IETF Logo Mail Archive

Re: [Rats] [EAT] Rats and EAT

"Diego R. Lopez" <diego.r.lopez@telefonica.com> Wed, 11 July 2018 18:34 UTC

Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F850130F99; Wed, 11 Jul 2018 11:34:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telefonicacorp.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P7FXiCC74JUL; Wed, 11 Jul 2018 11:34:31 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10103.outbound.protection.outlook.com [40.107.1.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19513130F8A; Wed, 11 Jul 2018 11:34:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telefonicacorp.onmicrosoft.com; s=selector1-telefonica-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xQPsHAd0HeTq69D1tLFRfH4Y8FSNO83vPalTpxd/GKs=; b=JtFlLzBvXxR3PUeIExL2jkGmE71UW8Bu7n0Rzu1XKF2cXwK6yP9EPIFAPjIojPtC1+7z0xyMSPEiSvvGB1UOeMR5Rcg/JIJ8mv9SqxjMrgsmlstpVfoade47ZEADkqOfhgFHyCfobxJO6YQNvl1zTcxMVG9ssRrStlYTWJZLhqs=
Received: from DB3PR0602MB3788.eurprd06.prod.outlook.com (52.134.70.148) by DB3PR0602MB3817.eurprd06.prod.outlook.com (52.134.70.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.17; Wed, 11 Jul 2018 18:34:26 +0000
Received: from DB3PR0602MB3788.eurprd06.prod.outlook.com ([fe80::e8a7:c15c:d575:4c71]) by DB3PR0602MB3788.eurprd06.prod.outlook.com ([fe80::e8a7:c15c:d575:4c71%4]) with mapi id 15.20.0930.016; Wed, 11 Jul 2018 18:34:25 +0000
From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: Laurence Lundblade <lgl@island-resort.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>, "eat@ietf.org" <eat@ietf.org>, Diego Lopez <dr2lopez=40icloud.com@dmarc.ietf.org>
Thread-Topic: [EAT] [Rats] Rats and EAT
Thread-Index: AQHUGKHhBbE88/3o1Eaf0BX/NJaF5KSJezaAgAC/yoCAAFGagA==
Date: Wed, 11 Jul 2018 18:34:25 +0000
Message-ID: <3E71B48D-FC68-422F-82CC-DF7944E7EADB@telefonica.com>
References: <eb1d952b-1e73-4c41-bf12-82299b44ff3d@me.com> <0FE06C34-D430-451C-834B-0A39082160BA@island-resort.com> <VI1PR0801MB21125196C5AE9B9081422752FA5A0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <36049360-1D1C-444A-8359-616D0ED2B989@island-resort.com>
In-Reply-To: <36049360-1D1C-444A-8359-616D0ED2B989@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.f.0.180701
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com;
x-originating-ip: [87.235.190.32]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DB3PR0602MB3817; 7:j3gNypideo4F8JCTRZl3HUljRMo3SDTsCkQYEy/RpXKJzZwhPiEX7D2c+01ULFwQwg6PaQ5wtkeYAXgrXDCifbtKyHTLd7NnX6IN4Ib6wSNz01HBAh1COFyKOp8gEJHNBU+iJagbYrq7E6dhpC2xuBkNgIwRvIQywvwFWBgfHm0orEdUpUM2njTMbx3aoPcYjxIgw96Qvi66S+1B0afMcJ2Hw9+iYw8qN++sz6dZx0VKxnv+BCg3IBrNjHwlpV42
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 1a571625-0393-4934-89e8-08d5e75cedd1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:(40392960112811)(223705240517415); BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(48565401081)(2017052603328)(7153060)(7193020); SRVR:DB3PR0602MB3817;
x-ms-traffictypediagnostic: DB3PR0602MB3817:
x-microsoft-antispam-prvs: <DB3PR0602MB381797003A52E474CE341691DF5A0@DB3PR0602MB3817.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(40392960112811)(180628864354917)(84792000423722)(120809045254105)(192374486261705)(223705240517415)(3650984025655)(128460861657000)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3231311)(944501410)(52105095)(3002001)(6055026)(149027)(150027)(6041310)(20161123558120)(20161123564045)(20161123562045)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:DB3PR0602MB3817; BCL:0; PCL:0; RULEID:; SRVR:DB3PR0602MB3817;
x-forefront-prvs: 0730093765
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(376002)(39860400002)(366004)(136003)(252514010)(52314003)(199004)(189003)(40434004)(15404003)(40134004)(25724002)(69234005)(476003)(54906003)(110136005)(25786009)(33656002)(7736002)(236005)(6306002)(54896002)(6512007)(105586002)(93886005)(2906002)(53546011)(446003)(786003)(6506007)(2900100001)(5250100002)(102836004)(11346002)(97736004)(76176011)(58126008)(316002)(2616005)(606006)(5024004)(256004)(6246003)(966005)(3846002)(68736007)(229853002)(39060400002)(5660300001)(478600001)(66066001)(45080400002)(14444005)(99286004)(82746002)(81156014)(6116002)(106356001)(81166006)(53946003)(86362001)(4326008)(6436002)(8676002)(36756003)(6486002)(8936002)(53936002)(486006)(14454004)(83716003)(186003)(26005); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR0602MB3817; H:DB3PR0602MB3788.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: FC2NNOr+Fa5+VqROlinYsnw1L/cxZEOfaMQZl5zWiHIkRQo+5gOtsiKbr715+j2O1uv3PqAyQIGXZ0jHngV5LQ6TknvGBGRw0wZ8QQvvxX7TtORgxi4b1tUkHDjqTADMx7BZQo9cUDyaJiG4CveMILXYEcfo4clLukVxV277mnW5wC9dTtwiZ0AFyAbDYzDmRy8AufNLEptGHDqLbGvjS+9MyvQcOmSeKQ6k/oyYCZm51n+lzskvdNFW73miPcB8M0JW0S/KWrn1An98qqysu5rnoeKLEJle4120g/EUR0ul1V4fclq6a9zJ2wdaxpIF72r24uSpL3zuNDHS3SWkEiW7OuS+bJzUv0irCRdggvE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_3E71B48DFC68422F82CCDF7944E7EADBtelefonicacom_"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1a571625-0393-4934-89e8-08d5e75cedd1
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2018 18:34:25.4292 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR0602MB3817
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/y-yRy1ki4-cy3VV4DEVQ6iOw2oY>
Subject: Re: [Rats] [EAT] Rats and EAT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 18:34:43 -0000

I’d say this is an accurate analysis.

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
https://www.linkedin.com/in/dr2lopez/

e-mail: diego.r.lopez@telefonica.com<mailto:diego.r.lopez@telefonica.com>
Tel:         +34 913 129 041
Mobile:  +34 682 051 091
----------------------------------

On 11/07/2018, 18:42, "EAT on behalf of Laurence Lundblade" <eat-bounces@ietf.org<mailto:eat-bounces@ietf.org> on behalf of lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:

Would it be correct to say that NEA was mostly about enterprises (businesses, colleges…) that manage the endpoint devices and SW on those devices on their network?  It is entirely impractical for ISPs and wireless operators to manage SW on endpoint devices, so it seems it would have to be only enterprises.

LL



On Jul 10, 2018, at 10:15 PM, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:

Here is what I believe we should / could learn from NEA.

NEA (via the TCG) came up with the idea that devices would communicate their posture to the network when performing network access authentication. Posture refers to the hardware or software configuration of an endpoint as it pertains to an organization's security policy.

I believe NEA was unsuccessful to accomplish its goal because it was too difficult for enterprise network operators to keep track of software installed on devices and to make a reasonable policy decision.

As such, I think it would be better to communicate information about the device with less granularity.

Ciao
Hannes

From: Laurence Lundblade [mailto:lgl@island-resort.com]
Sent: 11 July 2018 08:01
To: Diego Lopez
Cc: Hannes Tschofenig; Yaron Sheffer; eat@ietf.org<mailto:eat@ietf.org>; rats@ietf.org<mailto:rats@ietf.org>
Subject: Re: [EAT] [Rats] Rats and EAT

Here’s a little compare-contrast between EAT and NEA. Please correct and forgive incorrect characterizations I might have made about NEA.

EAT uses CBOR and wants to accommodate translation to JSON and compatibility with web infrastructure, NEA used TLV.

EAT signs and possibly encrypts the claims with COSE so they form a self-secured token that can be transported by any other protocol. NEA defines a back-and-forth protocol and is more of an end-end solution.

EAT orients around key material provisioned to the entity by the manufacturer that is to be used for signing the token. This signing of a nonce by an entity serves to prove the device is not a fake.

EAT wishes to accommodate different signing schemes including privacy-preserving schemes like ECDAA. NEA seems to assume some secured transport (e.g., TLS) will be available.

NEA is oriented around network management, trying to track the security posture of devices in an enterprise's network. EAT is broadly targeted at establishing trust between entities, often consumer devices (phones, refrigerators, cars...) and servers/services (online banking, IoT services, enterprise authentication…).

LL






On Jul 8, 2018, at 12:46 PM, Diego Lopez <dr2lopez=40icloud.com@dmarc.ietf.org<mailto:dr2lopez=40icloud.com@dmarc.ietf.org>> wrote:

Hi Hannes,

I was not deeply involved in the work, but NEA seemed to be focused on a particular use case (that of user devices attaching to a network) and not to the more general problem of mutual attestation in more P2P relationships, that I think are the most relevant right now. And it seems to me that at the moment NEA produced its work, user devices were not that much able of performing the procedures defined by the WG...

Anyway, I think there are several of these procedures that are applicable to P2P environments, once adequately adapted.

Be goode,

--
Eih bennek eih blavek!

Dr Diego R. Lopez
dr2lopez@icloud.com<mailto:dr2lopez@icloud.com>
https://es.linkedin.com/in/dr2lopez

On Jul 08, 2018, at 06:54 PM, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Hi Diego,

what do you think are the lessons we can learn from NEA?
It clearly wasn’t as successful as hoped. I am sure there are reasons for that.

Ciao
Hannes


From: Diego Lopez [mailto:dr2lopez@icloud.com]
Sent: 09 July 2018 01:45
To: Hannes Tschofenig
Cc: Yaron Sheffer; Laurence Lundblade; rats@ietf.org<mailto:rats@ietf.org>; eat@ietf.org<mailto:eat@ietf.org>
Subject: Re: [EAT] [Rats] Rats and EAT

And the use of NEA results is mentioned at least in one of the drafts on remote attestation referred in a previous message. Using NEA’s findings is certainly in our aim.

Be goode,
--
Likely to be brief and not very
elaborate as sent from my mobile
Diego R. Lopez

On 8 Jul 2018, at 15:39, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Hi Yaron,

Eliot mentioned NEA on the mailing list. It would be interesting to hear what lessons can be learned from NEA.

Ciao
Hannes

From: EAT [mailto:eat-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: 08 July 2018 06:51
To: Laurence Lundblade; rats@ietf.org<mailto:rats@ietf.org>; eat@ietf.org<mailto:eat@ietf.org>
Subject: Re: [EAT] [Rats] Rats and EAT

I'm a bit surprised that nobody's mentioning the work done by the IETF NEA working group<https://datatracker.ietf.org/wg/nea/about/>. Yes, it's been some time ago, but the people involved were (to the best of my knowledge) involved with the TCG community.
NEA was about desktop machines and NAC rather than mobile devices, but hey, by now we should be looking for solutions that encompass both technologies!
See this diagram<https://wiki.strongswan.org/projects/1/wiki/trustednetworkconnect> on how the complex NEA/TNC architecture fits together, including the TPM.
Thanks,
    Yaron

On 06/07/18 22:20, Laurence Lundblade wrote:
Hey EAT and Rats folks, just became aware of IETF attestation work running in parallel. Seems like EAT is focused more on an independent signed, self-secured data structure with a lot of clams. Rats, seems more TPM and full protocol centric, but I’m still reading.

Here’s a list of attestation work that Diego and Henk made:
https://datatracker.ietf.org/doc/draft-pastor-i2nsf-nsf-remote-attestation/
https://datatracker.ietf.org/doc/draft-birkholz-i2nsf-tuda/
https://datatracker.ietf.org/doc/draft-mandyam-eat/
https://datatracker.ietf.org/doc/draft-mandyam-tokbind-attest/
https://datatracker.ietf.org/doc/draft-birkholz-reference-ra-interaction-model/
https://datatracker.ietf.org/doc/draft-birkholz-yang-basic-remote-attestation/
https://datatracker.ietf.org/doc/draft-birkholz-attestation-terminology/

A couple of other interesting non-TPM “attestation" technologies:
- FIDO<https://www.w3.org/Submission/2015/SUBM-fido-key-attestation-20151120/> does attestation of FIDO authenticators
- Android KeyStore<https://developer.android..com/training/articles/security-key-attestation> uses the term to mean proving the provenance of a stored key
- IEEE 802.1AR is kind of an attestation too

FYI, the IETF attestation events I know of so far are:
 - I’ll present EAT at HotRFC Sunday around 18:00
 - Secdispatch discussion of EAT (and Rats?) Monday at 15:30 (At least I hope; no confirmation yet)
 - EAT BarBof Monday at 18:00
 - Rats BarBof Thursday after dinner

I will attend them all :-)

LL

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
EAT mailing list
EAT@ietf.org<mailto:EAT@ietf.org>
https://www.ietf.org/mailman/listinfo/eat
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you..
_______________________________________________
EAT mailing list
EAT@ietf.org<mailto:EAT@ietf.org>
https://www.ietf.org/mailman/listinfo/eat
_______________________________________________
EAT mailing list
EAT@ietf.org<mailto:EAT@ietf.org>
https://www.ietf.org/mailman/listinfo/eat

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

v2.23.0 | Report a Bug | By Email