[lamps] PKIX Attestation meeting notes 2023-05-22

Mike Ounsworth <Mike.Ounsworth@entrust.com> Mon, 22 May 2023 19:16 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: 'LAMPS' <spasm@ietf.org>
CC: Jethro Beekman <jethro@fortanix.com>, Sander Temme <sander.temme@fortanix.com>, Herman Slatman <herman@smallstep.com>, Tomas Gustavsson <tomas.gustavsson@keyfactor.com>, AMADOR Eric <eric.amador@thalesgroup.com>
Date: Mon, 22 May 2023 19:16:01 +0000
Message-ID: <CH0PR11MB5739C0966EC6CD6CB2F0D1039F439@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xcHBN9GHJmbD3LlZowvBlqpHrJM>

Full meeting notes are in github [0].

Today we agreed to a slight change in direction for this group:
We will pause working on a vendor-agnostic key attestation format and focus first on defining a CSR attribute that allows key attestations that exist today.
Yes Russ, this draft is meant to include and replace draft-ietf-lamps-key-attestation-ext.

We spent the meeting going through MSJ's ASN.1 for CSR attributes (in the file 2023-05-22-msj.asn in github [1]).

The general model we envision in the short-term for the CSR attribute is that a CA should be able to "forklift out" a proprietary key attestation blob and hand it to a command-line utility provided by a vendor that will validate the attestation and return the subject public key for comparison against the CSR.

To this end, we think the structures defined in draft-stjohns-csr-attest will do the trick since they allow for the following use cases. For full details, see the meeting notes in github [0].

1. Existing proprietary key attestation formats: just register yourself an OID, for example id-at-keyattest-entrust with a type OCTET STRING and you can put that into AttestStatement, ignoring the optional values.
2. We can later define a fully-ASN.1 statement format and assign it an OID (this is the work Carl would want done in RATS).
3. MSJ will define a TPMAttestAttribute ASN.1 structure and OID to include in this document.
4. MSJ will define a WebAuthnOpaqueAttestAttribute ASN.1 structure and OID to include in this document.

Next Steps
---------------

* ACTION: MSJ and MikeO to update draft-stjohns-csr-attest to match -- mainly means adding the ASN.1 module and tweaking some of the text with short-term and long-term goals.

[0]: meeting notes: https://github.com/EntrustCorporation/draft-ounsworth-pkix-key-attestation/blob/master/meetingNotes/2023-05-22.md
[1]: msj.asn: https://github.com/EntrustCorporation/draft-ounsworth-pkix-key-attestation/blob/master/meetingNotes/2023-05-22-msj.asn
---
Mike Ounsworth
Software Security Architect, Entrust

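The "forklift out" model described in the notes above (CA extracts a vendor-opaque attestation from the CSR attribute, hands it to a vendor validator, and compares the returned public key against the CSR), as an added example that is not code from the meeting, from draft-stjohns-csr-attest, or from any vendor. It assumes an AttestStatement shape of SEQUENCE { type OBJECT IDENTIFIER, value OCTET STRING } with the draft's optional fields ignored, uses 2.999.1 as a placeholder OID (2.999 is the arc reserved for examples), and replaces the vendor's command-line tool with a toy hash check named demo_vendor_validate; a real validator would verify a signature chain back to the HSM or TPM vendor root.

```python
"""Added example: CA-side handling of an opaque key attestation in a CSR.

Assumptions made for this example only (none come from the draft):
  * AttestStatement ::= SEQUENCE { type OBJECT IDENTIFIER, value OCTET STRING }
  * 2.999.1 is a placeholder OID standing in for a vendor-registered arc
  * demo_vendor_validate is a toy stand-in for a vendor's validation CLI
"""
import hashlib
import hmac

TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04


def encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + encode_len(len(body)) + body


def read_tlv(data: bytes, pos: int):
    """Return (tag, body, end) for the element at pos; reject truncation."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:  # indefinite or absurd length is not DER
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def base128(n: int) -> bytes:
    chunk = bytearray([n & 0x7F])
    n >>= 7
    while n:
        chunk.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(chunk)


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2:
        raise ValueError("OID needs at least two arcs")
    # The first two arcs share one value; under arc 2 the second arc may exceed 39.
    return b"".join(base128(v) for v in [40 * arcs[0] + arcs[1]] + arcs[2:])


def decode_oid(body: bytes) -> str:
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID encoding")
    values, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(v)
            v = 0
    first = values[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, arcs + values[1:]))


def encode_attest_statement(oid: str, blob: bytes) -> bytes:
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(oid)) + tlv(TAG_OCTET_STRING, blob))


def decode_attest_statement(der: bytes):
    """Parse the assumed AttestStatement shape; any deviation is a ValueError."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("expected OBJECT IDENTIFIER")
    tag, blob, pos = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING or pos != len(body):
        raise ValueError("expected a single OCTET STRING")
    return decode_oid(oid_body), blob


# --- toy vendor format (constructed; stands in for a proprietary blob) ---
OID_DEMO_ATTEST = "2.999.1"  # placeholder OID, not a registered arc
DEMO_TAG = b"demo-attest-v1"


def demo_vendor_pack(pubkey: bytes) -> bytes:
    """What the toy 'device' emits: len || pubkey || sha256(tag || pubkey)."""
    return len(pubkey).to_bytes(2, "big") + pubkey + hashlib.sha256(DEMO_TAG + pubkey).digest()


def demo_vendor_validate(blob: bytes) -> bytes:
    """Toy validator: return the attested public key or raise ValueError."""
    n = int.from_bytes(blob[:2], "big")
    pubkey, mac = blob[2:2 + n], blob[2 + n:]
    expected = hashlib.sha256(DEMO_TAG + pubkey).digest()
    if len(blob) < 2 or len(pubkey) != n or not hmac.compare_digest(mac, expected):
        raise ValueError("attestation does not verify")
    return pubkey


# OID -> vendor validator: the CA-side "forklift" dispatch.
VENDOR_VALIDATORS = {OID_DEMO_ATTEST: demo_vendor_validate}


def ca_check_attestation(csr_public_key: bytes, statement_der: bytes) -> str:
    """Return 'ok', 'unknown-format', 'invalid' or 'key-mismatch'."""
    try:
        oid, blob = decode_attest_statement(statement_der)
    except (ValueError, IndexError):
        return "invalid"
    validator = VENDOR_VALIDATORS.get(oid)
    if validator is None:  # no validator registered for this OID
        return "unknown-format"
    try:
        attested_key = validator(blob)
    except ValueError:
        return "invalid"
    if not hmac.compare_digest(attested_key, csr_public_key):
        return "key-mismatch"
    return "ok"
```

ca_check_attestation deliberately distinguishes "unknown-format" from "invalid": an OID the CA has no validator for is not proof of anything, and whether issuance proceeds without attestation assurance is a CA policy decision rather than something the parser should silently decide.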