Re: [Rats] [ietf-rats-wg/eat] Definition and usage of the term 'entity' (#16)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 04 October 2019 19:17 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D201B1200DB for <rats@ietfa.amsl.com>; Fri, 4 Oct 2019 12:17:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVQyum1RJL-M for <rats@ietfa.amsl.com>; Fri, 4 Oct 2019 12:17:05 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33AB4120025 for <rats@ietf.org>; Fri, 4 Oct 2019 12:17:05 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id c10so6199826otd.9 for <rats@ietf.org>; Fri, 04 Oct 2019 12:17:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f/ngCb88aJbl/SW/LlBk0+Ba3CQ5684bqbBAXuKR1FA=; b=UCBr5zIcWTScnKpGZsP+TI9K00ypaMvnaYK9Z21S0/nHMC6ocgFQTGSx7B2Dh+xTlY 6b2TS8ToUxO6pMKRxHtx/R33Kz5uwwHZm1kFPHuR+Uae49iXfRaSYfB0ScSxl9bHFLng lZm4Z+sKM0N/520SZsqU1AIPZa/eZRL4CQyhI9ppuqWranHf9zLrJqkwBh3xlqrkEl67 krW9jotksFlOnIgrnobbmgbM+JpgvarXhD9qZtRC5PhgBCAbuRBHQVum7vTI3y96Frss vnXk0TvjU3XYu9L42OCeeHi6zINkSfYB5R9X/GLl62QfdQHpCsqjHuRinV7tn40zrPv2 nbPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f/ngCb88aJbl/SW/LlBk0+Ba3CQ5684bqbBAXuKR1FA=; b=CuQp6X4kssnK9HWqQ4pRhRtXQQH2FA7rB2GBsQBjeguNEh3duKAgod08gqnY7WqDFf /6dqMDAg22+wvSkVcvoUyKa1jqS7kqbjb30BY4VuUlW0tEPtn7LSiARZ1IFWL+YpigFi zHNDYvfUOtS/D78GzTG3ej1Bun+x0ue+fuEw/d8HeY7y21kvGKWAjcPIZp/CPPrgdASu UctfMatJUD1Mp/12GljtIA/crv62pC9mPieMVXZ7aesSPqh2ysqCZuK9NbyzTZNlAq1v fvNtJZmNUnxRsBbJSC/mdetOR1xUwwL8x7Vb1r3AY0+usLE7Do8wBMWIhyleTIsudqOA jV+w==
X-Gm-Message-State: APjAAAVKaExqWjnOG+mlMq59PsHIoZ2eBQ2OGo4UJHo7ZVnCR+KBDOFM I2Jx/VBOIg+eqhv2UGU4uOqgUeDmm3UNuylc5Cw=
X-Google-Smtp-Source: APXvYqzLWeG6iB6OwLFf2IIU1PmDaqyQIQCX5sP4U4wBpQED+gWGAY6eD++qstFZnn1XyXrZ8Q8mWe2ryJkQ2qEZ6hU=
X-Received: by 2002:a9d:4e1e:: with SMTP id p30mr2152787otf.224.1570216624543; Fri, 04 Oct 2019 12:17:04 -0700 (PDT)
MIME-Version: 1.0
References: <ietf-rats-wg/eat/issues/16@github.com> <ietf-rats-wg/eat/issues/16/538489003@github.com> <E4998B54-DD72-46BA-8022-38F95F46021A@intel.com>
In-Reply-To: <E4998B54-DD72-46BA-8022-38F95F46021A@intel.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 04 Oct 2019 15:16:27 -0400
Message-ID: <CAHbuEH7Wr-6+ADcRDpoq7m_iDjndkaKWW5MRSG9DUDdc8c_f5A@mail.gmail.com>
To: "Smith, Ned" <ned.smith@intel.com>
Cc: ietf-rats-wg/eat <reply+ABPMCSFS3MJKQGCWIELN36V3UTAZLEVBNHHBX3OMDM@reply.github.com>, ietf-rats-wg/eat <eat@noreply.github.com>, "rats@ietf.org" <rats@ietf.org>, Comment <comment@noreply.github.com>
Content-Type: multipart/alternative; boundary="000000000000205a4905941a8c75"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/rCP_giP5cHEpwu28XxVhPH3jJ_4>
Subject: Re: [Rats] [ietf-rats-wg/eat] Definition and usage of the term 'entity' (#16)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Oct 2019 19:17:08 -0000
On Fri, Oct 4, 2019 at 1:56 PM Smith, Ned <ned.smith@intel.com> wrote: > The architecture defines: > > - Entity: a user, organization, device or computing environment. > - Principal: an Entity that implements RATS Roles and creates > provable Claims or Attestation Results (see [ABLP] and [Lampson2007]). > - Attesting Computing Environment: a Computing Environment capable of > monitoring and attesting a target Computing Environment. > - Attested Computing Environment: a target Computing Environment that > is monitored and attested by an Attesting Computing Environment. > > > > The attested computing environment is the subject of attestation which > clearly is creating provable claims. > > > > The ‘attested’ environment may be less clearly a Principal. At one point > the list suggested the architecture should define a term “target of > attestation” or “attestation target” (or something similar). The term > “attested computing environment” seems close to this. Do we think the > attested environment is semantically the same as “subject of the > attestation”? > > > > Using Lampson’s definition of Principal, an expression of attributes (aka > claims) is itself a principal. > > > > There are lots of cases where ‘entity’ is used to refer to organizations > and users (see https://csrc.nist.gov/glossary/term/entity ). Given the > broad use of the term to mean: a “user, organization, device or process” it > might not make sense for RATs to change its scope. The RATS Arch used the > term “computing environment” instead of process because not every computing > environment has an operating system. > > > > An “attested computing environment” is clearly intended to be a “computing > environment” and hence is an Entity according to the arch draft. > And from a review of the EAT draft (again), I am reading this as the attestation based on the installed code with the attestation performed at boot to match what was installed. This would verify that the code was what the system administrator installed and configured. As opposed to code being attested by the creator, which might be done with the same format, but would assure the code was as he creator expected. I'm asking about this clarification in light of supply chain and the flow document: https://datatracker.ietf.org/doc/draft-fedorkow-rats-network-device-attestation/?include_text=1 Does the supply chain use case hold in these definitions or is there some reason why we might not care about attestations on code from the originator that might include code it relies upon when chained attestations are considered? This would expand out the definition of entity as well. > > If the EAT draft’s use of entity is semantically equal to the architecture > draft use of “attested computing environment” then possibly it makes sense > for the EAT draft to begin using this term instead? > > > > The architecture draft potentially could be more clear as to whether an > “Attested computing environment” is both an entity and a principal or just > an entity. It seems clear that an “attesting computing environment” is a > Principal. > Is EAT limited to 'attested computing environments' or a broader definition of entity? Kathleen > > Ned > > > > On 10/4/19, 10:27 AM, "Laurence Lundblade" <notifications@github.com> > wrote: > > > > EAT and Architecture are absolutely NOT aligned on the term entity. See my > recent email comments on the architecture document. > > My basis for closure is that the architecture document will define some > term that is the is used to refer to the subject of the attestation. Maybe > we shouldn't close this until the architecture doc starts tracking issues > formally. > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <https://github.com/ietf-rats-wg/eat/issues/16?email_source=notifications&email_token=ABPMCSG6S47KPNKHPDRK3TDQM54ILA5CNFSM4ID7KXSKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAMLBKY#issuecomment-538489003>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/ABPMCSAPK5BFFBWNGO2SLZTQM54ILANCNFSM4ID7KXSA> > . > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats > -- Best regards, Kathleen
- Re: [Rats] [ietf-rats-wg/eat] Definition and usag… Smith, Ned
- Re: [Rats] [ietf-rats-wg/eat] Definition and usag… Kathleen Moriarty
- Re: [Rats] [ietf-rats-wg/eat] Definition and usag… Smith, Ned
- Re: [Rats] [ietf-rats-wg/eat] Definition and usag… Kathleen Moriarty
- Re: [Rats] [ietf-rats-wg/eat] Definition and usag… Henk Birkholz
- Re: [Rats] [ietf-rats-wg/eat] Definition and usag… Laurence Lundblade