Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Michael Richardson <mcr@sandelman.ca> Thu, 05 December 2019 14:26 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 175131200C7 for <rats@ietfa.amsl.com>; Thu, 5 Dec 2019 06:26:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ucBKeh7hrVBi for <rats@ietfa.amsl.com>; Thu, 5 Dec 2019 06:26:17 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96E76120013 for <rats@ietf.org>; Thu, 5 Dec 2019 06:26:17 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id BF3453818F; Thu, 5 Dec 2019 09:22:37 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 60F0AAAB; Thu, 5 Dec 2019 09:26:16 -0500 (EST)
From: Michael Richardson <mcr@sandelman.ca>
To: "Smith, Ned" <ned.smith@intel.com>
cc: "rats@ietf.org" <rats@ietf.org>
In-Reply-To: <E895051D-6F8F-4EF7-B08E-DFFF28A3AB91@intel.com>
References: <8B173958-FC2A-4D1D-A81C-F324AB632CD7@cisco.com> <147F9159-6055-4E55-ABDC-43DFE3498BF1@island-resort.com> <ce5f8206-74dc-36bb-0093-a93045d5c67f@sit.fraunhofer.de> <0A7E3A4F-8534-4E98-BCB7-1454E07699F4@island-resort.com> <C3AE2645-49C8-4313-BCED-02FEB576B614@cisco.com> <1C8A1884-A37D-45E3-8C11-2FC5A083B245@island-resort.com> <HE1PR0702MB375366C5F7FE5C497C35D73B8F740@HE1PR0702MB3753.eurprd07.prod.outlook.com> <7106C9D3-8ED1-419E-81F8-4CDA799BEDAE@intel.com> <MWHPR21MB07844F61BEFAE03F9E7DD290A3770@MWHPR21MB0784.namprd21.prod.outlook.com> <6E7D64B4-2049-4D0A-ADC5-CA3F0647779B@island-resort.com> <MWHPR21MB07840B6CF7BEE0A11ABE54BFA3700@MWHPR21MB0784.namprd21.prod.outlook.com> <10511.1574490818@dooku.sandelman.ca> <8363AFEC-C92C-466D-8F2C-CE7A3E94370B@intel.com> <22086.1575499045@localhost> <E895051D-6F8F-4EF7-B08E-DFFF28A3AB91@intel.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <22983.1575555976.1@localhost>
Content-Transfer-Encoding: quoted-printable
Date: Thu, 05 Dec 2019 09:26:16 -0500
Message-ID: <22984.1575555976@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/t_cq-eGSIcEXvDZcCQyRM_WlZQM>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 14:26:19 -0000

Smith, Ned <ned.smith@intel.com>; wrote:
    > Smith, Ned <ned.smith@intel.com>; wrote:
    >> The step-0 protocol may have payload size or timing limitations that
    >> prevents fully attesting. This is the case for 802.1X ethernet ports.

    > EAP-TLS would carry the certificate, and it has a way to segment the
    > payloads, I think.  If not, DTLS does.

    > The attestation would go into the TLS as data, inside the voucher-request, so
    > I don't imagine that there would be further size limitations.


    > That is one approach, other approaches include Evidence in
    > certificates. Sometimes protocols have upper bound on the size of the
    > certificate path payload. Doing attestation as part of a session
    > establishment (e.g. TLS handshake) is the trust semantics of
    > attestation apply to the session keys. If attestation is part of a data
    > block, then it is possible for the trust semantics of attestation to be
    > separated from the session endpoints.

BRSKI connects the inside to the outside via RFC8366 vouchers, so the end
points are really quite well pinned down :-)