IETF Logo Mail Archive

Re: [Rats] EAT Review Comments

Laurence Lundblade <lgl@island-resort.com> Fri, 10 December 2021 18:11 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EF603A0B12 for <rats@ietfa.amsl.com>; Fri, 10 Dec 2021 10:11:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-XM6JBHwVHi for <rats@ietfa.amsl.com>; Fri, 10 Dec 2021 10:11:52 -0800 (PST)
Received: from p3plsmtpa06-08.prod.phx3.secureserver.net (p3plsmtpa06-08.prod.phx3.secureserver.net [173.201.192.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F336A3A0B1E for <rats@ietf.org>; Fri, 10 Dec 2021 10:11:46 -0800 (PST)
Received: from [192.168.1.7] ([75.80.148.243]) by :SMTPAUTH: with ESMTPA id vkN0mGFmUJ2b8vkN0mkQ1Q; Fri, 10 Dec 2021 11:11:46 -0700
X-CMAE-Analysis: v=2.4 cv=Lt9XdlRc c=1 sm=1 tr=0 ts=61b39862 a=VPU1mRQhDhA4uSX60JRRww==:117 a=VPU1mRQhDhA4uSX60JRRww==:17 a=kj9zAlcOel0A:10 a=7CQSdrXTAAAA:8 a=1hVuqm5nvxOysAABxHEA:9 a=CjuIK1q_8ugA:10 a=a-qgeE7W1pNrGK8U0ZQC:22
X-SECURESERVER-ACCT: lgl@island-resort.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <DBBPR08MB59152EA489927AC3C1E59B69FA719@DBBPR08MB5915.eurprd08.prod.outlook.com>
Date: Fri, 10 Dec 2021 10:11:46 -0800
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <68208DDA-1EF1-409D-B333-804CE903A5A6@island-resort.com>
References: <DBBPR08MB59150EEE386E675005A52124FA6E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <B81765CF-8515-440B-A021-977FCD59D5E2@island-resort.com> <DBBPR08MB5915DD8BAA394E7D665E4C7DFA709@DBBPR08MB5915.eurprd08.prod.outlook.com> <7e8275a1-10ce-bff8-9252-8c0d32d3e395@sit.fraunhofer.de> <DBBPR08MB59152EA489927AC3C1E59B69FA719@DBBPR08MB5915.eurprd08.prod.outlook.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfIs7vBq7XGSap8djtjh5kFDyXbAAGiPk2PTGlaNVlIKJNwNPESdofzOq8qIhrtmKub8x/JhxFOQbfL3zJdqYlo7lodi+QwqCvyg7/vMvdKFlb/SaGA4m ByktwtYffXBs/HRzk39qA+KuMfsmW3xt+YqH+7c8uA4iAHrMyEIBsKG7FTVhqj4E7/KLPXZOk9AOoNX3TSBSYr1X4aZ7tj0ViA/Qk4rRt0yUQnkWJ//JfOu3 WbhB44Rul0N3ZsiBFquE5eTq9LbLSUIBKqvc+EXDuWw=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/v1hExarmp9qebdtSotXEX880lIM>
Subject: Re: [Rats] EAT Review Comments
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2021 18:11:56 -0000

Below...

> On Dec 9, 2021, at 11:57 PM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
> Hi Henk,
> 
> You write:
> 
>> My biggest point of concern is the scope creep into JWT.
> 
>> EAT was intended to be a CWT (more on that detail below). The
>> implementation complexity of including JWT now is kind of mind-boggling.
>> I have been for a while and will continue to be in strong support of
>> moving JSON encoding related normative text out of the EAT core doucment
>> to supplemental EAT document.
> 
>> Fundamentally, I am still opposed to EAT being a CWT. It allows to
>> include any kind of CWT claims from an increasingly growing CWT Claims
>> registry. I am allowed to include a nonce and a cnonce Claim
>> simultaneous due to that. Or simply mix an exi Claim in. How shall an
>> implementation act on that? That is a valid EAT composition. Is "ignore
>> what you do not understand" the strategy here? That is not a really
>> useful approach, if your goal is to establish an interoperable way to
>> assert trustworthiness. I'd very much prefer a better scoped usage
>> scenario for EAT for RATS by making an EAT something more specialized
>> than a CWT (on the CBOR tag level). Maybe someone can explain to my why
>> this is not an implementer's nightmare as I might miss something obvious
>> here.
> 
> We are long past the point of deciding that an EAT is a CWT with special claims. Companies have spend a lot of resources implementing it that way. Practically, there is no problem since you will not randomly add claims to an EAT. As stated in the draft, a profile needs to determine what claims must be present and what to do with optional claims. Then, this is not an issue at all.

Yes, I think we are long past on that decision.

The flexibility is necessary for the broad range of use cases, the ones listed in RATS Architecture and more. I doubt we could converge on one set of claims.

We have profiles to address the problem too many and confusing claims.

LL

v2.39.1 | Report a Bug | By Email | System Status