Re: [SPICE] [saag] Call for consensus on SPICE charter
Ira McDonald <blueroofmusic@gmail.com> Fri, 23 February 2024 15:10 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: spice@ietfa.amsl.com
Delivered-To: spice@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0196C151088; Fri, 23 Feb 2024 07:10:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pxgOwUUfoGn; Fri, 23 Feb 2024 07:10:19 -0800 (PST)
Received: from mail-vk1-xa35.google.com (mail-vk1-xa35.google.com [IPv6:2607:f8b0:4864:20::a35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7E05C14F68C; Fri, 23 Feb 2024 07:10:18 -0800 (PST)
Received: by mail-vk1-xa35.google.com with SMTP id 71dfb90a1353d-4c01076b9faso572376e0c.2; Fri, 23 Feb 2024 07:10:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708701018; x=1709305818; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=c2LlRCQp1YMwPk3mn26iG5yZwt0zr1FkQLtxWKQF9jc=; b=KvuVVMX72CTMqxTtMM0qcNVCPYsFfVlylqIi7pPuwUhCZjgHtT2cQ5aTA7WswIFGCC j9EUph4w+B91DzVk8pXNeRSuPApY/ochSEcTrWOtE1AbtqNJ4YRI+j+YV89WVF5Bh18d 4icYBMwctaCWuWX4ogovb84LPdOWzfjwi0Evgex4ShDpoqwYDVk3Ls9i7QYcYDSVH60R TO2B3VM6MsU4urHw+wItxkfOIuFykjOoZmLUfwykxe5iQv9kNeFJwx9530I5P9pnrKNx izfP3uL7KtWSARepzYFkIfbzH7R8246W4bT5ihbTMk8aQR3wFpH5WRrjJOOCPJoe3uvR 7zqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708701018; x=1709305818; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=c2LlRCQp1YMwPk3mn26iG5yZwt0zr1FkQLtxWKQF9jc=; b=uh9lCvsBiQKDUU4fmEHterwUWxUw6JsumulH8QvXInZ2mtLaFcDmkWvgIMegXdy622 bfj3pgDhiMBpBjsGdmNtHhM/x3RoXIaNrZPmQp+in7jSH2GZGKk22X9NTKXGLSE6W7dD TKrjhKiKlGVo4jSwIuBCecw/RKWCc7WZoYEOeT717fq+i0QlnUnJpubtbzBNYFQKb3HM QSz1XaeBj/W5u1B6vJwB/i5BLm78S8GlO1MQJzu7GA/AGC6Pg9Xqch7RgGp/z77HAF6r /iHjopYPgow02GO+9+hGvijNsq5uaBL9N6S46LlqPC+HumCvb+Of7hnpDaHpuHRAZhD2 H6oA==
X-Forwarded-Encrypted: i=1; AJvYcCXTLrqwqC8k4ItKuPbc54J59+V+78U1tr1PEs+JniyhNaTy8yoSSedmePxYnJH/SDnMqwaiohCItsHNiEla
X-Gm-Message-State: AOJu0YzyuAB5KBIKyltzJOZ++YejLAd7GRXxFEX2VFsGT7q6Aq6Tx+wJ 7uhTVZU/ECbq7bbBEEAvZ1zSgFZSjwYJl7SXPoVw6R+9J4cQjkVezKAiJWYaeepzwdCuEeyLYhF Q2JsuwCkY3WhYS4T/ZMdkqVtE+bdtb8pjtv4=
X-Google-Smtp-Source: AGHT+IHLeGUJjE4ASD5aJKPEUBAKtLXTAQdvFAC0k7GXRB6BWA1dxjFxCptJcv8rcUx4ICAeAu8NTaakrYYXRwNMnNI=
X-Received: by 2002:a1f:d403:0:b0:4c8:8d45:5325 with SMTP id l3-20020a1fd403000000b004c88d455325mr133031vkg.7.1708701017698; Fri, 23 Feb 2024 07:10:17 -0800 (PST)
MIME-Version: 1.0
References: <SJ0PR02MB74391502B5451B27457FE12DB74E2@SJ0PR02MB7439.namprd02.prod.outlook.com> <B85451AF-814D-4FFE-A593-E733572FA3EB@gmail.com> <e68d0218-82d0-b21a-a048-8cd7ad38e0cf@free.fr> <CAN40gSuU94OEKdueKd48oMsycLk2e3g2RTgpNPbRKpR8DitDeg@mail.gmail.com> <94765b81-2285-fa3c-4ab0-27a777725807@free.fr> <CAN40gSvNjOGELBn0_mmDXbJ5kxdfE0ZNJ6s8oPtQdyStmG8Tig@mail.gmail.com> <c21e1627-3ae2-3b2f-eedb-0091fb88c5d7@free.fr>
In-Reply-To: <c21e1627-3ae2-3b2f-eedb-0091fb88c5d7@free.fr>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Fri, 23 Feb 2024 10:09:59 -0500
Message-ID: <CAN40gSsn3F2iTnoD2VmoDYj1nyB4SjYBCb_4xY17YTu8yTdNMA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>, Ira McDonald <blueroofmusic@gmail.com>
Cc: spice@ietf.org, saag <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002ff84e06120df5f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spice/APJ_e3RtVG0KoAJ8VL5Th9blnAs>
Subject: Re: [SPICE] [saag] Call for consensus on SPICE charter
X-BeenThere: spice@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Patterns for Internet CrEdentials <spice.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spice>, <mailto:spice-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spice/>
List-Post: <mailto:spice@ietf.org>
List-Help: <mailto:spice-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spice>, <mailto:spice-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Feb 2024 15:10:22 -0000
Hi Denis, Yes I would support the TEEP addition to the charter. Cheers, - Ira On Fri, Feb 23, 2024 at 10:07 AM Denis <denis.ietf@free.fr> wrote: > Hi Ira, > > As a regular participant to the SPICE BoF video conferences each weak, I > am aware of RATS and of the EAT I-D, > and so are the other participants. > > Henk, the main editor of RFC 9334, is an active participant of the SPICE > BoF and hence we don't need to "inform ourselves" once more. > > The liaison with RATS is currently included in the draft charter, but not > the liaison with TEEP. Take a look at the following change proposal: > > Below the two bullets, there is the following sentence: > > The SPICE WG, coordinates with *RATS*, OAuth, JOSE, COSE and SCITT > working groups that develop documents related to the identity and > credential space. > > The TEEP (Trusted Execution Environment Provisioning) WG has been omitted, > and should be added since "Trusted Application Managers" are important. > In particular, the following document should be considered: > draft-ietf-teep-protocol-17 > > Change into: > > The SPICE WG, coordinates with *RATS, **TEEP*, OAuth, JOSE, COSE and > SCITT working groups that develop documents related to the identity and > credential space. > > I suppose that you would support this addition. > > Denis > > Hi Denis, > > Thanks. I stand corrected. > > I still suggest that SPICE folks inform themselves about IETF RATS WG > activities and documents, > including of course EAT (Entity Attestation Token) in the RFC Editor queue > since December 2023. > https://datatracker.ietf.org/doc/draft-ietf-rats-eat/ > > RATS operations, terminology, and architecture are already in use in IETF > SUIT WG (S/W Update), > IETF TEEP WG (TEE Provisioning, spanning several CPU architectures), and > others, for claims > that include identity and evidence about validity. > > Cheers, > - Ira > > *Ira McDonald (Musician / Software Architect)* > > *Chair - SAE Trust Anchors and Authentication TF * > *Co-Chair - TCG Trusted Mobility Solutions WG* > > *Co-Chair - TCG Metadata Access Protocol SG * > > > On Fri, Feb 23, 2024 at 9:31 AM Denis <denis.ietf@free.fr> wrote: > >> Hi Ira, >> >> FYI, the word "Verifier" as used in RFC 9334 does not map to the >> "Verifier" role as currently used in the three roles model: >> i.e., Holder, Issuer and Verifier, e.g., in VCDM 2.0 from W3C. >> >> You wrote: >> >> "A Verifier who never verifies anything is not a useful term". >> >> A verifier never verifies, nor validates, digital *credentials*, since it >> only verifies digital *presentations*. >> >> Please read again the following sentence: >> >> A "verifier", an application running in a trusted environment that *verifies >> digital presentations* received from a holder. >> >> This sentence does use the verb "verify". >> Denis >> >> Hi Denis, >> >> Conflating verification with validation is not helpful. A Verifier who >> never verifies anything is not >> a useful term. >> >> It would be appropriate, given the five years of prior work quite close >> to the apparent topic of >> SPICE, if people read and thought about the terminology already widely >> used in IETF working >> drafts from RATS Architecture (RFC 9334). >> >> Cheers, >> - Ira >> >> >> On Fri, Feb 23, 2024 at 6:37 AM Denis <denis.ietf@free.fr> wrote: >> >>> Margaret, >>> >>> I have the same problem as yourself, .... and many more. See my email >>> from yesterday. >>> https://mailarchive.ietf.org/arch/msg/spice/eRxcl2xXJEgIYiKWPATZKPuBVcI/ >>> >>> I wrote: >>> >>> Furthermore, there is a confusion in the proposed text between "digital >>> credentials" and "digital presentations". >>> >>> Replace by: >>> >>> An "issuer", an application running in a trusted environment that issues >>> digital credentials to its *subscribers **and takes care of their >>> validity statu*s. >>> >>> A "holder", an application running in a trusted environment under the >>> control of a user that requests digital credentials to one or more issuers, >>> store them and builds from them digital presentations that are then >>> communicated to a verifier. >>> >>> A "verifier", an application running in a trusted environment that >>> verifies digital presentations received from a holder. >>> >>> When the digital credential issuer sends back to the holder a digital >>> credential (after a digital credential request), >>> the holder needs to verify that the digital credential it receives >>> matches with its request. >>> >>> A verifier never verifies, nor validates, digital credentials. >>> >>> A verifier receives a digital *presentation* (derived from a digital >>> credential) that he needs to validate. >>> >>> There is no need to introduce a "validator". >>> >>> >>> IMO, in order to be approved, the charter will need to be corrected in >>> several places. >>> >>> >>> Denis >>> >>> I strongly support the creation of this WG, and my answers to the formal >>> consensus questions are listed below. >>> >>> However, I do have one comment on the charter text…. >>> >>> > A "verifier", an entity (person, device, organization, >>> > or software agent) that verifies and validates secured >>> > digital credentials. >>> >>> I question the assumption that the credential will be verified and >>> validated by the same entity. I would prefer to see these broken out into >>> separate roles. I think that in some cases a credential may be issued and >>> verified by the same entity and verified by another entity. Or in some >>> cases, all three roles could be separate. >>> >>> For instance, a student at a university could present a digital >>> University ID. The credential could be issued by, and perhaps even >>> verified by, the university. However, if the holder needed to validate >>> that the issuer was a properly-accredited, US university, a third-party >>> validation could be needed to confirm that fact. >>> >>> So, I would prefer to see the verifier and the validator listed as >>> separate roles. >>> >>> However, this is a comment on the text, not an objection to WG formation. >>> >>> Margaret >>> >>> >>> (1) Do you support the charter text? Or do you have objections or >>> blocking concerns (please describe what they might be and how you would >>> propose addressing the concern)? >>> >>> mrc> Yes, with one comment, above. >>> >>> If you do support the charter text: >>> (2) Are you willing to author or participate in the developed of the WG >>> drafts? >>> >>> mrc> Yes >>> >>> (3) Are you willing to review the WG drafts? >>> >>> mrc> Yes >>> >>> (4) Are you interested in implementing the WG drafts? >>> >>> mrc> interested? Yes! But as consultants and operators, we’d be more >>> likely to deploy and operate an open source implementation of this >>> technology for someone else, which we would be eager to do. >>> >>> _______________________________________________ >>> saag mailing listsaag@ietf.orghttps://www.ietf.org/mailman/listinfo/saag >>> >>> >>> _______________________________________________ >>> saag mailing list >>> saag@ietf.org >>> https://www.ietf.org/mailman/listinfo/saag >>> >> >> >
- [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Jones
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Jones
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] [OAUTH-WG] FW: Call for consensus on … Mahmoud Alkhraishi
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] [OAUTH-WG] FW: Call for consensus on … Brent Zundel
- Re: [SPICE] Call for consensus on SPICE charter Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Giuseppe De Marco
- Re: [SPICE] Call for consensus on SPICE charter Jon Geater
- Re: [SPICE] Call for consensus on SPICE charter Justin Richer
- Re: [SPICE] Call for consensus on SPICE charter Michael Jones
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Christopher Allen
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] [OAUTH-WG] FW: Call for consensus on … Denis
- Re: [SPICE] Call for consensus on SPICE charter Margaret Cullen
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Ira McDonald
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Ira McDonald
- Re: [SPICE] Call for consensus on SPICE charter Nick Doty
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Alexander Stein
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Nick Doty
- Re: [SPICE] [saag] FW: Call for consensus on SPIC… Denis
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- [SPICE] Fwd: [OAUTH-WG] FW: Call for consensus on… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Leif Johansson
- Re: [SPICE] Call for consensus on SPICE charter Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Christopher Allen
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Ira McDonald
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Heather Flanagan
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Denis
- [SPICE] 00-01 charter comments (was Re: Call for … Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Tschofenig, Hannes
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Tschofenig, Hannes
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Brent Zundel
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Alexander Stein
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock