Re: [Rats] Function of an endorsement relative to evidence

"Smith, Ned" <ned.smith@intel.com> Mon, 06 June 2022 17:27 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D66DC14CF01 for <rats@ietfa.amsl.com>; Mon, 6 Jun 2022 10:27:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.852
X-Spam-Level:
X-Spam-Status: No, score=-2.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.745, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WMW-J-vGZAFY for <rats@ietfa.amsl.com>; Mon, 6 Jun 2022 10:27:28 -0700 (PDT)
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E26AC14F739 for <rats@ietf.org>; Mon, 6 Jun 2022 10:27:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1654536448; x=1686072448; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=vo6cw2YzXOiDV6+9ouM7rnNWO5pbh2v7uR9oFo1ipUI=; b=UigwlN+q/4Rwjz6jLkBq4KX3mM5Irx4Jpis5ZAgpwSmY2JVick2fuGE6 e5v92cg3ct9X5oYxfywuCrHxcb1o6u/Y5DxSYTLyda4ljxYginVTeaI4I y7QrsWJzZB1yVKaKlnRH18XNI7u+r7hpOpNnYR90vqpTaljBDCC13AZv5 jgJSrS24xS/dXSOizioMIGETqS82by3mlKVKmM0Kp3gFxEIoxYXcE8B7C zSadWMKLBPJRvRQM1YcscsRpPgs46LhT7wo3oIRz9gXVDTlO4bAhLFp5b +0Bx7E7hD+26ULAuoTAxMesgjSCxUjJkfFHgrOLP06URERVsNDsunpZUH g==;
X-IronPort-AV: E=McAfee;i="6400,9594,10370"; a="275450551"
X-IronPort-AV: E=Sophos;i="5.91,280,1647327600"; d="scan'208";a="275450551"
Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Jun 2022 10:27:13 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.91,280,1647327600"; d="scan'208";a="647644662"
Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16]) by fmsmga004.fm.intel.com with ESMTP; 06 Jun 2022 10:27:13 -0700
Received: from orsmsx608.amr.corp.intel.com (10.22.229.21) by ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27; Mon, 6 Jun 2022 10:27:13 -0700
Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX608.amr.corp.intel.com (10.22.229.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27; Mon, 6 Jun 2022 10:27:13 -0700
Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27 via Frontend Transport; Mon, 6 Jun 2022 10:27:13 -0700
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (104.47.57.176) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.27; Mon, 6 Jun 2022 10:27:13 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OdoICnDWDUpVAYO3XrXDW3U4zZsXEEc3dnDpPmHrjsgi0SighEU4lNZyX7MRzvLbaUvoDR4Zqbauhy+uSrdNESomeps8Lj28LtrkrjD2KpifA9CODDxgJTAxsqC4REmbsuOMGfmIEHDETw+94mFy+5C3g+pRlL1yZxLPxcrImXLsfg38ve79zJIqMzPoW2LOrKwTXXgP7Nb42VNMb7xd4V3OU8LcL9KtAVV6elzFXQbbx0a1XSqEu/FpZiPqg0gKg4HVBlsE82lIh0O5OJeGaWWtYOIkif+IxPFKnJZt6z0LiHarynaIhk5lUrnB1IfJSAaR4/ZGB/8v/XnWzVRZZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vo6cw2YzXOiDV6+9ouM7rnNWO5pbh2v7uR9oFo1ipUI=; b=j1QXRMXTqcFojO31DeC8MgsPHs0RAPZdglpVDjvgdT7gJVbmx7TNjzDhvzbZuvP+BmoKdSz+EXw1ZW8Uj0w6iVVA4swbYcEY8feoWyO9rb8t/xIp/pls21f14BMbMebcWRR1Xi3PWrNKAH98WvY/gMceaMK8r/23ZuBrVR73aKm4NoVQyn/2yla/KaPBYebmcqep0PCbGnSI6YuWls7VYhtTqGyzq6YpHmxqWR8RnDd5NKqc0E2gaboUjR+2kVaHN+C1f+Q+/zsCVbZfh+ry1RPu2impQvlN4/Ig+otdDu+X5ZYOJbUVo8SQqj9BCHYWIUSRDKH8Mmqm4bFfWjkZsg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by CY5PR11MB6389.namprd11.prod.outlook.com (2603:10b6:930:3a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5314.18; Mon, 6 Jun 2022 17:27:11 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::5dfe:31c7:a62a:d8b8]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::5dfe:31c7:a62a:d8b8%3]) with mapi id 15.20.5314.019; Mon, 6 Jun 2022 17:27:11 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>, rats <rats@ietf.org>
Thread-Topic: [Rats] Function of an endorsement relative to evidence
Thread-Index: AQHYeFhidL6A4/frnEeYUPzyIMnDtq1CL0WA
Date: Mon, 06 Jun 2022 17:27:11 +0000
Message-ID: <0094B7EC-B2C8-4497-B882-3A521049B280@intel.com>
References: <6F919543-37BA-484B-AA7E-BAC3497EB125@island-resort.com>
In-Reply-To: <6F919543-37BA-484B-AA7E-BAC3497EB125@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.61.22050700
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: acfb4e2f-b9b5-4a26-3e67-08da47e1ca5f
x-ms-traffictypediagnostic: CY5PR11MB6389:EE_
x-microsoft-antispam-prvs: <CY5PR11MB63894E1E6D729577332A1B06E5A29@CY5PR11MB6389.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UcEG5U+vyJBNiUKOMIYIAwOtAM0VO0bM2GnTBrlbktQfVGQMvkZNMDRxX+L74gP77oXZFbk/rz3u6XNAsFbCtm4XxoXNh5XGiodUsHZ2uw9gm230hTCc2VqmGWVLW1GKHkWegtUaY6nl4ARTarYe1ZdEfwNcVmrjorsjph6FwzM2pPNq0XKMWLhxYCAHuo/58LqiAZ1CxVbdOwsuXUDCBFJWha2omTwANucL9cD8fKbOBOo5wSgrrIBDW7kc9vZoy7a/YHxYwmaOITgTLdizLZkfxaF3UC/WXUdUkMIFnqP54uzXC8sqtH5X+BI2iZ5jjQosyIornxlG62jVCxnxjqF62bmHF44VZPZFdL5iqGQvLXQutvAVNwwhjpNROdTEdm137i96G29Xy5H4lI0VUZFZwduaQyxgas58yFQ9HIqUKwM0yzclu5Ok1mmnEtUpMv7o+zB5bVPpa7s1OpLhTrU/D64UmGpozu5XR2egfih7U1Wbh0CdMAxMP8sHMzJyVEwqiUFM2F76SApkZKr/caLvbtRYeoYvzLAcbWmPxnkfBsGKGG7Ho0/MFsgEDnKcBzVUyYyRBThbk/f6whPfpdMevgExABCADrNinGbwg3aTfFl2EiK2nOtwcmtk9SehWPsR4769U/KR03gVz6W2MzveJMsAUfKp5o+qAKgnH+X3kdObfOolEaUvF/4gystDzhELm9rh8/cE01B4g9B2k7QAUxkQOLOBYdVcPdQTpP3JdH196exO2XEJARs5GS/lFTyoo2ZrQl71569nblFI6XnD8SsL054+wn9kFt1fKr8is6DDJz9aNq4mf9tl2qwB
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(33656002)(2906002)(2616005)(122000001)(6506007)(966005)(6486002)(6512007)(508600001)(5660300002)(26005)(64756008)(66946007)(66476007)(76116006)(66556008)(66446008)(8676002)(83380400001)(71200400001)(82960400001)(110136005)(8936002)(316002)(38100700002)(38070700005)(86362001)(36756003)(186003)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DRcO/NB0HjFpRaChfVJ/Wza4qVDOZxnAuRnweCGNupLtGJD1rO1kwVZaRTac+OsYAr53brACUU70xcSA8WSs9H0PeehdE7tv2T5W7ed/8s298moACquiHOV9AEbEboElY9zVFlqZzBFn36ExaqmL2luZXikBZRUaHkR+pNlY7MJ6DXkho341pdBSQ60ZFfRi2b/+k+aAEZaCBjWkWJ5Fw5xHQBJ61XOGUPQRGalw7jVgrbm9R6z5TPPm7Rj+sb7z+TZAfk2WmxySwNf64RStpFG+iyQBwZkFub995tDR/kXgBiHJNjUNE6SNlBZu6mdgrpD65TJlhUSaKW9M9GOJVRs/m1yY6qb2EJq11htu1pgD7pkGjIzu58fPHvG1iYeDWLqnMT+14L8y1Cgllj/N9UTpUkEO2gaWZOrmBGhokvDi4/MFIup5GkFozx4DzNFUvQaX8SaZMCZRVABsdQ6z/n0L8jqeP3xbiUmsCmvpx8OcT4apQoMgIgBePvPGCXGzOC2K9n5QspQVvzfrAfE5JkyNnhNxqdfLyx9cTYxE4c54tFHM/WCsL8s/Gx5UJvOzFVCUWpKdRZIOcMqJ6/4nF3WPBeP8I8OMkk9GsOhoo1Nt1ci2bF5kKOJ1r842c8S4z+mxJR52O0sKWtAdouOdM73mejWESgVX1GNIMxh08+kX9IfTlD4/QVgOXkZlifOhdkxgRQM1X11Najx6TdLmimF+2RQsIMoq78eiZtuil/KvZ/OLj0sMz0j2XttmNBhXMAT4BeHRuqayr9PCTNjba/ZXT49iPym0+Rr6d7rwwP+RJsllNR93EatsLTbFLdn6IhNOA3fAplY+lxfm3x0McYb0LFhiEX0ri0AmYKLlcnbcEWt0xRYD1L7gXjpzTL1E/DDXNyaGqaZTWexEE0Za83L4mmGIPpKZV19OO/UGw287LQzVB5xre0FMsy8jLSnrGtwt9xA+mJoe0eCOo20mt59ujdRbyKhou25ZQdnCGxvT9yQ3TPPI9EyfI4/DzxAyWT48s//e570YOSKOB6lMVb1seHujCEmGskhC//LZ/KC1Yki9cc4tN7ko7o7wiRV+t/iNlxLeOJHADySItkCQtu7TIxDr2Gdrt71P0nNvMPKn62ihBL5OZO0fn89E9VeKS3eaMfrQu+GapvFP6eVRP5+GYvwMPPg4uIwiUCKlARDxXwlREj8PngZl4TK3/OVXBjsU50JEGNoU3Se9PQ69jIWUWXUMu4SUYsfhAIovK8beYlW4EmVTpT+Dk8Zp0IyGR7foz4XoabcB0XG2VZzaWk6D0VkC7qwHcKHaGUTtvAPH7IuNPJPKwKZolHulZWzP6QfMKBH7QIkiB7eI4Oj047BrX5WN8UCh/XhzeSmvkxKAxxrd/mrDY39TxCo0CpTAjKwyOs03bVu3dXG4CQFEPHQniFI1BzwjYvggNeNl3d0NyJGWJ7P99/rHdB6HDyYs1lhawqY/dhraZDUBrWcNdeHeMVfarV6J04lHOzTYoUOpCL/U7EV4ZVb7G71YoTELtL9WpqW37A9vNrs7w5oSzw1sBG5/rPKy2A9FzaDEOuAvlofO12T46rLXD+Cjx9qxXVvaI+Bd68G5ErfeY125W1ljJ2FZbiLLm/s7nWskZ14ZoFAl1vb+Z3peau96FYP4QwGqycJg85Ln34ouSbqm82f8opWhlaQVceiTkwvH1mrD6mDPL/8wDW/rtiMiV5EmQ+c4AoKzXxPCfRssNMepAQ==
Content-Type: text/plain; charset="utf-8"
Content-ID: <D8678562E816404D8D9CEC3027C570B4@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: acfb4e2f-b9b5-4a26-3e67-08da47e1ca5f
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jun 2022 17:27:11.4331 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: gC7r2VGvLCAYfaZctUUUnHYBvqEht+mW0f7pdP5qXgjve3lUMABeev26z15mKY021spz4Yr/XVxBtp64h2R37Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR11MB6389
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/u2IOrsGuuUpuK_1s2nkPyhNYpLg>
Subject: Re: [Rats] Function of an endorsement relative to evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2022 17:27:32 -0000

> The fundamental purpose of an Endorsement is to tell the Verifier that they can believe what they get in Evidence. 

The RATS Architecture defines Endorsement according to [1] and Reference Values according to [2]. The statement above seems misleading since Evidence is believed based on how it matches with Reference Values. Endorsements describe the intrinsic properties that are not surmisable by an Attesting Environment.

For security-level claim asserted as Evidence to make sense, the claims collection capability of the Attesting Environment must be able to assess the security-level of the Target Environment. According to [3], the Attesting Environment relationship to the Target Environment is already anticipated to be reliable. Hence, security-level claims must apply to the *type* of Target Environment being assessed. The primary question is whether or not such an assessment mechanism has been built into an Attesting Environment (or reasonably can be). 

The security-level criteria are 'unrestricted', 'restricted' (as defined by the FIDO spec), and 'hardware'. The 'unrestricted' level reasonably applies if the Attesting Environment can't surmise the hardening properties of the TE. It is likely to apply to at least some portion of the Attester if the entire Attester is attested. The Reference Value is likely to be 'unrestricted' given the reported value is supposed to be the weakest link security level. 

The FIDO spec 'restricted' list names various TEE technologies including TrustZone, SGX, TEEs with a GP protection profile (though certification to the profile doesn't appear to be a requirement?), virtualization technology, Windows10 virtualization technology (unclear if this means SW only or SW + HW), security co-processors, TPMs and Secure Elements. The other category is 'hardware' which EAT references TPM and Secure Elements. This seems like a problem since TPM and SE are in both the 'restricted' and the 'hardware' categories. Additionally, environments such as SGX, TrustZone, and some virtual environments are implemented using hardware, so it is unclear why these should not be categorized as 'hardware'. 

The TCG defines a TPM as an interface. This means a TPM could be implemented in software, firmware or hardware. Aside from the apparent contradiction that the FIDO restricted environments list includes TPM and Secure Elements, it isn't obvious how an Attesting Environment can be certain the hardening properties of the Target Environment with any confidence greater than 'unrestricted'. The EAT spec indicates that the weakest link determines the actual security level. Hence, if any part of the Attester is 'unrestricted' then the claim in Evidence should be set to unrestricted. Following this guidance, it seems a large majority of Attesters should report unrestricted in Evidence. 

Given EAT claims may also be supplied as Endorsements. The manufacturer might be better able to assess the properties of the Target Environments based on the manufacturing processes / people familiar with the environment. Hence, it is possible, for a given Target Environment, the security-level claim asserted as Endorsements will disagree with security-level claims asserted as Evidence.

This creates a scenario where the Endorsements security-level may be different from that of Reference Values/Evidence. The Verifier must decide how to proceed given apparent contradictory information. 

Possibly, given the FIDO context, the apparent contradictory conditions can be explained? But if so, would it make sense for FIDO to do so in the context of that group defining a security-level claim? 

-Ned

[1]"An Endorsement is a secure statement that some entity (e.g., a
   manufacturer) vouches for the integrity of the device's various
   capabilities such as claims collection, signing, launching code,
   transitioning to other environments, storing secrets, and more."

[2]"Reference Values used in appraisal procedures come from a Reference
   Value Provider and are then used by the Verifier to compare to
   Evidence."

[3]"An arbitrary execution environment may not, by default, be capable of
   Claims collection for a given Target Environment.  Execution
   environments that are designed specifically to be capable of Claims
   collection are referred to in this document as Attesting
   Environments."

On 6/4/22, 2:16 PM, "RATS on behalf of Laurence Lundblade" <rats-bounces@ietf.org on behalf of lgl@island-resort.com> wrote:

    This is a step back for framing for the security-level discussion.

    The fundamental purpose of an Endorsement is to tell the Verifier that they can believe what they get in Evidence. There may be some varying degree here from claim to claim and device to device, but the basic  principle always holds.

    Assuming for the sake or argument here that the Attester Manufacturer and Endorser are the same, it goes like this. The Endorser/AttesterManufacturer only puts private keys into devices that it knows are built correctly. They won’t lie. They’ll protect their keys. They produce correct claims. This really is the fundamental work of the Endorser/AttesterManufacturer above all else.

     For example, maker of a device with a TPM selects a good TPM and also carefully writes the boot code that does the measurement. They make sure that the devices that the TPM is soldered into always has the good boot code. Then they publish the public keys supplied with the TPM to the Verifier so it knows it can trust the measurements.

    In the TPM world, you can’t really have the Attester send much more than PCRs in Evidence, but in the non-TPM world, lots of stuff can go into Evidence.

    Tell me if you disagree with this!


    By all that, Evidence can be a parallel channel for the Endorser/AttesterManufacturer to convey claims to the Verifier.

    The Endorsement can mean “believe all the Evidence from this Attester”. (It might always not be all the Evidence, but it will always be some of the Evidence).

    By this it is entirely reasonable for security-level to be transmitted either as an Endorsement or in Evidence.


    I think there is also room for security-level in Evidence in composite device attestation. One Attester may have a good way to evaluate the security-level of a subsystem, perhaps a subsystem that varies from device to device.

    LL

    _______________________________________________
    RATS mailing list
    RATS@ietf.org
    https://www.ietf.org/mailman/listinfo/rats