Re: [Teep] [Rats] EAT claims needed by TEEP

Dave Thaler <dthaler@microsoft.com> Tue, 09 November 2021 19:25 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>, teep <teep@ietf.org>
Date: Tue, 09 Nov 2021 19:25:00 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/cC9oaSw3EaTvVjM-zjDjtox-Vok>

I agree with Laurence that it is important to keep it generic.  I have no preference as to
whether EAT informatively references TEEP or any other use case as examples (definitely
not by way of limitation).

And yes I believe it is useful (whether for TEEP or non-TEEP cases like Eric's router case)
in evidence, and attestation results, and even endorsements for that matter.
It's true that TEEP use cases would need it in attestation results, but whether the
Verifier gets it from evidence or endorsements or appraisal policy, it needs to get
it from somewhere.

Dave

From: RATS <rats-bounces@ietf.org> On Behalf Of Laurence Lundblade
Sent: Tuesday, November 9, 2021 9:02 AM
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rats@ietf.org; teep <teep@ietf.org>
Subject: Re: [Rats] EAT claims needed by TEEP

Appreciate the comments.  Think it is important to keep this generic since it is going in EAT. TEEP can have specific ways it uses HW class, but don't think we should be referencing TEEP in EAT.

There are also some comments filed as issues in GitHub <https://github.com/ietf-rats-wg/eat/pull/139>.

Seems like it's the concatenation of HW OEM ID, HW Class and HW Version that pinpoints exactly what HW you have. HW Class is kind of like a model number.

LL

On Nov 9, 2021, at 5:39 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

I'm reviewing the pull request at:
  https://github.com/ietf-rats-wg/eat/pull/139/files

About the hardware-class-claim.

 "There is no global scheme or format for this claim."

So I wonder how TEEP's flow will deal with this.
Forgive me if that's buried in TEEP somewhere.
If so, I think that the EAT document should perhaps refer to that informatively.

I can see how the verifier can be okay with lack of scheme: the signing key on the
evidence can index into a database of devices, and then it's a string
comparison to see if the device claimed correctly.

But, equally well, the verifier already knows, via that database, what the
value is.  The only utility I can see is that the RP is going to see this in
the Attestation Results and use it to decide what binary to ask the TAM to
load.

I'm concerned that any hardware vendor can put any value in this.
The Verifier, provided by the hardware OEM, agrees.
The only thing the RP can do is to rely on its contract with the Verifier.
That's actually the thing the RP ever does, I think: so don't mistake me.
What I'm asking is, given that, is this claim even needed as evidence?
Maybe it's only useful as Attestation Results.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
          Sandelman Software Works Inc, Ottawa and Worldwide
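As an added illustration of the appraisal flow Michael describes (this is not code from the thread or from the EAT draft): the Verifier uses the key ID on the evidence to look up the device in an endorsement database, checks the signature, compares any claimed HW OEM ID / HW Class / HW Version against the endorsed values, and, as Dave notes, still fills the hardware identity into the Attestation Result from endorsements when the evidence omits it. HMAC stands in for the COSE signature, the device database is constructed, and the claim names are placeholders rather than EAT's registered claim keys.

```python
import hmac
import hashlib
import json

# Constructed endorsement database keyed by the key ID carried in the evidence.
# Each record holds the device's MAC key (stand-in for its public signing key)
# and the hardware identity the OEM endorses for that device.
DEVICE_DB = {
    "kid-0001": {
        "key": b"constructed-device-key-0001",
        "endorsed": {"hw-oem-id": "ACME", "hw-class": "ModelX", "hw-version": "2.1"},
    },
}

# Placeholder claim names; the concatenation of the three pins down the hardware.
HW_CLAIMS = ("hw-oem-id", "hw-class", "hw-version")


def mac_evidence(key, claims):
    """HMAC over the canonical claims encoding (stand-in for a COSE signature)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_evidence(kid, key, claims):
    """Build an evidence message as an Attester would: key ID, claims, signature."""
    return {"kid": kid, "claims": claims, "mac": mac_evidence(key, claims)}


def appraise(evidence, db=DEVICE_DB):
    """Verifier: return an Attestation Result; 'status' is 'ok' or a failure reason."""
    rec = db.get(evidence["kid"])
    if rec is None:
        return {"status": "unknown-key"}
    expected = mac_evidence(rec["key"], evidence["claims"])
    if not hmac.compare_digest(evidence["mac"], expected):
        return {"status": "bad-signature"}
    hardware = {}
    for name in HW_CLAIMS:
        endorsed = rec["endorsed"][name]
        claimed = evidence["claims"].get(name)
        # A claimed value must match the endorsement (string comparison).
        if claimed is not None and claimed != endorsed:
            return {"status": "hw-claim-mismatch", "claim": name}
        # Whether it came from evidence or not, the RP gets it in the result.
        hardware[name] = endorsed
    return {"status": "ok", "hardware": hardware}
```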