IETF Logo Mail Archive

Re: [Suit] AD Review of draft-ietf-suit-mud-04

Roman Danyliw <rdd@cert.org> Fri, 22 September 2023 22:41 UTC

Return-Path: <rdd@cert.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58D7CC151536 for <suit@ietfa.amsl.com>; Fri, 22 Sep 2023 15:41:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ThAyI2NminOr for <suit@ietfa.amsl.com>; Fri, 22 Sep 2023 15:41:51 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0101.outbound.protection.office365.us [23.103.209.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF0AEC151530 for <suit@ietf.org>; Fri, 22 Sep 2023 15:41:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=CUM/1L3ITDdNM/gPAKtuwKPjA5EQZfY7iALgSGclw8KLfocoDIZnMbBnWoBLRR5O/g3ExGyO7QqKG7bzbR7nS/EIBnLUuzO7oCr/Li/0xXvU8UQ3UaKO3MgoDzVbJOzdaERTlbD4ZMcpLmGA9SZt8k965ga9KOyb3085XD9iqqWT1yZrKmZftnQQjwkTzDXGxw1j9Er+5HliJ9C1ANeDhiABaiIYOCP4ziYv/BNlqiFiImyL2B4lB7Or4k0/Tcn6rBCmBrFbdTPshVEv0c1cIa8Cw7hZ47waybWqsXL5c+wBhEu6chdNL78jYf0YFjuXmGUQJ+lBKYIO717Iob56uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=aMf2m8lyHNElTphYrQmy16CTRAHDCkF8i1RcJ8RrXHY=; b=v06placrWii8bwsW3mQgqtICYSO33wsVa8b9Wg7YiZ4Cbxdmkf29lYnzphcppuHH/L3dJJGi9Hbvnu63nAT+xHSHoJzY1QDgWn6Ux0Ae/ELAk3S7oalfDELBZOLxrt4E45eFNJwjqVBBuuevYcT4y/WqOuxt/hCUxTZopGJ2OGtZqTDyewn1mZAFv3QqpdOcaByHeCTmVmrB/I6z+vrQm6Gi+qtVfiBgKc0ZV/7C+cUwbYq8EBPmL+2+XVh4jxLLpQDNbssn5kQ08eQ0LnCHyX1Nb2wvoNVbODoXtA1J7XhnV77Y3bnF5K4uPKv7OJjqLsslfhZD8TakcMoWElBzeA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aMf2m8lyHNElTphYrQmy16CTRAHDCkF8i1RcJ8RrXHY=; b=kylDgzOuLla3EZbR/U+6r4m/ZqtwRInhffDphO+j5sojOrXcq0EU8zDYBtmYoTjRsr6k6Vwl56vYOKEwBBUsRtPqCoAGFxuHtiA+8MEDkuiq+ETvJQq+YsngQpDYxO8JFg2dmrCmexWVCg/HyoAKbJL2xfJIYswyoXkTEvuV8V4=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1653.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17b::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6792.31; Fri, 22 Sep 2023 22:41:48 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::e24e:62a:9291:83dd]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::e24e:62a:9291:83dd%4]) with mapi id 15.20.6792.026; Fri, 22 Sep 2023 22:41:48 +0000
From: Roman Danyliw <rdd@cert.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] AD Review of draft-ietf-suit-mud-04
Thread-Index: AdnjWXCh1bhNF44LQcy86ydzllpIBwAndKyAAmueRgA=
Date: Fri, 22 Sep 2023 22:41:48 +0000
Message-ID: <BN2P110MB1107B68DE1124C5B571D06CEDCFFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107855C16B88C7F809FAA53DCECA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <316958dd-341c-3b52-af9b-b8a71ab64101@gmx.net>
In-Reply-To: <316958dd-341c-3b52-af9b-b8a71ab64101@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1653:EE_
x-ms-office365-filtering-correlation-id: 7891ace9-5121-4729-b991-08dbbbbd1b1b
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aqDPbcLp1b09TeDFdPwhxPPq3hCcPu6UA+9jdKjaetdaTXlZ8wh5P8vxZ2BRsuZ+KmeSC87j4m9RY2CNBd0inm31ee7ts7G+9SYX2u+ts2EgOcqVKgzq3RWl42vli+MW8P1eaIQn6k4Q3ggnS12G01INIctfHcHnMuUicZTgn7kZOtxAGfdpr09lQmqP9PEX6zz5QpsmkiPswtZ5Aa2CltVjFK8CEyXeRa8tP2DGfwyoIh8CfGTnhojD9WElBxHxGpBfCICOD/BHhFikmeXBChKpk/A5TDYQXChevxkxE5q8eMxUonFfc5msrwsu+kBDbV7d0uy8fj8H1iZMVzdQILPPW9FEcIgFqjHYOpzSpa5yJzLAMyKlcFsQsHK2ezgRtg592QnJ6xf3q624VAe6sdV8Z2s268C0RFJYsWHr3GTXybqPNjsny146Ej+38YOshS14ZQhukG0OqHGpXdUgD/sdTZsrV7u09VtrqdOOd0arhAUhe55Q2IFT/597+bMdfP6RcvGvBz3hZ6dFZpMoBWxWklXh2tHxFWGlj6ExBi7NMRRLTCyrYgRBxL7g8CjrqfS9dENILhDrqVs5XADXtHD2iVoRRZlko4AJ62yJMVs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39830400003)(366004)(136003)(396003)(186009)(1800799009)(451199024)(55016003)(71200400001)(7696005)(6506007)(82960400001)(9686003)(26005)(41300700001)(53546011)(64756008)(76116006)(66946007)(66446008)(110136005)(38070700005)(66556008)(66476007)(38100700002)(966005)(122000001)(508600001)(41320700001)(83380400001)(2906002)(5660300002)(86362001)(8676002)(52536014)(8936002)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: RigntXsaMFmUQ5m4/ipWJ+FpXjksyOwPigIwnkcbE8lFWPKiYs0KOcWuTeppd4XObRJSt2tXK+584OzicvHo+VR1Oh0r7EQ2ewaKCViI8AET24sHgJoUURY6XzJMhNYBMENEU7RjHY9swTChUph1CD/R/1M9O+A5TIAUN8BH/lfcUcIQWBzRjxp6ioFLneZT5nOt/py17xDYCZABJwlXa9lTz9XX6BdyQ/6s6OsOPWVRvu09AV8hX4Vls5zXKRhfTPH2pyfKv9ljd6VP4FgzsoTfsExnjqq4g06+edRcf2ZIhTk6fp3thb61Kc8sdN//6dFYHEQYJYU4oI/37wSbqEkGU9Ni+pgDmuL/4Ph94rU49WCO58QyAAnfYhsYxkXJg7/Bj38cZNlcRAkKaAXlq38LvvBIF+wmFwplxEtuddc=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 7891ace9-5121-4729-b991-08dbbbbd1b1b
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Sep 2023 22:41:48.0663 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1653
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/3tZHf4HWhcMOC_nts28R-WyrxyE>
Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Sep 2023 22:41:55 -0000

Hi Hannes!

Thanks so much for publishing -05.  My remaining line of feedback is around my original questions about Section 3 –- the normative guidance around the workflow.  The new text in Section 3 on the steps in the workflow are much clearer, and I very much appreciated the pro/con write-up of the design in Section 4.  Not many specifications will write-up the cons.

If I read things correctly, the Section 3 workflow is trying to mirror a new MUD conveyance approach like DHCP or LLDP.  What I’m grappling with is how interoperable is this attestation step as currently scoped?  EAT is cited normatively, but there are no other normative details on how this attestation should occur.

Are there any requirements other than an “EAT token with a manifest claim is somehow passed”?

Is there any guidance on conveyance?  For example, EAP is mentioned (as an example).  Is there a pointer on how an EAT can be carried by an EAP method?

Related to what “attestation” means, is the subsequent text in Section 4: “The device does not report the MUD URL, so the device cannot tamper with the MUD URL.”  I took that to mean that there is a distinction being made between TEE and a REE; and the “device” here is the REE. Is that intended interpretation?

If accurate, I recommend explicitly clarifying this.  Section 1.1 of draft-ietf-rats-eat-21 seems to lay out uses of EAT which are not TEE based.  A quick scan of draft-ietf-suit-architecture found definitions for TEE and REE, but (with using a keyword search only) REE is never used after it is defined, and TEE is used once in Section 6 without direct guidance on use.

Thanks,
Roman

> -----Original Message-----
> From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> Sent: Sunday, September 10, 2023 10:59 AM
> To: Roman Danyliw <rdd@cert.org>; suit@ietf.org
> Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
> 
> Hi Roman,
> 
> 
> those are great review comments.
> 
> 
> I have started to address them, see
> https://github.com/bremoran/suit-mud/pull/5
> 
> 
> You have certainly discovered the weakness of this proposal. It relies on a
> number of technologies to be in place before it can actually be deployed. When
> those conditions are met, there are security and operational benefits. I made
> this more clear in the write-up.
> 
> 
> Ciao
> 
> Hannes
> 
> 
> PS: Only the MUD URL is included in the manifest and not the MUD file itself.
> Your reading of the CDDL was correct.
> 
> 
> Am 09.09.2023 um 22:18 schrieb Roman Danyliw:
> > Hi!
> >
> > I performed an AD review of draft-ietf-suit-mud-04.  Thanks for this
> document.  Below is my feedback.
> >
> > ** Section 1 and 6 assert that a MUD file can be included by reference or
> value.  How does one include a MUD file by value?  Excuse my familiarity with
> CDDL but my read of SUIT_MUD_container is that is contains only a URL and
> associate SKI.  All of the other CDDL in Section 5 by my read is about
> integrating the SUIT_MUD_container data structure so it can be as a manifest
> member or be severable.
> >
> > ** Section 3.  I was confused on how to read this section.  I was
> > expecting this document to primarily discuss how to embed MUD
> > information into a SUIT manifest.  However, this section seems to
> > define attestation behavior and functionality on the end-point that is
> > outside the SUIT workflow and more rigorous than required in the core
> > SUIT manifest document.  Is this section normative or just an example?
> > [I-D.ietf-rats-eat] being cited normatively here suggests the section
> > is also normative.  If this is an example, please make that clearer
> > and don’t make EAT a normative reference.  If not, then please be more
> > specification about these attestation mechanisms (more below)
> >
> > ** Section 3.
> >
> >     *  At the time of onboarding, devices report their manifest in use to
> >        the MUD manager via attestation evidence.
> >
> > Can a pointer please be provided on the normative mechanism for sharing
> attestation evidence with the MUD manager?  I ask because RFC8520 doesn’t
> mention attestation as an activity done by the MUD manager.
> >
> >     *  If the SUIT_MUD_container, see Section 5, has been severed, the
> >        MUD manager can use the suit-reference-uri to retrieve the
> >        complete SUIT manifest.
> >
> > What happens if suit-reference-uri is not included?  If my reading of draft-
> ietf-suit-manifest-22 is correct, this field is optional.
> >
> >     *  Each time a device is updated, rebooted, or otherwise
> >        substantially changed, it will execute an attestation.
> >
> > Is this new requirement on any device including this MUD extension?
> >
> >        -  Among other claims in the Entity Attestation Token (EAT)
> >           [I-D.ietf-rats-eat], the device will report its software
> >           digest(s), configuration digest(s), manifest URI, and manifest
> >           digest to the MUD manager.
> >
> > What is the profile of the EAT claims needed?  How is it conveying this EAT
> token?
> >
> >     *  If the MUD manager does not already have a full copy of the
> >        manifest, it can be acquired using the reference URI.
> >
> > When the manifest was retrieved in step #2 is was verified in step #3.  Here,
> there is no explicit language about verification.
> >
> >     *  Once a full copy of the manifest is provided, the MUD manager can
> >        verify the device attestation report
> >
> > Wouldn’t the device have to emit the device attestation report?
> >
> > ** Section 5.  To be clear, suit-mud-ski is the subject key identifier for the key
> used in the MUD signature file described in Section 13.2 of RFC8520?  If so,
> editorial, I would have benefited from an explicit statement to that effect.
> >
> > ** Section 6.  Do any Security Considerations from suit-manifest or MUD
> apply here?
> >
> > ** Reference
> >
> > --  [I-D.isobe-cose-key-thumbprint] is now adopted by the WG and is draft-
> ietf-cose-key-thumbprint.  Please replace it.
> >
> > -- feedback from idnits:
> >    == Unused Reference: 'RFC7093' is defined on line 288, but no explicit
> >       reference was found in the text
> >
> >    ** Downref: Normative reference to an Informational RFC: RFC 7093
> >
> > Please drop it.
> >
> > Regards,
> > Roman
> > _______________________________________________
> > Suit mailing list
> > Suit@ietf.org
> > https://www.ietf.org/mailman/listinfo/suit
> 
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email