[Teep] EAT claims needed by TEEP

Dave Thaler <dthaler@microsoft.com> Mon, 26 October 2020 22:15 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: "rats@ietf.org" <rats@ietf.org>
CC: teep <teep@ietf.org>
Date: Mon, 26 Oct 2020 22:15:34 +0000
Message-ID: <BL0PR2101MB102770B8E03B95A44497004CA3190@BL0PR2101MB1027.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/2zCW2o-DQupW07a9JD_EtIF_nkg>
Subject: [Teep] EAT claims needed by TEEP

As discussed in previous IETF meetings, if there are claims beyond the base set that
other WGs need, they can be specified by the other WGs with review by RATS.

The TEEP WG needs the following in EATs and I am not sure whether they can be
covered by existing claims or whether TEEP-specific claims are needed.  From
section 7.1 of draft-ietf-teep-architecture:


>     -  Device Identifying Information: TEEP attestations may need to
>        uniquely identify a device to the TAM.  Unique device
>        identification allows the TAM to provide services to the device,
>        such as managing installed TAs, and providing subscriptions to
>        services, and locating device-specific keying material to
>        communicate with or authenticate the device.

I believe the Universal Entity ID Claim (ueid) is a claim that meets the above requirement.
But the TEEP arch then goes on to say:


>        In some use cases it
>        may be sufficient to identify only the class of the device.  The
>        security and privacy requirements regarding device identification
>        will vary with the type of TA provisioned to the TEE.

Which EAT claim contains the device class? The closest thing I see is OEM Identification by IEEE (oemid),
but I am not sure that is sufficient since it's only the OEM, not the device class from that OEM.
This doesn't seem like something that should be TEEP specific though, so can someone tell me how to
represent device class using the claims in the EAT spec?

>     -  TEE Identifying Information: The type of TEE that generated this
>        attestation must be identified, including version identification
>        information such as the hardware, firmware, and software version
>        of the TEE, as applicable by the TEE type.  TEE manufacturer
>        information for the TEE is required in order to disambiguate the
>        same TEE type created by different manufacturers and address
>        considerations around manufacturer provisioning, keying and
>        support for the TEE.


Similarly for this requirement, the closest thing I see is Origination Claim (origination), but I am not sure
that is sufficient since it's just the manufacturer, not the "version identification information such as the
hardware, firmware, and software version of the TEE".
Should the TEEP WG define TEEP-specific claims for such information?

Dave
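An added example, not part of this message or of any RATS/TEEP document: a verifier-side check that maps a decoded EAT claims set onto the three TEEP section 7.1 needs as the message assesses them (ueid covers device identity; oemid and origination only partly cover device class and TEE identity). The claims set is assumed to be a dict keyed by claim name rather than by CBOR label, and the UEID type bytes (0x01 RAND, 0x02 EUI, 0x03 IMEI) and 7 to 33 byte length are taken from the EAT draft.

```python
# Example verifier-side coverage check (added here; not code from the e-mail,
# the TEEP architecture draft or the EAT draft). Assumption: claims arrive as a
# dict keyed by claim name; a real EAT carries CBOR integer labels instead.
from typing import Any, Dict

# UEID type bytes as defined in the EAT draft.
UEID_TYPES = {0x01: "RAND", 0x02: "EUI", 0x03: "IMEI"}


def ueid_is_well_formed(ueid: bytes) -> bool:
    """EAT draft: a UEID is 7 to 33 bytes and starts with a known type byte."""
    return 7 <= len(ueid) <= 33 and ueid[0] in UEID_TYPES


def ueid_type(ueid: bytes) -> str:
    """Name of the UEID type encoded in the first byte ('unknown' if unlisted)."""
    return UEID_TYPES.get(ueid[0], "unknown") if ueid else "unknown"


def teep_coverage(claims: Dict[str, Any]) -> Dict[str, str]:
    """Rate each TEEP 7.1 need as satisfied / partial / malformed / missing."""
    report: Dict[str, str] = {}
    # 1. Device identifying information: ueid uniquely identifies the device.
    ueid = claims.get("ueid")
    if not isinstance(ueid, bytes):
        report["device-identity"] = "missing"
    elif ueid_is_well_formed(ueid):
        report["device-identity"] = "satisfied"
    else:
        report["device-identity"] = "malformed"
    # 2. Device class: oemid names only the OEM, not the class of device
    #    from that OEM, so by itself it is only a partial answer.
    report["device-class"] = "partial" if "oemid" in claims else "missing"
    # 3. TEE identifying information: origination gives the manufacturer but
    #    not the hardware/firmware/software versions of the TEE.
    report["tee-identity"] = "partial" if "origination" in claims else "missing"
    return report


# Constructed sample claims set (not from a real device): ueid is type EUI
# (0x02) followed by a made-up 8-byte EUI-64; the other values are placeholders.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "ueid": b"\x02" + bytes.fromhex("0011223344556677"),
    "oemid": 12345,                       # placeholder OEM number
    "origination": "example-tee-vendor",  # placeholder manufacturer string
}

if __name__ == "__main__":
    print("ueid type:", ueid_type(SAMPLE_CLAIMS["ueid"]))
    for need, status in teep_coverage(SAMPLE_CLAIMS).items():
        print(f"{need}: {status}")
```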