IETF Logo Mail Archive

Re: [Rats] EAT Profiles

Thomas Fossati <tho.ietf@gmail.com> Mon, 19 September 2022 14:18 UTC

Return-Path: <tho.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72DCBC1524C4 for <rats@ietfa.amsl.com>; Mon, 19 Sep 2022 07:18:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bOG4MFrbJIMt for <rats@ietfa.amsl.com>; Mon, 19 Sep 2022 07:18:42 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 089DBC1524BE for <rats@ietf.org>; Mon, 19 Sep 2022 07:18:42 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id bg5-20020a05600c3c8500b003a7b6ae4eb2so4768912wmb.4 for <rats@ietf.org>; Mon, 19 Sep 2022 07:18:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=M0v5+Q5OixVsSfNR8aVVKNmCLlL/59FvA0T/CciaiCM=; b=nPpCDEJIl1i2Vxuq7CxzXkq6ixhEadgQP5j55dUDaf0IjSl98/brg4v6kCsun25WI2 7ZjjeppmTTq5kzd2oKXzziXToTYalUr59pvUqr2fLxg+04onBONHzy3ip/aYT+YziiIZ RDmOmBKrGexBWxaTLI5FbRXsiOBt1co1LKjBce2GGmsm7yvW95gMGcJpcf490HdvGw4E RIUAep48m7qo1N7EqJFRzME3rO0KstlVJzxT9i25sd2ADxkLI9HjHP9mMt6l+RYcqi2O P2I+gUxWkdSNJrW5mrmPwNuPnuLnFz08IFeyUNv4d6k87kVMB+6lXBHf+J7vOrqhF5KX aSpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=M0v5+Q5OixVsSfNR8aVVKNmCLlL/59FvA0T/CciaiCM=; b=TpfbvWE+bnb4lk5RGA8nTs2206EDuP556KkRxskmcNOfjCNIJtqeOfBiQV0rYu8Hiw NSolSTgllVqaCpPMWi2yGDGoMOFsfzp4bCQfgAMD9RP8schz3HcmBzbjwzQiiGuJS+c0 ms4bAjnHfZvGhEiuNuiRG652PAcUHaqkgLOscJpa5hEdn46L5jjGT/n6OSVqKNhsINQG EDDVJ1dZ4IdP9TBjAxU7XSAv6X3E3q7dlllh1sQtnmoOaenzlS2+1IHBDYEGKWAavK50 CGoek3yctMfTUpmEsFQ/GBQAuA+bW2FRA0LsNpXt0sjBXvYh3jgoF7VFE17oISKR7YXC b7Lw==
X-Gm-Message-State: ACgBeo0yc+FsipYs1Vb9Phj44p4x09TXZSsmGDFR+rD9XbTZJoCNsKQO HLhDdZY4WLkdFEI0qyweyCu8mLgkDaCmoDS3n3qbWDDe3A6IUw==
X-Google-Smtp-Source: AA6agR7qdbHtpbowk5p+sPuK26NTrJPnme89iwG/geDhvhcHsP96SBGDA59jg5xlBXr+dQeVMwGN9Tiqwzcif8H4ckY=
X-Received: by 2002:a05:600c:a07:b0:3ab:945:77c4 with SMTP id z7-20020a05600c0a0700b003ab094577c4mr19337813wmp.97.1663597120166; Mon, 19 Sep 2022 07:18:40 -0700 (PDT)
MIME-Version: 1.0
References: <71934.1663019954@dooku> <DBBPR08MB5915AC23726BF997EB9E44C4FA489@DBBPR08MB5915.eurprd08.prod.outlook.com> <19805.1663344806@dooku> <AS8PR08MB5911DB2FE9608541698983B0FA4D9@AS8PR08MB5911.eurprd08.prod.outlook.com> <636099.1663593501@dooku>
In-Reply-To: <636099.1663593501@dooku>
From: Thomas Fossati <tho.ietf@gmail.com>
Date: Mon, 19 Sep 2022 15:18:28 +0100
Message-ID: <CAObGJnMkQFz23+JQ0bpDUJhsG=XG-16JsmH1yq=qTWBEhsw8uA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000659ee605e90863da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/w9tZ5lgHIcFdA3--Asyqc1iPmxU>
Subject: Re: [Rats] EAT Profiles
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 14:18:42 -0000

hi Michael,

On Mon, Sep 19, 2022 at 2:18 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>     > [Hannes] We have created a library that produced an EAT based on our
>     > profile and it was not too complex.
>
> You missed the point.
> You create *A* library that deals with *your* profile.
>
> So, we need N libraries for N-profiles, and since the EAT document has
> quite
> a large number of possible combinations, each use of EAT will wind up with
> its own library.  There will be no reuse, which was the point of doing
> this work.
>

I have to strongly disagree with the conclusion that "there will be no
reuse".
We reuse *a lot* of existing library code: COSE (~8k LOC), CBOR (~17k LOC)
& EAT (~3.5k LOC for the claims we inherit).
On top of that we push the profile-specific code that adds the PSA attester
claims and wraps all the other bits together into one interface.  That
amounts to (~3k LOC), which, considering we support two profiles (current
and legacy) with one codebase, I reckon it's OK.  Besides, with this
library we support both attesters and verifiers.
Basically, the delta amounts to defining the claims' set that have no EAT
equivalent.  I expect anyone designing an EAT-based token today to take
advantage of the richer EAT vocabulary compared to what was available to us
when we started the PSA token work (i.e., March 2019).

    > [Hannes] Maybe you could post it to the TEEP list.
>
> The EAT question is what a profile should say here.
>

IME §6.2. of EAT is doing a great job.  The only surprising bit in TEEP
(for me) is the absence of mandatory claims: can it really contain *any*
claims and still be called a TEEP token?  It seems strange, but as it's
been said, this is really a question for the TEEP WG to answer.

cheers,
-- 
Thomas

v2.23.0 | Report a Bug | By Email