[Rats] Trust Anchors and CA Certificates

hannes.tschofenig@gmx.net Thu, 14 December 2023 13:12 UTC

From: hannes.tschofenig@gmx.net
To: rats@ietf.org
Date: Thu, 14 Dec 2023 14:12:08 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/z57W4NerOTBvYJdOcF47hImxDJU>

Hi all,

Trust Anchors are defined as

   "A trust anchor represents an authoritative entity
   via a public key and associated data.  The public key is used to
   verify digital signatures, and the associated data is used to
   constrain the types of information for which the trust anchor is
   authoritative."

(from https://datatracker.ietf.org/doc/draft-ietf-rats-concise-ta-stores/, which again references RFC 6024.)

“The Trust Anchor may be a certificate, a raw public key, or other structure, as appropriate.  It can be a non-root certificate when it is a certificate.”, as the TEEP architecture notes.

This definition is intentionally quite broad and https://datatracker.ietf.org/doc/draft-ietf-rats-concise-ta-stores/ also talks about CA Certificates to implicitly refer to X.509-based certificates.

While correct, I wonder whether it would be more useful to just refer to trust anchors all the time or to note in the introduction why it is necessary to explicitly call out these types of trust anchors.

Ciao

Hannes
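The TEEP remark quoted above, that a trust anchor "can be a non-root certificate when it is a certificate", is easy to see in a verifier's path-building code. The following is an added illustration, not code from the mail, from the TA-stores draft or from any TEEP implementation: it builds a throwaway root -> intermediate -> leaf chain with Go's crypto/x509 (constructed keys and names, generated at run time) and shows that whichever certificate is loaded as the anchor is what the leaf must chain to, whether or not that certificate is self-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for key signed by parent/parentKey; a nil parent yields a self-signed certificate.
func mkCert(cn string, ca bool, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: a conventional root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	cert, _ := x509.ParseCertificate(der) // errors ignored: inputs are fixed toy values
	return cert
}

// BuildChain constructs a throwaway root -> intermediate -> leaf chain (constructed test data, not a real PKI).
func BuildChain() (root, inter, leaf *x509.Certificate) {
	_, rk, _ := ed25519.GenerateKey(rand.Reader)
	_, ik, _ := ed25519.GenerateKey(rand.Reader)
	_, lk, _ := ed25519.GenerateKey(rand.Reader)
	root = mkCert("toy root CA", true, rk, nil, nil)
	inter = mkCert("toy intermediate CA", true, ik, root, rk)
	leaf = mkCert("toy attester", false, lk, inter, ik)
	return root, inter, leaf
}

// ChainsTo reports whether leaf chains to anchor. The anchor goes into the Roots pool whether or not it is
// self-signed, so a non-root CA certificate can be the trust anchor; extra certs only help path building.
func ChainsTo(leaf, anchor *x509.Certificate, extra ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range extra {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

With the intermediate alone as the anchor the leaf verifies, while the same leaf fails against an unrelated root or against its own root when no path to it can be built; the anchor's role is defined by where it is stored, not by whether it is self-signed.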