Re: [Rats] Entity vs. role
Thomas Fossati <tho.ietf@gmail.com> Tue, 22 March 2022 20:12 UTC
From: Thomas Fossati <tho.ietf@gmail.com>
Date: Tue, 22 Mar 2022 20:12:00 +0000
Message-ID: <CAObGJnOv8ePE=R6vvdg5uib3Y9=WS8A5vcOdpWY0sREXA98aPQ@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: "Smith, Ned" <ned.smith@intel.com>, "rats@ietf.org" <rats@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/zDULTqPAkuxGj79gth4RyPTnq9Q>
On Tue, Mar 22, 2022 at 6:42 PM Laurence Lundblade
<lgl@island-resort.com> wrote:
>
> Agree entirely with what’s below, but it doesn’t quite address what I am on about.
>
> RATS architecture clearly separates two policies:
> 1) Appraisal Policy for Evidence
> 2) Appraisal Policy for Results
>
> The first one is used only by the Verifier role and never by the Relying Party role. It can only be used to process Attestation Evidence, never to process Attestation Results. In a chain of Verifiers all the intermediate results are Attestation Evidence, never Attestation Results.
>
> When all the Verifiers are done, then you have Attestation Results.
>
> Similarly, the Appraisal Policy for Results is used only by the Relying Party role, never by the Verifier role. It can never be applied to Attestation Evidence.
>
> Since we are talking roles not entities, here, the Relying Party can *never* by definition receive Attestation Evidence. Again, since we’re talking *roles* not entities, a Relying Party can *never* host a Verifier.
>
> Said another way, the definition of the Verifier and Relying Party roles gives a hard one-way transition from Evidence to Results.
>
>
> I think the Verifier and the Appraisal Policy for Evidence is all about the device/implementation/attester.
> - Who made the device?
> - Is it configured correctly?
> - Is it in the right state?
> - Does it have the right SW?
> - What certifications does it have?
>
> This is represented in the Attestation Results, perhaps in summary or in detail.
>
> Then the RP and the Appraisal Policy for Results is about the application-specific stuff:
> - Is this device OK for this dollar amount (the RP knows the $ amount, not the Verifier)
> - Can this content be played on this device — the RP knows which device and what characteristics it requires for the content
> - Is the sensor data accurate — the RP knows which sensors it can trust
I think that the terminology choice made by the architecture is quite
precise: "AP for attestation results."
The appraisal logic you are describing above covers more ground than
just attestation results. The way I picture the "complete"
appraisal process done by the RP looks more or less like:
         AP for AR
             |
      .------v-------.    .--------------------------------.
AR -> | AR appraisal | -> | Application-specific appraisal | -> [0..1]
:     '--------------'    '--^--------^---------^----------'
:                            :        |         |
'- - - - - - - - - - - - - - '      other  application-
                                    input   specific
                                             policy
But otherwise, at least at a high level, I agree with the functional
split between evidence and ARs you are describing above.
There are grey areas though: for example, the RP may need to access
the software inventory in the evidence to decide whether the SW on the
attester needs updating. And that is where your
> [...] as long as we’re open and flexible about what is in Attestation Results
(e.g., via passthrough) comes into the picture.
--
Thomas
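To make the role split discussed in this thread concrete, here is an added Python sketch (not from this thread or from any RATS implementation) of the two-stage pipeline: a Verifier that applies the Appraisal Policy for Evidence and emits Attestation Results carrying a passthrough claim, and a Relying Party that applies the Appraisal Policy for Results and then its own application-specific check with inputs only the RP knows. All claim names, policy fields and the trust-level scoring are constructed assumptions for illustration.

```python
# Constructed sample Evidence (illustrative field names, not a real EAT/CoRIM encoding).
EVIDENCE = {
    "vendor": "ExampleCo",
    "sw_inventory": {"bootloader": "1.2.0", "os": "5.10.3"},
    "secure_boot": True,
    "debug_enabled": False,
}

# Appraisal Policy for Evidence: used only by the Verifier role.
AP_FOR_EVIDENCE = {
    "trusted_vendors": {"ExampleCo"},
    "min_sw": {"bootloader": "1.2.0", "os": "5.10.0"},
    "passthrough": ["sw_inventory"],  # claims copied verbatim into the AR
}

# Appraisal Policy for Results: used only by the Relying Party role.
AP_FOR_RESULTS = {"min_trust_level": 2}

def version_ok(have: str, want: str) -> bool:
    """Compare dotted version strings numerically, not lexically."""
    return tuple(map(int, have.split("."))) >= tuple(map(int, want.split(".")))

def verifier(evidence: dict, policy: dict) -> dict:
    """Verifier role: Evidence + AP for Evidence -> Attestation Results (device facts only)."""
    level = 0
    if evidence["vendor"] in policy["trusted_vendors"]:
        level += 1
    if evidence["secure_boot"] and not evidence["debug_enabled"]:
        level += 1
    if all(version_ok(evidence["sw_inventory"].get(k, "0"), v)
           for k, v in policy["min_sw"].items()):
        level += 1
    ar = {"trust_level": level}
    for claim in policy["passthrough"]:  # the "grey area": raw claims in the AR
        ar[claim] = evidence[claim]
    return ar

def relying_party(ar: dict, policy: dict, app_input: dict) -> int:
    """RP role: AR appraisal, then application-specific appraisal with
    inputs only the RP knows; Evidence and AP for Evidence never reach it."""
    if ar["trust_level"] < policy["min_trust_level"]:
        return 0
    # High-value transactions need top trust and a recent enough OS (via passthrough).
    if app_input["amount_usd"] > 1000:
        if ar["trust_level"] < 3:
            return 0
        if not version_ok(ar["sw_inventory"]["os"], app_input["os_required"]):
            return 0
    return 1
```

The dollar amount and required OS version live only in the RP's input, so the Verifier cannot make that decision, while the RP only sees the software inventory because the Verifier's policy chose to pass it through.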