Re: [Rats] Attestation of implementation vs authenticity of service

Ira McDonald <blueroofmusic@gmail.com> Tue, 04 August 2020 00:47 UTC

Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B828F3A11C3 for <rats@ietfa.amsl.com>; Mon, 3 Aug 2020 17:47:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Hsg1taKSTmg for <rats@ietfa.amsl.com>; Mon, 3 Aug 2020 17:47:11 -0700 (PDT)
Received: from mail-vs1-xe2f.google.com (mail-vs1-xe2f.google.com [IPv6:2607:f8b0:4864:20::e2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 340453A11BE for <rats@ietf.org>; Mon, 3 Aug 2020 17:47:11 -0700 (PDT)
Received: by mail-vs1-xe2f.google.com with SMTP id y8so13954141vsq.8 for <rats@ietf.org>; Mon, 03 Aug 2020 17:47:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3Eqi+VoL8UGgWnJ//zaAbBdHdKYIWf2QLzOH1LmzYXA=; b=T084tq61F5+PZWQvGinBXo+IgW+5G3+Wy5CKURD3cyZ8c3LtjOVHFyvtQb4CXwX3c5 wYlcmoiEYimwaeetQIW8Ybm5L9jNLh6TG8LZfUnuu3vD7D5siYAp78sLH04Y0MEtFoqP bMAE+lilrnhNR0RiR8NrxS4Pe959E37kkFGexXh+ubfa+yiOC2XJmhiEajxA8CrLXPIx tduPfOvdrzfAn+X03CLdSxBgSunoxS/jY/hJugRm5JpZ4VZ5UWwlEmeFEFSjidqPMJ5D 42XkLDbbfMBf7RpcCnejWY1DMLxEkfyxPewUxwWmuf5Z5b7yrfOEtAdq8rfDGVkzPd9J Z74Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3Eqi+VoL8UGgWnJ//zaAbBdHdKYIWf2QLzOH1LmzYXA=; b=Vz44PG9Y/MrcjFQGPXQhJ/aONMntHS1OFD+Gz5Ix3GuCmIOPzPqGwFhTtCrtgM29Xl 6c/ZH5MiRwqKWoLrglSS/3HE/0FY6m3F9Oc0ZWaZrTobG/wGZ3CR2RWE8yvV3D4vDLgC lMdjYjkoJB1Gv79I5Uu6EwS7gy1WGP0zVTKVqKA1ztMKPIGzJyBtkBlLilgOtYdX6kDV RWQA+8FkIR5mphYQxIHaTuLHzfplfEPXFBTXSVD7o6w+YES0RqQjc9ka8jqdf5qjQewb 623PvgtGPMCehwJ6HJ98WMivA1U6HtoTdvRK4QdL2Z3niSaSeCTUmPplR2IapMxvTHNS 65jw==
X-Gm-Message-State: AOAM53392k50Sm7vLaByzVNjaL4ZpYN4A/CKlMQmikBh83G5OaPfeZrM 79IRUNpaISa2D38PHRrm2Uwx3BVKYDtmu1Pta6Q=
X-Google-Smtp-Source: ABdhPJy0eYFBMF6YzKdiXHJZIUm/3gXB5WTcDnFANENe7jWKLVLLIZHng+/aC271pYXgxXXgxogMC6XvkmpqwDkFIQw=
X-Received: by 2002:a67:f5ce:: with SMTP id t14mr12125270vso.240.1596502030263; Mon, 03 Aug 2020 17:47:10 -0700 (PDT)
MIME-Version: 1.0
References: <0B64B104-1BA0-4341-8470-A17D2C6AC181@island-resort.com> <002D1F7F-4894-44B0-82E6-5EBD80C698E4@akamai.com>
In-Reply-To: <002D1F7F-4894-44B0-82E6-5EBD80C698E4@akamai.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Mon, 3 Aug 2020 20:46:59 -0400
Message-ID: <CAN40gSt5ZYvmD5_NR7NZhnfL+xCboRRyeC9Y=C5jbmbB8YT2tA@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Ira McDonald <blueroofmusic@gmail.com>
Cc: Laurence Lundblade <lgl@island-resort.com>, "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000065a9d805ac02982e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/qj8mn1SR1Dqk0oXWR5JWAbwHXSQ>
Subject: Re: [Rats] Attestation of implementation vs authenticity of service
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 00:47:13 -0000

Hi,

+1 to Laurence's insight here on Attestation for Devices versus
TLS/HTTPS for Services.

Cheers,
- Ira




On Mon, Aug 3, 2020 at 3:03 PM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
wrote:

>
>    - Another way to look at this is from a certification / regulatory
>    view. If the thing you're looking at is a candidate for implementation
>    certification such as Common Criteria, FIPS, FIDO certification, then it
>    probably lines up with device attestation. On the other hand, if the thing
>    your are looking at lines up with regulation (e.g., banking regulation,
>    GDPR,...) and to some degree OWASP
>    <https://urldefense.proofpoint.com/v2/url?u=https-3A__owasp.org&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=i2HHx7M5shXvUZmbo2H9JWFNah1cQYR9QL8xSUTJHcw&s=D7ncLvRq-bcYsr722qYkwbNUSyi2i1Ap7rstjSY-zZ0&e=>,
>    then it probably lines up with service authenticity.
>
>
>
> That is a **very** interesting way to slice things; I’ll have to think
> about it more. Thanks!
>
>
>
>    - I think the RATS architecture document should probably have text
>    that describes when attestation is applicable and when it is not, for
>    example saying something like “attestation is not a replacement or
>    augmentation for HTTPS/TLS"
>
>
>
> Excellent point.  Doing so will likely avoid a round-trip with the
> security AD’s.
>
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>