-
Notifications
You must be signed in to change notification settings - Fork 10
Update Trust Model with Implicit Trust Example #60
Conversation
draft-ietf-rats-architecture.md
Outdated
@@ -610,6 +610,14 @@ for by hardware or by ROM code, especially if such hardware is | |||
physically resistant to hardware tampering. The component that is | |||
implicitly trusted is often referred to as a Root of Trust. | |||
|
|||
Implicit trust can also be tied to the communications link over which | |||
the attestation evidence is conveyed. As an example, if the device and Verifier |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
evidence -> Evidence
the device -> Attester
draft-ietf-rats-architecture.md
Outdated
Implicit trust can also be tied to the communications link over which | ||
the attestation evidence is conveyed. As an example, if the device and Verifier | ||
communicate over a link that is established using a Root of Trust (e.g. cellular | ||
communications link where authentication is tied to the presence of a secure element), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the Attester and Verifier different entities? If they are different, how can the Verifier know the Attester has a secure element?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dave Thaler asks for rewording to make the Implicit Trust more clear, the secure session is necessary, but not sufficient for this. MCR asks for the example to not be parenthetical.
draft-ietf-rats-architecture.md
Outdated
then the Verifier may be able to trust the attestation evidence from the device without | ||
an additional endorsement or even a cryptographically-verifiable signature of the | ||
evidence. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So you mean the Evidence isn't signed or encrypted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Endorsements are signed (integrity protected and authenticated) by supply chain entity such as a vendor or manufacturer. Evidence is signed by an attestation key that is on the attesting device. The roles architecture distinguishes between Endorsers and Attesters for good reasons even though there can be cases where it isn't that clear that they are different. I don't think this section is trying to draw attention to one of those corner cases. Therefore, it appears the term Endorsement was used by mistake when Evidence was intended.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That wasn't really the intention behind the cited text. If the communications link is already trusted, then an endorsement may have been used in establishing the communications link. In that case, an additional endorsement for attestation evidence is not required.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with the three sentences above.
I think the text at line 616 may be what is the problem because it presumes knowledge of the secure element context is existential. The Verifier needs to be told that the root-of-trust / secure element environment exists. It can happen manually, such as an IT department physically issuing a smart card or smart device with a SE to a user, generating the key pair, update the Verifier to trust the public that was generated. Manual approaches work in IT environments where employees are subject to IT procedures. Manual processes may not scale to Internet ecosystems. Remote attestation is trying to go beyond manual processes by generating keys in devices by manufacturers and issuing machine certs that establish that a key is protected by a secure element. This seems like a basic idea that if it isn't clear might belong in the introduction?
draft-ietf-rats-architecture.md
Outdated
Implicit trust can also be tied to the communications link over which | ||
the attestation evidence is conveyed. As an example, if the device and Verifier | ||
communicate over a link that is established using a Root of Trust (e.g. cellular | ||
communications link where authentication is tied to the presence of a secure element), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should use the term "secure element" in lower case, as it's ambiguous whether we mean Secure Element (per GP) or something more generic
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes to "enclave" as per RFC 4949
communicate over a link that is established using a Root of Trust (e.g. cellular | ||
communications link where authentication is tied to the presence of a secure element), | ||
then the Verifier may be able to trust the attestation evidence from the device without | ||
an additional endorsement or even a cryptographically-verifiable signature of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the word endorsement is accurate here. Perhaps you mean signature? (Which is already after the "or") so recommend deleting the endorsement phrase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The use of 'endorsement' is deliberate. Any endorsement would be applied to assertions associated with the communications link, not the attestation evidence.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That wasn't obvious from "additional". Need to reword.
There's another bit that probably deserves a small paragraph here, related to the implication of session security being "ephemeral", i.e., what happens to the evidence once the secure session goes away? |
Tried to address the comments in PR mod's: a) @dthaler - separated out example and tried to make it better-defined |
is over a cellular link, where the link is established by the Attester leveraging a secure | ||
element (e.g. SIM card). The Verifier may have esablished the communications link and verified | ||
the preence of the Root-of-Trust in doing so, or may have received evidence that the communications | ||
link is anchored to a Root of Trust from an entity that established the communications link. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need more explanation about what "anchored to a Root of Trust" means. To trust the evidence, you have to have some assurance that the evidence is correct, and wasn't just fed to the communication link endpoint by some untrusted party.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about the following:
"... or may have received evidence that the communications link is anchored to a Root of Trust from an entity that established the communications link. In the latter case, anchoring the communications link to a Root of Trust would mean that this entity only established a communications link with the attesting device after verifying that the device had a Root of Trust."
Co-Authored-By: Dave Thaler <dthaler@microsoft.com>
Co-Authored-By: Dave Thaler <dthaler@microsoft.com>
Co-Authored-By: Dave Thaler <dthaler@microsoft.com>
Co-Authored-By: Dave Thaler <dthaler@microsoft.com>
Co-Authored-By: Dave Thaler <dthaler@microsoft.com>
Co-Authored-By: Dave Thaler <dthaler@microsoft.com>
Closed in favour of PR #82. |
Starting point for #59