Blue Roof Music / High North Inc
>>     http://sites.google.com/site/blueroofmusic
>>     http://sites.google.com/site/highnorthinc
>>     mailto: blueroofmusic@gmail.com
>>     PO Box 221  Grand Marais, MI 49839  906-494-2434
>>
>>
>>
>>     On Wed, Nov 20, 2019 at 7:35 PM Laurence Lundblade
>>     <lgl@island-resort.com> wrote:
>>
>>         Hi,
>>
>>         I’m not on the SACM list, but did look at the archive.
>>         Hopefully I’m not out of sync.
>>
>>         My thought is to register one claim for CWT that is an entire
>>         CoSWID (in CDDL the concise-swid-tag).
>>
>>         That way CoSWID can grow and develop on its own without lots
>>         of adds and subtracts to the CWT registry. It has its own IANA
>>         registry with its own experts and such. Seems like the
>>         coupling / factoring is about right.
>>
>>         This would also be the way I'd like to have it in EAT
>>         attestation. We've done a mini version of this with the
>>         location claim
>>         <https://tools.ietf.org/html/draft-ietf-rats-eat-01#section-3.8>.
>>
>>         Then if you just want to sign a CoSWID CWT style, this works
>>         pretty well too. It has a slight overhead compared to having
>>         all the CoSWID data items as direct CWT claims in that it will
>>         have an additional map layer, but that is only about three bytes.
>>
>>         LL
>>
>>         _______________________________________________
>>         RATS mailing list
>>         RATS@ietf.org
>>         https://www.ietf.org/mailman/listinfo/rats
>>
>>     _______________________________________________
>>     sacm mailing list
>>     sacm@ietf.org
>>     https://www.ietf.org/mailman/listinfo/sacm
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>
>


--

Best regards,
Kathleen
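The two design points argued in this thread, Laurence's suggestion of one CWT claim that carries the entire concise-swid-tag (with roughly a three-byte extra map layer), and Kathleen's point that the signature then sits on the CWT rather than on the CoSWID claim itself, can be made concrete in code. The following is an added example written for this archive page, not code from any of the participants or from the EAT/CoSWID drafts. It assumes a placeholder claim key (`COSWID_CLAIM_KEY = 99`, which nothing on this page registers), a constructed sample CoSWID, a constructed MAC secret, and a COSE_Mac0/HMAC-SHA256 wrapper standing in for the COSE_Sign1 a real deployment would use; the CWT and CoSWID integer keys themselves follow RFC 8392 and the CoSWID map.

```python
"""Carry an entire CoSWID as one nested CWT claim and MAC the whole claims set.

Added example (not code from the thread). Assumptions are marked below: the CWT
claim key used for the CoSWID is a made-up placeholder, the CoSWID is a
constructed sample, and the MAC key is a constructed secret.
"""
import hashlib
import hmac

# --- minimal CBOR encoder (RFC 8949 subset: ints, bstr, tstr, arrays, maps, tags) ---

def _head(major, n):
    """Initial byte(s) for CBOR major type `major` with unsigned argument `n`."""
    mt = major << 5
    if n < 24:
        return bytes([mt | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([mt | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")

def encode(obj):
    """Encode a Python value as CBOR; map entries are emitted in insertion order."""
    if isinstance(obj, bool):
        raise TypeError("booleans are not needed in this example")
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        b = obj.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

def tagged(tag_number, content):
    """Wrap already-encoded CBOR in a semantic tag."""
    return _head(6, tag_number) + content

# --- CWT claim keys (RFC 8392) and CoSWID map keys (concise-swid-tag) ---
CWT_ISS, CWT_IAT = 1, 6
STANDARD_CWT_KEYS = {1, 2, 3, 4, 5, 6, 7}        # iss, sub, aud, exp, nbf, iat, cti
TAG_ID, SOFTWARE_NAME, ENTITY, TAG_VERSION, VERSION = 0, 1, 2, 12, 13
ENTITY_NAME, ROLE, ROLE_TAG_CREATOR = 31, 33, 1

# ASSUMPTION: placeholder key for "the whole CoSWID" claim; nothing on the page registers one.
COSWID_CLAIM_KEY = 99

HMAC_256_256 = 5                                 # COSE algorithm identifier (RFC 8152)
COSE_MAC0_TAG, CWT_TAG = 17, 61

# Constructed sample CoSWID (a concise-swid-tag map with integer keys).
SAMPLE_COSWID = {
    TAG_ID: "example-tag-0001",
    TAG_VERSION: 0,
    SOFTWARE_NAME: "Example Agent",
    VERSION: "1.2.3",
    ENTITY: {ENTITY_NAME: "Example Corp", ROLE: ROLE_TAG_CREATOR},
}

def key_collisions(coswid):
    """CoSWID keys that would clash with standard CWT claim keys if spliced in directly."""
    return sorted(set(coswid) & STANDARD_CWT_KEYS)

def claims_with_coswid(coswid, issuer="example-issuer", iat=1574451578):
    """CWT/EAT claims set carrying the entire CoSWID under one claim key."""
    return {CWT_ISS: issuer, CWT_IAT: iat, COSWID_CLAIM_KEY: coswid}

def nesting_overhead(coswid, issuer="example-issuer", iat=1574451578):
    """Extra bytes of the nested form versus splicing the CoSWID items straight into the CWT map."""
    base = {CWT_ISS: issuer, CWT_IAT: iat}
    nested = len(encode(claims_with_coswid(coswid, issuer, iat)))
    coswid_items = len(encode(coswid)) - len(_head(5, len(coswid)))  # items without their map header
    return nested - len(encode(base)) - coswid_items

def mac0_cwt(claims, key):
    """CWT as COSE_Mac0 (HMAC-SHA256): the tag covers the whole claims set, nested CoSWID included."""
    protected = encode({1: HMAC_256_256})
    payload = encode(claims)
    mac_structure = encode(["MAC0", protected, b"", payload])
    mac = hmac.new(key, mac_structure, hashlib.sha256).digest()
    return tagged(CWT_TAG, tagged(COSE_MAC0_TAG, encode([protected, {}, payload, mac])))

def verify_mac0_cwt(token, claims, key):
    """Recompute the token for the expected claims and compare in constant time."""
    return hmac.compare_digest(token, mac0_cwt(claims, key))

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"   # ASSUMPTION: constructed secret
    claims = claims_with_coswid(SAMPLE_COSWID)
    print("CoSWID keys colliding with CWT keys:", key_collisions(SAMPLE_COSWID))
    print("bytes added by nesting:", nesting_overhead(SAMPLE_COSWID))
    token = mac0_cwt(claims, key)
    print("token:", token.hex())
    bumped = {**SAMPLE_COSWID, VERSION: "1.2.4"}
    print("verifies against bumped CoSWID:", verify_mac0_cwt(token, claims_with_coswid(bumped), key))
```

`key_collisions` shows why the items of a CoSWID cannot simply be flattened into the CWT map: CoSWID keys 1 and 2 (software-name, entity) coincide with the CWT keys for `iss` and `sub`. `nesting_overhead` measures the cost of the alternative directly from the encoded bytes: one claim key plus one map header, three bytes for the placeholder key chosen here. The MAC is computed over the serialized claims set, so a change to any value inside the nested CoSWID (the version bump at the end) produces a token that no longer verifies, which is the property Kathleen describes when she places the signature on the CWT rather than on the claim.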