IETF Logo Mail Archive

Re: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 30 November 2020 11:41 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E979D3A0964 for <rats@ietfa.amsl.com>; Mon, 30 Nov 2020 03:41:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=jySdxAgq; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=jySdxAgq
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1yhOKbTb7y4C for <rats@ietfa.amsl.com>; Mon, 30 Nov 2020 03:41:14 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60080.outbound.protection.outlook.com [40.107.6.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11B333A0966 for <rats@ietf.org>; Mon, 30 Nov 2020 03:41:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eyw9jG8kPMhE6eoT/Dd8Yki/QNB87wAptvDNOh0nH9o=; b=jySdxAgqEtPrSwiuex9sJaL+92XZs2jmh0uCNWUNzRoakhHjNl+SaHdJTGcFg6wMcR3nETJyiPzREiaj8hB0xlZ7jSAMDEqGY8VIXryTY62i2ebb7Ldc076KWjiMI1ADkTiWUZs3haMUe0J22L7FzfIv/SLhHFzfUmh3GkDT89U=
Received: from DB6P193CA0015.EURP193.PROD.OUTLOOK.COM (2603:10a6:6:29::25) by AS8PR08MB6231.eurprd08.prod.outlook.com (2603:10a6:20b:298::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.25; Mon, 30 Nov 2020 11:41:08 +0000
Received: from DB5EUR03FT056.eop-EUR03.prod.protection.outlook.com (2603:10a6:6:29:cafe::4d) by DB6P193CA0015.outlook.office365.com (2603:10a6:6:29::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.20 via Frontend Transport; Mon, 30 Nov 2020 11:41:07 +0000
X-MS-Exchange-Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; ietf.org; dmarc=temperror action=none header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout)
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT056.mail.protection.outlook.com (10.152.21.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.26 via Frontend Transport; Mon, 30 Nov 2020 11:41:05 +0000
Received: ("Tessian outbound 814be617737e:v71"); Mon, 30 Nov 2020 11:41:04 +0000
X-CR-MTA-TID: 64aa7808
Received: from 7d7dad1c7b4f.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 006D2790-240A-4A4E-B968-BC986B55A562.1; Mon, 30 Nov 2020 11:40:59 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 7d7dad1c7b4f.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 30 Nov 2020 11:40:59 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JBn6/QnB8g5Xm8lF3GACwEU70jQIoSEensERnUocWk9nuBMD5LuELn1AwQSKn9lnGwcqJaMgKTIHyYlj81e8Ng8Oo61CwnxAbGrOx5fTc/T2b/PMU6de4hv/KaAdTq1SyF03yoT00PeHLQt1PSlLxNpDnKl0wi8bbqJzDRPCPQZj2sgoJ5KRmW5FPGyHt/1rrsjvRszNFvfk5AE86pZUzv6JMqgdCbMlA2iJyiXuKWbk+THXEKNvgiU/DZoYzmlTs/S0TaWwZc58q3VhpC5zsg+bNaMwvfNyv+tzEEQ8B4eKWr0TYc6VF0NlVgKk8fllTPvRVGfDU/Ng0q5t08zoEQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eyw9jG8kPMhE6eoT/Dd8Yki/QNB87wAptvDNOh0nH9o=; b=W2sshCCHdL+9AYnFa8yMnomFlLdfHqA67qx7nGF8egCERX4zA4eyXOp56GVRslTxV8Mu0NErBADfwVkkAEO0z8OUK+2v7FxGeq0unmRJ5aD3H6r88qYqrUsZys0P9kvZFwsjbqxtu8dnna4mTCSaRUhPAuh0Prb9W6YQlNUl3s3WIvc2IkzsBEDrS402ytbiq3bvec6ksTRCoEWOVbAtoy6MUfcbqqdpkjJzfR5GOSPLKvMW0RwL4A1xAnNJTEFz0Vc97tu5Xe+PmyJGj6G5qV2fjvYkkuql/0f1OSJ7RghscYbGLPL5yQ25cTc7bvIcfjo+xpRJmrAjZnw90mzzSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eyw9jG8kPMhE6eoT/Dd8Yki/QNB87wAptvDNOh0nH9o=; b=jySdxAgqEtPrSwiuex9sJaL+92XZs2jmh0uCNWUNzRoakhHjNl+SaHdJTGcFg6wMcR3nETJyiPzREiaj8hB0xlZ7jSAMDEqGY8VIXryTY62i2ebb7Ldc076KWjiMI1ADkTiWUZs3haMUe0J22L7FzfIv/SLhHFzfUmh3GkDT89U=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB5524.eurprd08.prod.outlook.com (2603:10a6:208:181::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.22; Mon, 30 Nov 2020 11:40:58 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::a80c:38e:8da2:8b48]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::a80c:38e:8da2:8b48%7]) with mapi id 15.20.3611.031; Mon, 30 Nov 2020 11:40:58 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Giri Mandyam <mandyam@qti.qualcomm.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT
Thread-Index: AQHWxozX+iZ16pOalkWO5saguRJyBKngjOCQ
Date: Mon, 30 Nov 2020 11:40:58 +0000
Message-ID: <AM0PR08MB37160A782B8CDC941DCBC45CFAF50@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <24519.1606681083@localhost>
In-Reply-To: <24519.1606681083@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 7FAFF116989F56499E67EE240843EC46.0
x-checkrecipientchecked: true
Authentication-Results-Original: sandelman.ca; dkim=none (message not signed) header.d=none; sandelman.ca; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.118.246]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: d9d39931-6c22-41d2-109c-08d89524d284
x-ms-traffictypediagnostic: AM0PR08MB5524:|AS8PR08MB6231:
X-Microsoft-Antispam-PRVS: <AS8PR08MB62316E50506AE6FF662E9DE8FAF50@AS8PR08MB6231.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:4502;OLM:6790;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: rzsimcx38NgKJ1sS6MEMxwnge9lcbCAIYjQHWsQls1JIFP3fjAcJUrAKqXbH/s/1IkzjGflWWb4IYtTQIax5KpqnGj9m5Gg9IHxRv7KEUEVTePk3UCM5S9xKr4KiruAArEm41dksvjxgqljd1OcYgBSnWcLMbLM9VRBHe6VsbQhXpy+o8tOFbgdWwf9eCmxsjd3TQfdcx1niz8BMF0tTSNzP15V51ug3rETQOY6i3UXOSSoRbgvWBA9DPhBpSltrTHRTxQgPIdRzgHHGvKY2LIMy0DZusCo0UpJ9lWIb8fF36mSkAVnobV3PckRitq3o
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(376002)(396003)(346002)(136003)(39860400002)(8936002)(71200400001)(53546011)(83380400001)(66574015)(6506007)(478600001)(52536014)(66476007)(66946007)(66556008)(64756008)(9686003)(7696005)(86362001)(316002)(55016002)(5660300002)(76116006)(2906002)(33656002)(8676002)(66446008)(186003)(26005)(110136005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: P1U5MhSShBGyMaLHyWjuXmQFHJMF25quHwL6ztOvEg/1WE5yNhtfyQqvqgWvKKNqqmfjRjIF7dBkMtG/2aP0jwOAK8lxS+3RhoZ1bqVqQm+fZtpF5icaTAiMdutFHRp9O+i4zt4hIvuHr/hk29VQIlTaOAqqZqYm6w8vr7Uk6Rz/RqwTkpeTj6toY0ePTdK5+GyQujhVzOC58H7TzzoAlo1t/5wso3UJBPZgw9Bzda1O51Gsklxbbm4Bm4bSZbBvmD1M9QMeikLA1M5q5GC27qO5eaJ8lpOadO6R4rAYRuGkT0//P9LQm1E2U9LLZgiej+P8x/myn5ADNAPDJH/7g3bsq6BW+3racSnLjgBiRicKhVKZgL3rwnjgF+gdvPLkPdjw+mjT5fp/f9w7dT/uY1d0hmxhuOMFrLrl8yRb+5GSd2VkkObSPOtoiS6VDmSK1657hteGQs1mtOAI0+We95R1NhrqvEt+GZf95GAxVFFI1e7JxFeIrf6VqLakRMiivbStEUARwN1jjuGoP1TogjQ7OrqH7ZznFRNZsmIhN1RngGSLvPR5DGmQ3doFYl0wlVpBEFtZBH/r4LKr4R7Cf8A9cdTVXlGaL/WqrnHB6ZaLxpVKD1N0M8mpJ6pb6Q3xI6Mf3EXj3IUMiGwkWNB7Dbp9zzKgalFo1DDw3lPUd7KbKESZlIeE0aELzxFuWvjIhVELAw8nZ0Ysnd5Ji4y4bHJS6umkR2EfgfllQjnyj7toVIewKoCybwfAwsVUrhYl0d5l6a0KN3ku8U0PLY5+G0fS5RbX/ndX1xwPxIP9IHMRW9cwgE6fqoIWjjuLMWZfuCDfwrjE4460LjcZHUG+XJrFzB9RTCxc7hnWI4LtKojQD+PCtQK2wvne5JBoRJL8r4OIbGT6Jnk4knlQitKcJHiKe/Vw/XTpXgUNtfVApmGvw0SaDsR941etdjy+ZIdQolzNTYpMA5h2dhxTr3F6HX2TdGDgtXpTdrebGTMvjGI=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB5524
Original-Authentication-Results: sandelman.ca; dkim=none (message not signed) header.d=none; sandelman.ca; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 86d907ba-3bde-42d4-98e8-08d89524ce22
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: p6WbGjwSU/CiZROthFa4AtvVRG56NIcqM+hczK9VMG8v0FzF1XiZpQwA509Tj9pykKFFpiAyT9gMSGubS70c/v7OovlChjsijHGEgQdq5/Y/ZCGyF0MQsiKmcJxYqJuOURgfi5ds4TIzK5QZuKXQOUQPJAm/VuMpRAigcINRCmCJxqpU0nRJQ9XpCc+vvNfGtimNZHnwhbDTUlTYNHmG+klP3I5F8HcgDaxQ9Icz+hfRAvcmNZNpIjwy9uhRHbqeHXz0YsUMo7ZeY4rsa8U2/8PLHzNxd6tdmmILtJbADprlbZPGphTDAUzYq7ZUBrjLcZLkurGlH1+bQqMAFz1O9L5+1iuCj2OatSTWhmCMPYBPXOkK5Hrn0An6hB96QkKP8OLodGnRXDALcK1NxYCC8g==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(136003)(376002)(39860400002)(396003)(346002)(46966005)(356005)(8936002)(82310400003)(81166007)(8676002)(478600001)(70206006)(47076004)(70586007)(82740400003)(110136005)(86362001)(33656002)(2906002)(53546011)(186003)(63350400001)(83380400001)(63370400001)(52536014)(55016002)(7696005)(9686003)(66574015)(336012)(316002)(5660300002)(26005)(6506007); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Nov 2020 11:41:05.6056 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d9d39931-6c22-41d2-109c-08d89524d284
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR08MB6231
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/oRHxBAJBz24t98wvdiJWAHSRsAo>
Subject: Re: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2020 11:41:17 -0000

Hi Michael,

In his presentation Giri pointed out that companies and industry groups want to see progress on the EAT specification.

In this specific case, Giri was talking about EAT being used by the FIDO device onboard specification. But the same is actually true for us (at Arm) and for Qualcomm, who are using EAT today.

A discussion about the FIDO device onboarding spec is IMHO distinct from the EAT topic.

Ciao
Hannes

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Sunday, November 29, 2020 9:18 PM
To: Giri Mandyam <mandyam@qti.qualcomm.com>; rats@ietf.org
Subject: [Rats] challenges of building dependant specifications against Internet-Drafts -- a way forward for EAT


Hi, sorry that I missed the RATS IETF109 meeting: I was engaged as co-chair
of ASDF at the same time.   I watched the video.

I think that the many EAT concerns are now at the point where more conversation probably will make it worse rather than better.
It's time to move on with the EAT framework: many of the issues discussed will become much clearer when it is used.
That's why we have "PS" vs "Internet Standard".

I found Giri's presentation interesting: I scanned through the FIDO IoT Onboarding document, and I have no idea why FIDO needs to re-invent
(Constrained) BRSKI.   But, I'm excited about it!

The more the manufacturers understand the need for device identities, and for a "home base" (A Registrar), the better our whole industry will be.
When MS tried to do this with the XBOX-1 a decade ago, people cried foul, but maybe they weren't ready for this in the home yet.  We certainly need it to be standards based, and free of stupid IPR stuff.  What will CHIP do, I wonder.

The single reference to RFC8366 did not explain why that document did not adopt a semantically compatible voucher format.

draft-ietf-anima-constrained-voucher explains how to serialize the YANG to CBOR using draft-ietf-core-yang-cbor and draft-ietf-core-sid.
This is then signed with COSE.
{Or CMS, but that option is going away}

The result is almost *syntactically* identical to an EAT (a map of stuff signed by COSE)!
But the semantics are a fair bit different.
Vouchers contain many things which I would not call claims, but embody essentially a single claim concerning ownership.

draft-ietf-core-sid establishes a registry for SID values, which as essentially map keys for CBOR.  It has been difficult to get the document to advance, and until it did, we couldn't figure out how we'd be able to do the IANA allocation process: hard to get an early allocation against a registry which does not yet exist.

What we did, and what Giri could ask the EAT authors and WG to do is to allocate some claims in the initial IANA Considerations section.
That is, until such time as the document progresses through the IESG, the WG and the document authors essentially act as IANA.

Here is what it looks like from draft-ietf-core-sid:

section 7.5.3 (of sid-14):

   Initial entries in this registry are as follows:

   +-------+------+---------------------------+------------------------+
   | Entry | Size | Module name               | Document reference     |
   | Point |      |                           |                        |
   +-------+------+---------------------------+------------------------+
   |  1000 |  100 | ietf-coreconf             | [I-D.ietf-core-comi]   |
   |  1100 |   50 | ietf-yang-types           | [RFC6991]              |
   |  1150 |   50 | ietf-inet-types           | [RFC6991]              |
   |  1200 |   50 | iana-crypt-hash           | [RFC7317]              |
   |  1250 |   50 | ietf-netconf-acm          | [RFC8341]              |
   |  1300 |   50 | ietf-sid-file             | RFCXXXX                |
   |  1500 |  100 | ietf-interfaces           | [RFC8343]              |
   |  1600 |  100 | ietf-ip                   | [RFC8344]              |
   |  1700 |  100 | ietf-system               | [RFC7317]              |
   |  1800 |  400 | iana-if-type              | [RFC7224]              |
   |  2400 |   50 | ietf-voucher              | [RFC8366]              |
   |  2450 |   50 | ietf-constrained-voucher  | [I-D.ietf-anima-constr |
   |       |      |                           | ained-voucher]         |
   |  2500 |   50 | ietf-constrained-voucher- | [I-D.ietf-anima-constr |
   |       |      | request                   | ained-voucher]         |
   +-------+------+---------------------------+------------------------+




--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide




IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email