IETF Logo Mail Archive

Re: [Rats] Android comments on EAT draft

Shawn Willden <swillden@google.com> Thu, 11 July 2019 12:05 UTC

Return-Path: <swillden@google.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 389181200F5 for <rats@ietfa.amsl.com>; Thu, 11 Jul 2019 05:05:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.204
X-Spam-Level:
X-Spam-Status: No, score=-16.204 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yw6JxJXetWr1 for <rats@ietfa.amsl.com>; Thu, 11 Jul 2019 05:05:08 -0700 (PDT)
Received: from mail-yw1-xc2e.google.com (mail-yw1-xc2e.google.com [IPv6:2607:f8b0:4864:20::c2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3563120108 for <rats@ietfa.amsl.com>; Thu, 11 Jul 2019 05:05:07 -0700 (PDT)
Received: by mail-yw1-xc2e.google.com with SMTP id l124so3135390ywd.0 for <rats@ietfa.amsl.com>; Thu, 11 Jul 2019 05:05:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Tt34aidcfOG0NBVTF1gvsAXqKbvWgj66HbKjTWwJaD8=; b=koESLS+eQrlxhf8PWhEdS/eGLmZchgOLJKRsAfZM3lKvuok4xz6FhZEOBN15fFRz4N OIRjTN88+QmtvkdrcHJHD+mCjpV1xKVQnPQwGJyJ/2WWyAP3hEg35m55p6dGCKmK9WOe QurqFMxygwlqmfxWJnKOFQXyn+qvPA0NiGD6yEvfHePq1NAZfjfojzIXWass6qOH2Tum nsu0NSW+SHQ7arkdc9SRGz+Etegvij7nqZzJnvseaDhVYABfpNQUUk09eUN5AhW8ErEZ kZCRIVyWQCYjGtNbJ2DAdZRzChxy4BXCwJ9YmuRk+afEY8aExLQUBPgctJezmfi/UqYx nZIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Tt34aidcfOG0NBVTF1gvsAXqKbvWgj66HbKjTWwJaD8=; b=R3bSHbDaUSPk4GUXfaICpijro8E8h8eELsOQcwAOXVzIf0s3qCaoxD69kz9gYxyD44 VIU9TcT9dFFImHDw6tGo88phH/gxiq/9Ut7dc7D1vci4bJkcLJGM+vNAWV0Yq57ebFl5 kwua5qbjIslzrsNqQkY0Yr6wPgufSNu4a/LYjeDzORthB1iyl8pXn+yb8HTft40z+xgc OJbJTTkt9DqGKW23ExzIQmWf0pzTXnq4AEBOGAHKpOCTsPEGYI34OFmRXUlyYF/uHO2J LdTFoAI3Y0hTRRpIGSjXU6+jn8j2wyxQf7vljaIU+hDnnFJWFFv/7Ic/HUABzdDJTxZa Vq8A==
X-Gm-Message-State: APjAAAWLGeyTXyUj7MTlaHYGjaJdVD+7SBJNBinNzKo/az0uXUSzx3ft yB+0VgRmuk4skB+zHORr2/JwgcQZcwqd1rf3fPb2PA==
X-Google-Smtp-Source: APXvYqxhdiD+x3VaTygxDiUrhuEo1MS4vpyQImJg6/6u0o07Xd8U4dN7znnA6Td4K+6r0ZSCBqN07P6uViqHBIh5SzA=
X-Received: by 2002:a81:4ec7:: with SMTP id c190mr1743158ywb.160.1562846706565; Thu, 11 Jul 2019 05:05:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAFyqnhVJ-ps4bdhsyQDOHdzHVZsXeK7_kCDXxUVUcuyDzWS3uA@mail.gmail.com> <29657.1562351277@localhost> <CAFyqnhU3KQN_Ww9km8yu7RsdJ1=6ut-bzLmFXtk00H-Zn1ykuQ@mail.gmail.com> <d572ce18b5ea40f18e8ff460dbab1e8b@NASANEXM01C.na.qualcomm.com> <CAFyqnhWQhw-JpDxdQLyXhf1wAJX_BUzOftouxBZjGk35q=Vnag@mail.gmail.com> <5C3D43D7-8C32-4C83-AEC9-DF98FE5DCF6B@island-resort.com>
In-Reply-To: <5C3D43D7-8C32-4C83-AEC9-DF98FE5DCF6B@island-resort.com>
From: Shawn Willden <swillden@google.com>
Date: Thu, 11 Jul 2019 06:04:54 -0600
Message-ID: <CAFyqnhU23bwrY8UmBGf-=f665coHLX7PmhZWbCJp3qxrcAsvEw@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietfa.amsl.com" <rats@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="000000000000c8e169058d669a17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tGZ3xZfB9SLNiinRVMbJHx5_f7g>
Subject: Re: [Rats] Android comments on EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 12:05:10 -0000

On Wed, Jul 10, 2019 at 10:18 PM Laurence Lundblade <lgl@island-resort.com>
wrote:

> First comment: I’m not sure this discussion has a big effect on what we
> standardize here. It seems reasonable to standardize the location claim
> even if Android or others don’t use it because it is a useful claim. So we
> should keep the location claim.  There should be some privacy discussion
> for the claim, probably suggesting at minimum the user’s consent be
> obtained before it is sent.
>

Completely agreed.


> Second comment (not really relevant to standards work): It could work like
> this. The non-TEE part of the device (i.e., Android) tells the TEE if it
> can include the location or not. When the TEE includes it, it will be
> non-spoonable. That should be OK, because the user and Android are still in
> control. I fully agree that the TEE should not be sending any data that has
> any privacy issue on it’s own.
>

We'll go a step beyond that, I think, and mandate that the TEE also must
refuse to provide the location claim under any circumstances.  But the
location claim may certainly be useful elsewhere..

I'll point out that those of you who find location claims useful for your
solutions really do not want Android to provide location claims (from the
TEE). The reason is that location is inherently spoofable, by spoofing the
RF signals that tell the device where it is.  At present, such RF spoofing
equipment is custom and relatively expensive and difficult to use, but if
Pokemon GO players couldn't spoof via software you can bet that within six
months you could buy $500 GPS spoofing devices and within a year there
would be multiple manufacturers competing and driving the price down.

> On Jul 6, 2019, at 12:33 PM, Shawn Willden <
> swillden=40google.com@dmarc.ietf.org> wrote:
>
> On Sat, Jul 6, 2019 at 8:05 AM Giridhar Mandyam <mandyam@qti.qualcomm..com
> <mandyam@qti.qualcomm.com>> wrote:
>
>> >>Can you say more about location?
>> Are you saying that Android would never provide a relying party (say, an
>> open-protocol implementation of Pokemon GO) with where a device is?
>>
>>
>>
>> >I strongly doubt that we will ever provide that.  I understand the
>> benefits, but the privacy team feels like the risks are too great, that
>> it's important that it always be possible to spoof privacy-critical data
>> elements like location.
>>
>>
>>
>> Can you expand on why “it’s important that it always be possible to spoof
>> privacy-critical data elements like location”?
>>
>
> I'm not a member of the privacy team, so I don't know all of the
> rationale/considerations, but I know one element of it is to protect
> dissidents living under oppressive regimes.  There's a desire to make it
> possible for them to prevent their devices from giving away any information
> they don't want revealed, via rooting and modification of the Android OS.
> Since they can't modify TEE/SE functionality, it's on us to limit the
> feature set of the TEE/SE code so it doesn't reveal private information, to
> the degree we can.
>
> This is why the existing Android attestation uses batch attestation keys,
> to avoid making the attestation key a strong unique identifier, and why the
> ID attestation features are tightly restricted and include a low-level API
> to wipe the IDs and thereby disable ID attestation.  I'm assuming that
> similar logic would preclude location attestation, though the question
> hasn't actually come up.
>
>
>> If we compare to the FIDO 2 location extension (
>> https://www.w3.org/TR/webauthn/#sctn-location-extension), which can be
>> included as part of the FIDO 2 attestation, the location data inclusion in
>> the attestation is managed by the browser permissions framework that
>> already exists for location (
>> https://www.w3.org/TR/webauthn/#browser-permissions-framework-extensions
>> ).
>>
>>
>>
>> It seems that the Android permissions framework could be similarly
>> leveraged for an EAT-based location claim.
>>
>
> It could, yes, but I don't think Android will enable that.
>
>
>>
>> -Giri Mandyam, Qualcomm
>>
>>
>>
>> *From:* RATS <rats-bounces@ietf.org> *On Behalf Of * Shawn Willden
>> *Sent:* Saturday, July 6, 2019 7:25 PM
>> *To:* Michael Richardson <mcr+ietf@sandelman.ca>
>> *Cc:* rats@ietfa.amsl.com
>> *Subject:* Re: [Rats] Android comments on EAT draft
>>
>>
>>
>> *CAUTION*: This email originated from outside of the organization.
>>
>>
>>
>>
>>
>> On Fri, Jul 5, 2019 at 12:28 PM Michael Richardson <mcr+ietf@sandelman.ca>
>> wrote:
>>
>>
>> Shawn Willden <swillden=40google.com@dmarc.ietf.org> wrote:
>>     > Specifically, EAT is about attesting to a *device* while Keystore
>>     > Attestation is about attesting to a *key* -- though we also attest
>> to
>>     > quite
>>
>> I have include a section in the use case document called "Cryptographic
>> key
>> Attestion"
>>
>>
>>
>> Great!
>>
>>
>>
>>     > Another, more tractable, area of difference is that EAT provides
>> Claims
>>     > for
>>     > several data items which Android will likely never allow to be
>> attested
>>     > because of their privacy implications and potential for ecosystem
>>     > fragmentation (apps choosing which devices they'll run on -- we
>> generally
>>     > try to deny them the information they'd like to have to make those
>>     > choices).  These are:
>>
>>     > - UEID
>>     > - Origination
>>     > - Location
>>
>> Can you say more about location?
>> Are you saying that Android would never provide a relying party (say, an
>> open-protocol implementation of Pokemon GO) with where a device is?
>>
>>
>>
>> I strongly doubt that we will ever provide that.  I understand the
>> benefits, but the privacy team feels like the risks are too great, that
>> it's important that it always be possible to spoof privacy-critical data
>> elements like location.
>>
>>
>>
>>     > Some other claims that we have, and think are important, are OS
>> version
>>     > and
>>     > patch-level (represented as a date, YYYYMMDD); secure boot
>> verification
>>     > key
>>     > digest; secure boot digest (hash of all verified code); application
>> ID (a
>>     > digest of the requesting app signing key); and secure app version
>> (hmm,
>>     > don't have a patchlevel, but we should!  I'll see about adding that
>> for
>>     > R).
>>
>> These are all intended to be covered under "network attestation", but
>> now I wonder if that term is mis-leading.
>>
>>
>>
>> Hmm.  Yes, you're attesting to the device state, not anything about a
>> network.  I guess "network attestation" is because you're expecting the
>> relying party to be the network?
>>
>>
>>
>>
>> --
>>
>> Shawn Willden | Staff Software Engineer | swillden@google.com |
>>  720-924-6645
>>
>
>
> --
> Shawn Willden | Staff Software Engineer | swillden@google.com |
>  720-924-6645
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>
>
>
>

-- 
Shawn Willden | Staff Software Engineer | swillden@google.com | 720-924-6645

v2.23.0 | Report a Bug | By Email