IETF Logo Mail Archive

Re: [Rats] UEID where an instance is a group member

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 25 March 2020 16:54 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D307C3A0A45 for <rats@ietfa.amsl.com>; Wed, 25 Mar 2020 09:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UamXPD2EbRE8 for <rats@ietfa.amsl.com>; Wed, 25 Mar 2020 09:54:42 -0700 (PDT)
Received: from mail-edgeKA24.fraunhofer.de (mail-edgeka24.fraunhofer.de [153.96.1.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 722863A0A03 for <rats@ietf.org>; Wed, 25 Mar 2020 09:54:39 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2ESFADvi3te/xoBYJlcAQkeAQscg3MFLGwDVS8qCoQPg0iLQ4FkLZlggRADTAgKAQEBAQEBAQEBBgEBGA0IAgQBAQKEQgKCKSQ4EwIQAQEGAQEBAQEFBAICaYVWDINTcAEBAQEBAQEBAQEBAQEBAQEBAQEBFgINNh43EgEeAQEBAQMBASEPAQU2AhkJAhEDAQIBAgIjAwICJx8BCAgGDQQCAgEBF4MLAYJ7AQQLki6bBHWBMoN9gU6DWYE4BoEOKowvD4FMP4ERJw+CMC4+gmQBAQKBLgEHAQoBTYJlgl4EjWCDE4YcmUYHgUl2ewSGYIoNhRYjgkwxh3uEKgWMN5ghkmQCBAIJAhWBaSNncU0kT4JsUBgNjikXgQQBAoUtgjCFQkcsAoEnjG4BgQ8BAQ
X-IPAS-Result: A2ESFADvi3te/xoBYJlcAQkeAQscg3MFLGwDVS8qCoQPg0iLQ4FkLZlggRADTAgKAQEBAQEBAQEBBgEBGA0IAgQBAQKEQgKCKSQ4EwIQAQEGAQEBAQEFBAICaYVWDINTcAEBAQEBAQEBAQEBAQEBAQEBAQEBFgINNh43EgEeAQEBAQMBASEPAQU2AhkJAhEDAQIBAgIjAwICJx8BCAgGDQQCAgEBF4MLAYJ7AQQLki6bBHWBMoN9gU6DWYE4BoEOKowvD4FMP4ERJw+CMC4+gmQBAQKBLgEHAQoBTYJlgl4EjWCDE4YcmUYHgUl2ewSGYIoNhRYjgkwxh3uEKgWMN5ghkmQCBAIJAhWBaSNncU0kT4JsUBgNjikXgQQBAoUtgjCFQkcsAoEnjG4BgQ8BAQ
X-IronPort-AV: E=Sophos;i="5.72,304,1580770800"; d="scan'208";a="20761248"
Received: from mail-mtaka26.fraunhofer.de ([153.96.1.26]) by mail-edgeKA24.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Mar 2020 17:54:37 +0100
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BXCACUi3te/1lIDI1cAQkcAQEBAQEHAQERAQQEAQGBe4F4BSxsA1QwKgqED48LgWQtmWCBEANUCgEDAQEBAQEGAQEYDQgCBAEBhEQCgigkOBMCEAEBBQEBAQIBBQRthVYMhWMBAQEBAwEBIQ8BBTYCGQkCEQMBAgECAiMDAgInHwEICAYNBgIBAReDCwGCfAQLki2bBHWBMoVLg1mBOAaBDiqMLw+BTD+BEScPgjAuPoJkAQECgS4BBwEKAU2CZYJeBI1ggxOGHJlGB4FJdnsEhmCKDYUWI4JMMYd7hCoFjDeYIZJkAgQCCQIVgWkiZ3FNJE+CbFAYDY4pF4EEAQKFLYIwhUJCMQKBJ4xuAYEPAQE
X-IronPort-AV: E=Sophos;i="5.72,304,1580770800"; d="scan'208";a="78654194"
Received: from mailext.sit.fraunhofer.de ([141.12.72.89]) by mail-mtaKA26.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Mar 2020 17:54:34 +0100
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 02PGsYke018094 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT) for <rats@ietf.org>; Wed, 25 Mar 2020 17:54:34 +0100
Received: from [192.168.178.14] (134.102.43.219) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Wed, 25 Mar 2020 17:54:29 +0100
To: rats@ietf.org
References: <C205FBA7-71A7-4987-AE82-DA855BF86B84@intel.com> <C3A707FF-4AF1-4E0A-BABB-8EE2F52A2D2B@island-resort.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <33f462bb-979e-80cc-9c27-af1e3b77d5e6@sit.fraunhofer.de>
Date: Wed, 25 Mar 2020 17:54:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <C3A707FF-4AF1-4E0A-BABB-8EE2F52A2D2B@island-resort.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.219]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/zJj038mIz7wQE4mUk-pR2eLBX0g>
Subject: Re: [Rats] UEID where an instance is a group member
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 16:54:45 -0000

Hi Laurence,

potentially, I just realized, it could serve the purpose of matching the 
Authenticator Moodel of a FIDO Authenticator and therefore might help 
the peer that the Atttester is talking to understand the format it has 
to expect being incoming based on the additional input of a FIDO 
Metadata-Service (aka the Authentcator-Model that is called, IIRC?). Any 
structure of that kind would help a Verifier to better... "guess" 
(well.. it probably is the output of some kind of negotiation), whether 
it is, e.g. FIDO or RIV?

Viele Grüße,

Henk

On 25.03.20 17:46, Laurence Lundblade wrote:
> A GEID of similar structure to a UEID  seems like a possibility, but 
> what exactly is purpose of such a GEID? What does the RP do with it? 
> What does the verifier do with it?
> 
> An RP will use the UEID to track the unique, specific device. That is 
> its clearly stated purpose.
> 
> In some designs, a verifier may use the UEID to identify the 
> verification key, but that is not the UEID’s purpose. It a useful 
> side-effect.
> 
> If the purpose of a GEID is solely for the verifier to identify the 
> verification key, then I don’t think it is should be a GEID. It should 
> be key id.
> 
> So for me this kind of hinges on what a GEID will mean for the RP. What 
> are the groupings it gives and how are they meaningful to an RP?
> 
> LL
> 
> 
> 
>> On Mar 25, 2020, at 9:29 AM, Smith, Ned <ned.smith@intel.com 
>> <mailto:ned.smith@intel.com>> wrote:
>>
>> Is a GEID structurally different from a EUID? I think currently a EUID 
>> is either a 128-bit or 256-bit bstr. I assume the semantics of 
>> uniqueness differ.
>> *From:*RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on 
>> behalf of Simon Frost <Simon.Frost@arm.com <mailto:Simon.Frost@arm.com>>
>> *Date:*Wednesday, March 25, 2020 at 8:47 AM
>> *To:*Laurence Lundblade <lgl@island-resort.com 
>> <mailto:lgl@island-resort.com>>, "rats@ietf.org 
>> <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>>
>> *Subject:*[Rats] UEID where an instance is a group member
>> We had an internal discussion in response to some changes in PSA which 
>> have elaborated the definition of an Instance Attestation Key (IAK) so 
>> that it may either be “unique to each device or a collection of 
>> identical devices”. The definition of the Identity claim is now a 
>> value that identifies the IAK. This has been done to support entity 
>> grouping for (some) privacy scenarios.
>> While we have an EAT Profile for PSA that uses a full set of custom 
>> claims, our intent has always been to be to migrate as many claims as 
>> possible to the standard once the RATS work is complete. Previously, 
>> there has been a direct analogy betweenarm_psa_UEIDand the standard 
>> UEID. With this change though, we would have to move away from this. 
>> The current description of UEID makes it clear that it must be device 
>> world unique. There is some discussion 
>> (https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html#name-ueid-privacy-considerations) 
>> of the group scenario, but the only statement about the claim 
>> situation is that “It will often be the case that tokens will not have 
>> a UEID for these reasons”.
>> In the privacy scenario, it is still desirable to have an entity 
>> identity claim, for use by a verifier or for general usage. The 
>> options seem to be:
>> a/ If the entity is unique, include an UEID claim, otherwise include a 
>> custom group claim. It seems a pity to encourage diversification 
>> between profiles.
>> b/ If the entity is unique, include an UEID claim, otherwise use a new 
>> standard GEID claim
>> c/ punt this problem out to the kid of the COSE wrapper. This would 
>> ignore any more general uses of group identities.
>> Of these, b/ (introduce a new standard GEID claim) seems to make the 
>> most sense and is the option we would propose to the WG.
>> Thoughts?
>> Thanks
>> Simon
>> Simon Frost
>> Senior Principal Systems Solution Architect, ATG, Arm
>> Mob: +44 7855 265691
>> IMPORTANT NOTICE: The contents of this email and any attachments are 
>> confidential and may also be privileged. If you are not the intended 
>> recipient, please notify the sender immediately and do not disclose 
>> the contents to any other person, use it for any purpose, or store or 
>> copy the information in any medium. Thank you.
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>

v2.23.0 | Report a Bug | By Email