IETF Logo Mail Archive

Re: [Rats] EAT Profiles

"Smith, Ned" <ned.smith@intel.com> Sat, 17 September 2022 00:49 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E98E4C14CF0C for <rats@ietfa.amsl.com>; Fri, 16 Sep 2022 17:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOAxa7lKi0hh for <rats@ietfa.amsl.com>; Fri, 16 Sep 2022 17:49:51 -0700 (PDT)
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72ACBC152578 for <rats@ietf.org>; Fri, 16 Sep 2022 17:49:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663375791; x=1694911791; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=JiWIWJot92uHaSPpU3voJm0iMcvZQgSbVQUmTzwfQQg=; b=aNMRooM/09R0YEX6q/S5duW7om1kTrX+mBpsIYfIh2rUfLn6w76OFXs4 EJ0o37jCn9hT4N8e4kFuNBfvDa7ww/DS5L1iDRrRbrskcjUX5kMzzNGzL gGc2LAzSLHpjYl3JuhV5TbcTtqQsES55zasi+igGhjNA3ZON9QpW0lQt2 4yW7S/czsTIPa+OMKQk2/TVEEpNcZRHTyVoW8th42/lYzxuVhCFIxNtXY +J0Ars3VY8uBXlgqncs7GR7xn9Ss6S6EfrMc3FgtahOpueycNBeI2zqVT FYvB5iw+ZBwGryEQ0hwSck/62UxKqJTLeh3mKOgBVuG4SSlP6nKxcY0F5 w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10472"; a="363070077"
X-IronPort-AV: E=Sophos;i="5.93,321,1654585200"; d="scan'208";a="363070077"
Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Sep 2022 17:49:47 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.93,321,1654585200"; d="scan'208";a="743520510"
Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by orsmga004.jf.intel.com with ESMTP; 16 Sep 2022 17:49:47 -0700
Received: from orsmsx608.amr.corp.intel.com (10.22.229.21) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 16 Sep 2022 17:49:46 -0700
Received: from orsmsx602.amr.corp.intel.com (10.22.229.15) by ORSMSX608.amr.corp.intel.com (10.22.229.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 16 Sep 2022 17:49:46 -0700
Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by orsmsx602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31 via Frontend Transport; Fri, 16 Sep 2022 17:49:46 -0700
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (104.47.58.102) by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.31; Fri, 16 Sep 2022 17:49:46 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ndGfbKa93BRrNqH7N6QSNhsDhizEOIiBlnW4m73hizmZ8zyMKJcMq+VkYLrMkzD2mvZBSMufE/zhUJTzD+xBJELBc8ZukewfhYjE0TSFrCTMe0NHeAppv/5jchbm9Cnd/JfEgAt5OPnwZZvipffYLgAdhPI8+IdELoF8F5iOVcgKZfkZy9CP74Eaz2J2OplugSfpaSjEf5a9LLax1aZJBhTC7gZipblqnvAs73V45iNN+Fx1wnpRGptQghx8kNdD1L7M34cE9lXU5RP8DjEIKghnaM2I7HPJVQA9RA24ioY7HCYZa5hssdUlFYw23gYAILkTiWLiQkw0ZTHggBSvrQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JiWIWJot92uHaSPpU3voJm0iMcvZQgSbVQUmTzwfQQg=; b=aOgYduSxZtDC4gKKdMcwB84wuuytkxBnmzb880O69FNdQSVlhm5hlvQfwFc5xecZwiL7lzZoN2zKpTLug2vgPoRz974GLwWMBuMF3IH+5+g3x4fGo5qZFBZS+M/Y6VLuUQerSjEK/vqIkiIJi6D5Q0CbswjgA1jvOW22g8GOBoUAEFcJB9s+gAVcXmUvd8ifdjoh1nFlgBS9I0GdDoDD0MdycFkj6+aLL58tibWTv37e3i5vE4eEZBo0t2OCQAzz8Ne6t7ZA57kbCp/jiA22jmiDFj/GAScgi8xYnZR+0E0Fp6o750eXKwCBT0Oag6iS5uTxPM79ywZed6qqi8hxpw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by CY5PR11MB6234.namprd11.prod.outlook.com (2603:10b6:930:25::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.19; Sat, 17 Sep 2022 00:49:44 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::7056:c22:10bd:3da]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::7056:c22:10bd:3da%5]) with mapi id 15.20.5632.017; Sat, 17 Sep 2022 00:49:44 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] EAT Profiles
Thread-Index: AQHYyEtV8Kv81tPlmkOf+Jnakzi5Fa3fQG+AgAK0jYCAAD85AIAAChCAgAAai4A=
Date: Sat, 17 Sep 2022 00:49:44 +0000
Message-ID: <9584F991-42AC-47BC-9170-D52E49917D0D@intel.com>
References: <71934.1663019954@dooku> <6D74BAE0-3B37-4A1F-9966-96EB60B9D675@island-resort.com> <240776.1663329145@dooku> <DBBPR08MB5915D186BBDF010933513701FA489@DBBPR08MB5915.eurprd08.prod.outlook.com> <F985109D-BAB7-4313-986A-DB9B92893BD9@island-resort.com>
In-Reply-To: <F985109D-BAB7-4313-986A-DB9B92893BD9@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|CY5PR11MB6234:EE_
x-ms-office365-filtering-correlation-id: cd117632-02aa-4dd7-b50e-08da98468352
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: b+QmMSOmPg2zbqLIQZ8XLjdozKzMg8AavBk4EWvst+7Ae9ij5GmbpDhg9vQ6zVfu+oI0nDLnsJWiSLTGtx0KNAJH33m4lkrRRtq8wFcJ4/3NKCJ1FjREGpop79W1ePmZvRT+ypjFKfMsQTU72FaILMeD4Jnm4rdb7yONoF9qvT8yWrP8/mwsiH1lbzBPjWO+Mn9Ec+xspBPefot+kLFgVnjM92qLton9nHHPow7xBosjcWj7UgE2xen4b6V+PRBN0zh22PMZ3YP3l7RMT2l/XTD2a3JJKWQNle8hOxN/OWcBqB5h80pseqzc+cXFKqNMC7pLqRkN/thjn0kwMP0zp5hyLUAxJrgBMvf/D492+HzSxeIGxb6bqbm2ORlZADkPCCbMgPBDuZX1fitc6xurpAf8RWwy/LjbglxmMlB0ls7i+yFXm9oKdRyeCheOgmdZZrTm1gIui/1RzFaDl71UWs6T6Kp58R57m45s0ndWTOkQcwXvwaKHWQPD/1mYHYYVRyVoUqvixtf1ZfNz9oKDBwlWBp/c2lSfojy0zB5U6NkRjJZCjlAo+9FZQ7FYQPDzdzpqCGr2fmeNFZTuINU75fru1Yms826Ktr6UI7IiIM1/gJdXZeIfIbRQzS123LYRpK0vnrraQvFhiHe3l97VVud8RoQERDfXMHfSphSPMsRlN+xlR5UFpkMka4/fcE86yz4TF6Z5MMCNcPEGfPy/EVL78XPAWyYt8qs8BHmMq9uMYYUvUHPv1xfsYB/AjJFYcyZLpX3KcWnOF2FS4H5ZK8oPVhDUHjaGVwDImF8HitbnDMy8rtPmgktgpBFF5SbOQiYLQDR2XOiy7X+j2MX+cjRAtyQio4jvX29DcOgi4QQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(396003)(39860400002)(366004)(136003)(376002)(346002)(451199015)(54906003)(41300700001)(86362001)(6486002)(64756008)(82960400001)(6512007)(478600001)(91956017)(2616005)(2906002)(66946007)(4326008)(186003)(66446008)(33656002)(8676002)(76116006)(8936002)(36756003)(66476007)(71200400001)(53546011)(966005)(316002)(6506007)(26005)(110136005)(38070700005)(5660300002)(38100700002)(122000001)(66556008)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jCj+LD+1Tf/rB1iiIAvfdGCk1proxD2eS4FfJQXkulHMMcHHjLNsE48zAhK5cysPLfiovzpOcqbUdkAcEy+7YCYIDWn7h100uZ9pZYtLNgSRS6quUT+A3k5lMIl+RFpjlo3ea4F0D+pWl8HO8ImWMj3WN3mjt4ROsW99k9b4o6GxXbuYOuROj8UOoAbJOXN10h1C1DqW6wTOi3ajMvrvaAOY2kyqVt5AzqYn3d1QurWLixnyva7EkMe0e6x+jmqSaUsIMkZJD0UrwBTcE2um7xx4nXf00oK0CrTR4HB7SgZkd51YYaxMD2Sumw+xH71w5Lr0LiXWwPJwMSV3QTaLIF+hETjs4rF1RJ4u74OmRvWzk78B4H/Ho+8UKW9aiXk8MtIzSkth0aypbksaptj+1UXU9D+QZgmrfNnggWFQRFsEkRZceOaVcMlgedqthWDUmADK9cVVQPKd41cobbs9Y8IYhwcTFQGHrKi8qRYWzjvf/1pdlsTXcdIL9B5VWFz5R5srKOTbO+eBp1ITsN5Yylzhdwz5cc9ErJMYSe97/02QSMQKVssvJPRermzqKknMQUcRsKH/fuxUfp6kH5BlROFzJXjyEHIeJooVRTFyzdA7ccLyvKa6aGYXsJ3CxOKzmeyGlvexIFW32Kyat5KshyH6XfIBgbitMuu+RHnuLrwgSc3Fy7XazYEiXAulqkSuwPBHsmK8n+2MNBqHBGBmjUI+g5ciXZpf8lUJijaeDlUyihzLuvrdXJMCX7/YVlFcj2r4Y9AM7pkg+OTZbpGau8vtwwzsmGyZsewzZkwAyMo2EkVcibEXA7pcpPKSRDwnwKmSTVdF+LcLXxr+8U0EO9kt2Wi5ceibLg7YOVhZMAlSD2QfL19SGd6D/F0kyCge0lYvnjXIZtxVaDZsdYJlytNVwFc1iWWBqYGA0hK6NaGYgZFV/Oz6vX2BGPFuhq6nCZ8ve22aTL/VB9wrzpsbupztYb66WXPe5KoyjrO0JbzTTT9L/WGL5eSVIMdz9usw4VezGw53HXIrtSMhkuMGRaMLCHu/QR6Sz0n0U5l4znG6y/jI4bxIH3C1AJCTWkL1eMCOlUPCu5Gv/OmQc6pY+wpgtWA/CTP6hXdgWYszR31o/3pPsLNWQRAOVNWOTkUcrGLQ1wmcBZB+zqAxuxoOQK18R5fq8psky/R2OoNFb3a0AF1ICd3XHcOm7YNjX4Uw4maDPNUD8jGocmnyuYsnkk2LfGrnE+ZyUc48a5iY6peklGrBFHckLCZJN7h7KAHttSzJLapVylvY+D2Z5kfGgPGt1DslAuc/jDKWvJk8OI2RsF/G2yAOAspaS89aQSzs58rVm3xrFz0kOD9NveyI0nGnu/Gyuwmr7LG5Cr5M5H2UyWm3d0H1/bZhANaOnXj7BZY+zILJjx8Gn8fzvJQ/cr2v1xweHPOINjA4XqTmGgwy+UhNYVFQj3WNUp9SWv1iJvZhy1qwl/jayiATLEaT2E3kRVFTegdbEcYKkvsXaQVSvlwOhlxbZl+j3foFrK50TKcQQqQDY/bVQ7/1Et2KGLRe15LVaTQY1cbbIgeppyxgu4WpOmY1jPg61JkpIgbw2KT98dFlvIfkAd/VW0DraA==
Content-Type: text/plain; charset="utf-8"
Content-ID: <40D6F11476B1F2408833B1C2BCA6A860@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cd117632-02aa-4dd7-b50e-08da98468352
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2022 00:49:44.4558 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: cEqwZxfpnnwnU8dzvhK8xrMoV+njjc7hzUnI8MME2O1lyBUVSc8d2vMLYEPeC1AjvOMht2thzgbQBhJCy0d7Zg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR11MB6234
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/rMeGUiimsLXJJxUXGaTrU2R0NZY>
Subject: Re: [Rats] EAT Profiles
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Sep 2022 00:49:56 -0000

There are two other "EAT" profiles published besides the TEEP profile (https://datatracker.ietf.org/doc/draft-tschofenig-rats-aiss-token/ and https://datatracker.ietf.org/doc/draft-tschofenig-rats-psa-token/ ). The AISS profile lists the subset of EAT that it uses (see [1]). They are described as "EAT Profiles". The AISS profile uses a few EAT code points but seems to redefine structures such as nonce-label as an aiss-hash-type. Unless I'm not reading it right this is different from the EAT definition [2]. The AISS profile is within the EAT definition for nonce, namely .size 32, .size 48 and .size 64 are a subset of .size (8..64). I'd have to see the CBOR encodings for each to be certain, but it seems they would have the same encoding and would satisfy an EAT schema check. But a AISS schema check would likely reject some other nonce statements that pass a schema check written to the EAT draft. 

Is this a good example of what the WG intends in terms of how profiles should work? 

To Michael's earlier point, the aiss seems to do a lot of work to arrive at a profile (given it appears to use just 3 EAT claims and each is redefined as a more constrained interpretation of the EAT type definition at the leaf. 

The aiss token profile defines an aiss-token map structure [3] that is signed by COSE_Sign1. But I'm not sure if the  aiss-token map is correct CDDL since my experience in working with map structures expects there should be code points defined for each item as in [4] (latitude, logngitute, etc...) and [5] (where ueid-label extends the claims-set-claims map). 

I struggle to understand how a schema checker informed by an aiss compliant schema could be evaluated to show that it also satisfies an independently developed schema checker written based on the EAT draft. If a constraint of profiles is this (the profile compliant structure must satisfy a schema check developed independently, then more is needed to connect the dots IMHO). The alternatives seem to be that (a) compliance checking is manual which doesn't scale or (b) schema compliance can't be achieved via an independent developer; the developer must implement the profile schema also. This implies schema compliant profiles incur development cost to be vetted as subsets of the EAT schema. The EAT draft doesn't seem to expect automated schema acceptance (by the EAT schema) as profiles can be human readable text. It does expect that schemas can be accepted. (e.g., "A profile may also reuse one or more already defined claims, either as-is or with values constrained to a subset or subrange."; which I interpret as something like [1]. But a profile may also be a superset of EAT schema - "A profile may define, and possibly register, one or more new claims if needed."

In short, should a profile of EAT could pass an automated schema check based on independent implementation of an EAT schema checker without foreknowledge of the profile's schema? The intention seems to be that (at least a subset of) the profile schema is subset of the EAT schema. Should that subset be checkable by automated means?

-Ned

[1]
; from EAT
   nonce-label = 10
   ueid-label = 256
   profile-label = 265
   aiss-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64
   aiss-nonce = (
       nonce-label => aiss-hash-type
   )

[2]
   $$Claims-Set-Claims //=
       (nonce-label => nonce-type / [ 2* nonce-type ])

   nonce-type = JC< tstr .size (10..74), bstr .size (8..64)>

[3]
  aiss-token = {
       aiss-nonce,
       aiss-instance-id,
       aiss-profile,
       aiss-implementation-id,
       aiss-lifecycle,
       aiss-boot-odometer,
       aiss-watermark,
   }

[4]
location-type = {
      latitude => number,
      longitude => number,
      ? altitude => number,
      ? accuracy => number,
      ? altitude-accuracy => number,
      ? heading => number,
      ? speed => number,
      ? timestamp => ~time-int,
      ? age => uint
  }

[5]
$$Claims-Set-Claims //= (ueid-label => ueid-type)

On 9/16/22, 9:15 AM, "RATS on behalf of Laurence Lundblade" <rats-bounces@ietf.org on behalf of lgl@island-resort.com> wrote:


    > On Sep 16, 2022, at 8:38 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
    > 
    > Hi Michael, Hi Laurence,
    > 
    > I am curious why it matters whether an EAT is a CWT (or not).

    EAT makes normative reference to CWT and JWT. If EAT didn’t it would have to replicate text from them, for example the section on creating and validating CWT/JWT.

    EAT shares the CWT/JWT registries rather than creating new ones.

    It seemed better than striking out on our own with something new. Mike Jones agreed.

    It makes it more likely that a library implementation will be able to support both to reduce object code on a device occasionally.

    LL


    _______________________________________________
    RATS mailing list
    RATS@ietf.org
    https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email