IETF Logo Mail Archive

Re: [lamps] Two comments on draft-ietf-lamps-key-attestation-ext

Carl Wallace <carl@redhoundsoftware.com> Thu, 22 December 2022 10:20 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB81BC14CE3A for <spasm@ietfa.amsl.com>; Thu, 22 Dec 2022 02:20:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tDKeGj0VuITT for <spasm@ietfa.amsl.com>; Thu, 22 Dec 2022 02:20:32 -0800 (PST)
Received: from mail-qv1-xf29.google.com (mail-qv1-xf29.google.com [IPv6:2607:f8b0:4864:20::f29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B9B0C14CE38 for <spasm@ietf.org>; Thu, 22 Dec 2022 02:20:32 -0800 (PST)
Received: by mail-qv1-xf29.google.com with SMTP id h10so973751qvq.7 for <spasm@ietf.org>; Thu, 22 Dec 2022 02:20:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=mime-version:in-reply-to:references:thread-topic:message-id:to:from :subject:date:user-agent:from:to:cc:subject:date:message-id:reply-to; bh=iNpeoI9bPxFr5I0QkSpcBOrH46vmzlrGDVudiP4rz0g=; b=0pi6cO59R2MhZG4rXtVaFxpyWkgevSKPRdHfg+Jlr3a49NSjLkIy51SbWqyeoVMur0 dR/qksnmzmNzWuHLhXbkf4NOeZXVQO6Fc+JsM7bsoyui7eUxoPhhJSgXXMyozoJugK3l Km6smWm/gzGFUkBBoV7QxEumO3ODuVsm0ZsmY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:in-reply-to:references:thread-topic:message-id:to:from :subject:date:user-agent:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=iNpeoI9bPxFr5I0QkSpcBOrH46vmzlrGDVudiP4rz0g=; b=46GzDC8hUvCrlf5Uq2c1wFVBDDaDSI3zwK5nw7eQinRlaPWT/BEtzgjf7tKVzDdw96 Tqg5pMXj4vbrrwgNy6OK+os+RcrvyKofFalhdMgRC6IHhzn6XKWg2tskCktEHJ8R4eqB V4100obHEKgFUU9LU6JbYrzTsyaSRG+Bd6pdqgGI6JNlpvb4tu2PbzaogDZ3XCxFsDNp EaEvxuGCggr60zswXWH2xnNjNIRkaGt+40uJGBjSClc/mx4TJN05j1sW/Mpw2gEU2rkc 7HusH27sVfCRWqMqYvl3/CDAFB0pIZRwOnCyTTtg0enm0/K94sfm+FXE/sXdzpmCn4nK yt6Q==
X-Gm-Message-State: AFqh2kqNPLxFSCBaiDypvLLCEHwy8YSvqHPJrBBtMaJK4f6zjUD5BUEs +wjM4xpYDwocuH5ddbil6DncZg==
X-Google-Smtp-Source: AMrXdXtQoa6aN2g1PFHgpJHUi+VZ1Z2OmDYB5Ro5v9n0yO6pZjYTzWmXMdLf7z0VVRhYjFwIWkqv/Q==
X-Received: by 2002:a0c:90c5:0:b0:521:2df4:f467 with SMTP id p63-20020a0c90c5000000b005212df4f467mr7956033qvp.38.1671704431237; Thu, 22 Dec 2022 02:20:31 -0800 (PST)
Received: from [192.168.2.16] (pool-74-96-253-253.washdc.fios.verizon.net. [74.96.253.253]) by smtp.gmail.com with ESMTPSA id u7-20020a05620a430700b006cbc6e1478csm41012qko.57.2022.12.22.02.20.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Dec 2022 02:20:30 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.68.22121100
Date: Thu, 22 Dec 2022 05:20:30 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>, "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-key-attestation-ext@ietf.org" <draft-ietf-lamps-key-attestation-ext@ietf.org>
Message-ID: <4A88E7BA-9341-4ED1-8CC7-5BF7D241020C@redhoundsoftware.com>
Thread-Topic: Two comments on draft-ietf-lamps-key-attestation-ext
References: <DB9PR08MB652423A4D0BA4C58C9A08ECD9CEB9@DB9PR08MB6524.eurprd08.prod.outlook.com>
In-Reply-To: <DB9PR08MB652423A4D0BA4C58C9A08ECD9CEB9@DB9PR08MB6524.eurprd08.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3754531230_1715883457"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tJaiqF1g3vMtdUcjPJR0EIfiG8Y>
Subject: Re: [lamps] Two comments on draft-ietf-lamps-key-attestation-ext
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2022 10:20:36 -0000

Inline…

 

From: Thomas Fossati <Thomas.Fossati@arm.com>
Date: Wednesday, December 21, 2022 at 1:56 PM
To: "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-key-attestation-ext@ietf.org" <draft-ietf-lamps-key-attestation-ext@ietf.org>
Subject: Two comments on draft-ietf-lamps-key-attestation-ext
Resent-From: <alias-bounces@ietf.org>
Resent-To: <carl@redhoundsoftware.com>, <sean@sn3rd.com>
Resent-Date: Wed, 21 Dec 2022 10:57:43 -0800 (PST)

 

Thanks authors for a clear and useful document.

 

Would it be possible to get an OID for CMWs [1] alongside WebAuthn?

That would help the case for passing attestation results when the RA/CA

cooperates with a separate verifier.

 

[CW] At present, the draft features a single OID for identifying attestation information sent to a CA where that information is formatted as a WebAuthn attestation statement. This format was elected to align with a similar ACME draft. In addition to this request to support RATS conceptual message wrappers, which like WebAuthn attestation statement formats is CBOR encoded, we’ve had an off-list request to support DER-encoded attestations. I’m open to adding support for a couple of additional formats to the draft. I think this would just require additional OIDs, with the content encoded as an OCTET STRING as in the current draft and the basic approach remaining be the same, i.e., language to require the public key in the attestation information to match the public key in the certificate request would be in this draft with other semantics defined in the description of the attestation format.

 

Another question I have is related to defining a symmetric cert

extension for carrying attestation evidence & results.

There is an extension that would do the job defined by the TCG.  Maybe

this document could reference it?

 

[CW] There’s nothing in the draft at present that describes how a CA signals to relying parties that it has verified an attestation but that’s probably a gap that ought be filled. In an implementation I worked on previously, this was done via certificate policies (but that does not fit every use case). I think in some currently percolating use cases the signal is more or less implicit. Adding some words re: these possibilities and a reference to something more concrete that conveys evidence or attestation results seems like a good idea. I’d not want to mandate any option though. A short additional informational section should be all that’s needed. 

 

cheers, thank you

 

[1] https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/

 

--

 

 

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.45.0 | Report a Bug | By Email | System Status