IETF Logo Mail Archive

Re: [Rats] Orthogonal: UUID? (was RE: Some new comments for CHARRA YANG module)

Laurence Lundblade <lgl@island-resort.com> Fri, 14 August 2020 20:40 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FF513A0828 for <rats@ietfa.amsl.com>; Fri, 14 Aug 2020 13:40:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.884
X-Spam-Level:
X-Spam-Status: No, score=-1.884 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nTq-Hu6KfcS for <rats@ietfa.amsl.com>; Fri, 14 Aug 2020 13:40:21 -0700 (PDT)
Received: from p3plsmtpa08-09.prod.phx3.secureserver.net (p3plsmtpa08-09.prod.phx3.secureserver.net [173.201.193.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EBE13A0829 for <rats@ietf.org>; Fri, 14 Aug 2020 13:40:21 -0700 (PDT)
Received: from [192.168.1.78] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id 6gUukGkdl0z4J6gUukofDd; Fri, 14 Aug 2020 13:40:20 -0700
X-CMAE-Analysis: v=2.3 cv=EP14LGRC c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=HLvPDLHGFjgA:10 a=48vgC7mUAAAA:8 a=AUd_NHdVAAAA:8 a=i0EeH86SAAAA:8 a=xmUNafhd6lKAHtGaHIgA:9 a=jfNWjsY6Fqv2vH6u:21 a=6oluxLdc4AcZMxH5:21 a=CjuIK1q_8ugA:10 a=-RoEEKskQ1sA:10 a=T3wz0T-rhxfyFPLmYl0A:9 a=GDVG_9hhRVaeYIu-:21 a=gx20X-eYy1KLarAA:21 a=PLh_Fdiy6M89ooQr:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <C81B47B7-A9B6-4F2B-9F20-E27BF01C8B15@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_56E047AC-F617-4E22-B475-F17B6D0A7421"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 14 Aug 2020 13:40:18 -0700
In-Reply-To: <BL0PR11MB312275D009055A74A688C083A1400@BL0PR11MB3122.namprd11.prod.outlook.com>
Cc: "Panwei (William)" <william.panwei@huawei.com>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "rats@ietf.org" <rats@ietf.org>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
To: "Eric Voit (evoit)" <evoit=40cisco.com@dmarc.ietf.org>
References: <BL0PR11MB312275D009055A74A688C083A1400@BL0PR11MB3122.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfF96k2xUaMhMfm015XQFbnECtabaADaqW5ANy1m2WCq4r03xC/OBsZ97JtihAh/2xccBr1fqpH22tsnykd9teDkuF/Af0uVVzlE76HgB8WT2bmXR3ZJQ t2k9X3LbKEtCnKrx2AwD3uqttTgF+DU0c7y48zSTz0tBS0bqJhRYvZQH/fca5YdKaG0sm5Aqt82H0x2vBeocwoXAl3w0BL6pu6808dsztwp7VynmwQgWEvhe DsshLReK2p9r4uZiUPPieKoIl4jv4Cp7F6le7tmZ5pgcpRmI2IIfwwD6pbw6aHd2RFGGh+XxGRMI4W0CJ4gCFUj0q3mqbo8Awl2i+Drqw9M=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tkILCJcqx4yXDE2MfbIyZfmpgbo>
Subject: Re: [Rats] Orthogonal: UUID? (was RE: Some new comments for CHARRA YANG module)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 20:40:23 -0000

I would suggest avoiding UUIDs if possible. Nowadays good RNGs are available and you can just use them to generate a nonce or such. Good RNGs were not available commonly in CPUs when UUIDs were invented, but they are now.  If you just want a nonce, then the internal structure of a UUID is of no value and just adds complexity and confusion.

LL

> On Aug 14, 2020, at 12:25 PM, Eric Voit (evoit) <evoit=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi Wei Pan,
>  
> Just slightly related to the question you asked previously, I have a question on the model/tree you sent back (in-line...)
>  
> > From: Panwei, August 14, 2020 6:01 AM
> > To: Eric Voit (evoit) <evoit@cisco.com <mailto:evoit@cisco.com>>; Shwetha Bhandari (shwethab)
> >
> > Hi Eric,
> >
> > Thanks for your reply, please see inline.
> >
> > Regards & Thanks!
> > Wei Pan
> >
> > From: Eric Voit (evoit) [mailto:evoit@cisco.com <mailto:evoit@cisco.com>]
> > Sent: Thursday, August 13, 2020 10:32 PM
> > To: Panwei (William) <william.panwei@huawei.com <mailto:william.panwei@huawei.com>>; Shwetha Bhandari
> > (shwethab) <shwethab@cisco.com <mailto:shwethab@cisco.com>>
> > Cc: rats@ietf.org <mailto:rats@ietf.org>; draft-ietf-rats-yang-tpm-charra@ietf.org <mailto:draft-ietf-rats-yang-tpm-charra@ietf.org>
> > Subject: RE: Some new comments for CHARRA YANG module
> >
> > Hi Wei Pan,
> >
> > From: Panwei (William), August 13, 2020 8:29 AM Hi Eric,
> >
> >
> > 2. The styles of challenge input for TPM1.2 and TPM2.0 are different.
> >       +---x tpm20-challenge-response-attestation {TPM20}?
> >       |  +---w input
> >       |  |  +---w tpm20-attestation-challenge
> >       |  |     +---w nonce-value          binary
> >       |  |     +---w challenge-objects* []
> >       |  |        +---w pcr-list* [TPM2_Algo]
> >       |  |        |  +---w TPM2_Algo        identityref
> >       |  |        |  +---w pcr-index*       tpm:pcr
> >       |  |        +---w TPM2_Algo?          identityref
> >       |  |        +---w (key-identifier)?
> >       |  |        |  +--:(public-key)
> >       |  |        |  |  +---w pub-key-id?   binary
> >       |  |        |  +--:(uuid)
> >       |  |        |     +---w uuid-value?   binary
> >       |  |        +---w tpm-name*           string
> > In the TPM2.0 challenge input, the nonce is put aside and the challenge-objects
> > is a list. So you can challenge for different pcr-lists of different TPMs in one
> > challenge input.
> >       +---x tpm12-challenge-response-attestation {TPM12}?
> >       |  +---w input
> >       |  |  +---w tpm1-attestation-challenge
> >       |  |     +---w pcr-index*              pcr
> >       |  |     +---w nonce-value             binary
> >       |  |     +---w TPM12_Algo?             identityref
> >       |  |     +---w (key-identifier)?
> >       |  |     |  +--:(public-key)
> >       |  |     |  |  +---w pub-key-id?       binary
> >       |  |     |  +--:(TSS_UUID)
> >       |  |     |     +---w TSS_UUID-value
> >       |  |     |        +---w ulTimeLow?       uint32
> >       |  |     |        +---w usTimeMid?       uint16
> >       |  |     |        +---w usTimeHigh?      uint16
> >       |  |     |        +---w bClockSeqHigh?   uint8
> >       |  |     |        +---w bClockSeqLow?    uint8
> >       |  |     |        +---w rgbNode*         uint8
>  
> UUID is represented differently in the TPM1.2 and TPM2 models.   In fact in the TPM1.2 modeling has the UUID broken into constituent parts, none of which are mandatory where other UUID parts exist.  Shwetha told me that the UUID structures originally came from Huawei.    A few questions:
>  
> (1) UUID only appears in RPCs.  It doesn't appear in the datanodes.   Nor does UUID appear in draft-ietf-netconf-keystore.  As a result it is hard to see how it might correspond to a key, at least in an IETF YANG ecosystem.  Is support for UUID really essential?   Why?
>  
> (2) Assuming you really want UUIDs, I am hoping the datatypes can be reconciled between TPM1.2 and TPM2 RPCs.    Is there reason you wouldn't just use the uuid YANG typedef of RFC6991 for both?
>  
> (3) Assuming you really want UUIDs, you need to propose how a UUID might relate to keys within the IETF ecosystem of YANG models.  
>  
> BTW: If you don't need UUIDs, we could always drop them from the model.  (Leaving them to vendor specific augmentations if necessary.)
>  
> Thanks,
> Eric
>  
> >       |  |     +---w add-version?            boolean
> >       |  |     +---w tpm-name*               string
>  
>  
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email