[Rats] Time stamps in tokens
Laurence Lundblade <lgl@island-resort.com> Tue, 10 March 2020 20:26 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2243C3A0CA9 for <rats@ietfa.amsl.com>; Tue, 10 Mar 2020 13:26:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjRf02kMMG9e for <rats@ietfa.amsl.com>; Tue, 10 Mar 2020 13:26:41 -0700 (PDT)
Received: from p3plsmtpa06-05.prod.phx3.secureserver.net (p3plsmtpa06-05.prod.phx3.secureserver.net [173.201.192.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 273093A0C7F for <rats@ietf.org>; Tue, 10 Mar 2020 13:26:41 -0700 (PDT)
Received: from [192.168.1.78] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id BlSajaA5Q0nFvBlSajajHX; Tue, 10 Mar 2020 13:26:40 -0700
X-CMAE-Analysis: v=2.3 cv=eadDgIMH c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=0XtbOteLAAAA:20 a=T37vzS6qiPLK9yS2R7cA:9 a=G7mss7-ENFJi7UmT:21 a=6Ptrt5xIHUTVbXKq:21 a=QEXdDO2ut3YA:10 a=whrhvlVfouyLw_hh:21 a=QJQpVb5qTuKV6JW8:21 a=pGeRbiyE78ev5EHP:21 a=_W_S_7VecoQA:10 a=WQnItmPV2fbdzLaCP6-h:22 a=pHzHmUro8NiASowvMSCR:22 a=Ew2E2A-JSTLzCXPT_086:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7927BB22-1557-4F09-BB8D-B7939337088D"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <C54683D0-C66E-4479-897D-DD9BCF4EC69D@island-resort.com>
Date: Tue, 10 Mar 2020 13:26:40 -0700
To: rats@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfDIuqXpxtveKAVKtk7vCpb9Fx6Ps1Kx8H/BloIdLJ/SOwO9081ucacbM+KADdsyKW+1c4gQ4R0fFjmtIQ6O825dnYQO0zbswO83F3XMDcD3/zaHoZ60g pCxdXhAJ2XIgpu4c98T7DF6G5x2k4W0N/50v2zIM7yB/4n2AwkN0W9+B
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/uaP4IkaW2w1j3n9TFrH4oCaUlNk>
Subject: [Rats] Time stamps in tokens
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 20:26:51 -0000
The issue of time stamps came up in the architecture group. Some discussion is here in GitHub <https://github.com/ietf-rats-wg/architecture/issues/42>. This is a rough proposal for changes to EAT to make it more sophisticated and flexible at handling time stamps. This is not actual normative text yet. Creation time — This is the time that the value for a claim came to be, for example the time a measurement or a sample was taken. This value may be stored for a long time before the Attester collects it. Examples include a GPS sample taken before entering a basement, a SW measurement taken at boot or a SW integrity measurement taken by a run time integrity checker (RTIC). Each claim, or even sub parts of a claim can have its own Creation Time. You could say Creation Time is roughly per-claim. There is no generic means for time stamping a claim, instead the definition of each claim for which Creation Time is important should include a data item for a Creation Time. EAT would add time a stamp to the location claim and for any measurement and integrity check claims. Most of the other claims don’t vary over time. Issued At Time (collection/signing time) — This is the time that a token is created, the time when all the claims are collected and the token is signed. For simplicity, it is assumed that all the claims are collected at the same time and that is the same time that the token is signed. Each submodule may have an Issued At Time. Though it is not expected to be common, this makes submodules a way to group claims that are collected together at a different time. The Creation Time can be absolute or relative. If relative, it is to the Issued At Time and is filled in by the attester when collecting the claims values. The Issued At Time is either absolute or absent, never relative (If we allow it to be relative, we have add the complexity of distinguishing the collection time from the signing time and assume the signing time is the conveyance time as we don’t want any claims that are not signed). The Expiration and Not-Before Time claims typically only go in the Attestation Result, the output of the Verifier, but they may occur in Attestation Evidence too. Like the Issued At Time, they are per submodule and absolute. When they go in the Attestation Result, they represent some recommendation by the Verifier as to the validity period, typically how long until the token is no longer considered trustworthy. It is more meaningful for the Verifier to make this recommendation than for an Attester to claim this about itself. (A time-to-live/expire could be added as a relative expiration time if we want to accommodate Verifiers that don’t know what time it is). Since Issued At, Expiration and Not-Before already exist in CWT, all that is needed is some explanatory text for them. LL
- [Rats] Time stamps in tokens Laurence Lundblade
- Re: [Rats] Time stamps in tokens Thomas Fossati