[lamps] Qualified certificates and key attestations
Carl Wallace <carl@redhoundsoftware.com> Wed, 27 July 2022 17:45 UTC
Date: Wed, 27 Jul 2022 13:43:30 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Message-ID: <4E6F09CC-90D9-4255-BF65-7EACC0765387@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DGj4UyjnkRjLQ70rWyda23zONtg>
During the LAMPS session today, Stefan and Leif suggested that the proposed key attestation draft needs to consider qualified certificates. Some thoughts on the possible points of intersection are below. Please correct or expand as needed.

In https://datatracker.ietf.org/doc/html/rfc3739, there is a QCStatement structure that is very similar to the structures used for extensions and attributes.

   QCStatement ::= SEQUENCE {
       statementId   QC-STATEMENT.&Id({SupportedStatements}),
       statementInfo QC-STATEMENT.&Type
                     ({SupportedStatements}{@statementId}) OPTIONAL }

It would be straightforward to include a reference to RFC 3739 with a note that the OIDs and values defined in the draft for CMPv2, EST, etc. could be used with QCStatement as well. This could be a complementary mechanism to the QC statement defined in 4.2.2 of https://www.etsi.org/deliver/etsi_en/319400_319499/31941205/02.03.01_60/en_31941205v020301p.pdf, i.e., one could elect to require an attestation prior to asserting this QC statement.

I don't see anything in the QC materials I reviewed in the way of prior art that would motivate not using the WebAuthn format. Given Thomas chimed in during the meeting that they use WebAuthn already and, as noted in the draft, so does the ACME mechanism that will be briefed tomorrow, I think using WebAuthn as a means of supporting different attestation formats is fine. The main open item is defining a registry w.r.t. format since reuse of the WebAuthn registry is not recommended. Sean and I plan to address this in the next draft.

Hopefully the above addresses the concerns. If more QC-focused text is desired, that may be better handled in a separate draft (similar to how this draft is separate from the similar ACME draft).