[Rats] Primary and secondary trust flows in RATS

Laurence Lundblade <lgl@island-resort.com> Fri, 31 July 2020 01:05 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id DF9553A02F9 for <rats@ietfa.amsl.com>; Thu, 30 Jul 2020 18:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.513
X-Spam-Status: No, score=-0.513 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id T15J4qFM_eLQ for <rats@ietfa.amsl.com>; Thu, 30 Jul 2020 18:05:31 -0700 (PDT)
Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47CE33A02F7 for <rats@ietf.org>; Thu, 30 Jul 2020 18:05:31 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPA id 1JUHkd5r2YsjC1JUHkaNgv; Thu, 30 Jul 2020 18:05:29 -0700
X-CMAE-Analysis: v=2.3 cv=A7YSwJeG c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=SeHIl_t-TDdhnmqP4ekA:9 a=uPeOTA0NQJCBQUlE:21 a=WfL2ITLW3AW6gX5S:21 a=QEXdDO2ut3YA:10 a=nMLCxLnFpPFCanOVVs8A:9 a=NgSAqW6IdS_949Lz:21 a=PYsnzAz18ta48HyL:21 a=_W_S_7VecoQA:10 a=UNufMw7wX1kDfnqieNMA:9 a=rJQfVcVWgbPaiqvO:18 a=HXjIzolwW10A:10 a=T6a71-JsGAwA:10 a=zqoWlk-6egBxjpx_U_4A:9 a=sXAURecWM_4HQ4Ta:18 a=pHzHmUro8NiASowvMSCR:22 a=nt3jZW36AmriUCFCBwmW:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_002D4070-A15C-414F-BB6C-73E7D7FA0A3D"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <27069F96-E572-46E5-A160-7E325F24C420@island-resort.com>
Date: Thu, 30 Jul 2020 18:05:28 -0700
To: rats@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfJ5A8XtmS/Vik1wCFz/yk1FTEZvrp2QbfWBPV+poLlhF3rz/CyTw3quKhm77jmK9HcTFfyUDV3ECP72EtEbeqzcpkTRWYQB6CdRNfzklheagnIMKhOzD 6wPaX6vueDwXBZ9Fr2y4FyMX7sZWZDmarHbHAxnGDRYuUX/SwE3iFtUA
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/shjdZSaSVPnJU3b64TYZduD-fX8>
Subject: [Rats] Primary and secondary trust flows in RATS
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 01:05:33 -0000

In recently reviewing the RATS architecture, I think the trust flows between the major entities can be classified as primary and secondary.

The primary trust flow is how the RP comes trust to the attester/device/manufacturer. It is the main purpose of attestation.

The secondary trust flow is about privacy and confidentiality of endorsements, policy, evidence and results. You can do attestation without it if there is nothing to hide.

Below are diagrams for both.  

I went through the Trust Model (7) section of  draft-thaler-rats-architecture-05 and could easily classify each paragraph as to whether it addresses the primary or secondary trust flow, which I think validates the primary/secondary distinction.

I’m sharing this here on the RATS list rather than just filing issues and PRs against RATS architecture because I think it is a useful general concept, but also think it would be helpful to incorporate it into the document:
Consider adding the diagrams below to the document and the transitive nature of the primary trust flow
The sections on the Attester (7.2) and Endorser (7.5) only discuss the secondary trust flow. I think they really need to have text about there role in the primary trust flow.
7.4 on the Verifier Trust is very confusing to me. I don’t think Verifiers ever trust Attesters directly. It is only through the Endorser/Manufacturer that they come to transitively trust an  Attester