Re: [Rats] Implementation report
Henk Birkholz <henk.birkholz@ietf.contact> Wed, 21 February 2024 11:11 UTC
Message-ID: <4376cd0f-bd4d-c2dd-4ace-047e05d55677@ietf.contact>
Date: Wed, 21 Feb 2024 12:11:03 +0100
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, rats <rats@ietf.org>, John Schmidt <john.schmidt.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
References: <CAHbuEH6NU0yKDX=qwwf_xauKraejKuDa+5XNY-Q6pVv-i1RKbQ@mail.gmail.com>
From: Henk Birkholz <henk.birkholz@ietf.contact>
Cc: Allan Friedman <allan.friedman@cisa.dhs.gov>
In-Reply-To: <CAHbuEH6NU0yKDX=qwwf_xauKraejKuDa+5XNY-Q6pVv-i1RKbQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/u-KXhnNGR0XOIwNJHnhk7MipyG8>

Hi Kathleen,

thank you for the pointers! Will you be in Brisbane?

Looking at your last link, I am wondering if there are plans for future projects. Say... remote attestation based authenticity assurance in the software supply chain: and I am thinking along the lines of "Trustworthy SBOMs", which would be a scenario that would combine various building blocks and that is definitely still in demand of more standards consolidation.

Because https://learn.cisecurity.org/built-in-security-scale-hardware-support cited https://www.cisa.gov/securebydesign, I am reeling Allan into this reply. So that he is aware that we could do something meaningful here :-)

Best regards,

Henk

On 13.02.24 15:58, Kathleen Moriarty wrote:
> Greetings!
>
> Last year, I introduced my team to RATS work and pulled together a project that was a lead-in to the attestation sets draft, implementing largely what's described in
> https://datatracker.ietf.org/doc/draft-ietf-rats-endorsements/
>
> It took some time to complete due to some hyperscaler environments not having a TPM or access to it from the container orchestration platform or virtual server host. Once we secured an environment where this was possible, through use of the IMA libraries (created for this purpose and previously proven by RedHat), positive results were demonstrated. The objective was to test assurance to CIS Benchmarks as that was my employer at the time. We hope you find this report useful.
>
> https://www.rsaconference.com/Library/blog/automated-assurance-on-a-path-to-becoming-practical
>
> This was done at the same time other team members were researching the prevalence of TPMs and TEEs in infrastructure. The purpose of that work was to signal that hardware support is increasingly available and should be used to ease configuration management and posture assurance capabilities.
>
> https://www.cisecurity.org/insights/white-papers/built-in-security-at-scale-through-hardware-support
>
> The timeline could include more data points; we included key points.
>
> I am copying John Schmidt who did the work. Sean Turner joined the project in September and assisted with key management, application of cryptography, and validation. Thank you both for your great work to successfully implement this PoC!
>
> --
>
> Best regards,
> Kathleen
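The core check behind the TPM + IMA posture assurance Kathleen's report describes is to replay the IMA measurement log into the PCR value it implies and compare that with the value the TPM actually quoted, then match the individual file digests against reference values. The following is an added example written for this archive page, not code from the CIS/RSAC proof of concept or from the RATS drafts. It assumes the ascii_runtime_measurements format Linux IMA writes for the ima-ng template, a SHA-1 PCR-10 bank, and log lines, reference values and a "quoted" PCR that are all constructed for the demonstration. It also handles the edge case a first replay usually trips over: IMA logs a violation (ToMToU / open writers) with an all-zero template hash but extends the PCR with 0xff bytes.

```python
"""Replay a Linux IMA measurement log into the PCR-10 value it implies and
compare it with the PCR value the TPM quoted.

Added example; not code from the proof of concept discussed in the thread.
Assumptions: ascii_runtime_measurements format for the ima-ng template
("PCR template-hash template-name algo:filedata-hash path"), the SHA-1 PCR
bank, and constructed log lines / reference values / quote.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

PCR_SIZE = 20                          # SHA-1 bank: 20-byte PCR
ZERO_PCR = b"\x00" * PCR_SIZE
# On a ToMToU / open-writers violation IMA records an all-zero template hash
# in the log but extends the PCR with 0xff bytes, so a replay that extends
# with the logged zeros will never match the quote.
VIOLATION_DIGEST = b"\xff" * PCR_SIZE


@dataclass
class Entry:
    pcr: int
    template_hash: bytes
    template: str
    algo: str
    filedata_hash: str
    path: str


def parse_line(line: str) -> Entry:
    """Split one ascii_runtime_measurements line (the path may contain spaces)."""
    pcr, thash, template, fhash, path = line.split(maxsplit=4)
    algo, sep, digest = fhash.partition(":")
    if not sep:                        # legacy 'ima' template: bare SHA-1 digest
        algo, digest = "sha1", fhash
    return Entry(int(pcr), bytes.fromhex(thash), template, algo, digest, path)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend semantics for the SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay_pcr(lines: List[str], pcr_index: int = 10) -> bytes:
    """Fold the log into the expected PCR value, applying the violation rule."""
    pcr = ZERO_PCR
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.pcr != pcr_index:
            continue
        digest = VIOLATION_DIGEST if e.template_hash == ZERO_PCR else e.template_hash
        pcr = extend(pcr, digest)
    return pcr


def verify_pcr(lines: List[str], quoted_hex: str) -> bool:
    """True only if the log replays to exactly the quoted PCR value."""
    return hmac.compare_digest(replay_pcr(lines), bytes.fromhex(quoted_hex))


def violations(lines: List[str]) -> List[str]:
    """Paths whose measurement was logged as a violation (zero template hash)."""
    return [e.path for e in map(parse_line, filter(str.strip, lines))
            if e.template_hash == ZERO_PCR]


def unexpected_files(lines: List[str], reference: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, digest) pairs whose file digest does not match the reference value.

    boot_aggregate summarises PCRs 0-7 rather than a file, but it is compared
    like any other path, so it needs a reference value too."""
    out = []
    for e in map(parse_line, filter(str.strip, lines)):
        if e.template_hash == ZERO_PCR:
            continue                   # reported by violations() instead
        seen = f"{e.algo}:{e.filedata_hash}"
        if reference.get(e.path) != seen:
            out.append((e.path, seen))
    return out


# Constructed sample log: the digests are placeholders, not real file hashes.
SAMPLE_LOG = [
    f"10 {'11' * 20} ima-ng sha256:{'aa' * 32} boot_aggregate",
    f"10 {'22' * 20} ima-ng sha256:{'bb' * 32} /usr/bin/bash",
    f"10 {'00' * 20} ima-ng sha256:{'00' * 32} /etc/ssh/sshd_config",  # violation
    f"10 {'33' * 20} ima-ng sha256:{'cc' * 32} /usr/sbin/sshd",
]

# Constructed reference values, playing the part of Reference Values in RATS.
REFERENCE = {
    "boot_aggregate": "sha256:" + "aa" * 32,
    "/usr/bin/bash": "sha256:" + "bb" * 32,
    "/usr/sbin/sshd": "sha256:" + "dd" * 32,   # deliberately differs from the log
}

if __name__ == "__main__":
    quoted = replay_pcr(SAMPLE_LOG).hex()      # stands in for a TPM quote of PCR 10
    print("PCR-10 matches quote:", verify_pcr(SAMPLE_LOG, quoted))
    print("violations:", violations(SAMPLE_LOG))
    print("unexpected:", unexpected_files(SAMPLE_LOG, REFERENCE))
```

In a real deployment the quoted PCR comes from a TPM quote whose signature is checked against the attestation key first; the replay only tells you the log is consistent with the PCR, and the reference comparison tells you whether what ran is what the policy (a CIS Benchmark, in the report's case) expects. A single violation entry invalidates the whole PCR, which is why the violation rule matters more than it looks.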
- [Rats] Implementation report Kathleen Moriarty
- Re: [Rats] Implementation report Henk Birkholz
- Re: [Rats] Implementation report Yogesh Deshpande
- Re: [Rats] Implementation report Laffey, Tom (HPE Aruba)
- Re: [Rats] Implementation report Kathleen Moriarty
- Re: [Rats] Implementation report Tom Jones
- Re: [Rats] Implementation report Friedman, Allan
- Re: [Rats] Implementation report Tom Jones