Re: [sacm] [Rats] CoSWID and EAT and CWT

"Smith, Ned" <ned.smith@intel.com> Thu, 21 November 2019 17:01 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: "Waltermire, David A. (Fed)" <david.waltermire=40nist.gov@dmarc.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "rats@ietf.org" <rats@ietf.org>, Ira McDonald <blueroofmusic@gmail.com>, sacm <sacm@ietf.org>, Laurence Lundblade <lgl@island-resort.com>
Date: Thu, 21 Nov 2019 17:01:48 +0000
Message-ID: <CFA72C1A-3DEE-40D0-862E-EC0B512F733B@intel.com>
References: <BN7PR09MB2819D797B89183218BEFA823F04E0@BN7PR09MB2819.namprd09.prod.outlook.com> <922EA164-FB96-4245-A46C-6520809E6311@gmail.com> <5r0dnrkillm4odhp4it9ejl8.1574342669212@email.android.com>
In-Reply-To: <5r0dnrkillm4odhp4it9ejl8.1574342669212@email.android.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/bfqtJ4D5N4NqvRr6cQuG45ao4yQ>
Subject: Re: [sacm] [Rats] CoSWID and EAT and CWT

I think there are two conversations that could make sense (1) definition of a software integrity claim that can be asserted by an Attester as Evidence; (2) definition of a software integrity claim that can be asserted by an Endorser (aka supply chain entity) as Endorsement.

In (1) there is interest in an EAT token definition that likely will result in a JWT/CWT realization and signature. Possibly it makes sense to include an unsigned CoSWID / SWID structure inside a JWT/CWT or it makes sense to deviate from the JWT/CWT realization but keep the information and data model claims definition but allow use of CoSWID native signatures.
In (2) this is technically out of scope for RATS. However, it could result in a CoSWID / SWID structure using the built-in signature method. It isn’t known yet if a token (CWT/JWT) realization makes sense for Endorsers.

From: RATS <rats-bounces@ietf.org> on behalf of "Waltermire, David A. (Fed)" <david.waltermire=40nist.gov@dmarc.ietf.org>
Date: Thursday, November 21, 2019 at 5:24 AM
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: "rats@ietf.org" <rats@ietf.org>, Ira McDonald <blueroofmusic@gmail.com>, sacm <sacm@ietf.org>, Laurence Lundblade <lgl@island-resort.com>
Subject: Re: [Rats] [sacm] CoSWID and EAT and CWT

Ok. Can you send some text?

Thanks,
Dave

-------- Original Message --------
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, November 21, 2019 7:38 PM +0800
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
CC: Ira McDonald <blueroofmusic@gmail.com>, rats@ietf.org, sacm <sacm@ietf.org>, Laurence Lundblade <lgl@island-resort.com>
Subject: Re: [sacm] [Rats] CoSWID and EAT and CWT

Sent from my mobile device


On Nov 20, 2019, at 11:29 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:
It sounds like having a CWT claim that contains an entire CoSWID is a path forward. It may also make sense to do something similar for ISO SWID tags.

Am I right in thinking that this CWT work can be done in RATS, referencing CoSWID once it is published as a normative reference? This would allow CoSWID to go forward to the IESG, while the CoSWID CWT claim is worked in parallel in RATS.

Kathleen, if this is true, does this way forward address your CWT-related comments?

Hi Dave,

I think the signature may have to be on the CWT as opposed to on the claim that is the CoSWID or SWID.  We can define it fully in another draft, but should state it here so that option is understood.  It’s a simple write up, I think.

Thank you,
Kathleen


Regards,
Dave





________________________________
From: sacm <sacm-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Sent: Wednesday, November 20, 2019 9:10 PM
To: Ira McDonald <blueroofmusic@gmail.com>
Cc: rats@ietf.org <rats@ietf.org>; sacm <sacm@ietf.org>; Laurence Lundblade <lgl@island-resort.com>
Subject: Re: [sacm] [Rats] CoSWID and EAT and CWT

Great, thanks Laurence.  If that's easier I think having the CoSWID in one claim should be ok and would have the same result as the suggestion I made.  Changing the CoSWID format is a big enough process that it shouldn't happen very often.

Best regards,
Kathleen

On Wed, Nov 20, 2019 at 8:00 PM Ira McDonald <blueroofmusic@gmail.com> wrote:
Hi Laurence,

That seems like a good suggestion for a simple way to integrate CoSWID content
into EAT.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
PO Box 221  Grand Marais, MI 49839  906-494-2434


On Wed, Nov 20, 2019 at 7:35 PM Laurence Lundblade <lgl@island-resort.com> wrote:
Hi,

I’m not on the SACM list, but did look at the archive. Hopefully I’m not out of sync.

My thought is to register one claim for CWT that is an entire CoSWID (in CDDL the concise-swid-tag).

That way CoSWID can grow and develop on its own without lots of adds and subtracts to the CWT registry. It has its own IANA registry with its own experts and such. Seems like the coupling / factoring is about right.

This would also be the way I’d like to have it in EAT attestation. We’ve done a mini version of this with the location claim <https://tools.ietf.org/html/draft-ietf-rats-eat-01#section-3.8>.

Then if you just want to sign a CoSWID CWT style, this works pretty well too. It has a slight overhead compared to having all the CoSWID data items as direct CWT claims in that it will have an additional map layer, but that is only about three bytes.

LL

_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats
_______________________________________________
sacm mailing list
sacm@ietf.org
https://www.ietf.org/mailman/listinfo/sacm


--

Best regards,
Kathleen
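Laurence's proposal above (one CWT claim carrying an entire concise-swid-tag) and Kathleen's point that the signature then sits on the CWT rather than on the CoSWID, as an added stand-alone Python model that is not code from any participant or from the CoSWID/EAT drafts. It assumes a placeholder claim key (100; none was registered at the time of this thread), a minimal CBOR encoder written here, HMAC-based COSE_Mac0 standing in for a real signature, and constructed CoSWID content.

```python
import hashlib, hmac

def _head(major, n):
    """CBOR initial byte(s) for a major type and argument n (RFC 8949, section 3)."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def cbor(v):
    """Encode ints, bstr, tstr, arrays and maps: all this example needs."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, (bytes, str)):
        b = v if isinstance(v, bytes) else v.encode("utf-8")
        return _head(2 if isinstance(v, bytes) else 3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))

# Constructed concise-swid-tag using the RFC 9393 map keys; the values are made up.
COSWID = {0: "example-tag-id",                     # tag-id
          12: 0,                                   # tag-version
          1: "example-agent",                      # software-name
          13: "1.2.3",                             # software-version
          2: [{31: "Example Corp", 33: [1, 2]}]}   # entity: entity-name, role
BASE_CLAIMS = {1: "https://issuer.example", 6: 1574355708}  # iss, iat (constructed)
COSWID_CLAIM_KEY = 100  # placeholder: the thread proposes a CoSWID claim, no key is assigned

def nesting_overhead(claim_key, base_claims, coswid):
    """Extra bytes from one CoSWID claim versus spreading its items as direct CWT claims."""
    items = list(base_claims.items()) + list(coswid.items())
    flat_len = len(_head(5, len(items))) + sum(len(cbor(k)) + len(cbor(x)) for k, x in items)
    return len(cbor({**base_claims, claim_key: coswid})) - flat_len

def _mac_tag(key, protected, payload):
    return hmac.new(key, cbor(["MAC0", protected, b"", payload]), hashlib.sha256).digest()

def cose_mac0(key, claims):
    """Untagged COSE_Mac0 over the whole claims map (HMAC 256/256, COSE alg 5)."""
    protected, payload = cbor({1: 5}), cbor(claims)
    return [protected, {}, payload, _mac_tag(key, protected, payload)]

def verify_mac0(key, msg):
    """True only if the tag still matches the protected header and payload."""
    return hmac.compare_digest(_mac_tag(key, msg[0], msg[2]), msg[3])
```

The overhead function reproduces the "about three bytes" figure for a claim key in the 24..255 range; a larger key costs proportionally more. Because the MAC covers the whole claims map, a change to any field inside the embedded CoSWID invalidates the CWT, which is the property Kathleen's point relies on.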