Re: [Rats] Interoperability ... RE: EAT Profiles

"Smith, Ned" <ned.smith@intel.com> Mon, 26 September 2022 18:25 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Thomas Fossati <tho.ietf@gmail.com>
CC: Laurence Lundblade <lgl@island-resort.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Date: Mon, 26 Sep 2022 18:24:58 +0000
Message-ID: <914B1C45-2352-404D-B011-2FF17863D0EB@intel.com>
In-Reply-To: <DBBPR08MB5915547A166C910F051E4FD8FA529@DBBPR08MB5915.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tKTe1zoS45fgPvAvUVeTVokDO50>

Thanks Hannes and Laurence (per your reply on Friday), this all is helpful insight on how RATS / EAT views profiles. The RATS WG can reference the various threads on profiles if IESG or other reviews produce questions about interoperability and profiles.
-Ned

On 9/26/22, 2:36 AM, "Hannes Tschofenig" <Hannes.Tschofenig@arm.com> wrote:

    Hi Ned,

    I would like to respond to your statement about the AISS token being an extension to the CWT/JWT rather than the EAT token.

    EAT intentionally builds on CWT/JWT. This is a good design approach.

    The AISS token re-uses claims in EAT and therefore extends EAT and indirectly the CWT/JWT.

    Should the draft provide more information regarding the recommendations in Section 6 of draft-ietf-rats-eat? Yes. Definitely.

    In a nutshell, I don't see a problem. FWIW I have implemented a prototype of the AISS token using the EAT library Laurence released.

    Ciao
    Hannes

    -----Original Message-----
    From: Thomas Fossati <tho.ietf@gmail.com>
    Sent: Thursday, September 22, 2022 3:04 PM
    To: Smith, Ned <ned.smith@intel.com>
    Cc: Laurence Lundblade <lgl@island-resort.com>; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org
    Subject: Re: [Rats] Interoperability ... RE: EAT Profiles

    hi Ned,

    On Wed, Sep 21, 2022 at 5:51 PM Smith, Ned <ned.smith@intel.com> wrote:
    > On 9/21/22, 1:55 AM, "RATS on behalf of Thomas Fossati" <rats-bounces@ietf.org on behalf of tho.ietf@gmail.com> wrote:
    > > On Tue, Sep 20, 2022 at 8:55 PM Smith, Ned <ned.smith@intel.com> wrote:
    > > > Profiles should extend standardized statements at a defined
    > > > extension point; but existing seem to go beyond this in several
    > > > ways.
    > >
    > > Can you point me to where that is happening?  Speaking for PSA, we
    > > do not extend any standardised EAT statement.
    >
    > [nms]    aiss-token = {
    >        aiss-nonce,
    >        aiss-instance-id,
    >        aiss-profile,
    >        aiss-implementation-id,
    >        aiss-lifecycle,
    >        aiss-boot-odometer,
    >        aiss-watermark,
    >    }
    >
    > Aiss-token seems to be an extension of a CWT/JWT token (rather than an
    > EAT token). However, this token does integrate with some claims found
    > in the EAT draft such as nonce, profile, UEID, and hash-type. Hence,
    > it is both a subset of EAT claims as well as a superset of an EAT
    > token.

    I am not sure I see a problem here.  An EAT can (and typically will) be a CWT/JWT, so anything claiming to be an EAT "profile" can a) inherit the CWT/JWT wrapping, b) extend the claims set using newly registered CWT/JWT claims if the available EAT claims are not sufficient.

    > Philosophically, EAT claims could be incorporated into other container
    > structures besides CWT/JWT tokens.

    True, but.
    In order to extend the top-level type one needs an "IETF standards track document." (see §3), so it's not going to be cheap to do that.

    > For example, an X.509 certificate
    > could define an extension that contains UCCS expression of EAT claims

    This X.509 extension would be wrapped in a UCCS which is a top-level EAT (when it gets its RFC number), so this is not the right example of "new bounding container", I think.

    > or a protocol frame could do something similar.

    If by "similar" you mean UCCS wrapping the EAT/CWT claims then there's no need to define anything for the profile.  Just reference [UCCS].

    > It seems reasonable that a profile could specify the bounding
    > container for EAT defined claims.

    yes, but in order to be called an EAT it needs to be defined in a STD track document.

    cheers,
    --
    Thomas
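Added illustration (not code from the thread, the EAT draft or the AISS token work) of the composition Thomas describes above: a profile keeps the CWT/JWT wrapping, takes the claims it can from EAT and adds its own as CWT claims. It builds an AISS-style claims set shaped like the CDDL Ned quoted, encodes it as the CBOR map a UCCS or CWT would carry, and runs the checks a verifier for that profile would apply. The standard claim keys (eat_nonce=10, ueid=256, eat_profile=265) are assumed from the EAT draft's IANA requests, and the aiss-* keys and the profile URI are constructed placeholders.

```python
import struct

# EAT claim keys as requested for draft-ietf-rats-eat (assumed; verify them in the IANA CWT Claims registry).
EAT_NONCE, UEID, EAT_PROFILE = 10, 256, 265
# Constructed placeholders for the profile's own claims. Until registered
# as CWT claims they sit in the private-use range (integers below -65536).
AISS_BOOT_ODOMETER, AISS_WATERMARK = -70001, -70002
PROFILE_URI = "https://example.invalid/aiss"  # placeholder profile identifier
REQUIRED = {EAT_NONCE, UEID, EAT_PROFILE, AISS_BOOT_ODOMETER, AISS_WATERMARK}

def cbor(v):
    """Minimal CBOR encoder (ints, bytes, text, maps) using RFC 8949 core
    deterministic map-key order; enough for a flat claims set."""
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        if n < 0x100:
            return bytes([major << 5 | 24, n])
        if n < 0x10000:
            return bytes([major << 5 | 25]) + struct.pack(">H", n)
        return bytes([major << 5 | 26]) + struct.pack(">I", n)
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes):
        return head(2, len(v)) + v
    if isinstance(v, str):
        return head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):
        keys = sorted(v, key=lambda k: (len(cbor(k)), cbor(k)))
        return head(5, len(v)) + b"".join(cbor(k) + cbor(v[k]) for k in keys)
    raise TypeError(f"unsupported type {type(v).__name__}")

def aiss_claims(nonce, ueid, boot_odometer, watermark):
    """Claims set of the profile: standard EAT claims plus its extensions."""
    return {EAT_NONCE: nonce, UEID: ueid, EAT_PROFILE: PROFILE_URI,
            AISS_BOOT_ODOMETER: boot_odometer, AISS_WATERMARK: watermark}

def check_profile(claims):
    """Verifier-side checks on a decoded claims map; [] means accept."""
    issues = []
    if claims.get(EAT_PROFILE) != PROFILE_URI:
        issues.append("eat_profile missing or not this profile")
    issues += [f"required claim {k} missing" for k in sorted(REQUIRED - set(claims))]
    nonce = claims.get(EAT_NONCE)
    if not (isinstance(nonce, bytes) and 8 <= len(nonce) <= 64):
        issues.append("eat_nonce must be 8..64 bytes")
    # Keys the profile did not register must stay out of the ranges the
    # CWT Claims registry manages (-65536..65535), or they may collide later.
    issues += [f"unregistered claim key {k}" for k in claims if k not in REQUIRED and isinstance(k, int) and -65536 <= k <= 65535]
    return issues
```

Private-use keys are only a stopgap for prototyping; an interoperable profile registers its extension claims, which is the "newly registered CWT/JWT claims" route mentioned in the thread.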