Re: [Rats] Paul Wouters' No Objection on draft-ietf-rats-architecture-21: (with COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 27 September 2022 12:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/txkRHuvy2T9FQ_iYUnHeOQ9DJbA>

On 2022-09-07 18:00, Paul Wouters via Datatracker wrote:
> #1 Figure 3
> 
> I cannot make sense of Figure 3. I understand the text in Section 3.2, so it
> might not matter. But for instance the figure does not show to me at all that
> the bootloader attested the kernel.
I've spent fifteen minutes wondering how I can make the "Collect Claims" 
arc clearer.  Maybe part of the issue is that the bootloader did not 
attest the kernel.  It didn't check a signature on the kernel, which 
would be secure-boot.  We aren't doing secure-boot, because it's total 
lock-down, and has proven hostile and ineffective over the device lifecycle.

Rather, the bootloader measured the kernel, and it will be the verifier
which will "Attest" the kernel.  Mostly, we try to avoid using the
word "Attest" as a verb.

But, I'd like to improve the diagram if at all possible.
Since it's just a repeat of the elements of Figure 2, I wonder how you 
felt about Figure 2: 
https://www.ietf.org/archive/id/draft-ietf-rats-architecture-21.html#section-3.1-2.1.1
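
Added example (not part of the original message or of draft-ietf-rats-architecture): a Python model of the distinction drawn in the reply, where each boot stage only measures the next one and the verifier later appraises those measurements against reference values. The class and function names, the HMAC standing in for an attestation-key signature, and all sample images and keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: order-sensitive and not reversible."""
    return hashlib.sha256(register + digest).digest()

class Attester:
    def __init__(self, key: bytes):
        self.key, self.register, self.log = key, bytes(32), []

    def measure_and_launch(self, name: str, image: bytes) -> None:
        # Measure only: record the hash, then run the image whatever it is.
        # Checking a signature and refusing to boot would be secure boot.
        digest = hashlib.sha256(image).digest()
        self.register = extend(self.register, digest)
        self.log.append((name, digest))

    def evidence(self, nonce: bytes) -> dict:
        # HMAC stands in for a signature by the attestation key (assumption).
        tag = hmac.new(self.key, nonce + self.register, hashlib.sha256).digest()
        return {"nonce": nonce, "register": self.register,
                "log": list(self.log), "tag": tag}

def appraise(ev: dict, nonce: bytes, key: bytes, reference: dict) -> str:
    """Verifier side: authenticate, replay the log, compare to reference values."""
    want = hmac.new(key, nonce + ev["register"], hashlib.sha256).digest()
    if ev["nonce"] != nonce or not hmac.compare_digest(want, ev["tag"]):
        return "rejected: stale or unauthenticated evidence"
    replayed = bytes(32)
    for _, digest in ev["log"]:
        replayed = extend(replayed, digest)
    if replayed != ev["register"]:
        return "rejected: event log does not match register"
    unknown = [n for n, d in ev["log"] if reference.get(n) != d]
    return "unrecognized: " + ", ".join(unknown) if unknown else "ok"

def boot_and_appraise(kernel: bytes) -> str:
    key = b"constructed-demo-key"                      # constructed sample value
    reference = {"bootloader": hashlib.sha256(b"bootloader v1").digest(),
                 "kernel": hashlib.sha256(b"kernel v1").digest()}
    device = Attester(key)
    device.measure_and_launch("bootloader", b"bootloader v1")  # measured by ROM
    device.measure_and_launch("kernel", kernel)        # measured by bootloader
    nonce = os.urandom(16)
    return appraise(device.evidence(nonce), nonce, key, reference)

if __name__ == "__main__":
    print(boot_and_appraise(b"kernel v1"))
    print(boot_and_appraise(b"kernel v1 + local patch"))
```

The modified kernel still boots in this model; the difference shows up only in the verifier's result, which the relying party can then act on.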