[Rats] Re: Freshness with Nonces

Henk Birkholz <henk.birkholz@ietf.contact> Mon, 24 June 2024 17:04 UTC

Return-Path: <henk.birkholz@ietf.contact>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B680C151094; Mon, 24 Jun 2024 10:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.46
X-Spam-Level:
X-Spam-Status: No, score=-2.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.355, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ietf.contact
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDVTjGwaURkv; Mon, 24 Jun 2024 10:04:18 -0700 (PDT)
Received: from smtp03-ext2.udag.de (smtp03-ext2.udag.de [62.146.106.30]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BD36C15106A; Mon, 24 Jun 2024 10:04:18 -0700 (PDT)
Received: from [192.168.16.50] (p4fce9787.dip0.t-ipconnect.de [79.206.151.135]) by smtp03-ext2.udag.de (Postfix) with ESMTPA id DBB35E0578; Mon, 24 Jun 2024 19:04:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ietf.contact; s=uddkim-202310; t=1719248656; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ifW+ojfrAh9EYn0d6X+t5KNTCvOINMg/PzNMb8OIv9c=; b=MaXb8R37FfOTKbcM7tr/1wLBF/MwlgaTo9Yq4N5nbCfGlezYW1RKQUjTAY2br7dWLK+Y15 sVBJtNjgs++onuOEF/Kjkt9+XIVz6cY+qjrY5TCiwRLNSWnLoSyq3mqJJ4nS/zbKhZZAxw oqHSXNSu/4sNsT8wlEEGGkg/HNLXBD6Dy5oK+k5A1DinX9lQQ+qinxddtNud9hzM0niOZg zyWg5O1QZ437pcRKvA8mHbrqsRKaJInZ0JbuvDmRF9G2oLabhIZ0PZxSSwtTBnyVCMI/li JMrUJ4sPAOYM0Abz+HrSdWtQLyIQowJwB8tYGeP39nfn0CIm1CDdKiE74oGL1w==
Message-ID: <fb269c87-c360-827b-f108-a5f952f6f107@ietf.contact>
Date: Mon, 24 Jun 2024 19:04:15 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: Carl Wallace <carl@redhoundsoftware.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <3D0F8C7D-D1C6-4014-B69B-714771152A7E@redhoundsoftware.com> <trinity-e9d548b8-7cfa-4b36-a9d3-a304d09cba32-1719211973692@3c-app-gmx-bs24> <D13A6B1A-37B5-413B-9D8A-9368F24B7827@redhoundsoftware.com>
From: Henk Birkholz <henk.birkholz@ietf.contact>
In-Reply-To: <D13A6B1A-37B5-413B-9D8A-9368F24B7827@redhoundsoftware.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: smtp03-ext2.udag.de; auth=pass smtp.auth=henk.birkholz@ietf.contact smtp.mailfrom=henk.birkholz@ietf.contact
Message-ID-Hash: DFZEL3SB63XAKOHII4RE2Z7RS36YAR2G
X-Message-ID-Hash: DFZEL3SB63XAKOHII4RE2Z7RS36YAR2G
X-MailFrom: henk.birkholz@ietf.contact
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: Freshness with Nonces
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/yWkudEZMhhO4I-xHVOsqcb36Opg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

I still am puzzled why everybody is fixating on nonce use.

Let's assume that makes sense. Then I think Hannes is correct, to cover 
every usage scenario for the csr-attestion spec - especially in cases 
where the nonce is not generated by one of the interacting RATS roles - 
an additional nonce provider role is required as well as three 
protocol-(flavor)s that cover the interaction models illustrated 
draft-ietf-rats-reference-interaction-models.

As soon as the epoch marker I-D is adopted (I am not sure what the 
blocker is there, tbh), it will be relatively simple to specify a 
coap/cbor based protocol suite for the three interaction models or, for 
example, to augment draft-demarco-nonce-endpoint to make it an epoch 
marker endpoint, too.

If you really think a nonce is the hammer for all your nails.

Viele Grüße,

Henk

On 24.06.24 17:44, Carl Wallace wrote:
> Inline…
> 
> *From: *Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
> *Date: *Monday, June 24, 2024 at 2:52 AM
> *To: *Carl Wallace <carl@redhoundsoftware.com>
> *Cc: *"Tschofenig, Hannes" 
> <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" 
> <spasm@ietf.org>, rats <rats@ietf.org>
> *Subject: *Aw: [Rats] Re: Freshness with Nonces
> 
> Hi Carl,
> 
> what you are saying is that you have some proprietary protocol that 
> allows the attester to obtain the nonce. I am arguring that we need to 
> standardize the details for the integration of the CSR attestation into 
> CMP, EST & co if we care about interoperability.
> 
> [CW] This is not at all what I am saying. You wrote below that ‘we must 
> request the nonce’. I noted that in some contexts the nonce is provided 
> to the attester and gave a concrete example instead of an abstract one. 
> Of course, someone must still request and/or generate the nonce in my 
> example (though how that occurs is not particularly relevant to the 
> attester). In your case, what protocol or mechanism is used when ‘we 
> must request the nonce’? I would tend to view nonce distribution 
> mechanisms are being outside the scope for the CSR attestation 
> extension/attribute draft but if you are saying this draft is going to 
> address nonce handling in each protocol but has not done so yet, then OK.
> 
> Ciao
> Hannes
> 
> *Gesendet:* Mittwoch, 19. Juni 2024 um 11:57 Uhr
> *Von:* "Carl Wallace" <carl@redhoundsoftware.com>
> *An:* "Tschofenig, Hannes" 
> <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" 
> <spasm@ietf.org>, "rats" <rats@ietf.org>
> *Betreff:* [Rats] Re: Freshness with Nonces
> 
> Inline…
> 
> *From: *"Tschofenig, Hannes" 
> <hannes.tschofenig=40siemens.com@dmarc.ietf.org>
> *Date: *Monday, June 17, 2024 at 8:33 AM
> *To: *"spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
> *Subject: *[Rats] Freshness with Nonces
> 
> Hi all,
> 
> In the RATS architecture the Evidence is processed by the Verifier. For 
> a given Verifier to check for replays timestamps, nonces, and epochs 
> have been introduced. I only talk about nonces here.
> 
> The nature of nonces is that they are randomly selected by the party 
> that checks against replays, the verifier in our case. Section 10.2 of 
> RFC 9334 talks about nonce-based freshness.
> 
> No problem so far. However, when we integrate CSR attestation (which 
> carries the evidence) into a certificate management protocol like EST or 
> CMP we must request the nonce in advance before the attester is able to 
> include the nonce in the signed evidence.
> 
> [CW] I don’t think this “we must request the nonce” is correct, at least 
> where “we” includes the attester. In some cases, the attester is acting 
> upon instructions provided to it. Those instructions may include a 
> nonce. An example of this arrangement is a SCEP payload in the iOS OTA 
> protocol. How the MDM (or whatever prepared the instructions) obtained 
> the nonce is irrelevant to the attester and, in my experience, need not 
> be signaled in the subsequent request.
> 
> This raises questions about how the relying party (in the background 
> check model) obtains that nonce without conveying any extra information 
> from the attester to the relying party about which verifier to select.
> 
> What information should be used by the attester and subsequently by the 
> relying party to determine the verifier before transmitting the evidence?
> 
> [CW] Your question raises questions about how the attester knows where 
> to obtain that nonce without having been provided any extra information.
> 
> Ideally, the RATS architecture should have provided an answer to this 
> question but unfortunately it does not.
> 
> [CW] I think this discussion is hinting at a desire for some attestation 
> verification protocol. It may be that sticking an extensible field where 
> the hint is now is the thing to do, to facilitate the relatively 
> abstract current hint mechanism or a future, more concrete, link to a 
> verification service.
> 
> Ciao
> Hannes
> 
> PS: We (Hendrik and I) thought that the hint introduced in the CSR 
> attestation would have been a good candidate for this determination. In 
> our mental model the hint would be something like an FQDN because in the 
> passport model of the RATS architecture the attester also needs to have 
> the FQDN (or even a URL) of the verifier to get the communication working.
> 
> _______________________________________________ RATS mailing list -- 
> rats@ietf.org To unsubscribe send an email to rats-leave@ietf.org
> 
> _______________________________________________ RATS mailing list -- 
> rats@ietf.org To unsubscribe send an email to rats-leave@ietf.org
> 
> 
> _______________________________________________
> RATS mailing list -- rats@ietf.org
> To unsubscribe send an email to rats-leave@ietf.org