IETF Logo Mail Archive

Re: [Rats] Minimizing the Attestation Results objects which can represent overall Attester trustworthiness

"Eric Voit (evoit)" <evoit@cisco.com> Mon, 16 August 2021 21:54 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F2A33A1655 for <rats@ietfa.amsl.com>; Mon, 16 Aug 2021 14:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.098
X-Spam-Level:
X-Spam-Status: No, score=-10.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=U7OEeSkw; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=lQRjmP7e
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGX68f-quo7v for <rats@ietfa.amsl.com>; Mon, 16 Aug 2021 14:54:03 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66F113A1631 for <rats@ietf.org>; Mon, 16 Aug 2021 14:54:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12845; q=dns/txt; s=iport; t=1629150843; x=1630360443; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=fUtwCroIhloSgCWWoyACQvqczVbw3J5vT4zcdhYqs2k=; b=U7OEeSkwOsLgEc6gJ2M7R/Z1LiUI/4Z8zaqhuYzhaWXtxQR9QflHkfVN qurILJZGx5d0bRBiB9MQTnCQzAEVwxJpJp5YVna3wZDFi7Q7CGqtH4ZhR 7tsEkI3bCIZaO+i2ay5XyFky92lI7UtDKuNpHN29l4sEqo0WXJpwq7/Sj o=;
X-Files: smime.p7s : 3975
IronPort-PHdr: A9a23:170jzxTdBb2m7So5mh2B1cepxdpso1PLVj580XJvo6lPbuKt5Z3/OkzY6/h3ylPEDs3X6PNB3uzRta2oGWkN+o2Iv31KdptQHwQEhsMbk01FYoaFBET3IeSsY3k8G8JPB0Rk4ze1K0FIHsb5aVDI5HG/vnYeHxzlPl9zIeL4UofZk8Ww0bW0/JveBmcAhDe0bb5oahusqgCEvcgNiowkIaE0mXP0
IronPort-HdrOrdr: A9a23:CRbtaKHR9wMR3DIbpLqFSpHXdLJyesId70hD6qkvc31om52j+fxGws516fatskdvZJkh8erwX5VoMkmsi6KdgLNhfItKOTOHhILGFvAY0WKP+UyEJ8S6zJ8g6U4CSdk/NDSTNykBsS+S2mDReLxMrKjlgcKVbKXlvgpQpGpRGsddBnJCe36m+zpNNXB77PQCZf6hz/sCgwDlVWUcb8y9CHVAdfPEvcf3mJXvZgNDLwI76SGV5AnYq4LSIly95FMzQjlPybAt/SzuiAri/JiutPm911v1y3LT1ZJLg9Hso+EzRvBky/JlbwkEuDzYI7iJaIfy+gzdZ9vfsWrCpeO85yvI+f4Ds085MFvF+icFkDOQoQrGo0WSuWNwx0GT+/AQgFkBepZ8bUUzSGqF16NohqAO7Itbm22erJZZFhXGgWD04MXJTQhjkg6urWMlivN7tQ0TbWIyUs4bkWUkxjIeLH7AJlOM1Kk3VO11SM3M7vdfdl2XK3jfo2l02dSpGnA+BA2PTEQOstGcl2E+pgE382IIgMgE2nsQ/pM0TJdJo+zCL6RzjblLCssbd7h0CusNSda+TmbNXRXPOmSPJkmPLtBKB1vd75rspLkl7uCjf5IFiJM0hZTaSVtd8XU/fkr/YPf+lKGjMiq9CVlVeA6dhP22y6IJz4EUdYCbRxFrEmpe4fdIi89vdvHmZw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AHCwAO3Rph/5xdJa1aHQEBAQEJARIBBQUBQIFZgVNRB4EjLjcxiA8DhTmIaQOPcYpJglMDVAQHAQEBCgMBAUEEAQGBbIJ1AoJuAiU4EwECBAEBARIBAQUBAQECAQYEgREThWgNhkIBAQEBAgESLgEBNwEECwIBCBUDIwsCMCUBAQQBDQ0GBg6CUIF+VwMOERABmy8BgToCih94gTOBAYIHAQEGBASFLhiCLQcJgTqBU4ErhnuDehcQHIFJRIEVQ4IyMD6ERhWDNoIug0EJbA5gQwuBChomBgIRSQUGCSSRL44gnXsKgyiFP4MIliQSpnWWEaAZBBuEZAIEAgQFAg4BAQaBdySBWXAVO4JpUBkOjiAMFhWDO4pdAXM4AgYBCgEBAwmJdQEB
X-IronPort-AV: E=Sophos;i="5.84,327,1620691200"; d="p7s'?scan'208";a="920024211"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 16 Aug 2021 21:54:00 +0000
Received: from mail.cisco.com (xbe-aln-003.cisco.com [173.36.7.18]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 17GLs0Sb002525 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Mon, 16 Aug 2021 21:54:00 GMT
Received: from xfe-rtp-001.cisco.com (64.101.210.231) by xbe-aln-003.cisco.com (173.36.7.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 16 Aug 2021 16:54:00 -0500
Received: from xfe-aln-003.cisco.com (173.37.135.123) by xfe-rtp-001.cisco.com (64.101.210.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 16 Aug 2021 17:53:59 -0400
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-003.cisco.com (173.37.135.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Mon, 16 Aug 2021 16:53:59 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=b1WmOf316Ly8IySIxic16HlpprBGy3jJvIImoEE1RELPLRKVpwPOVnpzC0bhxR2aK69c29mf+q63WAc1ni6RCHCjWNxj1A40EChaIKSutzOWucRPo/L3gOp8lKthNt+KLsDqGWqzGrvghMJ33MSiFIFeoAHZlGdO+GGWjNguE+ESvSkX76ZvTCdof517i6piawWDZZ6E+s1JKmMo8jrZqXzgvMFUbiRNKqTc8IPmOeNtBQ7YHz0s0NWGJiajEwgoOqAehzqqOk32Zom/j8sQUkb6bVs9fpB2bsvOeOSHXmT/dW557NC0x5QOmwRm1t4DKvzOAZ+K7tMqSqZxCv8bAQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yQ66Z/TqXnfNzTD0+OPe5AsF8eTGPZVVK/Dd9WFnCgA=; b=DOj+GvgmdhXpHEcyVNXAHwfRlPtldv+Yi34seE7+Nv3IljBhK5m9y+H4MCXJs4D1ZdqVElEqH29cFaJnJ3AHgBihIgd6kN/NKUM1xcaDfRVn7Z8LdJcZRNvRyg8fQ3BwU1e1k+jTUqlM/U4AoXJvHNXl7O39lD8u4wmjbiijEsFuu4OcaBzGGookSmtUISsRhDy1JJ9rniw/RowuqRqKZ6I8pzHjb9kUnkqPHR/4j+uG5NuI/lgvnVuM/YEuZFeVOfIAOtNyCmOHuBZ9LXs9/5CBCyVwTUIp4GvYW7AbK8e54C1NxWYc7kvcomKKrh/ZqoEOIBs2aQvW6wR4ALlF0g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yQ66Z/TqXnfNzTD0+OPe5AsF8eTGPZVVK/Dd9WFnCgA=; b=lQRjmP7e7Ncpe6Bv/R5wXsaPJdb39m+sVBODE7Peq4dKFwUtgxzdsiKKsqi4EvS0q7AAdFCmh8rhXCXfV51qRyszMqj+EHIbdiljqLQJZtTjEB2f5HUw10QA8ssHru38baxYU0JvCyWPvOyYLiH2n2pA7Nvp89Cx+3Oj2eTOBh8=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by MN2PR11MB4302.namprd11.prod.outlook.com (2603:10b6:208:179::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.15; Mon, 16 Aug 2021 21:53:58 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::9923:df2f:c942:4aaa]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::9923:df2f:c942:4aaa%7]) with mapi id 15.20.4415.023; Mon, 16 Aug 2021 21:53:58 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Laurence Lundblade <lgl@island-resort.com>, rats <rats@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>, Thomas Hardjono <hardjono@mit.edu>, "Scarlata, Vincent R" <vincent.r.scarlata@intel.com>
Thread-Topic: Minimizing the Attestation Results objects which can represent overall Attester trustworthiness
Thread-Index: AdeOJ92sIe44PjiKTG2YzmuXnbyfjwErRkAAAARiqrA=
Date: Mon, 16 Aug 2021 21:53:58 +0000
Message-ID: <BL0PR11MB31224EF7FED9EAA8D0C6C382A1FD9@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <BL0PR11MB31227C3A0BC34E904B0C62FDA1F79@BL0PR11MB3122.namprd11.prod.outlook.com> <1fda2b91-f5f7-b2b4-864c-5b0253e36abd@sit.fraunhofer.de>
In-Reply-To: <1fda2b91-f5f7-b2b4-864c-5b0253e36abd@sit.fraunhofer.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: sit.fraunhofer.de; dkim=none (message not signed) header.d=none;sit.fraunhofer.de; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eb65dd14-63b7-412b-ab66-08d9610059e3
x-ms-traffictypediagnostic: MN2PR11MB4302:
x-microsoft-antispam-prvs: <MN2PR11MB43021310071D1F449BCF21D4A1FD9@MN2PR11MB4302.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /aHG7al1QWUovSHU7E0vYxn1J4+AzKJh8NqwoRgbOyva8R7mBvlvxcB7MbTtOMVd2SKrBaYvJAU7cC2IX8CDrNNYTI8SzvtR59Rcq2pHxc4r3aDrdJSzpDJSLD/e0DCylREzKvd9Z9tzWPugpsnFx/SreE/4LKX3t/PuW/l1Cm9mXNCZ7H+zgOK2L7Kg5gDQ7ERKxocbfQmxn/LL72I2ic49+RQB4HknMljxyOn/EHtwCXkM49W+wRU1ikMPPhpqM4NnUZ5bx8OHuNenhwTbwzZ0Kuyor0RPkJwcTSQ05pR6ecji+s71cWdO1lGGtcsTJ+WCtNPlHC+HUZU81w8502I/Fs3HpCqQ90w5kRNV9Vakn6RR8MK4g98HS49HX7o3g6uocPL1UAePKsMi6cdvHi3e1i4oKr6EdMkyTeTfRyZbKTDE6atcv/b5d3CXrKgMe6FdwF5/L4TueHYA/TTNe2C4DrTg92jGcUUUpn3kvl9jGg+pfy3Gi/3av2728xVTLI+E5v7f89LOJxRQKxSUtXA6JYYwpy+Jde2OllbVqh/6gBCQHaFkeElz2UfUH86eMYDNVIyT6PWT8vxJHhLlXETv5OzrIN1Ab/ex1JmJ/xmv4xI7kRHjobzQohrqkh0qi9RYv+Uf5teutfCAiEoICdBMUXQKDCQnwS5PqMmyJx/aMBrhcnP+dJPzDVYpBHNRr8f13W8y8K8C5ep6aqHlJw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(39860400002)(366004)(396003)(136003)(346002)(86362001)(53546011)(99936003)(33656002)(6506007)(7696005)(5660300002)(478600001)(186003)(122000001)(26005)(83380400001)(2906002)(8676002)(8936002)(66556008)(52536014)(64756008)(66446008)(54906003)(38070700005)(66946007)(9686003)(110136005)(66616009)(55016002)(71200400001)(316002)(4326008)(76116006)(38100700002)(66476007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jb2bkOHFKoICdKMzLalz0UwabTBJVks2d3u4w3W7+ZPU7Zdk4YAoy6Vze6x8ibrxBQnVHgjDVVJrJAu6Q/BSXKfPTicQzx+WMjCciV2CCJVYpdArfQROhDMhc2AiRHMUEWaZ6pa+kBrWs1R2omUhxzp0Bs55MANJouda8iX6SRgJpAtT3vu8sA8wOkaPKZwfeBp2bd4lLoImPFlDVYN6egyWMXmO+eOJpvMXDTKkkvUbkFodcpPg2ipGgGRKT0mgc9jx97Pcq/EtIMrWo1Ap+uam56I9NSr+8KUrxlZB7NxkYnYfUYlCZ6brooKHI6NdE8mnyEe479pBJYspAjOJp2fDuzi/NFq6ryTJQyX9aaz4sivIJdWTgyQlwc750BsPVEjcc/q25bho99jXijeyxC7nUoOZyibBsxgGWFAEQ5SrCN2F2S+hlp3F5WXvmVilT/MxBK2hqTto6XUWVZDRNiOUJpvg9npc/pGiSZd+YunQrdEA2cxK7KR7HWjryyyhQ65g7W3aamuR8+VIbKhHizhNBe4YTweEH4YPxubPpw9HSL0yB1PRayb3j3iiYgPDX2ln9KIernD5F5Ilr0FsmSSTHI6O1c/L130cWxr4pTwG46z+EOXUOUlZgZpGYrFO7PqBqF+DnM9mrEIHGED/jTWCNocrjxezdnvtoxmEIkjknpIrSmynDtblSZAaaIKmHd2PAFmzJGFZ6yirFSGn3YuLLiFCxrmEq27hjBkwHoZhAedxbYhNlBSBmQ++ZkUWinNlAJU4pZdekrWKRm9FEt+0+DVAoiZ/4ar9XDvjK+0vV+iqQbmQ+uaIKh6M5LWHVXQXV5ZxzICtJuRcQayvb3cwmd8TFIT1mX9xGcqKzNzC1H+GSOqiXiA5YOdDkVfNmWPCantk6x5DuygFRSAAMijqGvtmmqxhXXOtdXQ93w07QfmfDbqIZvfp2f58itjLUwNFg2RRXUC9/FYOVMuWO0vyMW3O0orK5Fup3B5BEXOeNH2fxckQ6wwE6VsjWNd9HlgDVQdzrKBXM+MVHphEvxH8zOn55A1tO688QRxizzcYO5BG0dsrZ/gofhP3qX+7QToN04SemhE0LAVYO2sXZtz+tzL7+aNE00NIzSEYd+b1HF68xYEZExXkOisrKmYPIeh0x3BFtcgOFuFRYr3oQgID9CYLK34t2Hfr/VvxX8ACZluoXBAh6LpM5NbpgH8p+JDJJCXsw7ccv2pXpxzFLFT2+vPyXJB+6jVArXPlmZAvpDwUe6egEk9CJey0iaa8k2X05yVSs4Uk5qGJ7DkyJn7aRfS0couyvALLFLe29+Gb6bamJ781YMdHMhO3xyEf
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_02D8_01D792C7.A221F2C0"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3122.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eb65dd14-63b7-412b-ab66-08d9610059e3
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Aug 2021 21:53:58.4893 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZcS45uL/spzenNurx6GCknDXFO88kvQIs3A9EqczZ04wdeB1zo8SlSn9LMRym+iO
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4302
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.18, xbe-aln-003.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ujXCUrtQd4PduHqgmSnrLKNn37M>
Subject: Re: [Rats] Minimizing the Attestation Results objects which can represent overall Attester trustworthiness
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2021 21:54:09 -0000

Hi Henk,

Yes.   To me, the Verifier is interesting because it is responsible for the
*hard* problem: can I trust you at all?  Only when general aspects of
trustworthiness established are specific claim sets actually
helpful/actionable.

If the WG accepts this premise, then how do we (as a community) converge on
the general aspects of trustworthiness?   That is that the conversation the
design principles below is attempting to start. 

Eric

> From: Henk Birkholz, August 16, 2021 3:29 PM
> 
> Hi Eric,
> 
> what you are highlighting here, I think, is an important distinction.
> There are two "layers" of Attestation Result Claims here. (1) Attestation
Results
> about the intrinsic trustworthiness characteristics of an Attester and (2)
> Attestation Results that a Relying Party can trust, because they are about
an
> Attester associated with such trustworthiness characteristics.
> 
> I-D.voit-rats-attestation-results I believe is strictly scoped to the
former set (1)
> of Attestation Result Claims. These Attestation Results (the
Trustworthiness
> Claims) MUST always be generated by a Verifier's appraisal procedure. It
is
> virtually impossible that only a signature (or secure channel)
verification will be
> enough to allow for the generation of Trustworthiness Claims (basically
the only
> assurance generated by that would be a proof-of-possession that implies
"trust
> everything I do, because it is 'I, the key holder' doing it").
> 
> To enable interoperable "understanding" of Trustworthiness Claims, their
> number must be suitable small, unambiguously actionable by Relying Parties
and
> they must, of course, be Verifier generated and never Attester generated.
> 
> Set (2) of Attestation Results can be vastly more refined, specific,
expressive or
> voluminous, I think (and potentially also even Attester generated). The
swresult
> Claim highlighted, I think is an excellent example of a highly versatile
Verifier
> generated Claim that conveys additional context information to a Relying
Party.
> 
> Viele Grüße,
> 
> Henk
> 
> On 10.08.21 23:00, Eric Voit (evoit) wrote:
> > Hi Laurence,
> >
> > During the RATS IETF 111 sessions, we both shared views of how to
> > encode Attestation Results (AR).   From the perspective of
> > draft-voit-rats-attestation-results, the AR in scope are Verifier
> > generated claims* about trustworthiness of the Attester itself.   Some
> > examples of such claims include:
> >
> >   * the Verifier asserts that the Attester has only known good software
> >     loaded
> >   * the Verifier asserts Attester's configuration doesn't expose
> >     security holes
> >
> > We are now beginning to standardize these Verifier generated claims
> > (and associated AR object definitions).   We need to do this with the
> > stated objective of maximally simplifying the interworking of
> > different types of Attesters, Verifiers, and Relying Parties.  That
> > maximal simplification is essential as we diverse group of RATS roles
> > and developers spanning different industries.  And to accomplish this,
> > I suggest we adopt the following set of design principles:
> >
> > (1) We should only have a small number of Verifier trustworthiness
> > claims standardized at this time.  Reason: a plethora of similar
> > trustworthiness claims will result in divergent choices made between
> > different Verifiers.  This would place a lot of complexity in the
> > Relying Party as it would be up to the RP (and its policy language) to
> > enable normalization across rich incompatible Verifier object
definitions.
> >
> > (2) Any objects from (1) which we do standardize should only include
> > specific enumerated states that could viably result in a different
> > action from the applied Policy for Attestation Results.   Reason: by
> > explicitly disallowing the standardization of any enumerated states
> > which cannot easily be connected to a use case, we avoid forcing
> > implementers making incompatible guesses on what could happen.  This
> > will eliminate many types of errors.
> >
> > (3) Verifier and RP developers need explicit definitions of *each*
> > state in order to accomplish the goals of (1) and (2).  Without such
> > guidance, the Verifier will send plenty of raw info, as it relieves
> > the Verifier of making the hard decisions.  Of course, this raw info
> > will be mostly non-interpretable and therefore non-actionable by the RP.
> >
> > (4) We do need extensibility for this type of Verifier generated claim.
> > But Verifier generated claims should be worked in the WG and managed
> > via the RFC process, rather than being in a separately maintained
> > Attester Claims list.  This will keep a tight lid on extensions which
> > must be considered by the RP's policy language.
> >
> > These design principles are important to keep the number of Verifier
> > generated claims low, and to retain the complexity in the Verifier
> > rather than the RP.   We followed these design principles in
> > draft-voit-rats-attestation-results.   Consequently, the next version
> > of draft-voit-rats-attestation-results will include a total of 9
> > Verifier generated Trustworthiness Claims supporting a total of 18
> > enumerated states.   18 enumerated states feels like an easily
> > digestible number for the developers of RP policy language :-).
> >
> > I am hoping we can connect this thinking to your swresult object from
> > your IETF 111 slides.   Looking at your slide on the swresult claim,
> > *each* software measurement could include a large array of results.  I
> > believe this unbounds the complexity of the RP policy language.
> > Effectively, the Evidence to the Relying Party may often be richer
> > than that originally sent by the Verifier.  In what scenarios do you
> > see Relying Party applying such a rich language?   And at least from
> > the perspective of deciding whether Attester itself is trustworthy, do
> > you see ways for just a few Verifier generated claims to expose key
> > trustworthiness attributes and states evaluated for the Attester?
> >
> > I know this is a complex question which might only be worked in an
> > upcoming interim.  But I figured I would start the dialog now.
> >
> > Thanks,
> >
> > Eric
> >
> > * Note from above: these Verifier generated claims are not the same
> > thing as a Verifier ratifying specific claims generated within the
> > Attester (such as UEID, location, software manifest, etc.)   Many of
> > your AR definitions within the swresult appear aimed at this context.
> > So there might not be an explicit overlap between our drafts.
> >
> > Eric Voit
> >
> > Principal Engineer
> >
> > *.:|:.:|:. *Cisco Systems, Inc.
> >

v2.23.0 | Report a Bug | By Email