[lamps] Re: About MSJ's proposal for the new Attestation OID Registry in draft-ietf-lamps-csr-attestation

Mike Ounsworth <ounsworth+ietf@gmail.com> Wed, 11 February 2026 01:52 UTC

Return-Path: <ounsworth@gmail.com>
X-Original-To: spasm@mail2.ietf.org
Delivered-To: spasm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 14822B5183FD for <spasm@mail2.ietf.org>; Tue, 10 Feb 2026 17:52:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKT1CRFKPSsi for <spasm@mail2.ietf.org>; Tue, 10 Feb 2026 17:52:43 -0800 (PST)
Received: from mail-oa1-x33.google.com (mail-oa1-x33.google.com [IPv6:2001:4860:4864:20::33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 15B8FB5183F3 for <spasm@ietf.org>; Tue, 10 Feb 2026 17:52:43 -0800 (PST)
Received: by mail-oa1-x33.google.com with SMTP id 586e51a60fabf-4042cd2a336so978129fac.0 for <spasm@ietf.org>; Tue, 10 Feb 2026 17:52:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770774762; cv=none; d=google.com; s=arc-20240605; b=M6esOy4sllNp6MDvywq8Yl+AZRL1QZB0G8nS4hgwmO99y0LCiiimRejS16ZHt7i03p FmklNP6Jgnguvn0MdPzg9x1ol8CASq3qaQtGOUeW0fAORz0DegFytRFlpXZ0MqvH9NcK oHPt9WBEbB8L7M8z0WRB/LdV952M7FiZF9tMgRh9+k/JZDFT+GO2TMZxFGdmq9O/ej7E z2TOaJ1QjyYHe0q+Su2YFZw2gnW717lmLs+T7L5z7TCf8Am0uZ4eghYLrIrl/J8dvw0f FrE9DoyBkKb+TmbTTZITtDGRJMuAMFFlUD6NYlpO79pKXb01hzbHRhjTpgLIlNW26pdV sb4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=TwOpk3fw9y/BBcfPHIxc7aDL6PWT2tf/yyLBvH4A/KY=; fh=SVSwHwwsf8z9oGN2fvNLE6D/fNAwHEmi/TnXsdC2uNE=; b=e2toisnkbzma4w92RE/F8DFMSDM4V5GjryAyhIrqLPGxdnwfBrVdrPcvUzU+M8M3tV Tc0Kazoph3cnX+uTQ0HeD0uTqDZnU2fhIuIOV+F3TJPHVjREmiqLcWPggrwacJGqZ4lg Ke/VecBgoa6EXHfO1A4HqBBprK503HAikBZ82DTT31O1d6gQM1SBUYcnPTlJYXtd2ylk U8dv4dIpH4NPCMui1+fVM9pGASH+ElLh0bsnYO6/D7WNrw7vznnSKaY5ahlN3yqHC2io N9p7JmyjAno2eZeLwSIJ84LdttVdvyLFvaNvpRwxDo2Fua9/xUV4nBSeyoYNbG5XNq1S i8tQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770774762; x=1771379562; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TwOpk3fw9y/BBcfPHIxc7aDL6PWT2tf/yyLBvH4A/KY=; b=BFdisQDWVthfsLFSHflAIa87xMs3oKmNMR4p23tWTDByHeONYfHPOG6MhRIjHxXsYE VzION3xNXgKi/BGQHeNP5cuxam8jVH+HRrS09B/Rvi3rEMAg4ItjfYk49q0xnvyNwEMV hgtdbY7No+MLGB9VDBzUy0RJq80w34VzQxrBILGWpnI86FRpkHuMh4sjkBgh2S/g7+rF DpPkvVn5dxhYbTMj7eqeXkwKcVyHroNoec4DQjm8EzzIOxFoHHVik/HH9FGaA/RyWCLJ k8umSld6D4xQJRUXsftvINYiBtaK5xXdRHsLLYhygM49I41E4g7SHUpVujh6zr69jqnV z3Cw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770774762; x=1771379562; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=TwOpk3fw9y/BBcfPHIxc7aDL6PWT2tf/yyLBvH4A/KY=; b=c4t+/3MZMX15uovrUbedMEOUkBASrKgkZk1U4O7NLS2+MpFBa1qnniur7X5oB+z0wx 4294d+Arr0T1u/mCp6bpcyb4zWM5SrTCp3BWTd6q0KBL0/BLtYcr/xoCVk2uTqpnmEN9 71d4O00ljT0/1FlGl9Df5/yCZQ28aCDq40RV2QqfeYjmL7rs07MVsoBoUIvV46wpmdAl CWH453fYyfhTjX9kOPMFF4ZIL9hl/AZxbGMuXnly5Zrh+y3ykWPvHWe1gJnRV1jRXJIx JRhtMnVmz6ywwPq/JRz0DEv2PWfpKmj1iB6dB9UwXDVwXP5EUfWdegEitq6OwXcnLcwy E65A==
X-Gm-Message-State: AOJu0Yw9uobY2yJV/kttJ96hc9lfSydnaoXCMH3YLBvS4tVkAo07ngSn R6TxFbBgIuaopTYv8YjSGHGi4SbQNy+NO8MqY5A0H3nC9Zd/gUhwRTkYcEtSeecs9fUVm/kbeyz Xr9nEDa9sPYv0lbfsZeclqxPvBu5Glew=
X-Gm-Gg: AZuq6aLPavL0pg7RnrB9ptRZSRZQKKwW1zrlcl05czUfbGY24OhrBnNTrJanx30KGZf 94dcu430ddw9HiMDbRPWO4EsSOvzuCHjr1EOSulRjWxHs72ZR9En6YlSIATuer1lNqLX6Wj9wfC N5RJN1ZoJUuYIW29YXak+WAfI/xKDhU1Dw1y0GZdwzM3EWfWFTPmEahpvTp/Qc90HXvdzyoeGnG VD26d6L8Wp3TQ49WwPKdWsypONM6SQe/Be/S2o/RyKFrEePht/vy/OGzIP8/m2ObxkXTH9NzxNS vCxZXACY
X-Received: by 2002:a05:6820:a182:b0:66e:20fb:7482 with SMTP id 006d021491bc7-66e20fb7782mr4318414eaf.9.1770774762221; Tue, 10 Feb 2026 17:52:42 -0800 (PST)
MIME-Version: 1.0
References: <CAKZgXHoQ7cLUvhVKL6A1NnOX_xyfn=PG5FcD4LX2L78HvPCY9Q@mail.gmail.com> <f0ccd2c0-ce1f-4d44-9f63-e469b7d643d7@nthpermutation.com>
In-Reply-To: <f0ccd2c0-ce1f-4d44-9f63-e469b7d643d7@nthpermutation.com>
From: Mike Ounsworth <ounsworth+ietf@gmail.com>
Date: Tue, 10 Feb 2026 19:52:29 -0600
X-Gm-Features: AZwV_QjIbFkEFTWLwERFkqgNIC5btqHthwH-ALvoYLsBAM1_Y5MuTti4CPHX-q0
Message-ID: <CAKZgXHpay5Fw75twEbJciwFVi-+pMoFtowmhwD-j=pwmAzjTQg@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: multipart/alternative; boundary="000000000000adf4fc064a82a001"
Message-ID-Hash: ER27V5O3AFWFWHHFWD7RO7AH4VSLF2NH
X-Message-ID-Hash: ER27V5O3AFWFWHHFWD7RO7AH4VSLF2NH
X-MailFrom: ounsworth@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: LAMPS WG <spasm@ietf.org>, draft-ietf-lamps-csr-attestation@ietf.org, Carl Wallace <carl@redhoundsoftware.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: About MSJ's proposal for the new Attestation OID Registry in draft-ietf-lamps-csr-attestation
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/fu1kbbDwl_W5tjOdfRRcflEyn-E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Hi Mike,


> *The allocation of an OID is not sufficient to declare an
ATTESTATION-STATEMENT binding*

Yeah, full agreement. When you pointed that out several months ago, the
authors went "oops -- of course the registry needs to list what the
structure is, not just its OID", and we added it in -21.

The ASN.1 module in draft-ietf-rats-msg-wrap-23 is:

id-pe-cmw  OBJECT IDENTIFIER  ::=
   { iso(1) identified-organization(3) dod(6) internet(1)
     security(5) mechanisms(5) pkix(7) id-pe(1) 35 }


CMW ::= CHOICE {
    json UTF8String,
    cbor OCTET STRING
}


To me, that is a perfectly well-defined pair of OID and wire encoding.
Maybe I'm bad at ASN.1, but to me that is a perfectly unambiguous ASN.1
specification of what the bits on the wire will be. If the ASN.1 structures
in draft-csr-attest are not capable of ingesting that definition as a valid
payload, then that's a problem with our ASN.1 being too complicated. I
understand the difference between a concrete ASN.1 Type, and an ASN.1
CLASS. I understand that the ASN.1 mod in draft-ietf-rats-msg-wrap-23 is
not sufficient to instantiate the CLASS stuff currently in
draft-csr-attest, and I don't think it should have to.

I like analogies: if someone is providing you an XML document, it is
reasonable to expect them to also provide an XML Schema for it. If you
choose to use a C++ XML parser that requires the schema as a C++ header
file; cool, but don't expect the authors of the format to provide that
header file for your chosen parser. The world doesn't run on ASN.1 anymore.
CMW is fundamentally a CBOR or JSON encoded object. The fact that CMW
authors provided us with a definition for a DER wrapper is great and now
it's on us to figure out how to carry that (and other DER structs defined
in similar ways which I'm sure there will be more of in the future), not to
declare it uncarryable because it didn't also provide compiler abstractions
for your chosen compiler.

Also, the CMW payload, and the CSR-Attest transport should be separate
layers. Requiring the CMW specification to even be aware of the CSR-Attest
semantics seems to me like a crazy layer violation; that would be like
saying that that XML Schema is incomplete if it doesn't also specify HTTP
headers and TLS cipher suites. Why?

I see two possible ways forward here:

1. We decide that the difference between the CMW CHOICE def
in draft-ietf-rats-msg-wrap-23, and the AttestationStatement
in draft-ietf-lamps-csr-attestation are compatible enough that an
implementer should be able to bridge them.

or

2. We decide that the AttestationStatement definition
in draft-ietf-lamps-csr-attestation is too complex and needs to be
simplified.

I do not accept the position that we've made the CSR attribute definition
so complex that every DER-encoded payload that we want to carry will now
require its own spec telling you how to set all the CSR attribute metadata.

On Tue, 10 Feb 2026 at 16:16, Michael StJohns <msj@nthpermutation.com>
wrote:

> On 2/10/2026 15:50, Mike Ounsworth wrote:
>
> Hi MSJ,
>
> Sorry I had to leave the meeting at the top of the hour yesterday, so I
> did not hear your explanation about your proposed change.
>
> The commit and line number in question is here:
>
>
> https://github.com/lamps-wg/csr-attestation/pull/232/changes#diff-0f9c8dc6ee2ac6d331a3fdf2859e38c90e83c56ad6b667bfd79bb44877b43820L360
>
>
> Let me take a step back to make sure we're level-set on the purpose of
> this registry: it is to collect a list of OID - ASN.1 Type pairs that
> implementers may encounter inside CSRs in the wild. Informative, not
> Normative.
>
> A while back you suggested that this registry had a column for OID but not
> a column for the corresponding ASN.1 type. The authors agreed with you and
> we added this in --21. At the same time we deleted from the Initial
> Registry Contents all of the TCG stuff since we (the authors) could find
> published OIDs for them but not published ASN.1 defs, which means they did
> not meet the criteria for inclusion in this registry at the current time.
> That left CMW, which is the only thing we are aware of at present which is
> a valid payload for an attested CSR, and has a published OID, and has a
> published ASN.1 type (all in draft-ietf-rats-msg-wrap-23).
>
> You have now proposed a PR to the draft which removes the "Initial
> Registry Contents" section, removes this:
>
>
> * CMW
>   * OID: 1 3 6 1 5 5 7 1 35
>   * Type: CMW
>   * Description: id-pe-cmw
>   * Reference(s): {{I-D.ietf-rats-msg-wrap}}
>   * Change Controller: IETF
>
> and replaces it with
>
>
> - OID: 1.2.3.4.5
> - Name: exampleAttest
> - Type: ExampleStruct
> - Description:  This is an example template for registering
> ATTESTATATION-STATEMENT declarations
> - Reference: Provided by example@example.com, no specification provided.
>
>
> Can you please explain your thinking behind this proposed change? Surely
> you agree that CMW as specified in draft-ietf-rats-msg-wrap-23 meets the
> criteria for inclusion in this registry (and in fact, is currently the only
> standardized thing that does).
>
> Sure.  This will be pedantic because ASN.1 CLASS and open type stuff is
> complicated.  This is all assuming modern ASN.1 not ASN.1 1988 stuff.
>
> *The allocation of an OID is not sufficient to declare an
> ATTESTATION-STATEMENT binding*. Or for that matter an ATTRIBUTE or
> EXTENSION binding.
>
> For example, ATTRIBUTE, EXTENSION and ATTESTATION-STATEMENT are
> TYPE-IDENTIFIER like declarations.  You can bind an OID to pretty much any
> structure, but the actual underlying class declaration may give you more
> options for your declaration:
>
>   attr-cmw ATTRIBUTE ::= { TYPE CMW IDENTIFIED BY id-pe-cmw }
>
>   ext-cmw EXTENSION ::= { SYNTAX CMW IDENTIFIED BY id-pe-cmw }
>
>   attest-cmw ATTESTATION-STATEMENT ::= {  CMW IDENTIFIED BY id-pe-cmw }
>
> All of these are legal declarations, and we sometime omit actually making
> them explicitly - e.g. by stealing an OID for an extension and just
> plugging it in to use for an ATTRIBUTE.  But this is also legal for an
> ATTRIBUTE:
>
>
>
>   attr-cmw ATTRIBUTE ::= { TYPE CMW
>                            COUNTS MAX 1
>                            EQUALITY MATCHING RULE
> id-someoid-for-matchingrule
>                            IDENTIFIED BY id-pe-cmw }
>
> Note that this still assigns the CMW to an OID, but also provides some
> additional rules specific to use with ATTRIBUTE.  This turns out to be the
> usual way we do this assignment.
>
> Declaring the CMW structure by itself does not meet the criteria for
> inclusion, nor does declaring the oid, or merely stating the OID/structure
> combo.  What you want is an actual ATTESTATION-STATEMENT declaration you
> can reference:
>
>      attest-cmw ATTESTATION-STATEMENT ::= { CMW IDENTIFIED BY id-pe-cmw }
>
> and around that declaration you need some text explaining things like "The
> Attributes field is optional, but when present at least one
> ATTRIBUTE/Attribute that will usually be present is the 'attr-hint' defined
> as "attr-hint ATTRIBUTE ::= { TYPE IA5String IDENTIFIED by id-at-hint }"
>
> The side effect of creating the declaration is to populate declaration
> into the "..." part of the "AttestationStatementSet ATTESTATION-STATEMENT
> ::= { ... }" table.  That is the table referenced by the
> "AttestationStatement" structure declaration.
>
> We also pair a name for the declaration so the declaration can be used
> later in other things - like the set of attributes or set of types of
> attestation statements. Example using FAKE TPM-like attestation
> declarations:
>
> attest-tpm-set ATTESTATION-STATEMENT ::= { attest-tpm-key |
> attest-tpm-chip | ... }
>
> Fake related text: " An Extension containing an AttestationBundle for TPM
> attestations will generally include the Attestation(s) listed in
> 'attest-tpm-set', but may contain additional Attestation types "
>
> So the registry table is not simply OID/Structure, but Name/OID/Structure
> to match the declaration.
>
> As for not including it here - this is a cross reference rather than a
> registry per se.  Declaring this in the CMW document, or even just
> declaring it later and providing text related to say the actual
> implementation is a more appropriate way of doing things especially with my
> suggested change to "Expert Review" from "Specification Required".
>  Otherwise declaring it here would mean that the ASN.1 module would have to
> import the CMW module, CMW structure and the CMW OID from the CMW document
> and would lead this document dependent on that one.
>
> *TL;DR - The declaration of an OID and a structure is necessary, but not
> sufficient to create a CLASS instantiation of any type.  *
>
>
> Mike
>
>
>
> Post script:
>
> At the last F2F meeting, I had a brief discussion with the IANA folks of
> creating a single cross-ref registry-like table:
>
> Name:  The declaration name - the left most part of a class instance
> declaration.
> *Declaration Type:* The class type - e.g. EXTENSION, ATTRIBUTE,
> ATTESTATION-STATEMENT *Identifier:*  The OID.  Note that the same OID may
> be used for multiple CLASS declarations, but only a single declaration
> within a given type.  So there may be multiple entries with the same OID,
> but there may not be multiple entries with the same OID/Declaration Type
> pair. *Structure Type:*  The main  or first field type in the
> declaration.  If there are multiple open type fields, list only the first
> one here. *Description:* yada yada *Reference:*  The requester or Ideally
> a URL or stable reference to figure out what the declaration actually meant.
>
> If the group thinks the stuff immediately above is a better approach, then
> the right answer is to remove the "registry" from the draft document and
> I'll write a request/draft  for the creation of a "ASN.1 Class declaration
> cross reference registry".
>
> Personally, I'm getting a bit tired of having to figure out from an OID
> where to find a declaration in various certificates, attributes and other
> random ASN1 structures I've encountered.  Having a curated list would
> help.  However, it might be a lot of work.
>
> Later, Mike
>
>
>
>