Re: [lamps] Side meeting on PKIX key attestation format

Michael StJohns <msj@nthpermutation.com> Mon, 10 April 2023 02:59 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD6DC151B0B for <spasm@ietfa.amsl.com>; Sun, 9 Apr 2023 19:59:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kRQdO8rJHqZD for <spasm@ietfa.amsl.com>; Sun, 9 Apr 2023 19:59:29 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ABF2C151B01 for <spasm@ietf.org>; Sun, 9 Apr 2023 19:59:29 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id ge18so1054442qtb.0 for <spasm@ietf.org>; Sun, 09 Apr 2023 19:59:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20210112.gappssmtp.com; s=20210112; t=1681095568; x=1683687568; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=wQapf9gnE09u6KSrwUiKINe4VhwL6pGSb3fSadaNhUs=; b=zoqJpy6JkWAui/EBb1Qyfh2dFDHaJqGE39iCry3YBG4vaso+he703BdCI+ZeooUWSX 8jjExsYMkGtdinJWLY6kFgXRWT46/Ar1GiHkfeHLOg0oVztz8JOAoSKESqMpY1ewJD7W i71mQhwdAjzwxeLR4KgzsV3pvm068J5j3+Yn5ERkkf+2VQDIvP2f5ZXBAGMogQmytHpR 6q529CXUUyb7EtV2EihSIBnDbs4WAU/RluFoCoTD+OaD6mt145iDCk7s+a29/lPBtRS5 mV+2BhV73ZHydyyIw6b17+mnu3MGFofogz4U0qZjFSsvNo7aOO0lFq3+WBFGX27Rx5k9 QDSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681095568; x=1683687568; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=wQapf9gnE09u6KSrwUiKINe4VhwL6pGSb3fSadaNhUs=; b=S7wPR1ap1VMMYvaRTDqXT11094u1jZ4U/g2OE+OftKEL3XokZb+cnCQqZRTtZJOuQJ CR4mpzcMaHZ1+06CE+J2ZoK/JjJVCo+n0WlDVyAFrcxqIlpiaF9RYlyvHl5cts+NAAgJ oOsmJvxNetHmL7AahN9cJRDM8e36A/Tv++0s7W3biIezEh/tFWfP93X/cHyhJX6YfdEJ Bz4uh3QautnubMHSDONohKRWrssdfVzJ1YrFIp1SZaKmX/QDv+0Wv2zwP47IcuejZJru F0o5hvvA+2e+QdZtmQAzEJX7Vm1o/uSuNZiZgCGgfcJOC1X6VAlIR+bzArxztrx0GmAg sJbQ==
X-Gm-Message-State: AAQBX9cuIHD9FtpmNGWY0Na2MxsMZvVfLZwdcyokZYeFLTYOSsnzTzr/ JMnKsT/qTKtEPLUIkg89jlAQYs21KNNFVaVN8bU=
X-Google-Smtp-Source: AKy350bRMXBhLd8f3g0H0R1KbsljnJOKi24kXR77ERmXVpv1ZRMBfaQ54Dc25XPwaYp2x17P5IDzDg==
X-Received: by 2002:ac8:7d42:0:b0:3bf:cc89:9c8f with SMTP id h2-20020ac87d42000000b003bfcc899c8fmr15449687qtb.68.1681095567826; Sun, 09 Apr 2023 19:59:27 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id n9-20020a374009000000b00742bc037f29sm2982523qka.120.2023.04.09.19.59.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 09 Apr 2023 19:59:27 -0700 (PDT)
Message-ID: <cd87e5c4-b067-8a2a-d1df-38076349fa05@nthpermutation.com>
Date: Sun, 09 Apr 2023 22:59:26 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1
To: Michael Richardson <mcr@sandelman.ca>, spasm@ietf.org
References: <CH0PR11MB57397DE8A78F12D5779DC96D9F969@CH0PR11MB5739.namprd11.prod.outlook.com> <06a1fd2b-52e6-0359-5a63-05340faab69a@nthpermutation.com> <29668.1680984394@localhost> <e47c4863-ff63-8428-81d2-dc4ad4407f85@nthpermutation.com> <17397.1680989296@localhost>
Content-Language: en-US
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <17397.1680989296@localhost>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/nJDvYOxdAQuGdT5_i9i2Ks9Y8dY>
Subject: Re: [lamps] Side meeting on PKIX key attestation format
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2023 02:59:30 -0000

On 4/8/2023 5:28 PM, Michael Richardson wrote:
> Michael StJohns <msj@nthpermutation.com> wrote:
> ...
>      > I'm going to answer that two different ways - indulge me please.
>
> :-)
> What an amazing way with words.
> You put your name in for 2024 presidential race yet?
Never going to happen.  Or "The physics of pigs flying is sufficiently 
deterministic in a negative sense to suggest the answer to that question."
>
>      > 2) In this particular set of questions, the CA/BF has explicitly
>      > disclaimed the use of a TPM attestation statement as proof of a Code
>      > signing keys residence on a secure module, and has put in some
>      > interesting requirements for issuing a code signing certificate.
>
> is this fundamentally why we have to do this side meeting?

My personal take is that we've got an elephant and at least three blind 
men trying to describe it.   Mike O has an immediate (Real Soon Now) 
need for a way to carry an HSM attestation statement in a PKCS10 (or 
similar) ASN.1 based request - 
https://datatracker.ietf.org/doc/draft-ounsworth-pkix-key-attestation/. 
Since neither the HSM attestation format nor the general scheme for 
carrying attestation statements in PKCS10 has yet been defined, that 
showed up as a single document.  That document in turn collides a bit 
with 
https://datatracker.ietf.org/doc/draft-ietf-lamps-key-attestation-ext/ 
which appears to me to be targeted at carrying attestation statements 
wrapped in a semi-opaque Webauthn format for the Webauthn community.  
Neither of these approaches currently appears to me to provide a good 
answer to Task A.  Russ suggested we discuss.

I think that last sentence is probably the "have to" part of the above!


>
> My interest stems from
> https://datatracker.ietf.org/doc/draft-irtf-t2trg-taxonomy-manufacturer-anchors/

I didn't have time to look at this very long, but I did a quick scan 
over Section 3.  Mostly what you have here is how to prove things to a 
device (software, other devices, the back office, etc - onboarding 
mostly).  One of the things you appear to be missing is a 
uni-directional device proving to the word "Hi, I'm an MCU of type X 
from manufacturer Y, and here's a public key that you can use to verify 
cryptographic statements I make about my capabilities".  TPMs call that 
an Endorsement Key/Endorsement certificate for the built in key, and 
that can be used to bootstrap into an Attestation Key/Certificate that 
may be more local in nature and shorter in time scope.  The trust anchor 
for that is a manufacturer public key and/or certificate, chaining to 
the device EK certificate.  The root of trust for the Attestation 
Certificate need not chain back to the device manufacturer's EK root.

That model may not exactly equal the IDevID you mention in section 4.

Think of it this way:   During board manufacturing, I want to know that 
the secure part/MCU/etc is the part I ordered and will behave as I want, 
and I want to be able to link later credentials to the original hardware 
attestation.  During board manufacturing, I'll ask the MCU to generate a 
key pair, and then prove that the public key of that key pair is 
internal to the MCU using MCU credentials.  I'll bind that key pair into 
a IDevID based on my OEM manufacturing credentials.  When it gets to the 
field, the owner will look at my OEM IDevID, and use the MCU attestation 
functions to generate an LDevID key pair, use MCU to attest that key 
pair perhaps using the contents of the IDevID as the attestation key - 
using a combination of the various previous roots of trust.

Finally, in a device that has a multi-tenant model, I may need to 
bootstrap a tenant's key pair attestation as part of the administration 
of the device.  That brings us up to the possibility of 4 roots of trust 
for attested keys.

Enjoy - Mike

>
> I think that there will be a lot more HSM in the field.
> (That's a good thing)
ps - actually I'm hoping for less big-iron HSMs and more SEs (Secure 
Elements), smart card based HSMs, or MCU/MPUs with embedded SE IP cells.