Re: [Rats] how does the Verifier work
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Sun, 07 February 2021 14:51 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30D783A0FD7 for <rats@ietfa.amsl.com>; Sun, 7 Feb 2021 06:51:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVUq5kiMtDnx for <rats@ietfa.amsl.com>; Sun, 7 Feb 2021 06:51:26 -0800 (PST)
Received: from mail-edgeKA27.fraunhofer.de (mail-edgeka27.fraunhofer.de [153.96.1.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3B2D3A0FCF for <rats@ietf.org>; Sun, 7 Feb 2021 06:51:23 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2G0DwCT/R9g/xoBYJliHQEBAQEJARIBBQUBQIFPgXaBK4FBCgGENoNLhTmIKi0Dml6BLBYdCQsBAQEBAQEBAQEJGA0IAgQBAQOBU4J1AoICASU4EwIQAQEGAQEBAQEGBAIChk4NgnNigQYBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQESAg0iEh4iExIBAR4BAQEDAQEhDwEFMwMbCQIOBAYCAhEVAgInIAIOBgEMBgIBAYMiAYMFBQuSK5wIgTKECDgBE0FEg0SBRIEOKoZ/hkQWEA+BTT+BEScMA4I1Lj6Bf14BAQIBAYEUEgEMBgFgglqCYASBZRVGRCYBAwtABgEBIAINLAsfDA4iQ1gHEQOLMYUUgn6Ha500LAeBa4ESgRgFC4gOjC2GFAUKH5MvBo9tlDKJLoF9lnSBbYELcE0kT4JpCUcXAg2OLReCelSFFIVGcwI1AgYBCQEBAwl8iFSBNAEwYwEB
X-IPAS-Result: A2G0DwCT/R9g/xoBYJliHQEBAQEJARIBBQUBQIFPgXaBK4FBCgGENoNLhTmIKi0Dml6BLBYdCQsBAQEBAQEBAQEJGA0IAgQBAQOBU4J1AoICASU4EwIQAQEGAQEBAQEGBAIChk4NgnNigQYBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQESAg0iEh4iExIBAR4BAQEDAQEhDwEFMwMbCQIOBAYCAhEVAgInIAIOBgEMBgIBAYMiAYMFBQuSK5wIgTKECDgBE0FEg0SBRIEOKoZ/hkQWEA+BTT+BEScMA4I1Lj6Bf14BAQIBAYEUEgEMBgFgglqCYASBZRVGRCYBAwtABgEBIAINLAsfDA4iQ1gHEQOLMYUUgn6Ha500LAeBa4ESgRgFC4gOjC2GFAUKH5MvBo9tlDKJLoF9lnSBbYELcE0kT4JpCUcXAg2OLReCelSFFIVGcwI1AgYBCQEBAwl8iFSBNAEwYwEB
X-IronPort-AV: E=Sophos;i="5.81,160,1610406000"; d="scan'208";a="28794715"
Received: from mail-mtaka26.fraunhofer.de ([153.96.1.26]) by mail-edgeKA27.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Feb 2021 15:51:20 +0100
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BPDwBc/R9g/wpIDI1iHQEBAQEJARIBBQUBQIFPgXY1dlk3MQoBhDaJBIgqCCUDml6BaAsBAwEBAQEBCRgNCAIEAQGBVoJ1AoIAAiU4EwIQAQEFAQEBAgEGBHGFYQ2FcgEBBAEBIQ8BBTMDGwkCDgQGAgIRFQICJyACDgYBDAYCAQGDIgGDCguSLpwIgTKEQAETQUSDRIFEgQ4qhn+GRBYQD4FNP4ERJwwDgjUuPoF/XgEBAgEBgRQSAQwGAWCCWoJgBIFlFUZEJgEDC0AGAQEgAg0sCx8MDiJDWAcRA4sxhRSCfodrnTQsB4FrgRKBGAULiA6MLYYUBQofky8Gj22UMokugX2WdIFtI2dwTSRPgmkJRxcCDY4tF4J6VIUUhUZCMQI1AgYBCQEBAwl8iFSBNAEwYwEB
X-IronPort-AV: E=Sophos;i="5.81,160,1610406000"; d="scan'208";a="105578530"
Received: from ksapp01.sit.fraunhofer.de ([141.12.72.10]) by mail-mtaKA26.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Feb 2021 15:51:18 +0100
Received: from ksapp01.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by ksapp01.sit.fraunhofer.de (Postfix) with ESMTPS id E3A6E80267; Sun, 7 Feb 2021 15:51:17 +0100 (CET)
Received: from [192.168.16.50] (79.206.145.24) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Sun, 7 Feb 2021 15:51:17 +0100
To: Michael Richardson <mcr@sandelman.ca>, rats@ietf.org
References: <31999.1612560697@localhost>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <014d0f63-4350-4a64-8ecd-044a85f5a6fd@sit.fraunhofer.de>
Date: Sun, 07 Feb 2021 15:51:16 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <31999.1612560697@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.206.145.24]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/uc9VQq4gyd7qvkonpD0dy57WjLw>
Subject: Re: [Rats] how does the Verifier work
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2021 14:51:30 -0000
Hi Michael, thank you for putting some attention on this reoccurring pattern that we encountered in discussions a few times. I agree with the notion that the scope of the architecture document now reached its intended limit and it will we be completed with its current content and remaining open issues (aka "closing the mic again"). Anything else will have to go in separate documents. "The architecture of the Verifier" is one prominent thing we should look into next. There are some corresponding and reoccurring requirements we will have to take into account, I think. Maybe it helps if I elaborate a bit on two major topics that came up repeatedly: * Implementing RATS requires some kind of defined management logistics that effectively make Conceptual Messages move around. For Evidence, we have https://datatracker.ietf.org/doc/draft-ietf-rats-yang-tpm-charra/ to take on that task, but there are "other arcs in the diagrams" that point to the Verifier, too. * Shedding some light into how appraisal procedures conducted by Verifiers actually look like will be very useful to implementers. Some experts are already implementing: I'd like to point out this quite open and inclusive effort https://github.com/veraison/veraison as an example that we can build on. My expectation is that some of the presentations at the next (virtual) meeting will touch these topics already and if time permits, maybe we can plan for explicit discussion on these topics. Viele Grüße, Henk On 05.02.21 22:31, Michael Richardson wrote: > > In issue https://github.com/ietf-rats-wg/architecture/issues/210 > and in quite a number of discussions in the design team, we ratholed on > whether or not we were specifiying a normative description of how verifiers > worked. > > In the architecture document we want to specify what goes in to the Verifier > (from the Attester direction!), and what goes out of the Verifier (to the > Replying Party only). > https://www.ietf.org/archive/id/draft-ietf-rats-architecture-09.html#dataflow > > We did not want to specify the other arcs (Endorsements, Appraisal Policy for > Verifiers), but we did need to place some requirements on what was possible. > > For instance, that Evidence would be signed, and that Verifiers could verify > the signature on it. > > The large X diagram at: > https://www.ietf.org/archive/id/draft-ietf-rats-architecture-09.html#name-claims-encoding-formats > > which in many ways started the entire architecture document, remains an > intentional black box from this document. > > It seems that there is a desire among some participants to more clearly > articulate how many (but perhaps not all) Verifiers work. It seems that with > an appropriate initial narrow scope that such a document could be written by > the IETF. For pretty much all the cases of "perhaps not all", then it is > probably the case that the specifics will be very specific to a vertical, and > should be written in that technical consortium outside of the IETF. > > This email is basically the concluding recommendation of the design team: we > aren't going to put this into the architecture document, but we don't object > if someone else wants to write _Architecture of common Verifiers_, or some > equivalently titled document. > > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > > > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] how does the Verifier work Michael Richardson
- [Rats] using symmetric keys in an Endorsement/Ver… Michael Richardson
- Re: [Rats] how does the Verifier work Henk Birkholz
- Re: [Rats] using symmetric keys in an Endorsement… Smith, Ned
- Re: [Rats] using symmetric keys in an Endorsement… Laurence Lundblade
- Re: [Rats] how does the Verifier work Simon Frost
- Re: [Rats] using symmetric keys in an Endorsement… Russ Housley