Re: [Rats] looking for better terms -- request for bike shed discussion

[Laurence Lundblade <lgl@island-resort.com>]

i think term “target”, perhaps short for “target (attested) environment”, holds up no matter how we define attester and is easier to use and better than “attested environment”.

For “attester” I see two choices.

1) Refers to the aggregate

What Panwei and Net are leaning towards in this thread. There would be by definition, one attester per device.

An attester could be made up of a number of “sub-attesters” (or attesting environments) plus maybe some on-device verifiers depending on daisy-chaining design. One attester could be made by many OEMs.


2) Refers to smallest functional attestation block

This is the way I used it in my text. There can be many attesters in a device.

I propose we use the term “aggregate attester” or “whole-device attester” to refer to the combination of the (atomic) attesters.


I prefer 2). I think it is cleaner and is easier to understand, particularly for people first learning about attestation. I think it makes my single paragraph description clean. I think we will want to refer to the atomic attester much more often than the aggregate attester. It keeps the simple case simple; you only incur complexity when you have a complex use case.

I think the definition of a device is going to cause some trouble with 1). Is the device a car, or is it the entertainment box, the motor control…? Is the device the router card or the router?

I like the association of one signing key per attester, rather than an attester having a lot of signing keys from different manufacturers.

In certification, I think the atomic attester would be the thing you’d certify, particularly if you were doing common criterion. It would be much harder, maybe impossible, to certify the aggregate.


Here’s a comment Ned made that I’m confused about:
>> For example, the TA might be the thing that signs the conveyance protocol
>> frames and delivers the cert chain to the Verifier. However, it (the TA) isn't an
>> "attesting environment" it only ever is a "target environment”.

What is “signing conveyance protocol frames”? It kind of sounds like TLS or IPsec. If that’s it, then I’d call that conveyance protocol and say that is incidental to attestation architecture.

I think of all signing in RATS as attesting, so if this is signing a token, then it would make the TA an attester.

LL





> On Jan 9, 2020, at 6:08 AM, Panwei (William) <william.panwei@huawei.com> wrote:
> 
> I agree with Ned, "attester" should be the device/endpoint.
> 
> I'd like to try to use this idea to explain the confusing terms appeared in my composite device PR. I'll use the router to be the example. 
> 
> A router consists of several slots: one main control slot and some line-processing or feature-processing slots. Each slot has a TPM and a CPU and can do the measured boot within this slot. Therefore the remote attestation of the router should consider verifying all the slots.
> The router is the "attester". For each slot in the router, it has an "attesting environment" (Root of Trust for Measurement) and several "target environment" (TPM, bootloader, OS, etc.), and this "attesting env" produces a set of "claims" about these "target env". 
> 
> One traditional method of doing remote attestation for this router may be the main control slot collects each set of "claims" which are separately produced by each slot, and puts all the "claims" together to be the "evidence" of the whole "attester" (maybe here some other operations like signature are also needed), then conveys the "evidence" to the "verifier" (only the main control slot can communicate with the verifier).
> 
> My PR (https://github.com/ietf-rats-wg/architecture/pull/13) wants to consider another method. The main difference is: after collecting all the "claims", the main control slot (the "attesting env" in it) can verify the "claims" of other slots and produces a different set of "claims" about the verification results, then it combines the original "claims" of its own and "claims" of the verification results of other slots to produce the "evidence".
> 
> So the "leader and subordinate units" are the slots of the router. The "attestation result of subordinate units" is just some sets of "claims" of the "Evidence of the Attester".
> 
>> -----Original Message-----
>> From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Smith, Ned
>> Sent: Thursday, January 9, 2020 9:34 AM
>> To: Dave Thaler <dthaler@microsoft.com>; Michael Richardson
>> <mcr@sandelman.ca>; Laurence Lundblade <lgl@island-resort.com>
>> Cc: rats@ietf.org; "Schönwälder, Jürgen"
>> <J.Schoenwaelder@jacobs-university.de>
>> Subject: Re: [Rats] looking for better terms -- request for bike shed
>> discussion
>> 
>> Equating the "attester" with an "attesting environment" may be fallacious.
>> For example, the TA might be the thing that signs the conveyance protocol
>> frames and delivers the cert chain to the Verifier. However, it (the TA) isn't an
>> "attesting environment" it only ever is a "target environment".
>> 
>> The Verifier MUST(?) detect the DICE layering convention and walk the
>> graph back to the original (root) "attesting environment". Even with DICE
>> layering, there is still only a single "device" (endpoint) that the RATS Role
>> will call "Attester" and it consists of multiple "attesting environments" and
>> multiple "target environments" where some of these are both an "attesting"
>> and a "target" environment during its lifetime.
>> 
>> It may be incorrect to say that the TA is the RATS "Attester" because the
>> Attester is supposed to be a pledge that can prove it is a trustworthy
>> endpoint to the Verifer. The endpoint isn't just the TA, it is the chain of
>> things that anchors it to the first "attesting environment".
>> 
>> The root/anchor "attesting" environment relies on its mfg to establish trust
>> using a mfg issued certificate that vouches for the process that
>> manufactured it and likely issues an identity credential (IDevID). The IDevID
>> allows the Verifier to disambiguate which of possibly multiple instances of
>> Attesters it is talking to currently.
>> 
>> It seems reasonable that an EAT submod structure can be used to represent
>> DICE layering (so could an X.509 certificate chain). However, a submod
>> could also describe other relationships / decompositions of a
>> multi-component endpoint. For example, if the OP-TEE consisted of
>> multiple chips then there could be multiple vendors, part numbers etc.. and
>> therefore multiple submods where all of them (likely) are "target
>> environments".
>> 
>> DICE layering comprehends hierarchies too. If one of the OPTEE sub
>> components had DICE capabilities it could become an "attesting
>> environment" to one of the OPTEE chips (branches). But this more complex
>> thing is still dependent on its path to the anchor/root "attesting
>> environment" so it can't (in isolation) claim to be the "attester".
>> 
>> If the TEE was an SGX instead of an OPTEE, then the anchor "attesting
>> environment" is SGX uCode rather than HW --> Trusted FW. The SGX
>> "attesting" and "target" environments are orthogonal to the non-SGX
>> "attesting" and "target" environments, but nevertheless part of an IA
>> "device". It is possible therefore to have multiple "Attesters" in the same
>> SGX-capable "device".
>> 
>> -Ned
>> 
>> On 1/8/20, 4:02 PM, "Dave Thaler" <dthaler@microsoft.com> wrote:
>> 
>>    I don't think I have any problems with Laurence's terminology but just
>> to test it...
>> 
>>    We have devices running Trusted Apps on OP-TEE over trusted
>> firmware on an ARM TrustZone processor.
>>    The full evidence is a DICE cert chain that has a set of claims for each
>> cert in the chain, where each layer is an attesting environment for the
>> subsequent layer (attested environment):
>>    	Hardware -> Trusted Firmware -> OP-TEE -> TA
>>    Thus there are four claim sets in a chain.
>> 
>>    Using Laurence's terminology, I believe the suggestion is that attesting
>> environment is an "attester" and an attested environment is a "target".
>> Thus the example above has 3 attesters (Hardware, TFW, and OP-TEE), and 4
>> targets (HW where target == attester, TFW, OP-TEE, and TA).
>> 
>>    Are you ok with saying that every claimset in a chain is from a separate
>> "attester"?   I believe this is different from our current definition of
>> Attester (which is the thing that sends the whole chain to a verifier), so want
>> to confirm.
>> 
>>    Dave
>> 
>>    -----Original Message-----
>>    From: RATS <rats-bounces@ietf.org> On Behalf Of Michael Richardson
>>    Sent: Wednesday, January 8, 2020 11:35 AM
>>    To: Laurence Lundblade <lgl@island-resort.com>
>>    Cc: =?utf-8?B?IlNjaMO2bnfDpGxkZXIsIErDvHJnZW4i?=
>> <J.Schoenwaelder@jacobs-university.de>; Smith, Ned
>> <ned.smith@intel.com>; rats@ietf.org
>>    Subject: Re: [Rats] looking for better terms -- request for bike shed
>> discussion
>> 
>> 
>>    Thank you for this very nice text. I rather like it.
>> 
>>    Laurence Lundblade <lgl@island-resort.com> wrote:
>>> Here’s some rough text:
>> 
>>> Conceptually, the “attester” produces a set of “claims” about a
>> “target”.
>>> The claims are known as “attestation evidence” and are sent to
>> the
>>> “verifier”. The verifier additionally takes in “endorsements”,
>> processes
>>> the attestation evidence and produces the “attestation result” for
>> the
>>> final consumer, the “relying party”.
>> 
>> 
>>> This description left conceptual for easy understanding and
>> discussion.
>>> Actual implementations are usually more complex in at least one
>> or more
>>> of these ways:
>> 
>> 
>> 
>>> * The attester is also the target
>> 
>> 
>>> * One attester produces claims about several targets
>> (submodules)
>> 
>> 
>>> * The verifier and the relying party are the same
>>> * Claims may be simple or complex, many or few
>>> * Some claims are measurements and some are not
>>> * Some claims in in the attestation evidence may be simply
>> passed
>>> through the verifier, others may be heavily processed.
>>> * Daisy chaining -- the evidence from one attester goes through
>> a
>>> verifier producing results which are taken as claims that are input
>>> to another attester that outputs a different set of evidence that
>>> goes on through a different verifier.
>>> * Daisy chaining may happen on the device producing the
>> attestations
>>> or in the infrastructure evaluating the device or both.
>> 
>> 
>>> (Next I’d write a plethoras of simple examples for attester, target,
>>> claims… assuming only the simplest implementation that maps
>> to the
>>> conceptual description )
>> 
>> 
>> 
>> 
>> 
>> 
>>> I am starting to prefer the basic conceptual / abstract description
>> over one
>>> that is inherently mappable to every possible.
>> 
>>> LL
>> 
>>    _______________________________________________
>>    RATS mailing list
>>    RATS@ietf.org
>> 
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww
>> w.ietf.org%2Fmailman%2Flistinfo%2Frats&amp;data=02%7C01%7Cdthaler
>> %40microsoft.com%7Cb7301d9b535a436003db08d79471dc41%7C72f988b
>> f86f141af91ab2d7cd011db47%7C1%7C0%7C637141089066538773&amp;s
>> data=fynNh%2FKEJgaGj1fQNwQYBjdgxQE5XUFl%2BeyA0nOkpJs%3D&am
>> p;reserved=0
>> 
>> 
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats