[sacm] Proposed additions to problem statement of SACM information model I-D
"Kahn, Clifford" <cliffordk@pulsesecure.net> Tue, 14 October 2014 02:59 UTC
The following additions motivate the core concept of the "endpoint attribute assertion".

2.2 Referring to an Endpoint

How to refer to an endpoint is problematic. Ideally, an endpoint would have a unique identifier. These identifiers would have a one-to-one relationship with endpoints. Every observation of an endpoint, or inference about an endpoint, would be labeled with its identifier.

However:

- An external posture attribute collector typically cannot observe the unique identifier directly. An external posture attribute collector should be able to report exactly what it has observed, unembellished. It should not have to *infer* which endpoint it has observed; that inference should be leavable to other SACM components. So, SACM cannot require that every observation include the unique endpoint identifier.

- Internal posture attribute collectors are not present on all endpoints. They are not present on "dumb" devices such as Internet of Things (IoT) devices, or on Bring Your Own Device (BYOD) devices. In these cases, *no* observers have direct access to the unique endpoint identifier.

- An endpoint identifier is generally subject to cloning, when a system image is cloned. Then it is no longer unique.

- Suppose the endpoint identifier is highly clone resistant -- such as a unique certificate within a trusted platform module (TPM). Even so, it is possible to replace all of the software -- for example, changing a Windows machine to a Linux machine. Is it still the same endpoint? For SACM purposes, it isn't really the same endpoint.

So SACM components must be able to put disparate observations together and form a picture of an endpoint -- somewhat like a detective. The SACM information model must facilitate this.

2.3 Dealing with Uncertainty

With many information models, the information is considered certain. So it is OK to blur the difference between the representation and the thing represented.

In SACM, information is not certain. Attackers may develop countermeasures to fool some SACM components. Attackers may compromise some SACM components. So the model must let SACM components and humans reason with uncertainty. There are no facts, only assertions.

SACM components must be able to cross check observations and inferences against each other. They should be able to give weight if an observation or inference is corroborated by more than one method.

SACM components must be able to consider the reputation of the observer or inferer. That reputation should account for the method of observing or inferring, the implementer of the SACM component that made the observation or inference, and the compliance status of the endpoint on which the observation or inference was made. For example, if some observers are found to be vulnerable to a Day 1 exploit, observations from those observers deserve less weight.

Clifford Kahn
Principal Engineer/Technical Lead
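
Added example (not part of the original message or of any SACM draft): a sketch of sections 2.2 and 2.3 in which assertions carry only the identifiers actually observed, are grouped into endpoints by shared identifiers, and are weighted by observer reputation and corroboration across methods. The field names, the reputation values, the product rule for reputation and the noisy-OR combination (which assumes the methods fail independently) are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    observer: str           # component making the assertion
    method: str             # how it observed or inferred
    identifiers: frozenset  # exactly what was seen; no endpoint ID is claimed
    attribute: str
    value: str

# Constructed reputations in [0, 1]: (method, implementer, observer host compliance).
REPUTATION = {
    "nac-sensor": (0.9, 0.9, 1.0),
    "dhcp-log": (0.7, 0.9, 1.0),
    "host-agent": (0.95, 0.8, 1.0),
}

def reputation(observer, table=REPUTATION):
    method, implementer, compliance = table[observer]
    return method * implementer * compliance  # assumed combination rule

def correlate(assertions):
    """Group assertions that share any identifier, directly or transitively."""
    groups = []  # list of (identifier set, member assertions); sets stay disjoint
    for a in assertions:
        ids, members, rest = set(a.identifiers), [a], []
        for g_ids, g_members in groups:
            if g_ids & ids:
                ids, members = ids | g_ids, g_members + members
            else:
                rest.append((g_ids, g_members))
        groups = rest + [(ids, members)]
    return groups

def confidence(members, attribute, value, table=REPUTATION):
    """Noisy-OR over distinct methods, so a second method adds weight."""
    best = {}  # strongest reputation seen per method
    for a in members:
        if (a.attribute, a.value) == (attribute, value):
            best[a.method] = max(best.get(a.method, 0.0), reputation(a.observer, table))
    return 1.0 - math.prod(1.0 - r for r in best.values())

SAMPLE = [  # constructed observations
    Assertion("nac-sensor", "passive-fingerprint", frozenset({"mac:02:00:00:00:00:01", "ip:192.0.2.10"}), "os", "linux"),
    Assertion("dhcp-log", "dhcp-lease", frozenset({"mac:02:00:00:00:00:01"}), "hostname", "build-7"),
    Assertion("host-agent", "local-query", frozenset({"ip:192.0.2.10", "cert:placeholder-fp"}), "os", "linux"),
    Assertion("nac-sensor", "passive-fingerprint", frozenset({"mac:02:00:00:00:00:02"}), "os", "windows"),
]
```

Passing a table in which an observer's compliance factor has been lowered, for instance after that observer is found vulnerable, reduces the weight of its assertions without discarding them.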