[Rats] UEID where an instance is a group member

Simon Frost <Simon.Frost@arm.com> Wed, 25 March 2020 15:47 UTC

From: Simon Frost <Simon.Frost@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>, "rats@ietf.org" <rats@ietf.org>
Date: Wed, 25 Mar 2020 15:46:50 +0000
Message-ID: <DBBPR08MB4903BE72097CBCD14C15C4A8EFCE0@DBBPR08MB4903.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Xk4aPB4bDON0tYB0Wjhrp9zvp8M>
List-Id: Remote ATtestation procedureS <rats.ietf.org>

We had an internal discussion in response to some changes in PSA which have elaborated the definition of an Instance Attestation Key (IAK) so that it may either be "unique to each device or a collection of identical devices". The definition of the Identity claim is now a value that identifies the IAK. This has been done to support entity grouping for (some) privacy scenarios.

While we have an EAT Profile for PSA that uses a full set of custom claims, our intent has always been to migrate as many claims as possible to the standard once the RATS work is complete. Previously, there has been a direct analogy between arm_psa_UEID and the standard UEID. With this change though, we would have to move away from this. The current description of UEID makes it clear that it must be device world unique. There is some discussion (https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html#name-ueid-privacy-considerations) of the group scenario, but the only statement about the claim situation is that "It will often be the case that tokens will not have a UEID for these reasons".

In the privacy scenario, it is still desirable to have an entity identity claim, for use by a verifier or for general usage. The options seem to be:

a/ If the entity is unique, include a UEID claim, otherwise include a custom group claim. It seems a pity to encourage diversification between profiles.

b/ If the entity is unique, include a UEID claim, otherwise use a new standard GEID claim.

c/ punt this problem out to the kid of the COSE wrapper. This would ignore any more general uses of group identities.

Of these, b/ (introduce a new standard GEID claim) seems to make the most sense and is the option we would propose to the WG.

Thoughts?

Thanks
Simon

Simon Frost
Senior Principal Systems Solution Architect, ATG, Arm
Mob: +44 7855 265691

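As an added illustration of the three options laid out above (this is example code written for this page, not code from the original post, from Arm, or from the PSA or EAT projects), the following sketches how a verifier could resolve an entity identity from a claims set: take a UEID when the instance is unique, fall back to a group claim when it is a group member (option b/), and finally fall back to the COSE `kid` (option c/). It also shows the privacy effect the post is concerned with: tokens carrying the same group identifier are indistinguishable to the verifier, whereas a unique UEID links every token back to one device. Assumptions: the claim names `ueid` and `geid` are placeholders rather than registered EAT claim keys; `geid` is the hypothetical group-entity claim proposed in the post; and the UEID structure checks (type byte 0x01 RAND with a 128-, 192- or 256-bit payload, 0x02 IEEE EUI-48/EUI-64, and a 7 to 33 byte overall length) are this example's reading of the EAT draft and should be checked against the current text before reuse. All sample tokens are constructed.

```python
"""Added example (not part of the original mailing-list post): resolving an
entity identity from an EAT claims set when the attester may be either a
unique instance (UEID) or a member of a group (hypothetical GEID claim)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# UEID type bytes as this example reads them from the EAT draft (assumption).
UEID_TYPE_RAND = 0x01   # random number, 128/192/256 bits
UEID_TYPE_EUI = 0x02    # IEEE EUI-48 or EUI-64

# Claim names are placeholders for this example, not registered EAT keys.
CLAIM_UEID = "ueid"
CLAIM_GEID = "geid"     # hypothetical group entity identifier from the post


@dataclass(frozen=True)
class EntityIdentity:
    scope: str           # "unique" (UEID), "group" (GEID) or "key" (COSE kid)
    value: bytes


def validate_ueid(ueid: bytes) -> bool:
    """Structural check: type byte plus payload, 7..33 bytes overall (assumed
    draft limits). Only the RAND and EUI types are modelled here."""
    if not 7 <= len(ueid) <= 33:
        return False
    ueid_type, payload = ueid[0], ueid[1:]
    if ueid_type == UEID_TYPE_RAND:
        return len(payload) in (16, 24, 32)      # 128/192/256-bit random value
    if ueid_type == UEID_TYPE_EUI:
        return len(payload) in (6, 8)            # EUI-48 or EUI-64
    return False                                 # unknown type: reject


def resolve_identity(claims: Dict[str, bytes],
                     cose_kid: Optional[bytes] = None) -> Optional[EntityIdentity]:
    """Option b/ with option c/ as last resort: UEID if present (and well
    formed), else the group claim, else the COSE key identifier."""
    ueid = claims.get(CLAIM_UEID)
    if ueid is not None:
        if not validate_ueid(ueid):
            raise ValueError("malformed UEID claim")
        return EntityIdentity("unique", ueid)
    geid = claims.get(CLAIM_GEID)
    if geid is not None:
        return EntityIdentity("group", geid)
    if cose_kid is not None:
        return EntityIdentity("key", cose_kid)
    return None


def linkability_report(tokens: List[Tuple[Dict[str, bytes], Optional[bytes]]]
                       ) -> Dict[Tuple[str, bytes], int]:
    """Count tokens per resolved identity. A count above 1 under scope
    'unique' means the verifier can link those tokens to one device; under
    'group' it can only tell they came from the same group."""
    report: Dict[Tuple[str, bytes], int] = {}
    for claims, kid in tokens:
        ident = resolve_identity(claims, kid)
        key = (ident.scope, ident.value) if ident else ("none", b"")
        report[key] = report.get(key, 0) + 1
    return report


# Constructed sample data (not real device or group identifiers).
SAMPLE_UEID = bytes([UEID_TYPE_RAND]) + bytes(range(16))
SAMPLE_GEID = b"fleet-A"
SAMPLE_TOKENS: List[Tuple[Dict[str, bytes], Optional[bytes]]] = [
    ({CLAIM_UEID: SAMPLE_UEID}, None),   # two tokens from one unique device
    ({CLAIM_UEID: SAMPLE_UEID}, None),
    ({CLAIM_GEID: SAMPLE_GEID}, None),   # two tokens from group members
    ({CLAIM_GEID: SAMPLE_GEID}, None),
    ({}, b"key-7"),                      # neither claim: fall back to kid
]

if __name__ == "__main__":
    for key, count in linkability_report(SAMPLE_TOKENS).items():
        print(key[0], key[1], count)
```

Running the block prints one line per resolved identity: the two UEID tokens collapse to one `unique` entry (linkable), the two group tokens to one `group` entry (not distinguishable from each other), and the `kid`-only token to a `key` entry.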