Re: [Suit] AD Review of draft-ietf-suit-mud-04
Roman Danyliw <rdd@cert.org> Tue, 10 October 2023 21:45 UTC
Return-Path: <rdd@cert.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9DEC151076 for <suit@ietfa.amsl.com>; Tue, 10 Oct 2023 14:45:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIQu9izUtwun for <suit@ietfa.amsl.com>; Tue, 10 Oct 2023 14:44:59 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0133.outbound.protection.office365.us [23.103.208.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B57BEC14CE40 for <suit@ietf.org>; Tue, 10 Oct 2023 14:44:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=eKC7tTniQNiunPTLSoK4EGBN5+M92hRo5s0qGaxR+a91dpHp3KUM1+71iq6kWIAGmaJCCuknzR5rU8oeUN80jKMXEdXB1fzEE4D+MC2RMvQqh6s8Y/LRss2wrGHURxIH16tmO6rd0NHqtROW5xOnhE1YYy5PooY4rS8n9YUtJC+RENPbxr0RfzCH69H+B5oHpoXD7bOkGarY69ul+0UXEN/6kTFTCjXJiRFExs+p5JGYwDmU1bG/1ZZiXx8C6kJcww1olYoSBXqzPtr15OGmSHXqUkSw/KV+on6WrQjDfFwaRr9WdyHfNJCsm0FDUCg0POxXEDsXbjzV+3GOyYeGtw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KlYN7HHDqR9ApITMjbZ+Ks0eQTMNebwb1dP/SZK4V74=; b=QMl0GRXSi3jZeSPvbTApGU6/Awt7PLrdjL4mwIxQHGdImEB3P143JZqCPLbemR6r0Qdb/OQPGc9RHS+E5Ed4uYymeE+HZvGZEKuV7slG3CUXamXRltegeRBJyQwUeukFTdTxVGNNDbhzIF0ilL8KuNOA4tSTuhN9v6HQGiZo/lLXWBpWPYc6O+DNqX3YNtBj3GQwZjDgZAPTTJ0hgOo8XXCmgXX9gi387J5urZLhZGUfVxz5o+YISBX5orYfQPxHz6N8/1sBInEe/Hruj4c1FWY9ekCOGr0vztv2WNESPAaQkFuLnHjDZhGP+sWsVfhCo9F3Uv/j14KVYLCwiZKvmw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KlYN7HHDqR9ApITMjbZ+Ks0eQTMNebwb1dP/SZK4V74=; b=G2nSEbtsRxYRZ2AtXUymdoD1L+Hc7J6Knw7nw4itVVmhABLX4SYboRogrubi5bfIRMS3z6c7fVkbZGAV9MwbGyg6fM+SK54AeAK5AuCD0WIFgcvagGjsqOcRZsyQGFpWi9sLBfbGqlV/0pm8MP3x8RyA6Atw2fxMR6csi4g0mKo=
Received: from PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:174::12) by PH1P110MB1345.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:18c::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.35; Tue, 10 Oct 2023 21:44:57 +0000
Received: from PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM ([fe80::7984:e577:9961:dfb0]) by PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM ([fe80::7984:e577:9961:dfb0%5]) with mapi id 15.20.6813.035; Tue, 10 Oct 2023 21:44:56 +0000
From: Roman Danyliw <rdd@cert.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] AD Review of draft-ietf-suit-mud-04
Thread-Index: AdnjWXCh1bhNF44LQcy86ydzllpIBwAndKyAAmueRgAAK27wgANbPM5Q
Date: Tue, 10 Oct 2023 21:44:56 +0000
Message-ID: <PH1P110MB11169EC0F949A37A877633C5DCCDA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107855C16B88C7F809FAA53DCECA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <316958dd-341c-3b52-af9b-b8a71ab64101@gmx.net> <BN2P110MB1107B68DE1124C5B571D06CEDCFFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <00be016c-4af2-4412-b589-00901767406f@gmx.net>
In-Reply-To: <00be016c-4af2-4412-b589-00901767406f@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH1P110MB1116:EE_|PH1P110MB1345:EE_
x-ms-office365-filtering-correlation-id: 82cf729a-f634-494f-3eec-08dbc9da254e
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xmIpetHUMpd26t4dr1UZ1bdFyU77YNigElfJa1Q8Ueuxx9e9s/dsr+jZIGfWHBVoP1CVqvvvoMFk0TEjNpYfBF4l+zqq8pk7ml/4idfi7HcuTsftB/9l6X6WE8WbhZV/+ZkkxFUc8waZolgOQ7SFmUK01dxq9jgWYhHTd6cHxRjakjQaP5oY2tfZcM0A2ttxWdcF+wG2hve1nnKOr+2Lc/Bmx+C495zNetsloz23X59w6nHF0FWADzUK9JSwRaX4agUwDqqWBTVuEhaM3OQqsV/MHy7HKUY4tTqvBvLx81R6Ta0bFaR4xK/oozPXavmKEVG8wU8lyJMk0GB8pmOM4J9AyItIdESNDvjG5XfitCKp4nsE39rR53HMak7hdlDmns7Ey3us4f/vOYd+srN97Qxsk0UtUYHq7EG2GI+WOwmbygtKbqk27HXrmYRxeBCRgRSz0gU1phaB3RouCPsxRreTu9iX1hmvdHhEtqeA0qLU/Zj5HaR5zomUegi7aaO4GGgggzFYvtIRVNQ7w7eG645yUUWOc63VrYGqVO74ovbHFGjCcxT7XqGqfOI06tf6+6ONnUT7oP/vZIYFDoAlYNVyN6ZA1gbuxxwFQzxgAm4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(136003)(396003)(39830400003)(366004)(230922051799003)(186009)(451199024)(64100799003)(1800799009)(41320700001)(71200400001)(508600001)(83380400001)(122000001)(26005)(7696005)(9686003)(55016003)(966005)(6506007)(86362001)(38070700005)(53546011)(2906002)(66446008)(66556008)(82960400001)(38100700002)(66946007)(52536014)(66476007)(76116006)(110136005)(33656002)(8936002)(41300700001)(8676002)(64756008)(30864003)(5660300002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: A5/zLHZgg9X90o6Ix1mlFpEJbCHRLSLIRDce/92uID+/7wIyxmekg0ZB8aqczqRjytCtLixuwOVkT/sZq0eFX0pe7dwIlR+uzJOZOiZgt6w61YAg81vmBdtEQPWueNA5G4vxZi/cuUNT9YZi++UNlJN/827Onwds8np8REupPldheDXO78kiWO0zKCrO6LRm12QAbYJxrQBRuiB7iuJxq4NcWQe/mDKfGlv2B7tMYZX0MCM+P73KS+PpyrPKl45Osk68IIhV9AMMHCx7nZjPqjkF4nakzkLhnePbV7FISx9iFY59In0qOgGBDxzXAywEMNzFxnK0uwM0VmFhGOtwmsrocALV03srhOLkimtdyTDWbabKrh3pvs4DZWrKLjNLQRI2k/POof5akFEqrQC/N+d3fbASu9yoLbexNPrpFoM=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 82cf729a-f634-494f-3eec-08dbc9da254e
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2023 21:44:56.8565 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH1P110MB1345
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/5gH26neCFdSMFvbK-9hIVVn0j80>
Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Oct 2023 21:45:04 -0000
Hi Hannes! > -----Original Message----- > From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig > Sent: Saturday, September 23, 2023 3:24 PM > To: Roman Danyliw <rdd@cert.org>; suit@ietf.org > Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04 > > Hi Roman, > > > thanks for the extra feedback. Responses inline: > > > Am 23.09.2023 um 00:41 schrieb Roman Danyliw: > > Hi Hannes! > > > > Thanks so much for publishing -05. My remaining line of feedback is around > my original questions about Section 3 –- the normative guidance around the > workflow. The new text in Section 3 on the steps in the workflow are much > clearer, and I very much appreciated the pro/con write-up of the design in > Section 4. Not many specifications will write-up the cons. > > > > If I read things correctly, the Section 3 workflow is trying to mirror a new > MUD conveyance approach like DHCP or LLDP. What I’m grappling with is how > interoperable is this attestation step as currently scoped? EAT is cited > normatively, but there are no other normative details on how this attestation > should occur. > > > > Are there any requirements other than an “EAT token with a manifest claim is > somehow passed”? > > > > Is there any guidance on conveyance? For example, EAP is mentioned (as an > example). Is there a pointer on how an EAT can be carried by an EAP method? > > Currently, this attestation step is not interoperable. While there is the need to > convey an EAT token in an EAP method exchange, I haven't seen such an EAP > method yet. > > Theoretically, one could argue that the work in <draft-fossati-tls-attestation> > could be applied to an EAP-TLS-based method but nobody has done this work > yet. If we both agree that the current guidance is not interoperable, then it isn't clear how it can be normatively required. As written, it seems underspecified. I'm assert that it is "normatively required" because [I-D.ietf-rats-eat] is cited normatively. Would it be acceptable to the WG to suggest a workflow using attestation but not normatively describe? For example: OLD The intended workflow is as follows: * At the time of onboarding, devices report their manifest in use to the MUD Manager via attestation evidence in the Entity Attestation Token (EAT) [I-D.ietf-rats-eat]. - Among other claims, the device will report its software digest(s), and the manifest URI in the EAT "manifests" claim to the MUD Manager. This approach assumes that attestation evidence includes a link to the SUIT manifest via the "manifests" claim (see Section 4.2.15 of [I-D.ietf-rats-eat]) and that this evidence can be carried in either a network access authentication protocol (for eample an EAP method) or some onboarding protocol like FIDO Device Onboard (FDO). NEW (rough text) The intended workflow is as follows, and assumes an attestation mechanism between the device and the MUD Manager: * At the time of onboarding, devices report their manifest in use to the MUD Manager via some form of attestation evidence and a conveyance protocol. The normative specification of these mechanisms is out of scope for this document. . - An example of an attestation evidence format is the Entity Attestation Token (EAT) [I-D.ietf-rats-eat]. Among other claims, the device could report its software digest(s), and the manifest URI in the EAT "manifests" claim to the MUD Manager. This approach assumes that attestation evidence includes a link to the SUIT manifest via the "manifests" claim (see Section 4.2.15 of [I-D.ietf-rats-eat]) and that this evidence can be carried in either a network access authentication protocol (for eample an EAP method) or some onboarding protocol like FIDO Device Onboard (FDO). Regards, Roman > > > > Related to what “attestation” means, is the subsequent text in Section 4: > “The device does not report the MUD URL, so the device cannot tamper with > the MUD URL.” I took that to mean that there is a distinction being made > between TEE and a REE; and the “device” here is the REE. Is that intended > interpretation? > > I think the text needs a picture. There is the underlying assumption with the > use of attestation technology that some low-level software/hardware is able to > collect measurements from about its environment. When that software > generates the attestation evidence for use with remote attestation then it > includes information about the manifest. When using the SUIT manifest, the > attester will hopefully verify also the firmware the SUIT manifest describes. > > > > > > If accurate, I recommend explicitly clarifying this. Section 1.1 of draft-ietf- > rats-eat-21 seems to lay out uses of EAT which are not TEE based. A quick scan > of draft-ietf-suit-architecture found definitions for TEE and REE, but (with using > a keyword search only) REE is never used after it is defined, and TEE is used > once in Section 6 without direct guidance on use. > > > The RATS architecture does not say where some of the functionality is > implemented. The attester-functionality needs to be provided by some low- > level software, which would be close to a TEE in the TEEP terminology. > > > To summarize, this document is something you could describe as more forward > looking than the other SUIT items. > > > Ciao > Hannes > > > > > > Thanks, > > Roman > > > >> -----Original Message----- > >> From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig > >> Sent: Sunday, September 10, 2023 10:59 AM > >> To: Roman Danyliw <rdd@cert.org>; suit@ietf.org > >> Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04 > >> > >> Hi Roman, > >> > >> > >> those are great review comments. > >> > >> > >> I have started to address them, see > >> https://github.com/bremoran/suit-mud/pull/5 > >> > >> > >> You have certainly discovered the weakness of this proposal. It > >> relies on a number of technologies to be in place before it can > >> actually be deployed. When those conditions are met, there are > >> security and operational benefits. I made this more clear in the write-up. > >> > >> > >> Ciao > >> > >> Hannes > >> > >> > >> PS: Only the MUD URL is included in the manifest and not the MUD file > itself. > >> Your reading of the CDDL was correct. > >> > >> > >> Am 09.09.2023 um 22:18 schrieb Roman Danyliw: > >>> Hi! > >>> > >>> I performed an AD review of draft-ietf-suit-mud-04. Thanks for this > >> document. Below is my feedback. > >>> ** Section 1 and 6 assert that a MUD file can be included by > >>> reference or > >> value. How does one include a MUD file by value? Excuse my > >> familiarity with CDDL but my read of SUIT_MUD_container is that is > >> contains only a URL and associate SKI. All of the other CDDL in > >> Section 5 by my read is about integrating the SUIT_MUD_container data > >> structure so it can be as a manifest member or be severable. > >>> ** Section 3. I was confused on how to read this section. I was > >>> expecting this document to primarily discuss how to embed MUD > >>> information into a SUIT manifest. However, this section seems to > >>> define attestation behavior and functionality on the end-point that > >>> is outside the SUIT workflow and more rigorous than required in the > >>> core SUIT manifest document. Is this section normative or just an > example? > >>> [I-D.ietf-rats-eat] being cited normatively here suggests the > >>> section is also normative. If this is an example, please make that > >>> clearer and don’t make EAT a normative reference. If not, then > >>> please be more specification about these attestation mechanisms > >>> (more below) > >>> > >>> ** Section 3. > >>> > >>> * At the time of onboarding, devices report their manifest in use to > >>> the MUD manager via attestation evidence. > >>> > >>> Can a pointer please be provided on the normative mechanism for > >>> sharing > >> attestation evidence with the MUD manager? I ask because RFC8520 > >> doesn’t mention attestation as an activity done by the MUD manager. > >>> * If the SUIT_MUD_container, see Section 5, has been severed, the > >>> MUD manager can use the suit-reference-uri to retrieve the > >>> complete SUIT manifest. > >>> > >>> What happens if suit-reference-uri is not included? If my reading > >>> of draft- > >> ietf-suit-manifest-22 is correct, this field is optional. > >>> * Each time a device is updated, rebooted, or otherwise > >>> substantially changed, it will execute an attestation. > >>> > >>> Is this new requirement on any device including this MUD extension? > >>> > >>> - Among other claims in the Entity Attestation Token (EAT) > >>> [I-D.ietf-rats-eat], the device will report its software > >>> digest(s), configuration digest(s), manifest URI, and manifest > >>> digest to the MUD manager. > >>> > >>> What is the profile of the EAT claims needed? How is it conveying > >>> this EAT > >> token? > >>> * If the MUD manager does not already have a full copy of the > >>> manifest, it can be acquired using the reference URI. > >>> > >>> When the manifest was retrieved in step #2 is was verified in step > >>> #3. Here, > >> there is no explicit language about verification. > >>> * Once a full copy of the manifest is provided, the MUD manager can > >>> verify the device attestation report > >>> > >>> Wouldn’t the device have to emit the device attestation report? > >>> > >>> ** Section 5. To be clear, suit-mud-ski is the subject key > >>> identifier for the key > >> used in the MUD signature file described in Section 13.2 of RFC8520? > >> If so, editorial, I would have benefited from an explicit statement to that > effect. > >>> ** Section 6. Do any Security Considerations from suit-manifest or > >>> MUD > >> apply here? > >>> ** Reference > >>> > >>> -- [I-D.isobe-cose-key-thumbprint] is now adopted by the WG and is > >>> draft- > >> ietf-cose-key-thumbprint. Please replace it. > >>> -- feedback from idnits: > >>> == Unused Reference: 'RFC7093' is defined on line 288, but no explicit > >>> reference was found in the text > >>> > >>> ** Downref: Normative reference to an Informational RFC: RFC > >>> 7093 > >>> > >>> Please drop it. > >>> > >>> Regards, > >>> Roman > >>> _______________________________________________ > >>> Suit mailing list > >>> Suit@ietf.org > >>> https://www.ietf.org/mailman/listinfo/suit > >> _______________________________________________ > >> Suit mailing list > >> Suit@ietf.org > >> https://www.ietf.org/mailman/listinfo/suit > > _______________________________________________ > > Suit mailing list > > Suit@ietf.org > > https://www.ietf.org/mailman/listinfo/suit > > _______________________________________________ > Suit mailing list > Suit@ietf.org > https://www.ietf.org/mailman/listinfo/suit
- [Suit] AD Review of draft-ietf-suit-mud-04 Roman Danyliw
- Re: [Suit] AD Review of draft-ietf-suit-mud-04 Hannes Tschofenig
- Re: [Suit] AD Review of draft-ietf-suit-mud-04 Roman Danyliw
- Re: [Suit] AD Review of draft-ietf-suit-mud-04 Hannes Tschofenig
- Re: [Suit] AD Review of draft-ietf-suit-mud-04 Roman Danyliw
- Re: [Suit] AD Review of draft-ietf-suit-mud-04 hannes.tschofenig