Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Dave Thaler <dthaler@microsoft.com> Mon, 18 November 2019 09:04 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/v7PppeeivWkzF5GWATJ7n9HmLXI>

If all you do is log, then there is no enforcement, and since the device doesn’t talk to the log, you can’t call the log a “Relying Party”.
I didn’t say there was never a Relying Party (if you do enforcement and kick the device off the network or something then yes there’s a Relying Party), I said “might be no”.
So I disagree with “Attestation always has a relying party” based on my discussion with Nancy.
Before the hackathon I would have agreed with that statement ☺

From: Laurence Lundblade <lgl@island-resort.com>
Sent: Monday, November 18, 2019 4:59 PM
To: Dave Thaler <dthaler@microsoft.com>
Cc: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>; Smith, Ned <ned.smith@intel.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; Oliver, Ian (Nokia - FI/Espoo) <ian.oliver@nokia-bell-labs.com>; rats@ietf.org
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft


On Nov 18, 2019, at 4:52 PM, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org> wrote:

Case 1) The network notices anomalous traffic coming from a device already on the network, which triggers a verifier to ask the device to attest to its health (which may have changed since it was last attested).  Here there might even be no Relying Party involved per se.
Case 2) The network has not noticed anything odd, but wants to proactively query a device anyway, e.g., because the network's appraisal policy of what is considered trustworthy has just changed.  Again there might even be no Relying Party involved.

I would call the network the relying party. Attestation always has a relying party because there would be no point if no one cared (if a tree falls in a forest…)

LL