IETF Logo Mail Archive

Re: [Rats] Where does a EAT end? - consensus?

Laurence Lundblade <lgl@island-resort.com> Sat, 04 June 2022 18:39 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2166DC1595E6 for <rats@ietfa.amsl.com>; Sat, 4 Jun 2022 11:39:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.928
X-Spam-Level:
X-Spam-Status: No, score=-1.928 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QacFYWB2Nx6i for <rats@ietfa.amsl.com>; Sat, 4 Jun 2022 11:39:18 -0700 (PDT)
Received: from p3plsmtpa09-06.prod.phx3.secureserver.net (p3plsmtpa09-06.prod.phx3.secureserver.net [173.201.193.235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E7DDC1594AF for <rats@ietf.org>; Sat, 4 Jun 2022 11:39:17 -0700 (PDT)
Received: from [192.168.1.4] ([75.80.148.139]) by :SMTPAUTH: with ESMTPA id xYg8nkOPGOzp0xYg9ntLnE; Sat, 04 Jun 2022 11:39:17 -0700
X-CMAE-Analysis: v=2.4 cv=Qo2bYX+d c=1 sm=1 tr=0 ts=629ba6d5 a=qS/Wyu6Nw1Yro6yF1S+Djg==:117 a=qS/Wyu6Nw1Yro6yF1S+Djg==:17 a=QyXUC8HyAAAA:8 a=K6EGIJCdAAAA:8 a=EUspDBNiAAAA:8 a=7CQSdrXTAAAA:8 a=48vgC7mUAAAA:8 a=NEAV23lmAAAA:8 a=WNvzRCA4Pz10EFWaNrAA:9 a=QEXdDO2ut3YA:10 a=wQAYRyDJVHRH8WtgKrgA:9 a=LvmwmflfaAduKql4:21 a=_W_S_7VecoQA:10 a=L6pVIi0Kn1GYQfi8-iRI:22 a=rMCfJy6NHDicN4J276Yl:22 a=a-qgeE7W1pNrGK8U0ZQC:22 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <A0E27D96-BB92-4B66-A88B-BAD61F1D3C47@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8763622A-8940-4D7D-A7BD-42DD7854EBAF"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Sat, 04 Jun 2022 11:39:16 -0700
In-Reply-To: <D13E3D0F-CDEB-47F5-856B-A355CE464E55@intel.com>
Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>, Thomas Fossati <Thomas.Fossati@arm.com>, "rats@ietf.org" <rats@ietf.org>
To: "Smith, Ned" <ned.smith@intel.com>
References: <5CCD6415-B43B-4BB5-BD05-E7A2B7839B3A@intel.com> <C857641A-8673-4F81-8D9B-D99D6529A836@island-resort.com> <D13E3D0F-CDEB-47F5-856B-A355CE464E55@intel.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-CMAE-Envelope: MS4xfIXv5/8kUD5FOlNikJ0qFEF0Ct0Mefp4pc2Nz8RdwO55rRl8a545y+RFb3ZVLmBw3g1pAJ4h/rxqN7g7VPToHAi//mGp3SaBlI2p//sxppj4mn/C6FiV xJYDume13y7wW6KxGrIuGJ6vrkAB/H+sYzONW3Ksuc8lp8iOF8bwj5W/XPzrVdqTmGTVyvJMRL/05k/loTgjsmG8HmjuTpiQNh1NqA32jBzve5hRwEqHJzkn Vb8HG0iAJM28Wfd3nUmuJ/9jtZc3L4LjKvPk+KCbwXBu1ah5V2uNpi5Q3KIprflT
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/w1LsmhXWo126pYK8hVlFJdP4zZA>
Subject: Re: [Rats] Where does a EAT end? - consensus?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2022 18:39:19 -0000

> On Jun 3, 2022, at 12:53 PM, Smith, Ned <ned.smith@intel.com> wrote:
> 
> Is the motivation for limiting extensions to an IETF standards track document that extension by a vendor or other standards setting organization might result in non-interoperable tokens? Something else?

To be clear, the issue at hand here is only the definition of more top-level formats for EAT. This is not about limiting EAT extension in general (not about limiting claims, not about limiting profiles…).

The more top-level formats we have for EAT (e.g., XML claims-set, DER claims-set, …) the more complicated it is for implementors and/or the less interoperability we have. It is already difficult enough with CBOR and JSON. Many RATS people don’t have any need for JSON (but note that JSON and CBOR support is mentioned in the charter).

This is worse when you consider composite devices. If every attester picks the format convenient for themselves and then someone builds a device that uses 4 attesters that use 4 different top-level formats, the composite / collection might have one token that is CBOR, one that is JSON, one that is XML and one that is DER. That makes it pretty difficult for the verifier.

I think we do need to consider the composite device in most of what we do for the sake of wide-spread adoption of attestation over the next decades.


To me the IETF was founded on the idea of having one protocol we all speak rather than n. You know going back to when there was SNA, DecNET, AppleTalk, NetBios… When you have n, you end up with an n^2 implementation problem.

LL



>  
> From: Laurence Lundblade <lgl@island-resort.com>
> Date: Friday, June 3, 2022 at 12:36 PM
> To: "Smith, Ned" <ned.smith@intel.com>
> Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>, Thomas Fossati <Thomas.Fossati@arm.com>, "rats@ietf.org" <rats@ietf.org>
> Subject: Re: [Rats] Where does a EAT end? - consensus?
>  
> Didn’t think this was an interoperability issue. It is an extensibility issue. How much extension to other formats are allowed.
>  
> My question is whether there is consensus or objections around this PR <https://github.com/ietf-rats-wg/eat/pull/194>. 
>  
> It simply adds the sentence "Any new format that plugs into this socket MUST be defined in a IETF standards track document."
>  
> LL
>  
> 
> 
>> On Jun 3, 2022, at 11:38 AM, Smith, Ned <ned.smith@intel.com <mailto:ned.smith@intel.com>> wrote:
>>  
>> To summarize, it appears the way to address the issue of a potential for non-interoperability of “top-level” statements in the EAT draft is to acknowledge that this potential exists, and that it can be accommodated in a variety of ways that don’t need to be discussed within the EAT draft.
>>  
>> Does anyone disagree that this addresses the issue?
>>  
>> -Ned
>>  
>> From: RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on behalf of Giridhar Mandyam <mandyam@qti.qualcomm.com <mailto:mandyam@qti.qualcomm.com>>
>> Date: Thursday, June 2, 2022 at 1:40 PM
>> To: Thomas Fossati <Thomas.Fossati@arm.com <mailto:Thomas.Fossati@arm.com>>, "rats@ietf.org <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>>
>> Subject: Re: [Rats] Where does a EAT end? (was: Re: WGLC for https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat>)
>>  
>> > Not sure I follow: profiles are type constraints that apply to *existing* top-level EAT types.  They can't be used to extend the number and shape of base EAT types.
>>  
>> I was commenting on interop, not on extension of top-level EAT types.  I don’t think we need to provide a mechanism to extend the base EAT types within the EAT specification itself.  I’ve already mentioned with the example of JWT’s that the underlying specifications such as JS allow for that today.
>>  
>> If someone has identified a new field that must be added at the top-level of an EAT, they are welcome to come up with their own specification, as described in https://github.com/ietf-rats-wg/eat/pull/194 <https://github.com/ietf-rats-wg/eat/pull/194>.  I personally don’t think we should call it an EAT at that point, but that is a minor point.
>>  
>> -Giri
>>  
>> From: Thomas Fossati <Thomas.Fossati@arm.com <mailto:Thomas.Fossati@arm.com>> 
>> Sent: Thursday, June 2, 2022 1:30 PM
>> To: Giridhar Mandyam <mandyam@qti.qualcomm.com <mailto:mandyam@qti.qualcomm.com>>; rats@ietf.org <mailto:rats@ietf.org>
>> Subject: Re: [Rats] Where does a EAT end? (was: Re: WGLC for https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat>)
>>  
>> WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros.
>> > Giridhar Mandyam <mandyam@qti.qualcomm.com <mailto:mandyam@qti.qualcomm.com>> wrote:
>> > > > I think the underlying data structures make it extensible,
>> > > > independent of the CDDL notation.  However if an implementor
>> > > > chooses to extend EAT without an accompanying standard as a
>> > > > result, then interoperability may not be assured.  Therefore it is
>> > > > in an implementor’s interest to define a standard if they are
>> > > > seeking interop.
>> >  
>> > > The core difference is the extensibility story for the claims-set is
>> > > governed by the CWT Claims registry, whilst the EAT type system has
>> > > no such mechanism (yet).
>> >  
>> > I don’t agree:  the profile definition addresses interop – see
>> > https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat#section-7 <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat#section-7>.
>> > Up to this point, no-one has objected to the way profiles are defined
>> > in the specification, nor the lack of a registry.
>>  
>> Not sure I follow: profiles are type constraints that apply to
>> *existing* top-level EAT types.  They can't be used to extend the number
>> and shape of base EAT types.
>>  
>> FWIW, I'm a big fan of profiles.
>>  
>>  
>>  
>>  
>>  
>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org <mailto:RATS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email