Re: [lamps] Call for Adoption of draft-tschofenig-lamps-nonce-cmp-est

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 15 April 2024 16:10 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: LAMPS <spasm@ietf.org>
In-Reply-To: <CH0PR11MB57390AB68E3AABC66A30AC4E9F092@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <9025794D-0FD9-4F65-B366-7785DA2C1045@vigilsec.com> <3727B590-50EF-4137-92D2-968BC954ED3A@redhoundsoftware.com> <CH0PR11MB57390AB68E3AABC66A30AC4E9F092@CH0PR11MB5739.namprd11.prod.outlook.com>
Date: Mon, 15 Apr 2024 12:09:54 -0400
Message-ID: <2477.1713197394@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/oikpY49ZdBZpDbg6TEZc91sKV3s>
Subject: Re: [lamps] Call for Adoption of draft-tschofenig-lamps-nonce-cmp-est

Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
    > In draft-ietf-lamps-csr-attestation we say that establishment of the
    > nonce between the CA and cert requester is important but needs to be
    > handled by the cert enrollment
    > protocol. draft-tschofenig-lamps-nonce-cmp-est is an instantiation of
    > that. It’s good and important work.

For some time a few of us have been considering how to carry Attestation
Evidence in an RFC8366/8995 voucher request.  The result would be a
background check with the Registrar acting as RP, and the MASA acting as
Verifier.  To make this work we need some freshness for that evidence. Up to
now, I considered doing this via a TLS Exporter on the EST connection.

A reason I haven't gone ahead with that idea is that any remote attestation
that is done at onboarding time might create more execute-once code paths.
It would be better if IoT devices that are onboarded do some continuous
assurance, and it would be better to just run that protocol right after onboarding.

This document suggests in the filename that it is going to support EST, but I
can't see that in the document itself.  I'm not sure what the intentions are;
maybe there is an interaction with draft-ietf-lamps-rfc7030-csrattrs?

I think that this document says too much about the CSR attestation situation
(end of section 3).  I would just remove it, and let csr-attestation say
this.



--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
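The background-check flow the message sketches (Registrar as Relying Party, MASA as Verifier, a nonce giving the Evidence freshness) can be shown as a small appraisal loop. The following is an added example, not code from the thread, from RFC 8366/8995 or from draft-tschofenig-lamps-nonce-cmp-est. Its message layout, the device identifier, the device key and the use of HMAC in place of a real attestation-key signature are all constructed for illustration; the nonce time-to-live and the single-use rule are assumptions, not values taken from any draft.

```python
"""Nonce-based freshness check for attestation Evidence in a background-check
model: the Verifier issues a nonce, the Relying Party relays it to the device,
the device binds it into its Evidence, and the Verifier appraises the result.
Constructed example; HMAC stands in for a real attestation-key signature."""
import hashlib
import hmac
import json
import secrets
import time

NONCE_TTL_S = 120  # assumed lifetime of an issued nonce (seconds)


def canonical(claims: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class Verifier:
    """Plays the MASA role: issues nonces and appraises Evidence."""

    def __init__(self, device_keys: dict, now=time.time):
        self._keys = device_keys      # device_id -> constructed attestation key
        self._now = now               # injectable clock so expiry can be tested
        self._issued = {}             # nonce -> expiry time

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)  # 128 bits of unpredictable freshness
        self._issued[nonce] = self._now() + NONCE_TTL_S
        return nonce

    def appraise(self, evidence: dict) -> str:
        claims = evidence["claims"]
        # pop() makes each nonce single-use: a replayed Evidence fails here
        expiry = self._issued.pop(claims.get("nonce"), None)
        if expiry is None:
            return "reject: unknown or reused nonce"
        if self._now() > expiry:
            return "reject: nonce expired"
        key = self._keys.get(claims.get("device_id"))
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence["sig"]):
            return "reject: bad signature"
        return "accept"


class Pledge:
    """The device: binds the relayed nonce into its Evidence before signing."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def produce_evidence(self, nonce: str) -> dict:
        claims = {
            "device_id": self.device_id,
            "nonce": nonce,
            "fw_measurement": "constructed-firmware-digest",
        }
        sig = hmac.new(self._key, canonical(claims), hashlib.sha256).hexdigest()
        return {"claims": claims, "sig": sig}


class Registrar:
    """Relying Party: relays nonce and Evidence, delegates appraisal."""

    def __init__(self, verifier: Verifier):
        self.verifier = verifier

    def onboard(self, pledge: Pledge) -> str:
        nonce = self.verifier.issue_nonce()          # would travel in the voucher request
        evidence = pledge.produce_evidence(nonce)
        return self.verifier.appraise(evidence)


class Clock:
    """Controllable clock so the expiry path can be exercised offline."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def run_scenarios() -> dict:
    """Exercise fresh, replayed, expired and forged Evidence; returns verdicts."""
    clock = Clock()
    dev_key = b"constructed-device-attestation-key"
    verifier = Verifier({"pledge-0001": dev_key}, now=clock)
    registrar = Registrar(verifier)
    pledge = Pledge("pledge-0001", dev_key)
    results = {"fresh": registrar.onboard(pledge)}

    ev = pledge.produce_evidence(verifier.issue_nonce())
    verifier.appraise(ev)                       # first use consumes the nonce
    results["replay"] = verifier.appraise(ev)

    ev = pledge.produce_evidence(verifier.issue_nonce())
    clock.t += NONCE_TTL_S + 1                  # let the nonce age out
    results["expired"] = verifier.appraise(ev)

    forged = Pledge("pledge-0001", b"wrong-key").produce_evidence(verifier.issue_nonce())
    results["forged"] = verifier.appraise(forged)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:8s} -> {verdict}")
```

The message's alternative, deriving freshness from a TLS exporter on the EST connection, would replace `issue_nonce` with a value both endpoints compute from the session rather than one the Verifier has to remember; the appraisal side then loses the single-use table but gains channel binding, which this example does not model.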