IETF Logo Mail Archive

Re: [lamps] Two comments on draft-ietf-lamps-key-attestation-ext

Thomas Fossati <Thomas.Fossati@arm.com> Sun, 08 January 2023 20:12 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA38EC14F74A; Sun, 8 Jan 2023 12:12:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=IC5zA0+o; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=IC5zA0+o
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yUQ7M0ZNtGKe; Sun, 8 Jan 2023 12:12:35 -0800 (PST)
Received: from EUR02-VI1-obe.outbound.protection.outlook.com (mail-vi1eur02on2080.outbound.protection.outlook.com [40.107.241.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B5E3C14CEED; Sun, 8 Jan 2023 12:12:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6bWPnp8FZG+Em/JsVY7BXSlvXQYbh2Vr4z710kb+4pg=; b=IC5zA0+otobsftnrcFdwXnmb4XLnDwNW1TsgDOCPrh3mg6Z1ABdouVtj7Tp21LZ4RGClAn78mlEPJWmH5ja5e5Xy0AY0zbN/QVlCoKhi4ZzuiG+o2LnNbrm+yniOfd2rGCW/ToGutEPiSZhb6V++miKRAKhwaVaJY69RjfBeN2Q=
Received: from DB6P195CA0002.EURP195.PROD.OUTLOOK.COM (2603:10a6:4:cb::12) by DU2PR08MB10040.eurprd08.prod.outlook.com (2603:10a6:10:49f::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18; Sun, 8 Jan 2023 20:12:18 +0000
Received: from DBAEUR03FT040.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:cb:cafe::a) by DB6P195CA0002.outlook.office365.com (2603:10a6:4:cb::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18 via Frontend Transport; Sun, 8 Jan 2023 20:12:18 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; pr=C
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DBAEUR03FT040.mail.protection.outlook.com (100.127.142.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18 via Frontend Transport; Sun, 8 Jan 2023 20:12:18 +0000
Received: ("Tessian outbound 8038f0863a52:v132"); Sun, 08 Jan 2023 20:12:16 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 5a3d0fbaf4f34086
X-CR-MTA-TID: 64aa7808
Received: from 55d3bc674c99.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 23356210-1A5C-4639-B8DC-18725295AEBF.1; Sun, 08 Jan 2023 20:12:10 +0000
Received: from EUR04-DB3-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 55d3bc674c99.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sun, 08 Jan 2023 20:12:10 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=W5C2ffBJWyqV3nqaje3HzyZPxvfjp+yKTuhisXzBfFdwDJHsyKzppEh0KtPbwpVvsNh/p1K085nl8A2WufexNQqyKj7uYcNptietOpjYvyb2AOJcM7vtPsWFtKFtm6OozNQqvBUtpByZy1V5r1BhrUISLez7oVN05r32i5hm5RYLUj7CPQRl0hoaH9GAQehlv1gCRKYr+FHVzneHatmJdSHxN+JQv1d7wQli/km11Anze3sC9xzki+gsf77cl9Jc4uck7b/smXl85Ej9tX+/whOVxC+ug/kpKd5wxe/JkBZgiZMNjSCWa7+T4cTXwlPmi7loMbB5EHRbSo5Zhn4Exg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6bWPnp8FZG+Em/JsVY7BXSlvXQYbh2Vr4z710kb+4pg=; b=GsUR7Af+mcfcuoJkk78uyJVUqiEY1z/PioEyeKW1Ljh5CTHoVBQkl9vR/zggGZjnIDAH7MQsvBk43uYujZreS28ljvS4BUQ8aaFNsg7P3tY5hcUhXyoniVutkuwk4IhRNvibFbWFbcyYmMkfwZH8ct0lQxLCEq302CMygYeGY4bcmvGDkVRXGsQXGmFEJs4z8JYbgJLv134Znin1vXzs14QiWVSnDk7b32myyaM98wq6WVWbPH0lv2EMRe9Qj29vUb93d/P1nruo6g/XvwntTKrm0nB+noNvnNCbh3yjQJZY3Vn+WJ9IDPKKkW/w7kZvRUd3mURG/tLqYAntXOejzw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6bWPnp8FZG+Em/JsVY7BXSlvXQYbh2Vr4z710kb+4pg=; b=IC5zA0+otobsftnrcFdwXnmb4XLnDwNW1TsgDOCPrh3mg6Z1ABdouVtj7Tp21LZ4RGClAn78mlEPJWmH5ja5e5Xy0AY0zbN/QVlCoKhi4ZzuiG+o2LnNbrm+yniOfd2rGCW/ToGutEPiSZhb6V++miKRAKhwaVaJY69RjfBeN2Q=
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com (2603:10a6:10:251::8) by PAVPR08MB9604.eurprd08.prod.outlook.com (2603:10a6:102:31b::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18; Sun, 8 Jan 2023 20:11:59 +0000
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::e715:bfac:5ba3:22ee]) by DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::e715:bfac:5ba3:22ee%3]) with mapi id 15.20.5986.018; Sun, 8 Jan 2023 20:11:58 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-key-attestation-ext@ietf.org" <draft-ietf-lamps-key-attestation-ext@ietf.org>
CC: "Smith, Ned" <ned.smith@intel.com>
Thread-Topic: Two comments on draft-ietf-lamps-key-attestation-ext
Thread-Index: AQHZFW2mv8XeWoZFtUKWFVmq7k+jN655sy0AgBtcNtM=
Date: Sun, 08 Jan 2023 20:11:20 +0000
Message-ID: <DB9PR08MB652435B2909D3EA48A0FCAE69CF99@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <DB9PR08MB652423A4D0BA4C58C9A08ECD9CEB9@DB9PR08MB6524.eurprd08.prod.outlook.com> <4A88E7BA-9341-4ED1-8CC7-5BF7D241020C@redhoundsoftware.com>
In-Reply-To: <4A88E7BA-9341-4ED1-8CC7-5BF7D241020C@redhoundsoftware.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
x-ms-traffictypediagnostic: DB9PR08MB6524:EE_|PAVPR08MB9604:EE_|DBAEUR03FT040:EE_|DU2PR08MB10040:EE_
X-MS-Office365-Filtering-Correlation-Id: 3a37c0e8-bdd9-448c-bb18-08daf1b4a45f
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: xIIDiJQJkU0KCbaNZC2LVv1y9mjJLBXGtg+xDk6dmovD3suKzERpS6b3qlrIGh3/Q+f4vJJeTi+8Hy65a0GDxx9SBTjwj1yUTFE6b8X0bYvAV5otUUb9oeEpiH5itN+k0iolqo/lEG24sK+fNecYOUuzHmBxFEFz7AIXoIrVMHdcudXh987UoEtL6GkzYuKj8vImHd+OQlQg4yWRnL2jKN3t8MyymcbeQxLvxcJvIFgAMusCfBPcnpcpSXkNE8FogM+CdDW04vM59IAciQoBk06G1a4MlScl/7gztHVBSxpuW8/U4tr1nqDQ/HzAtgI7hIviXeJ8OT+gaN7Aj6sn6msotSx/L/30V5sug8YH6ZYkQMnb/zoTI5MSqoEYlMkBDkqSdgkwlLe4No99Ivgxl+Wcohphta2RI+w7S7KNhuWeuI57nQ2OFTJKrbGtPtNm2NXvwVt9NwuKH7Cx3weLP6HayA+qjZEXKLm+B01eT4W1uZn1gholsOyq25HFGtuYT7kqdOw1LLe5jBNrqVHUFtYijEh9g9dp9z1vgJS5xz7FQb0UKjXVZPzihYS3B4CEaRlU4gp0VcmZBXa0BNSl/ylQ8cAO7SEplh1ZTj2EvoAMPnj8UwYZ3ro2Va+MaLQZYv7wzknH9bZypFABTJ02uZygwagMpyFz9daPXxZv1oP4amH36XW3YiwnL0w7DoxoF02XPeKteJIIOJSZut+lBCeY7Smynq5SmbRM7o/M3ts=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR08MB6524.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(136003)(346002)(366004)(39850400004)(396003)(376002)(451199015)(5660300002)(8936002)(52536014)(9326002)(41300700001)(110136005)(2906002)(83380400001)(38070700005)(91956017)(8676002)(76116006)(66476007)(316002)(66556008)(66446008)(66946007)(64756008)(4326008)(33656002)(71200400001)(7696005)(26005)(9686003)(186003)(478600001)(966005)(6506007)(53546011)(6666004)(86362001)(55016003)(122000001)(38100700002); DIR:OUT; SFP:1101;
Content-Type: multipart/alternative; boundary="_000_DB9PR08MB652435B2909D3EA48A0FCAE69CF99DB9PR08MB6524eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAVPR08MB9604
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DBAEUR03FT040.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 92a6eb11-66bd-44b3-89c5-08daf1b497fb
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: WJXZc5NYG7HTZ+r13275ukgT1d5iJmKgKgJNa5f0hHFuGhh6R79G2gm9K4ujwzdGRMupzstd4Ud/9BPxjjcIkMoh8EQ34jK3D4z/r0oh6+/CfnHOJ3hSkWSInMpuLB0bqAAwhAGH1vPyrHiLfkUObVlZQRrLWpXUJCWMPuFHdq3BUxRucNZc43GTtdW9zCQgO777n/ZkcvjNKirnsJoN1mO62ezl4KSdSWfrxT9fdgrYskaw5+yqjKretILyuGj7YN1c8eGOYQkXWEogSAsk9IaFgszuzUh+EMgtKnM8IGxMnO6uTvfqwqJaaw1KtOzA0fmBOdXor76yOpiCVejIGwXs6QPtG0NtDRFLANEfOBA8aH2LFqTeYvLCgo1XqCjJr7DbpE5ddSl9IVBtR8VrrlVj2dhK73onZvadWpCH2vPeM23qvZLjbeIN9kQuCUVAtQpsMJdjYbCPKA9GqFPCWmAev0mnMd1UpzEO8n36jUbhmBC3qaB21Rds8AicQx5lXb0CDCYtc03mffBcpuXwFXibcT8lwZr3qHyV77oewOP0T7ZkYc9ZvCeSdwxffB2ow8V3xib8OI+xaIV3IKcfxjXo1i1erLsg33ghxHDClSRgm6N4BbbjbNnPbjshvHZWgzLqBO1YkNghBm1iNxDWfOi64h7arB8TvHKoJtkpNFccFa1d44ym3YlOSiRSiFL+
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230022)(4636009)(39850400004)(396003)(376002)(136003)(346002)(451199015)(46966006)(36840700001)(26005)(186003)(2906002)(356005)(9686003)(81166007)(478600001)(41300700001)(450100002)(966005)(7696005)(110136005)(52536014)(9326002)(8936002)(316002)(40480700001)(82310400005)(83380400001)(5660300002)(55016003)(33656002)(107886003)(6666004)(6506007)(8676002)(86362001)(4326008)(70206006)(70586007)(82740400003)(47076005)(336012)(53546011)(36860700001); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Jan 2023 20:12:18.0334 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a37c0e8-bdd9-448c-bb18-08daf1b4a45f
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DBAEUR03FT040.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU2PR08MB10040
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vaDcspnV1U-vmrqZlvn1TTW-yLE>
Subject: Re: [lamps] Two comments on draft-ietf-lamps-key-attestation-ext
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2023 20:12:37 -0000

Hi Carl,

Apologies for the belated reply (I hit "send" and left for a long trip…)

On 22/12/2022, 10:20, "Carl Wallace" <carl@redhoundsoftware.com> wrote:
> > Thanks authors for a clear and useful document.
> >
> > Would it be possible to get an OID for CMWs [1] alongside WebAuthn?
> > That would help the case for passing attestation results when the
> > RA/CA cooperates with a separate verifier.
> >
> [CW] At present, the draft features a single OID for identifying
> attestation information sent to a CA where that information is
> formatted as a WebAuthn attestation statement. This format was elected
> to align with a similar ACME draft. In addition to this request to
> support RATS conceptual message wrappers, which like WebAuthn
> attestation statement formats is CBOR encoded, we’ve had an off-list
> request to support DER-encoded attestations. I’m open to adding
> support for a couple of additional formats to the draft.

Cool.

> I think this would just require additional OIDs, with the content
> encoded as an OCTET STRING as in the current draft and the basic
> approach remaining be the same, i.e., language to require the public
> key in the attestation information to match the public key in the
> certificate request would be in this draft with other semantics
> defined in the description of the attestation format.

Yes!

> > Another question I have is related to defining a symmetric cert
> > extension for carrying attestation evidence & results.  There is an
> > extension that would do the job defined by the TCG.  Maybe this
> > document could reference it?
>
> [CW] There’s nothing in the draft at present that describes how a CA
> signals to relying parties that it has verified an attestation but
> that’s probably a gap that ought be filled. In an implementation I
> worked on previously, this was done via certificate policies (but that
> does not fit every use case). I think in some currently percolating
> use cases the signal is more or less implicit. Adding some words re:
> these possibilities and a reference to something more concrete that
> conveys evidence or attestation results seems like a good idea. I’d
> not want to mandate any option though. A short additional
> informational section should be all that’s needed.

Awesome.  We need to coordinate this with the relevant TCG people -- Ned
is CC'd -- but this can be taken offline until we converge on a concrete
proposal.  Is there a public repo for the draft where we can send a PR?

cheers, t

> > cheers, thank you
> >
> > [1] https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/
> >

--

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.45.0 | Report a Bug | By Email | System Status