IETF Logo Mail Archive

Re: [Rats] Requesting a Nonce from a Verifier

Orie Steele <orie@transmute.industries> Sun, 03 March 2024 13:45 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8160FC14F61E for <rats@ietfa.amsl.com>; Sun, 3 Mar 2024 05:45:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7UNM6VnzYJI for <rats@ietfa.amsl.com>; Sun, 3 Mar 2024 05:45:11 -0800 (PST)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5711CC14F68A for <rats@ietf.org>; Sun, 3 Mar 2024 05:45:11 -0800 (PST)
Received: by mail-ot1-x32f.google.com with SMTP id 46e09a7af769-6e4e673d9abso41776a34.3 for <rats@ietf.org>; Sun, 03 Mar 2024 05:45:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1709473510; x=1710078310; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GdpCcVXX5iWRAbmJHKGrCQoN/YR0xcIEGIBn1S5xfr4=; b=P0VHuojeMwYj/etht2Z83OKazZ5ruqqpufsoQUg0jkvUYwvL1lA1xZw4D76vfWW024 IDwhrY04r7sfA5AMj/Mt2XDE1Cp09CVrmLSNEKTE7FZgTr9lopSW9+BDPlNWX56Y5QN7 QRyh3WJp/7I5oFVo7BnyrSMWnEms8qbxRjD7OzHLB6LRA9m0ZJ85Q0zHqDysO/Wv8ZBk PSSU1f2FQ3IykhMXlIt7J6LDhH6eJbzJuYcfmmN8WaB6pfZMtTAe412TByhMWob/uEdS N1TVnrwtMHPCdwG0DLNnC3B2kXzcPNsV88KLwLehP1VNHADAkrcFtxhldhfmaPKtttDM EEaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709473510; x=1710078310; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GdpCcVXX5iWRAbmJHKGrCQoN/YR0xcIEGIBn1S5xfr4=; b=Nzz+3lW6YYwPOrhLBiJZXs+jtzvtxXQNPd93g4LCMmwwhDLrCHHFATGjiKjGh2uvQU 87fESzq+rcPQiWd4ynF/YB9fL9RD9NvrNQbLt7l6gnasFZoGRxBh4P5N0sDHpJ3pJUCR MbbU6LW7AA3kmEqCcQHo72uHlduFGDib2cWM8Z6rXIJ8zQdkVAj5GIVyGGrAd7zsOwrc WoKPhrLsPHA41MhOSHdW8RGmcjn7lizVg0SmQXv1QldK4K9uDrk6tNveoWSeGHsGnvRt Syp1MctXr8TyiXD0hMXGMcf9dWOE2sCTephHfjw54tWScUbtbf1+66Bu8+RdZ5fnDjEL nvWQ==
X-Forwarded-Encrypted: i=1; AJvYcCVNkhYPSALiU3nkTEF95uJDwWG53XzQsaqNyUWx2wBqZ7yseU2k7/wkH4BaaEweWvAvLKOePtce61H789LA
X-Gm-Message-State: AOJu0YzQ6auLNw7htrnRzj4T/qXlb+aO3CcLOFKpwrOXFDLCNcQ8puQa u3dVA8anV6AKoZ9/A/7ro/S85dIcvc0qHPYnsqDjLATjwvANDaXhjbAKp4ezk5hDduGgcnI3uiz XXaXmlyZk9YxeRALjOiJ3AhQ325AD4UtJc9onow==
X-Google-Smtp-Source: AGHT+IFS49WbuwwU6kMpIKE86AxRRoCLWyHP/7zNxG6Nty/CM1ADopRxOE7CRmRELv0tOyTBPTRyny3b4Sqeg95zVfw=
X-Received: by 2002:a05:6808:199f:b0:3c1:9b7d:d612 with SMTP id bj31-20020a056808199f00b003c19b7dd612mr7399432oib.4.1709473510100; Sun, 03 Mar 2024 05:45:10 -0800 (PST)
MIME-Version: 1.0
References: <02c501da6987$d2d64490$7882cdb0$@gmx.net> <ecf9ac86-82f2-80b7-160a-bdde42387ef0@ietf.contact> <2E3E84DF-F528-420D-BB70-B6E23FEE0978@intel.com> <CAN8C-_LO+J+gj3=RutGiyxzpvint3Jb40-OwEEraGht-1dhdBw@mail.gmail.com> <010201da6d59$dc8a9ec0$959fdc40$@gmx.net>
In-Reply-To: <010201da6d59$dc8a9ec0$959fdc40$@gmx.net>
From: Orie Steele <orie@transmute.industries>
Date: Sun, 03 Mar 2024 07:44:58 -0600
Message-ID: <CAN8C-_LH+oeMRUuEZrWr1Ksn53CuFL2qx6V1pAwZ59-ZgmSg2g@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "Smith, Ned" <ned.smith@intel.com>, Henk Birkholz <henk.birkholz@ietf.contact>, rats <rats@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000052a6e00612c1d180"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/r_hQD91-dX7IeTHDrYXJGdjQDf0>
Subject: Re: [Rats] Requesting a Nonce from a Verifier
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2024 13:45:15 -0000

The draft is meant to support use cases where a nonce is needed in digital
credential issuance and presentations.

Using a signed or encrypted value allows the verifier to remain stateless.

Which prevents DoS against table based nonce solutions.

It also enables scope or context binding for the nonce value.

In the attested status draft the credential holder needs to demonstrate
possession in order to receive a fresh status attestation... This means
they need to aquire a nonce first.

For a concrete example, imagine a digital wallet requests proof that a
digital drivers license is not suspended, every few days.

The wallet proves possession of the license, the issuer provides a fresh
proof of non revocation, and then later (within some validity period window
for the status attestation) the wallet can present both the credential and
the proof of non suspension, even to an offline verifier.

OAuth has a number of endpoints that are anonymous access, but endpoints
that perform more expensive operations, such as encryption or signatures,
should consider more aggressive restrictions... Suggestions are welcome :)


OS



On Sun, Mar 3, 2024, 4:59 AM <hannes.tschofenig@gmx.net> wrote:

> Hi Orie,
>
>
>
> Thanks for sharing the draft. Of course, I have been aware of it.
>
>
>
> I have been wondering about three aspects of your design:
>
>
>
>    1. What use cases do you have in mind? Obviously, this draft was not
>    written for DPoP since that already has a solution. You also haven’t
>    written it for attestation in OAuth since there is this other great
>    document that also specifies a solution.
>    2. Why do you require encryption of the nonce?
>    3. How do you protect the nonce issuer from DoS attacks?
>
>
>
> The write-up in the CMP/EST nonce draft was inspired by  the Attestation
> Verifier implementation.
>
>
>
> Ciao
>
> Hannes
>
>
>
>
>
> *From:* RATS <rats-bounces@ietf.org> *On Behalf Of *Orie Steele
> *Sent:* Mittwoch, 28. Februar 2024 02:42
> *To:* Smith, Ned <ned.smith@intel.com>
> *Cc:* Henk Birkholz <henk.birkholz@ietf.contact>; rats <rats@ietf.org>
> *Subject:* Re: [Rats] Requesting a Nonce from a Verifier
>
>
>
> In the context of OAuth DPoP the same endpoint that requires proof of
> possession, can return a fresh nonce, in error messages, and there is also
> this draft:
>
>
>
> https://datatracker.ietf.org/doc/draft-demarco-oauth-nonce-endpoint/
>
>
>
> Which seeks to solve a similar challenge, without overloading an error
> response.
>
>
>
> OS
>
>
>
> On Tue, Feb 27, 2024, 7:24 PM Smith, Ned <ned.smith@intel.com> wrote:
>
> Given 9334 outlines several possible ways to incorporate freshness and
> recentness and given the reference interaction models I-D provides patterns
> for exchanging information that should possibly include freshness and
> recentness considerations. And considering the WG charter biases the WG to
> focus on augmenting existing protocols over designing new ones, it seems
> Henk's suggestion to improve the reference interaction models I-D make
> sense.
>
> If this thread is focused on an I-D that modifies an existing protocol
> with freshness and recentness, then would it make sense to use the
> interactions models I-D to work out the general principles for how
> freshness/recentness is achieved first. Then, can it be cited as background
> for other I-Ds that describe specific modifications for an existing
> protocol?
>
> -Ned (not as chair)
>
> On 2/27/24, 11:35 PM, "RATS on behalf of Henk Birkholz" <
> rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> on behalf of
> henk.birkholz@ietf.cont <mailto:henk.birkholz@ietf.cont>act> wrote:
>
>
> Hi Hannes,
>
>
> I am in a weird TZ offset, so just a quick reply.
>
>
> On 27.02.24 15:18, hannes.tschofenig=40gmx.net@dmarc.ietf.org <mailto:
> 40gmx.net@dmarc.ietf.org> wrote:
> > Hi all,
> >
> > Hendrik and I have been working on an update of the CMP/EST extensions,
> > which allow an Attester to request a nonce via the Relying Party (in the
> > background check model). This “nonce draft”, see
> > draft-tschofenig-lamps-nonce-cmp-est, aims to provide freshness for the
> > CSR attestation draft (see draft-ietf-lamps-csr-attestation).
>
>
> Why focus on a nonce for a combination of recentness and freshness, when
> you could also use an epoch marker?
>
>
> >
> > We have been wondering about the design of this protocol interface. At a
> > minimum, the attester needs to indicate the length of the nonce being
> > requested from the verifier.
>
>
> Why? It can cut it short, the Verifier will understand? Are there
> obvious security considerations that I am missing here? The nonce is
> requested via an authenticated channel, I assum?
>
>
> > EAT, however, supports also an array of
> > nonces in the nonce claim. Should such a protocol interface allow a
> > request for multiple nonces?
>
>
> Sure, the you do not have to request a nonce for ever interaction and
> the Verifier can keep track.
>
>
> > Furthermore, the Attester may also need to
> > provide information about the Verifier. This is necessary when there are
> > many Verifiers in the system and not everyone of them might be able to
> > successfully verify the Evidence. Should the request for a nonce also
> > include information about the attestation technology supported by the
> > attester?
>
>
> Discovery of appropriate Verifier and "requesting nonces" (which kinda
> is still shooting from the back into the eye) are different things. You
> can compose both protocol action, but my initial reply would be:
> Discovery, Feature negotiation, and then epoch marker requests are quite
> different things.
>
>
> >
> > We thought that this type of foundational feature is described in detail
> > in one of the RATS working group documents and the
> > draft-ietf-rats-reference-interaction-models seemed like a good starting
> > point for such details. Unfortunately, this document falls short in
> > explaining these types of aspects because it is heavily focused on a
> > specific TPM deployment.
>
>
> That is bad. Please help us fix that.
>
>
> >
> > Has someone in the group thought about this aspect already or has
> > otherwise gained experience with this aspect?
>
>
> Requesting a nonce and therefore taking on the role of a challenger in
> arequest/response interaction model to then get a nonce to provide a
> solicited push of Evidence is bit of a flaky procedure, isn't it?
>
>
> How do you assure that the recently received nonce is used to convey
> fresh evidence? Is there a timeout? Can you cache it? (like with the
> array of nonces). Why can't the Attester just trigger the Verifier to do
> the challenge/response? That seems a bit more straight forward? Maybe I
> am missing something very obvious here.
>
>
> >
> > Ciao
> >
> > Hannes
> >
> >
>
>
> Viele Grüße,
>
>
> Henk
>
>
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org <mailto:RATS@ietf.org>
> > https://www.ietf.org/mailman/listinfo/rats <
> https://www.ietf.org/mailman/listinfo/rats>
>
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <
> https://www.ietf.org/mailman/listinfo/rats>
>
>
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>
>

v2.23.0 | Report a Bug | By Email