IETF Logo Mail Archive

Re: [lamps] Two comments on draft-ietf-lamps-key-attestation-ext

Russ Housley <housley@vigilsec.com> Thu, 22 December 2022 19:51 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50992C14EB1E; Thu, 22 Dec 2022 11:51:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FP5bwOxbihnl; Thu, 22 Dec 2022 11:51:29 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D8F6C14E514; Thu, 22 Dec 2022 11:51:29 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 97C45158353; Thu, 22 Dec 2022 14:51:28 -0500 (EST)
Received: from a860b60074bd.fios-router.home (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 6711A158351; Thu, 22 Dec 2022 14:51:28 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <8A6BE5AB-0FC4-4266-AC3F-45EE9C6CE8F9@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E5A8BC8F-1CD3-4AB3-ABFE-BE451CC32C12"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Thu, 22 Dec 2022 14:51:27 -0500
In-Reply-To: <DB9PR08MB652423A4D0BA4C58C9A08ECD9CEB9@DB9PR08MB6524.eurprd08.prod.outlook.com>
Cc: LAMPS <spasm@ietf.org>, "draft-ietf-lamps-key-attestation-ext@ietf.org" <draft-ietf-lamps-key-attestation-ext@ietf.org>
To: Thomas Fossati <Thomas.Fossati@arm.com>
References: <DB9PR08MB652423A4D0BA4C58C9A08ECD9CEB9@DB9PR08MB6524.eurprd08.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.10 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JeBuEMuqiwmZDSXp1-nhJlMwTUU>
Subject: Re: [lamps] Two comments on draft-ietf-lamps-key-attestation-ext
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2022 19:51:38 -0000

Thomas:

I think you are asking for a CMS Content Type OID for Conceptual Message Wrapper.  I'm wondering if two OIDs would be better, one for JSON encoding and one for CBOR encoding.

If this mades sense, then an appendix with the ASN.1 Module is super simple:

   CMWContentTypes
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) id-mod-contentTypes(TBD1) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN
  
   IMPORTS
     CONTENT-TYPE
     FROM CryptographicMessageSyntax-2009
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
         smime(16) modules(0) id-mod-cms-2004-02(41) } ;

   -- Conceptual Message Wrapper (CMW) with JSON encoding

   ct-CMW-JSON CONTENT-TYPE ::=
      { TYPE CMW-JSON IDENTIFIED BY id-ct-CMW-JSON }

   id-ct-CMW-JSON OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
        smime(16) id-ct(1) TBD2 }

   CMW-JSON ::= IA5String

   -- Conceptual Message Wrapper (CMW) with CBOR encoding

   ct-CMW-CBOR CONTENT-TYPE ::=
      { TYPE CMW-CBOR IDENTIFIED BY id-ct-CMW-CBOR }

   id-ct-CMW-CBOR OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
        smime(16) id-ct(1) TBD3 }

   CMW-CBOR ::= OCTET STRING

   END

Of course, you also need an IANA considerations to assign the OID values.

Russ



> On Dec 21, 2022, at 1:56 PM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
> 
> Thanks authors for a clear and useful document.
>  
> Would it be possible to get an OID for CMWs [1] alongside WebAuthn?
> That would help the case for passing attestation results when the RA/CA
> cooperates with a separate verifier.
>  
> Another question I have is related to defining a symmetric cert
> extension for carrying attestation evidence & results.
> There is an extension that would do the job defined by the TCG.  Maybe
> this document could reference it?
>  
> cheers, thank you
>  
> [1] https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/ <https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/>
>

v2.43.4 | Report a Bug | By Email | System Status