Re: [Rats] UEID where an instance is a group member
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 25 March 2020 16:54 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D307C3A0A45 for <rats@ietfa.amsl.com>; Wed, 25 Mar 2020 09:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UamXPD2EbRE8 for <rats@ietfa.amsl.com>; Wed, 25 Mar 2020 09:54:42 -0700 (PDT)
Received: from mail-edgeKA24.fraunhofer.de (mail-edgeka24.fraunhofer.de [153.96.1.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 722863A0A03 for <rats@ietf.org>; Wed, 25 Mar 2020 09:54:39 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2ESFADvi3te/xoBYJlcAQkeAQscg3MFLGwDVS8qCoQPg0iLQ4FkLZlggRADTAgKAQEBAQEBAQEBBgEBGA0IAgQBAQKEQgKCKSQ4EwIQAQEGAQEBAQEFBAICaYVWDINTcAEBAQEBAQEBAQEBAQEBAQEBAQEBFgINNh43EgEeAQEBAQMBASEPAQU2AhkJAhEDAQIBAgIjAwICJx8BCAgGDQQCAgEBF4MLAYJ7AQQLki6bBHWBMoN9gU6DWYE4BoEOKowvD4FMP4ERJw+CMC4+gmQBAQKBLgEHAQoBTYJlgl4EjWCDE4YcmUYHgUl2ewSGYIoNhRYjgkwxh3uEKgWMN5ghkmQCBAIJAhWBaSNncU0kT4JsUBgNjikXgQQBAoUtgjCFQkcsAoEnjG4BgQ8BAQ
X-IPAS-Result: A2ESFADvi3te/xoBYJlcAQkeAQscg3MFLGwDVS8qCoQPg0iLQ4FkLZlggRADTAgKAQEBAQEBAQEBBgEBGA0IAgQBAQKEQgKCKSQ4EwIQAQEGAQEBAQEFBAICaYVWDINTcAEBAQEBAQEBAQEBAQEBAQEBAQEBFgINNh43EgEeAQEBAQMBASEPAQU2AhkJAhEDAQIBAgIjAwICJx8BCAgGDQQCAgEBF4MLAYJ7AQQLki6bBHWBMoN9gU6DWYE4BoEOKowvD4FMP4ERJw+CMC4+gmQBAQKBLgEHAQoBTYJlgl4EjWCDE4YcmUYHgUl2ewSGYIoNhRYjgkwxh3uEKgWMN5ghkmQCBAIJAhWBaSNncU0kT4JsUBgNjikXgQQBAoUtgjCFQkcsAoEnjG4BgQ8BAQ
X-IronPort-AV: E=Sophos;i="5.72,304,1580770800"; d="scan'208";a="20761248"
Received: from mail-mtaka26.fraunhofer.de ([153.96.1.26]) by mail-edgeKA24.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Mar 2020 17:54:37 +0100
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BXCACUi3te/1lIDI1cAQkcAQEBAQEHAQERAQQEAQGBe4F4BSxsA1QwKgqED48LgWQtmWCBEANUCgEDAQEBAQEGAQEYDQgCBAEBhEQCgigkOBMCEAEBBQEBAQIBBQRthVYMhWMBAQEBAwEBIQ8BBTYCGQkCEQMBAgECAiMDAgInHwEICAYNBgIBAReDCwGCfAQLki2bBHWBMoVLg1mBOAaBDiqMLw+BTD+BEScPgjAuPoJkAQECgS4BBwEKAU2CZYJeBI1ggxOGHJlGB4FJdnsEhmCKDYUWI4JMMYd7hCoFjDeYIZJkAgQCCQIVgWkiZ3FNJE+CbFAYDY4pF4EEAQKFLYIwhUJCMQKBJ4xuAYEPAQE
X-IronPort-AV: E=Sophos;i="5.72,304,1580770800"; d="scan'208";a="78654194"
Received: from mailext.sit.fraunhofer.de ([141.12.72.89]) by mail-mtaKA26.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Mar 2020 17:54:34 +0100
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 02PGsYke018094 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT) for <rats@ietf.org>; Wed, 25 Mar 2020 17:54:34 +0100
Received: from [192.168.178.14] (134.102.43.219) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Wed, 25 Mar 2020 17:54:29 +0100
To: rats@ietf.org
References: <C205FBA7-71A7-4987-AE82-DA855BF86B84@intel.com> <C3A707FF-4AF1-4E0A-BABB-8EE2F52A2D2B@island-resort.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <33f462bb-979e-80cc-9c27-af1e3b77d5e6@sit.fraunhofer.de>
Date: Wed, 25 Mar 2020 17:54:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <C3A707FF-4AF1-4E0A-BABB-8EE2F52A2D2B@island-resort.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.219]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/zJj038mIz7wQE4mUk-pR2eLBX0g>
Subject: Re: [Rats] UEID where an instance is a group member
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 16:54:45 -0000
Hi Laurence, potentially, I just realized, it could serve the purpose of matching the Authenticator Moodel of a FIDO Authenticator and therefore might help the peer that the Atttester is talking to understand the format it has to expect being incoming based on the additional input of a FIDO Metadata-Service (aka the Authentcator-Model that is called, IIRC?). Any structure of that kind would help a Verifier to better... "guess" (well.. it probably is the output of some kind of negotiation), whether it is, e.g. FIDO or RIV? Viele Grüße, Henk On 25.03.20 17:46, Laurence Lundblade wrote: > A GEID of similar structure to a UEID seems like a possibility, but > what exactly is purpose of such a GEID? What does the RP do with it? > What does the verifier do with it? > > An RP will use the UEID to track the unique, specific device. That is > its clearly stated purpose. > > In some designs, a verifier may use the UEID to identify the > verification key, but that is not the UEID’s purpose. It a useful > side-effect. > > If the purpose of a GEID is solely for the verifier to identify the > verification key, then I don’t think it is should be a GEID. It should > be key id. > > So for me this kind of hinges on what a GEID will mean for the RP. What > are the groupings it gives and how are they meaningful to an RP? > > LL > > > >> On Mar 25, 2020, at 9:29 AM, Smith, Ned <ned.smith@intel.com >> <mailto:ned.smith@intel.com>> wrote: >> >> Is a GEID structurally different from a EUID? I think currently a EUID >> is either a 128-bit or 256-bit bstr. I assume the semantics of >> uniqueness differ. >> *From:*RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on >> behalf of Simon Frost <Simon.Frost@arm.com <mailto:Simon.Frost@arm.com>> >> *Date:*Wednesday, March 25, 2020 at 8:47 AM >> *To:*Laurence Lundblade <lgl@island-resort.com >> <mailto:lgl@island-resort.com>>, "rats@ietf.org >> <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>> >> *Subject:*[Rats] UEID where an instance is a group member >> We had an internal discussion in response to some changes in PSA which >> have elaborated the definition of an Instance Attestation Key (IAK) so >> that it may either be “unique to each device or a collection of >> identical devices”. The definition of the Identity claim is now a >> value that identifies the IAK. This has been done to support entity >> grouping for (some) privacy scenarios. >> While we have an EAT Profile for PSA that uses a full set of custom >> claims, our intent has always been to be to migrate as many claims as >> possible to the standard once the RATS work is complete. Previously, >> there has been a direct analogy betweenarm_psa_UEIDand the standard >> UEID. With this change though, we would have to move away from this. >> The current description of UEID makes it clear that it must be device >> world unique. There is some discussion >> (https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html#name-ueid-privacy-considerations) >> of the group scenario, but the only statement about the claim >> situation is that “It will often be the case that tokens will not have >> a UEID for these reasons”. >> In the privacy scenario, it is still desirable to have an entity >> identity claim, for use by a verifier or for general usage. The >> options seem to be: >> a/ If the entity is unique, include an UEID claim, otherwise include a >> custom group claim. It seems a pity to encourage diversification >> between profiles. >> b/ If the entity is unique, include an UEID claim, otherwise use a new >> standard GEID claim >> c/ punt this problem out to the kid of the COSE wrapper. This would >> ignore any more general uses of group identities. >> Of these, b/ (introduce a new standard GEID claim) seems to make the >> most sense and is the option we would propose to the WG. >> Thoughts? >> Thanks >> Simon >> Simon Frost >> Senior Principal Systems Solution Architect, ATG, Arm >> Mob: +44 7855 265691 >> IMPORTANT NOTICE: The contents of this email and any attachments are >> confidential and may also be privileged. If you are not the intended >> recipient, please notify the sender immediately and do not disclose >> the contents to any other person, use it for any purpose, or store or >> copy the information in any medium. Thank you. > > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] UEID where an instance is a group member Simon Frost
- Re: [Rats] UEID where an instance is a group memb… Smith, Ned
- Re: [Rats] UEID where an instance is a group memb… Laurence Lundblade
- Re: [Rats] UEID where an instance is a group memb… Henk Birkholz
- Re: [Rats] UEID where an instance is a group memb… Thomas Fossati
- Re: [Rats] UEID where an instance is a group memb… Simon Frost
- Re: [Rats] UEID where an instance is a group memb… Smith, Ned
- Re: [Rats] UEID where an instance is a group memb… Laurence Lundblade
- Re: [Rats] UEID where an instance is a group memb… Smith, Ned
- Re: [Rats] UEID where an instance is a group memb… Laurence Lundblade
- Re: [Rats] UEID where an instance is a group memb… Smith, Ned
- Re: [Rats] UEID where an instance is a group memb… Henk Birkholz
- Re: [Rats] UEID where an instance is a group memb… Simon Frost
- Re: [Rats] UEID where an instance is a group memb… Thomas Fossati
- Re: [Rats] UEID where an instance is a group memb… Laurence Lundblade
- Re: [Rats] UEID where an instance is a group memb… Laurence Lundblade
- Re: [Rats] UEID where an instance is a group memb… Laurence Lundblade
- Re: [Rats] UEID where an instance is a group memb… Smith, Ned