Re: [SCITT] IDevID and draft-ietf-netconf-keystore

Alexander Stein <ajstein.standards@gmail.com> Mon, 29 January 2024 20:56 UTC

References: <CAN8C-_J=VcOGOFK1C_f2NHM8zX+FbpJZF3D=sMXHKmodNSo8ng@mail.gmail.com>
In-Reply-To: <CAN8C-_J=VcOGOFK1C_f2NHM8zX+FbpJZF3D=sMXHKmodNSo8ng@mail.gmail.com>
From: Alexander Stein <ajstein.standards@gmail.com>
Date: Mon, 29 Jan 2024 15:55:51 -0500
Message-ID: <CAMvBLPLZSX3=6yZYXR=f6NpXLUELQdrL3zyZ=k2GJVPEyQ+iFA@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: scitt <scitt@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/VWSpgeXMuQ2-QUx_0-4u7JfiqHY>
Subject: Re: [SCITT] IDevID and draft-ietf-netconf-keystore

This is an interesting specification, thanks for posting. I am having
trouble understanding how a SCITT TS may fit in: registering transparent
statements across one or more TS instances for certificate authorities? A
unique system key? Is the identifier structure the issue? I know that they
were stored that way in Keychain.app in macOS years prior, but I have lost
track. I am reviewing this draft but didn't know that keystores in this spec or
other commonly adopted approaches structure their data that way; I thought
it was specific to the macOS UI and UX.

P.S. As a side note, does Keychain even do certificate verification itself?
I have not owned a current-generation MacBook or supported macOS
workstation in 5-10 years, so I am behind the times. I strongly doubt the
common ones for Linux do (GNOME Keyring/KDE Wallet/libsecret wrappers do
this), or that current versions of Microsoft Windows do that for the keystore
directly instead of systems, so thanks for inspiring me to investigate the
UX and implementation of these applications directly.

On Mon, Jan 29, 2024 at 3:09 PM Orie Steele <orie@transmute.industries>
wrote:

> Implementations may utilize operating-system level keystore utilities
> (e.g., "Keychain Access" on MacOS) and/or cryptographic hardware (e.g.,
> TPMs).
>
> https://datatracker.ietf.org/doc/html/draft-ietf-netconf-keystore-30
>
> It's interesting to consider how a SCITT transparency service might fit
> into this picture.
>
> OS
>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>