[Rats] Re: Hint Discussion in CSR Attestation Draft

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Mon, 24 June 2024 09:07 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Date: Mon, 24 Jun 2024 11:07:26 +0200
In-Reply-To: <12592.1719171268@obiwan.sandelman.ca>
CC: Carl Wallace <carl@redhoundsoftware.com>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/s8HyG6cENY2ggv4WQK_CRGu5pd0>

Hi Michael, Hi Carl,

I am fine with changing it to an FQDN. This will make processing simple and deterministic.

If we think about how AAA routing* works, there we also have an NAI with a domain part that is used for routing. The equivalent of the username part of the NAI would in this context be found in the attestation evidence. At least for EAT this is the case, and I hope this is also true for other Evidence formats. In https://www.ietf.org/archive/id/draft-ietf-rats-reference-interaction-models-09.html#appendix-A, Henk also added a username equivalent into the protocol in the form of a key id.

Ciao
Hannes

*: This is just my mental model of how I see this working. I am not proposing to replicate AAA routing.

Sent: Sunday, 23 June 2024 at 21:34
From: "Michael Richardson" <mcr+ietf@sandelman.ca>
To: "Carl Wallace" <carl@redhoundsoftware.com>, "spasm@ietf.org" <spasm@ietf.org>, "rats" <rats@ietf.org>
Subject: [Rats] Re: Hint Discussion in CSR Attestation Draft

Thomas Fossati wrote:
ts> You wouldn't. The hint is a routing label that is used by the relying
ts> party to decide which verifier to contact for handling this specific
ts> piece of attestation evidence. When evidence reaches the verifier the
ts> hint is no more.

Carl Wallace <carl@redhoundsoftware.com> wrote:

CW> OK, so relying party, not verifier. How would the relying party use a
CW> "free form" label to route anything?

I admit that I'm not keen about the free-form-ness of the hint.

I guess I'd rather it was specified as a URI, with ni:, or something like
that being the default string-like thing that one just strcmp() against a
configuration file. That way, once we figure out what we really want,
interpreting it as a URI will already be established.
(I see in the URI list, no uuid:, but also secondlife: ha)

--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
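As an added example (not code from the draft or from either message), here is how a relying party might implement the routing the two messages describe: the hint is normalized to an FQDN and matched exactly against a configured verifier table, which is the "strcmp() against a configuration file" behaviour with deterministic processing. VERIFIER_TABLE is a constructed stand-in for that configuration, and the URI branch (use only the host part of a URI-form hint) is my assumption about how the hint could later be interpreted as a URI without changing the lookup.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed verifier table: hint (FQDN) -> verifier endpoint. This stands in
# for the relying party's configuration file; every entry here is made up.
VERIFIER_TABLE = {
    "verifier.example.com": "https://verifier.example.com/v1/verify",
    "attest.chipvendor.example": "https://attest.chipvendor.example/verify",
}

# One RFC 1123 host-name label: 1..63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hint: str) -> bool:
    """True if hint is a syntactically valid multi-label host name (max 253 chars)."""
    if not hint or len(hint) > 253:
        return False
    labels = hint.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def normalize_hint(hint: str) -> Optional[str]:
    """Reduce the hint to a lowercase FQDN lookup key, or None if it cannot be interpreted.

    A bare FQDN is the form agreed in the thread. As an assumption, a URI-form
    hint is reduced to its host part so the same table lookup applies later.
    """
    hint = hint.strip()
    host = (urlsplit(hint).hostname or "") if "://" in hint else hint
    host = host.lower().rstrip(".")
    return host if is_fqdn(host) else None


def route(hint: str, table: dict = VERIFIER_TABLE) -> Optional[str]:
    """Return the configured verifier for this hint, or None (deny by default).

    The hint arrives inside the CSR, so it is only ever used as an exact lookup
    key into local configuration; it is never dereferenced as a URL.
    """
    key = normalize_hint(hint)
    if key is None:
        return None
    return table.get(key)
```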