Re: [lamps] Side meeting on PKIX key attestation format
Michael StJohns <msj@nthpermutation.com> Mon, 10 April 2023 02:59 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD6DC151B0B for <spasm@ietfa.amsl.com>; Sun, 9 Apr 2023 19:59:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kRQdO8rJHqZD for <spasm@ietfa.amsl.com>; Sun, 9 Apr 2023 19:59:29 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ABF2C151B01 for <spasm@ietf.org>; Sun, 9 Apr 2023 19:59:29 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id ge18so1054442qtb.0 for <spasm@ietf.org>; Sun, 09 Apr 2023 19:59:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20210112.gappssmtp.com; s=20210112; t=1681095568; x=1683687568; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=wQapf9gnE09u6KSrwUiKINe4VhwL6pGSb3fSadaNhUs=; b=zoqJpy6JkWAui/EBb1Qyfh2dFDHaJqGE39iCry3YBG4vaso+he703BdCI+ZeooUWSX 8jjExsYMkGtdinJWLY6kFgXRWT46/Ar1GiHkfeHLOg0oVztz8JOAoSKESqMpY1ewJD7W i71mQhwdAjzwxeLR4KgzsV3pvm068J5j3+Yn5ERkkf+2VQDIvP2f5ZXBAGMogQmytHpR 6q529CXUUyb7EtV2EihSIBnDbs4WAU/RluFoCoTD+OaD6mt145iDCk7s+a29/lPBtRS5 mV+2BhV73ZHydyyIw6b17+mnu3MGFofogz4U0qZjFSsvNo7aOO0lFq3+WBFGX27Rx5k9 QDSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681095568; x=1683687568; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=wQapf9gnE09u6KSrwUiKINe4VhwL6pGSb3fSadaNhUs=; b=S7wPR1ap1VMMYvaRTDqXT11094u1jZ4U/g2OE+OftKEL3XokZb+cnCQqZRTtZJOuQJ CR4mpzcMaHZ1+06CE+J2ZoK/JjJVCo+n0WlDVyAFrcxqIlpiaF9RYlyvHl5cts+NAAgJ oOsmJvxNetHmL7AahN9cJRDM8e36A/Tv++0s7W3biIezEh/tFWfP93X/cHyhJX6YfdEJ Bz4uh3QautnubMHSDONohKRWrssdfVzJ1YrFIp1SZaKmX/QDv+0Wv2zwP47IcuejZJru F0o5hvvA+2e+QdZtmQAzEJX7Vm1o/uSuNZiZgCGgfcJOC1X6VAlIR+bzArxztrx0GmAg sJbQ==
X-Gm-Message-State: AAQBX9cuIHD9FtpmNGWY0Na2MxsMZvVfLZwdcyokZYeFLTYOSsnzTzr/ JMnKsT/qTKtEPLUIkg89jlAQYs21KNNFVaVN8bU=
X-Google-Smtp-Source: AKy350bRMXBhLd8f3g0H0R1KbsljnJOKi24kXR77ERmXVpv1ZRMBfaQ54Dc25XPwaYp2x17P5IDzDg==
X-Received: by 2002:ac8:7d42:0:b0:3bf:cc89:9c8f with SMTP id h2-20020ac87d42000000b003bfcc899c8fmr15449687qtb.68.1681095567826; Sun, 09 Apr 2023 19:59:27 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id n9-20020a374009000000b00742bc037f29sm2982523qka.120.2023.04.09.19.59.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 09 Apr 2023 19:59:27 -0700 (PDT)
Message-ID: <cd87e5c4-b067-8a2a-d1df-38076349fa05@nthpermutation.com>
Date: Sun, 09 Apr 2023 22:59:26 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1
To: Michael Richardson <mcr@sandelman.ca>, spasm@ietf.org
References: <CH0PR11MB57397DE8A78F12D5779DC96D9F969@CH0PR11MB5739.namprd11.prod.outlook.com> <06a1fd2b-52e6-0359-5a63-05340faab69a@nthpermutation.com> <29668.1680984394@localhost> <e47c4863-ff63-8428-81d2-dc4ad4407f85@nthpermutation.com> <17397.1680989296@localhost>
Content-Language: en-US
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <17397.1680989296@localhost>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/nJDvYOxdAQuGdT5_i9i2Ks9Y8dY>
Subject: Re: [lamps] Side meeting on PKIX key attestation format
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2023 02:59:30 -0000
On 4/8/2023 5:28 PM, Michael Richardson wrote: > Michael StJohns <msj@nthpermutation.com> wrote: > ... > > I'm going to answer that two different ways - indulge me please. > > :-) > What an amazing way with words. > You put your name in for 2024 presidential race yet? Never going to happen. Or "The physics of pigs flying is sufficiently deterministic in a negative sense to suggest the answer to that question." > > > 2) In this particular set of questions, the CA/BF has explicitly > > disclaimed the use of a TPM attestation statement as proof of a Code > > signing keys residence on a secure module, and has put in some > > interesting requirements for issuing a code signing certificate. > > is this fundamentally why we have to do this side meeting? My personal take is that we've got an elephant and at least three blind men trying to describe it. Mike O has an immediate (Real Soon Now) need for a way to carry an HSM attestation statement in a PKCS10 (or similar) ASN.1 based request - https://datatracker.ietf.org/doc/draft-ounsworth-pkix-key-attestation/. Since neither the HSM attestation format nor the general scheme for carrying attestation statements in PKCS10 has yet been defined, that showed up as a single document. That document in turn collides a bit with https://datatracker.ietf.org/doc/draft-ietf-lamps-key-attestation-ext/ which appears to me to be targeted at carrying attestation statements wrapped in a semi-opaque Webauthn format for the Webauthn community. Neither of these approaches currently appears to me to provide a good answer to Task A. Russ suggested we discuss. I think that last sentence is probably the "have to" part of the above! > > My interest stems from > https://datatracker.ietf.org/doc/draft-irtf-t2trg-taxonomy-manufacturer-anchors/ I didn't have time to look at this very long, but I did a quick scan over Section 3. Mostly what you have here is how to prove things to a device (software, other devices, the back office, etc - onboarding mostly). One of the things you appear to be missing is a uni-directional device proving to the word "Hi, I'm an MCU of type X from manufacturer Y, and here's a public key that you can use to verify cryptographic statements I make about my capabilities". TPMs call that an Endorsement Key/Endorsement certificate for the built in key, and that can be used to bootstrap into an Attestation Key/Certificate that may be more local in nature and shorter in time scope. The trust anchor for that is a manufacturer public key and/or certificate, chaining to the device EK certificate. The root of trust for the Attestation Certificate need not chain back to the device manufacturer's EK root. That model may not exactly equal the IDevID you mention in section 4. Think of it this way: During board manufacturing, I want to know that the secure part/MCU/etc is the part I ordered and will behave as I want, and I want to be able to link later credentials to the original hardware attestation. During board manufacturing, I'll ask the MCU to generate a key pair, and then prove that the public key of that key pair is internal to the MCU using MCU credentials. I'll bind that key pair into a IDevID based on my OEM manufacturing credentials. When it gets to the field, the owner will look at my OEM IDevID, and use the MCU attestation functions to generate an LDevID key pair, use MCU to attest that key pair perhaps using the contents of the IDevID as the attestation key - using a combination of the various previous roots of trust. Finally, in a device that has a multi-tenant model, I may need to bootstrap a tenant's key pair attestation as part of the administration of the device. That brings us up to the possibility of 4 roots of trust for attested keys. Enjoy - Mike > > I think that there will be a lot more HSM in the field. > (That's a good thing) ps - actually I'm hoping for less big-iron HSMs and more SEs (Secure Elements), smart card based HSMs, or MCU/MPUs with embedded SE IP cells.
- [lamps] Side meeting on PKIX key attestation form… Mike Ounsworth
- Re: [lamps] Side meeting on PKIX key attestation … Mike Ounsworth
- Re: [lamps] Side meeting on PKIX key attestation … Michael StJohns
- Re: [lamps] Side meeting on PKIX key attestation … Michael Richardson
- Re: [lamps] Side meeting on PKIX key attestation … Michael StJohns
- Re: [lamps] Side meeting on PKIX key attestation … Michael Richardson
- Re: [lamps] Side meeting on PKIX key attestation … Michael StJohns
- Re: [lamps] [EXTERNAL] Re: Side meeting on PKIX k… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Side meeting on PKIX k… Michael StJohns