Re: [Rats] my comments on the mic line
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 09 November 2023 13:55 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E0BC14F74E for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 05:55:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JsLysPX8GiZt for <rats@ietfa.amsl.com>; Thu, 9 Nov 2023 05:55:43 -0800 (PST)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CA59C1705E7 for <rats@ietf.org>; Thu, 9 Nov 2023 05:55:17 -0800 (PST)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-53de8fc1ad8so1390449a12.0 for <rats@ietf.org>; Thu, 09 Nov 2023 05:55:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699538115; x=1700142915; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NEYuDENkPK0iQx1GFo2J9qYlrRnFcewISq+WlG+1mno=; b=E9MNw/BdpXhf757m7gQf53FNr3fKkPv0jjChR1gnMyKnoWl0W8kaBl/l4utOX+kbFu fh+cH1mv/LBZIl+8LuX/sTmEaRIt3TJ/Z0u39cS8aES+/Z+7wpLiaFb+T37ZfG3Vuxof Xb1ZL0vdhTdwr+mWkAFHrtqekkXDncgbi4TRaXCaZ9yxmYXCY/zCHlbp3e6sevMvveSL i0yaXNPJHLOkcVcOI+Za1v3D5arAeUiAVkCPZGvkj6R83H0xm/2hlAqdp0tRFBkR/De3 WZYNs+T6CAymjv0pdGUrUl6XduFDmA15yhiZGCdji2qPzpz5YIUG1iD7c7LoUzNrVyuC qwZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699538115; x=1700142915; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NEYuDENkPK0iQx1GFo2J9qYlrRnFcewISq+WlG+1mno=; b=dayLrJwNaYJAC9cmG4xv/CCmlr8oPdk7mD6GQYwfBel1nrSKGLfpO26mlcKr6A1fD8 BHIinFJP5obBFevHMxiWVCrS99vfxaThMSAbg/1eX/q069QEayXmNkLq0lVfrIfxtyth AgdPd6+c6FwTnaIFidw/ZP24HUDTSTbpClcZ3McNuJUmgNVOYO+bZ5H2FbdGH3GWMfDK binQjicZxbBmVdfqkBWqVEOg2Mmja6R1pSWKVbSbGmoKP0oY8B2tGH+p3QaiLIVn0weS ECevnvkddoXMDtRwO4v8J2FZ7SkUIB3K5PrY1EWHlDGAwXjOBYBQ+qS7ipNnr83oqQl1 Syvw==
X-Gm-Message-State: AOJu0YyR9/tFH2TYjVWewQ+/4YdHm1w6vHgINrOo+LBVIuDEJdqAQusN rnOyU+PBkmh8hmTWuxmyQ4eyALZYDrSE7xpHuIg31Oo1
X-Google-Smtp-Source: AGHT+IHLoxUvLwI2CV6Msx4iYvcVp7Gmm6a0+COBgOU0dRT6CoChbw5XFcVN1pwkEByEZxxFsYedgBRbc/Ue4sYAIX8=
X-Received: by 2002:aa7:df10:0:b0:543:54da:1a43 with SMTP id c16-20020aa7df10000000b0054354da1a43mr4562996edy.7.1699538114975; Thu, 09 Nov 2023 05:55:14 -0800 (PST)
MIME-Version: 1.0
References: <CA+1=6ycTGM+dPLWGnFLnF2njAtdO6f3PEEwvgs1RLQh+N6eBjQ@mail.gmail.com> <014101da1264$2967f7c0$7c37e740$@gmx.net>
In-Reply-To: <014101da1264$2967f7c0$7c37e740$@gmx.net>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 09 Nov 2023 08:54:38 -0500
Message-ID: <CAHbuEH7woP3_oUMCoFRB=_1p9U3=mOCB64EhV5UiT602a+Sf2Q@mail.gmail.com>
To: hannes.tschofenig@gmx.net
Cc: Thomas Fossati <thomas.fossati@linaro.org>, rats <rats@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a01d130609b88d13"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tgz7bMvrOj6b3oX5AyjHRNuCeao>
Subject: Re: [Rats] my comments on the mic line
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 13:55:46 -0000
Hi Hannes, Thank you for the helpful feedback. It's good to know exactly what would help in a new version. On Wed, Nov 8, 2023 at 11:53 AM <hannes.tschofenig@gmx.net> wrote: > Hi Kathleen, > > I have just re-read the draft myself and have similar questions. > The architecture is not clear to me. A figure would help me. > Great, I'll work on a figure. > > I also believe there is a bit of a terminology mix-up. The RATS > architecture already defines an extensive list of terms and you add even > more (without defining them). I have challenges understanding many of the > sentences. > Yes, I need to update on all the terms created over the last few years. I used terms that were okay 3 years ago and that the general population might understand. I'll work on this. > > There are also lots of references missing. Is it necessary to even talk > about these specifications/technologies to get the idea across? > I think they can be removed. I ran out of time and had wanted to put in the references. Part was that I wanted to make sure others understood that the assessments using local or implicit attestation are in place already for assurance of hardware, firmware, BIOS, and the host server (e.g. ESXi) in a container environment. We've been working with a couple of these vendors. > I believe a simplified example would help the reader understand. > > In general, there is also the question about what you are proposing. It > seems that you propose the following: > > - an architecture extension (in the style of how draft-ietf-rats-daa > extends the RATS architecture) , and > - new claims for EAT. > > Is this correct? > Yes, that's correct. It's meant to be simple, to create a registry that allows you to name a policy and level that is being communicated to a posture management system as well as the posture assessment result. Once all are collected, the posture management system can convey the status of a cluster or Pod, full VM stack, etc. > The document is somewhat incomplete. The claim definition is missing, the > IANA consideration section for those claims is empty, the reference to RATS > cannot be informative, the appendices should be removed, etc. Yes, I did this intentionally as I'd like to make sure there is collaboration, ideally in a WG, to reach consensus on what should be in the EAT. Laurence has offered assistance on the claims for when we are ready and Thomas has connected me to some key individuals who should have shared interest in the work to develop it as it would be needed. It will be important to have the input of implementers at both the point of assessment as well as the posture management system receiving the result. I hope that helps and your feedback was very helpful. Thank you, Kathleen > > > Ciao > Hannes > > > -----Original Message----- > From: RATS <rats-bounces@ietf.org> On Behalf Of Thomas Fossati > Sent: Mittwoch, 8. November 2023 13:12 > To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>; rats < > rats@ietf.org> > Subject: [Rats] my comments on the mic line > > Hi Kathleen, > > sorry you didn't feel good, I hope you'll recover soon! > > This is a copy of the comments I made on the mic line, feel free to > address them whenever you feel better. > > First of all, for me, it is important to get a grasp of the system > architecture you have in mind to understand whether this work is in the > scope of RATS. > > IIUC, you have a composite device that produces complex, multi-layered > evidence. Then a (local) verifier appraises the evidence and produces an > attestation result. Then a relying party (i.e., some kind of > governance/risk-compliance application) uses its application-specific > appraisal policy to process the attestation result and create an > “attestation” (= NIST definition #2, see [1]) using the claims you want to > define/register. > > If that is the case, it'd seem to me that the claims set is outside of the > RATS picture - they'd be a message coming out of the RP box in the bottom > right-hand corner of the architecture picture. > > If that is not the case - apologies if I misconstrued your design :-) > - and the claims set is part of the attestation result coming out of the > verifier, then it's good to go for me because this would be semantics > encoded in one of the RATS conceptual messages. > > In any case, RATS or not, this is very relevant work. > > cheers, thanks! > > [1] https://csrc.nist.gov/glossary/term/attestation > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats > > -- Best regards, Kathleen
- [Rats] my comments on the mic line Thomas Fossati
- Re: [Rats] my comments on the mic line Kathleen Moriarty
- Re: [Rats] my comments on the mic line Stein, A.J. Mr. (Fed)
- Re: [Rats] my comments on the mic line Tom Jones
- Re: [Rats] my comments on the mic line hannes.tschofenig
- Re: [Rats] my comments on the mic line Kathleen Moriarty
- Re: [Rats] my comments on the mic line Kathleen Moriarty
- Re: [Rats] my comments on the mic line Kathleen Moriarty
- Re: [Rats] my comments on the mic line Kathleen Moriarty
- Re: [Rats] my comments on the mic line Thomas Fossati