IETF Logo Mail Archive

Re: [Rats] Call for Adoption: EAT draft

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 24 May 2019 16:01 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F3D12016F for <rats@ietfa.amsl.com>; Fri, 24 May 2019 09:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0LTC8WyIjlP8 for <rats@ietfa.amsl.com>; Fri, 24 May 2019 09:01:18 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150087.outbound.protection.outlook.com [40.107.15.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E1BE12010C for <rats@ietf.org>; Fri, 24 May 2019 09:01:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Hr0BipJVIj4x+u/i6bPLOVyDdVT8nuH9bx1P9fbWn1E=; b=3N20ikKjHe4DBUpZ5FlmsSn8PO9U5J0SC5SaL6NjYUTiSZKxfiTY8y+2bzEb+2K2lfXDQwzOhKj3Ns4Tujr3YEGv4cS7QZEydn2PFK+9+G7WOMt/wPP6/A/Bux4LP34G5fNocul8wPq2jsc2eQ2FY5j+s4AV5qQHWPmteBhQIvM=
Received: from DBBPR08MB4539.eurprd08.prod.outlook.com (20.179.44.144) by DBBPR08MB4886.eurprd08.prod.outlook.com (20.179.47.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.19; Fri, 24 May 2019 16:01:15 +0000
Received: from DBBPR08MB4539.eurprd08.prod.outlook.com ([fe80::91a5:7d70:3c7e:d096]) by DBBPR08MB4539.eurprd08.prod.outlook.com ([fe80::91a5:7d70:3c7e:d096%6]) with mapi id 15.20.1922.018; Fri, 24 May 2019 16:01:15 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>, Anders Rundgren <anders.rundgren.net@gmail.com>
CC: Carsten Bormann <cabo@tzi.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Call for Adoption: EAT draft
Thread-Index: AQHVB0Ih4Xja5WRZnUanrv/uEd79H6Z3mXcAgAEG8UCAAGEkgIAAAReAgAGCORA=
Date: Fri, 24 May 2019 16:01:15 +0000
Message-ID: <DBBPR08MB4539CA90C9EF09895B25720FFA020@DBBPR08MB4539.eurprd08.prod.outlook.com>
References: <CAHbuEH6Mdwp+neWbcecA-pMYZoXKiNda2A0EnMh-8WX=W9_edA@mail.gmail.com> <124ACA8D-6209-440C-99E4-B82A24FC18D1@tzi.org> <DBBPR08MB4539FA533892FA012E61216EFA010@DBBPR08MB4539.eurprd08.prod.outlook.com> <03c7fe24-d0ac-c96c-533c-13604433be08@gmail.com> <BBB0003A-1186-43DB-B95E-972A6045C7C5@qti.qualcomm.com>
In-Reply-To: <BBB0003A-1186-43DB-B95E-972A6045C7C5@qti.qualcomm.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.123.119]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dc3ebbef-5c91-46c3-c4ac-08d6e0610ce1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:DBBPR08MB4886;
x-ms-traffictypediagnostic: DBBPR08MB4886:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DBBPR08MB48867110095EA66809EA1E97FA020@DBBPR08MB4886.eurprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0047BC5ADE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(136003)(346002)(396003)(376002)(13464003)(199004)(189003)(40434004)(2906002)(14454004)(316002)(229853002)(8936002)(9326002)(8676002)(966005)(72206003)(86362001)(81156014)(81166006)(6436002)(6306002)(9686003)(54896002)(236005)(55016002)(186003)(66446008)(66946007)(5660300002)(478600001)(476003)(606006)(66066001)(446003)(11346002)(7736002)(486006)(54906003)(68736007)(110136005)(4326008)(74316002)(102836004)(53936002)(5024004)(14444005)(256004)(7696005)(99286004)(6506007)(6246003)(53546011)(76176011)(33656002)(3846002)(64756008)(66556008)(25786009)(52536014)(26005)(76116006)(66476007)(790700001)(73956011)(71200400001)(71190400001)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:DBBPR08MB4886; H:DBBPR08MB4539.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: UxH5obKVQ1mP3YyHmvkokFU6e03uYX0vXw/mbq/cPx4g6m/PAaFkrXx9Y5JxrgWfsg4460FSNfL+CR/ZPUNZxpbMRRplqZBIhT3yZO3EAKZ/93petks5KLVpReQnMcTDVZlVJ9cX8WBu8SwV4lMSlDBbifUVNAw2IFRFdKSjg6hUd13jzSlbEBXTqaRRrUOSD0FwwgKt39K34xpjqFSIRXmOVJBO9ChehkYKxehINXHbUP2mi9fJPGZZMQwNY+kXuYgBWtJzAHgtSgeZrk/0z3JjcKaCwPI0Y2NsE/w8IBDJxBWYMqiiKKv4ofclzTmXRFCwyDu9k1/aZnyH+zBB9vtI4mlokfA+paS6YsRSJDQuXg5aQhpqU1xW3PQ2I1R8GWfAdIcuOAzxA1dActM3SOOVEHnAyqgWIyOjAAS14wY=
Content-Type: multipart/alternative; boundary="_000_DBBPR08MB4539CA90C9EF09895B25720FFA020DBBPR08MB4539eurp_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dc3ebbef-5c91-46c3-c4ac-08d6e0610ce1
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 May 2019 16:01:15.0796 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Hannes.Tschofenig@arm.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB4886
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/vhiLF9kyV-VFfUkmDwX43aUR7eE>
Subject: Re: [Rats] Call for Adoption: EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 16:01:22 -0000

Hi Jeremy,

This is probably a discussion for the TEEP working group but I was indeed wondering whether it makes sense to refer to the ongoing TEEP work as a “OTrPv2”.

Ciao
Hannes

From: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>
Sent: Donnerstag, 23. Mai 2019 18:57
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Carsten Bormann <cabo@tzi.org>; Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>; rats@ietf.org
Subject: Re: [Rats] Call for Adoption: EAT draft

You could probably rewrite the messaging to use CWT, but...


  1.  There are a lot of protocol aspects in OTrP that don't really map well into EAT. You would still need a protocol definition.
  2.  An awful lot of what is in OTrP would be difficult to classify as "claims" (some of the auditing information meets the definition, but something like "Install TA" is not really a claim.
  3.  There are deployments of OTrP out there already, and other specifications that build on it. I don't believe such radical change would be a good idea (or at least should no longer be called OTrP)

Best regards
Jeremy


On 23 May 2019, at 17:53, Anders Rundgren <anders.rundgren.net@gmail.com<mailto:anders.rundgren.net@gmail.com>> wrote:

-------------------------------------------------------------------------
CAUTION: This email originated from outside of the organization.
-------------------------------------------------------------------------

On 2019-05-23 13:53, Hannes Tschofenig wrote:

Hi Carsten,
You have been around when CWT defined but let me provide a history for those who weren't.

Couldn't an iteration of
https://tools.ietf.org/html/draft-ietf-teep-opentrustprotocol-03
could build on EAT/CWT?

Anders


The CWT was defined in ACE to correspond to a JWT. CWT uses CBOR together with COSE while the JWT uses JSON with JOSE.
The CWT spec aimed to provide an easy mapping of claims already defined for the JWT. The JWT, a standardized access token format, is widely used in OAuth deployments and because ACE-OAuth uses, as the name indicates, OAuth as a foundation it created a "more lightweight version" of the JWT in form of the CWT. Defining an alternative token format for use with OAuth was possible because in the OAuth architecture the format of the access token is opaque to the OAuth Client.
The CWT and the JWT have been defined for the OAuth authorization framework but they have later been used in other context too. Is this useful? It seems that the idea of having signed/encrypted/MACed claims is something people want to use even if different claims are used in different environments. Do they use different names then for these tokens (similarly what we do here with EAT)? Of course. People working in standardization like to come up with new names. That's why there are things like the "protection API access token (PAT)" or the "persisted claims token (PCT)".
Is a token, like the CWT or the JWT, now a protocol message, a "document" or what? If you don't send it around then it does not seem to be a message. Not sending a token anywhere wouldn't be too useful either. The question I have is: does it matter? From a practical usage point of view you will have to send it around and it will be part of some message. I personally don't call it message or protocol but that's just me. There are claims defined for CWTs and JWTs that provide some meta-data, such as allowing to restrict its validity (time-based and even to a one-time use), or information that indicate when it was created.
The main use case for attestation is a bit different than OAuth or ACE-OAuth because in OAuth/ACE-OAuth the access token gets created by the Authorization Server and is consumed by the Resource Server. While this is a possible use case also for RATS (when combined with an OAuth-based system, as folks in the OAuth group had suggested), the main use case (at least from my point of view) is that a device creates the token and then passes it on to the party that wants to verify it.
If the EAT document uses the same structure as a CWT but defines new claims should you therefore say that "it is" a CWT or should one rather say "it is like" a CWT. I think it a matter of taste. I do not care - pick something.
So, can you use claims defined already in an EAT token? Sure, you can. Will all the claims defined in the past be useful for an attestation context? Probably not. Will there be organizations defining profiles what claims they expect to see in an attestation token in a given deployment? Absolutely. GP, for example, is already working on it.
In a nutshell: EAT is a simple effort and that's a good thing. This is why we implemented it and it is waiting for you to use it.
Ciao
Hannes
-----Original Message-----
From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> On Behalf Of Carsten Bormann
Sent: Mittwoch, 22. Mai 2019 21:25
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com<mailto:Kathleen.Moriarty.ietf@gmail.com>>
Cc: rats@ietf.org<mailto:rats@ietf.org>
Subject: Re: [Rats] Call for Adoption: EAT draft

The Entity Attestation Token (EAT)
https://datatracker.ietf.org/doc/draft-mandyam-rats-eat/

This begins a 2 week period to determine interest in adopting this draft as a working group item.  The poll will close on May 24th EOD PDT.
Hi Kathleen,
I am definitely interested in this work.  This is important, and I’d like to be able to convince myself we are doing it right.
I apologize for maybe being a bit slow on the uptake, but currently I don’t have enough data to make a decision that the present document is on the trajectory yet where I’d normally ask for WG adoption.  Maybe this adoption call simply is a few weeks (draft revisions) too early.
While we can fix a lot of details in the WG process, I’d like to understand some fundamentals before committing to the trajectory I don’t understand.
For instance, I’d like to understand whether an EAT is a token or a protocol message in some as yet undescribed protocol.  E.g., there is the 11, nonce.  Is this the same thing that would be 7, cti in RFC 8392?  Or is it really something that is about an attestation protocol?  If this is a nonce, what does the “nonce” mean?  A single-use token?  A nonce that isn’t quite a nonce but only can be reused in a limited context?  How does the nonce bind to that context?
More generally, I’d like to understand whether an EAT *Is* a CWT, or *Is like* a CWT.
Can I put in an “exp” claim?  If yes, why do we need a new CBOR tag for something that essentially is a CWT?  Wouldn’t it be useful to explain when a CWT is an EAT and when it is just a plain CWT?  Tagging outside the COSE sign/mac isn’t enough (an attacker can change the tag and make a confusion attack).  Is this spec really the place to define a “loc” claim and its subclaims?  Is subclaims a concept that is only for EATs or is it for CWTs in general?
I could go on explaining my lack of understanding here, but I think it should be clear that there are a lot of questions on *what* we are doing here (as opposed to *how* we are doing it, which is what the WG process is good for nailing down).  A couple of iterations on this document might allow us to make a much better case that this is indeed going to be one of the base documents for the WG.  Or maybe it really is a couple or three documents waiting to hatch from the eggshell.  We still have > 6 weeks before I-D deadline for Montreal to clean this up.
Grüße, Carsten
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email