Re: [Suit] Delegation chains
hannes.tschofenig@gmx.net Wed, 08 November 2023 17:21 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5285C151989 for <suit@ietfa.amsl.com>; Wed, 8 Nov 2023 09:21:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.804
X-Spam-Level:
X-Spam-Status: No, score=-2.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ptm3XbNYquEN for <suit@ietfa.amsl.com>; Wed, 8 Nov 2023 09:21:50 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81002C14CE47 for <suit@ietf.org>; Wed, 8 Nov 2023 09:21:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1699464106; x=1700068906; i=hannes.tschofenig@gmx.net; bh=gk0fhNFeyKtW+p4YJ1CtQDFZ19jRACegow01VehoIWk=; h=X-UI-Sender-Class:From:To:References:In-Reply-To:Subject:Date; b=WjdYPR7q7dm2pbXtj4TK1Q9aKvRKmUIjIJ38MZ9SgQGwwOg3LErZGG8mRTkxtuMk rLKiabJ2xLCD/F1lvnkX22j54Wpl0rOGTv7OxuuFsQRclpCALXlbBzl7XnKYJsj+Z UzGOn7I+Dx36ClLpqC6APDYExDP0rCWvP3gF5TAQrUSShMg+lJoRr5TbaCqIhbNzs OSbxRQg/i28fszChyNJH0VbLzLa7o0EwXuimzaGVGYkcPYsr2CgqhupMQgWlH+twg sOLN94c3lG61LdS6OxrdJCgGIfzMeSBZLhCjF6u64LTnTiwB4B4p0SEi4aOK0wqE0 RZy5xfq+eFihxjQsDw==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from Surface ([31.133.136.139]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1Md6Mj-1rZ0bR38pX-00aFty; Wed, 08 Nov 2023 18:21:46 +0100
From: hannes.tschofenig@gmx.net
To: 'Brendan Moran' <brendan.moran.ietf@gmail.com>, 'suit' <suit@ietf.org>
References: <CAPmVn1ML10ea-20ahRUEbRO=EnCPECOX3bWKXDoT95kfGR_7pw@mail.gmail.com>
In-Reply-To: <CAPmVn1ML10ea-20ahRUEbRO=EnCPECOX3bWKXDoT95kfGR_7pw@mail.gmail.com>
Date: Wed, 08 Nov 2023 18:21:45 +0100
Message-ID: <014c01da1268$0cd734a0$26859de0$@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFtIE3IyiLhYmUrep4xZ4EBCqDdJrFKjiKQ
Content-Language: de-at
X-Provags-ID: V03:K1:6YUIgebq7FCFULUJDR+iG1gfZ2sHQwWJP71biD+t9NlA9WUONB5 iW9by6cj1Eelz+zQLPM2nRtlhEG82MM/RA0jt2XwHGQTR+IaHOGURTCqudTTf6dVNnyK98U yrN0LijS7AlExEiS60CjBypcMC1nnIX3pO9b2cUwJqWCkybkyz47eMgEOe3gtpK187ugW1C ISnTxp2fmgeZz2+Vhl+Tg==
UI-OutboundReport: notjunk:1;M01:P0:IoGponUKdRY=;0XfmKewxDH0xuQ5J7Uc8ogHzY5G eKxffDrMnMHbGK89XjQhrYvE5zSz3LrojRYsGm6254HLBUkGzLNPpGwTBJdOjTWiu7l9uigEy hveCpqPpp8Z93ZyNZHHyTYbDuZccYf4gpD5DNJTR1kcKXRdMOCh8qXONvpOFWxE9pLge94iGl mdnFu42or+AcHIxPKhVi/2ReuKczM9IpgxYXthjitR504NT5phcRz3qUByb83es+aCyj45MLE T6BeI+ytktrBCxPivLe/hBghoqcOtHKLKK7bQI/66wEFNGeBJxyqLy16co01Nz3EqQVHmRoO+ sbUfJmlB5TNPdjG80r3dkM68re3UxDv4feKQ3Ns9Khn2c4mUz1Kox2rCzHx5VDjUi6LgfLGa6 jy+w6zwpBe9SZkbApmBrRu2uQFCOQorp2s9PM4MCvgA3TEK/eEe//NVhnmfgQrHN6AtkA4hOb iS5hUB7Cc2CZB+2PP8T305cv2/jwV/i/zJDRNKjidfjEfe75qdz1/aq42ce+lEH4eWf13sN8s lCmdQOAU9ExyvkWxuM27XN5Y9zJ7oyEs6h5b/pFRCu3dOUOKHQbowkL34YZL9rY0kH0I9lEMo YTZek4ihmLbPrIIUQN0yiC5n2n+4JiYz8G1cCtOh8hmDnY1Zkbdh3S8R2vTSFORVho2N9ZRlE tzxqI/aHiGF9SG497F98OFCHzHoOHmgbEceW52AJdMJwHqNH4eomFrnhFHHdSFBoBxx/icYKn OaIuloJJwKbdEb1EV4EGa2Asq9bsY3jtgW78hSV+BzJLnkO4r64Y57Wd7/9/Utu55JDM0+8Xi /x9/tsdpP1ESWGqf11op3MJc27Nv3keGU4+6vmOYqarwm6A3DehLRMNj6sJy84RVWDMtGLzHw K4dq4OW9fVnRxi52oxnbe64itRM559ikbV/CEEGO5fct2PKekpFNdPCcc6lAYtkdkEie3m2Fa l3/XZOgyJtZWC687IDN6zKwWeJ8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/-MNDf8QByrehWO-MM03WAt8oKEQ>
Subject: Re: [Suit] Delegation chains
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2023 17:21:50 -0000
Hi Brendan, Hi all, I took a quick look at the draft and my comments sent to the draft earlier this year (see https://mailarchive.ietf.org/arch/msg/suit/FmbtMoZSHlYEtLU_MKEb7GOo_Vw/) still hold. David Brown has responded to my remarks as well, see https://mailarchive.ietf.org/arch/msg/suit/j2-RjRjPdaO8fxrWg2cox9NIVFI/ I would remove the "delegation" functionality from the draft. We can always work on it later and define it better. The issue is that we have to align it with the work in COSE, use the PKIX terminology and do some prototyping efforts. By removing that functionality, we can also change the title of the document so that it describes the bulk of the functionality, namely the dependency management. This is also the feature we need in TEEP and in the SUIT firmware encryption draft. Ciao Hannes -----Original Message----- From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran Sent: Montag, 23. Oktober 2023 17:25 To: suit <suit@ietf.org> Subject: [Suit] Delegation chains The current design in draft-ietf-suit-trust-domains defines that a delegation chain is a sequence of CWTs, each bearing a proof of possession claim, where the first CWT bears a subject public key that can authenticate the manifest, each subsequent CWT bears a subject public key that can authenticate the previous CWT, and the last CWT can be authenticated by a trust anchor accessible to the Manifest Processor. There is an open question as to whether this is an adequate delegation scheme. If you have any insight into this question, we would appreciate your feedback. Best Regards, Brendan _______________________________________________ Suit mailing list Suit@ietf.org https://www.ietf.org/mailman/listinfo/suit
- [Suit] Delegation chains Brendan Moran
- Re: [Suit] Delegation chains hannes.tschofenig