Re: [Rats] Which Asymmetric algorithms for Charra?

"Eric Voit (evoit)" <evoit@cisco.com> Wed, 12 August 2020 00:17 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Wed, 12 Aug 2020 00:17:35 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/yQmUKtAcNWflBWANPiVIO_NFIGE>

Hi Michael,

> From: Michael Richardson, August 11, 2020 7:27 PM
> 
> Eric Voit \(evoit\) <evoit=40cisco.com@dmarc.ietf.org> wrote:
>     > During the charra presentation at IETF 108, we said we were going to ask the
>     > following question to the list: "Should the algorithm set defined in YANG be
>     > reduced to just those asymmetric algorithms currently exposed in the current
>     > TPM 1.2 and 2 specifications?"
> 
> You are asking about *asymmetric* algorithms.
> I'd like to see EdDSA in the list, and I suspect that they aren't in the TPM spec.

The intent of charra is to be TPM specific.  So for charra it seems to make
sense to include only asymmetric algorithms which can be served from
TPM chips.  I.e., non-TCG algorithms don't seem standardizable for this
role.

The good news is that the proposed model has been structured to allow the
addition of new algorithms by TCG or other non-standard entities who wish to
take on new algorithms.  This can be done by simply defining a new algorithm
which imports and extends the YANG identity set currently defined.
 
>     > This is reflected in
>     > https://www.ietf.org/proceedings/108/slides/slides-108-rats-sessb-charra-update-00, Slide 7.
> 
> And that slide shows them missing.
> 
>     > The proposal I would like to make is as follows:
> 
>     > *	The TCG tracked algorithms supportable by a TPM should be the only
>     > ones included in a charra maintained list of YANG identities.
> 
> You also write:
>    2. Identities instead of strings for TCG and IETF crypto algorithm types.
>       Strings allow lots of errors to be introduced. (Question #1)
> 
> the other side if you don't use strings is you use an enum, which is not an IANA
> registry.  So you need an integer with an IANA registry.

I initially had used ENUMs.  But ENUMs in YANG are hard to extend with new
values; this is why I moved to YANG identities.  Other than that,
identities should effectively give the same result, as YANG models are
registered with IANA.
 
>     > *	The YANG model will indicate what TCG algorithms are deprecated by
>     > the IETF.  However identities for these deprecated algorithms from the TCG
>     > table will be assigned.  (e.g., SHA-1)
> 
> Good.
> 
>     > Are there any objections/questions/comments on this proposal?    I have a
>     > strawman YANG file posted at:
> 
>     > https://github.com/ietf-rats-wg/basic-yang-module/compare/master...ericvoit:patch-4
> 
> I think you need to determine if this is a *TCG TPM* yang module, or if it is
> intended to accommodate other technologies.  They might be essentially
> proprietary, but for this interface, makes them interoperate.

Exactly.  During IETF 108, the file integrated TCG and IETF values.  Since
TPMs can't really handle IETF values, I rescoped and renamed to be only TCG
algs (i.e., "ietf-tcg-algs.yang") in this proposal.

Eric

 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
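
The extension mechanism discussed in this message, as an added illustration that is not part of the original e-mail or of the strawman YANG file. It assumes `ietf-tcg-algs` exposes a base identity named `asymmetric` under prefix `taa`; the module name `example-vendor-algs`, its namespace, and the identity and leaf names are hypothetical.

```yang
module example-vendor-algs {
  yang-version 1.1;
  namespace "urn:example:vendor-algs";   // hypothetical namespace
  prefix exv;

  // The TCG-only algorithm module named in the message above.
  import ietf-tcg-algs {
    prefix taa;                          // assumed prefix
  }

  organization
    "Example vendor (hypothetical)";
  description
    "Constructed example: a non-TCG party adds an asymmetric
     algorithm without changing or re-publishing ietf-tcg-algs.";

  revision 2020-08-12 {
    description
      "Constructed example revision.";
  }

  // With an enumeration, adding this value would need a new
  // revision of the defining module. With identities, a separate
  // module derives from the imported base identity instead.
  identity eddsa-ed25519 {
    base taa:asymmetric;                 // assumed base identity name
    description
      "EdDSA over Ed25519, defined outside the TCG-tracked set.";
  }

  // A consumer that types its leaf as an identityref to the base
  // accepts both the TCG identities and any derived identity from
  // modules the server implements, such as exv:eddsa-ed25519.
  container attestation-key {
    description
      "Hypothetical consumer of the algorithm identities.";
    leaf signature-algorithm {
      type identityref {
        base taa:asymmetric;
      }
      description
        "Asymmetric algorithm used to sign attestation evidence.";
    }
  }
}
```

A verifier that only trusts TPM-served algorithms can still reject `exv:eddsa-ed25519` by checking the identity's defining module, since the identityref carries the module-qualified name.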