This repository has been archived by the owner on Sep 19, 2024. It is now read-only.
Implicit trust #82
Merged
Implicit trust #82
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update draft-ietf-rats-architecture.md Update draft-ietf-rats-architecture.md Update draft-ietf-rats-architecture.md Co-Authored-By: Dave Thaler <dthaler@microsoft.com> Update draft-ietf-rats-architecture.md Co-Authored-By: Dave Thaler <dthaler@microsoft.com> Update draft-ietf-rats-architecture.md Co-Authored-By: Dave Thaler <dthaler@microsoft.com> Update draft-ietf-rats-architecture.md Co-Authored-By: Dave Thaler <dthaler@microsoft.com> Update draft-ietf-rats-architecture.md Co-Authored-By: Dave Thaler <dthaler@microsoft.com> Update draft-ietf-rats-architecture.md Co-Authored-By: Dave Thaler <dthaler@microsoft.com> Update draft-ietf-rats-architecture.md
mcr
commented
Apr 28, 2020
draft-ietf-rats-architecture.md
Outdated
Comment on lines
713
to
714
| As a result, the Verifier may be able to trust the attestation evidence from the device without | ||
| an additional endorsement or even a cryptographically-verifiable signature of the |
There was a problem hiding this comment.
Suggested change
| As a result, the Verifier may be able to trust the attestation evidence from the device without | |
| an additional endorsement or even a cryptographically-verifiable signature of the | |
| As a result, an Appraisal Policy for the Verifier may be possible that trusts the attestation evidence from the device without | |
| endorsement or cryptographically-verifiable signature of the |
There was a problem hiding this comment.
Maybe noun/verb mismatch? I don't think a policy trusts something, I think the Verifier trusts something based on policy.
dthaler
reviewed
May 4, 2020
draft-ietf-rats-architecture.md
Outdated
Comment on lines
702
to
703
| communicate over a link that is established using a Root of Trust. An example of such communications | ||
| is over a cellular link, where the link is established by the Attester leveraging an enclave (e.g., SIM card). The Verifier may have established the communications link and verified |
There was a problem hiding this comment.
Two sentences starting "As an example, ... An example of such ..." reads poorly.
Suggested change
| communicate over a link that is established using a Root of Trust. An example of such communications | |
| is over a cellular link, where the link is established by the Attester leveraging an enclave (e.g., SIM card). The Verifier may have established the communications link and verified | |
| communicate over a link that is established using a Root of Trust, such as a cellular link established by the Attester leveraging an enclave (e.g., SIM card). The Verifier may have established the communications link and verified |
There was a problem hiding this comment.
I can't tell if this paragraph is intended to add intuition to "Root of Trust" or to describe the duties of a Verifier that leverages a pre-existing comms session to protect the integrity of Evidence (and to ascribe the semantics of the key that the Attester 'claims' the assertions in the Evidence are accurate representation of current state of the Target environment).
dthaler
reviewed
May 4, 2020
draft-ietf-rats-architecture.md
Outdated
Comment on lines
707
to
708
| or may have received evidence that the communications link is anchored to a | ||
| Root of Trust from an entity that established the communications link. |
There was a problem hiding this comment.
Redundant with lines 704-706
draft-ietf-rats-architecture.md
Outdated
| Root of Trust from an entity that established the communications link. | ||
| In the latter case, anchoring the communications link to a Root of Trust would mean | ||
| that this entity only established a communications link with the attesting | ||
| device after verifying that the device had a Root of Trust. |
There was a problem hiding this comment.
I don't think this wording is correct. Maybe "a Root of Trust that this entity trusts"?
draft-ietf-rats-architecture.md
Outdated
| that this entity only established a communications link with the attesting | ||
| device after verifying that the device had a Root of Trust. | ||
|
|
||
| As a result, the Verifier may be able to trust the attestation evidence from the device without |
There was a problem hiding this comment.
Suggested change
| As a result, the Verifier may be able to trust the attestation evidence from the device without | |
| As a result, the Verifier may be able to trust the attestation Evidence from the Attester without |
draft-ietf-rats-architecture.md
Outdated
Comment on lines
713
to
714
| As a result, the Verifier may be able to trust the attestation evidence from the device without | ||
| an additional endorsement or even a cryptographically-verifiable signature of the |
There was a problem hiding this comment.
Maybe noun/verb mismatch? I don't think a policy trusts something, I think the Verifier trusts something based on policy.
draft-ietf-rats-architecture.md
Outdated
|
|
||
| As a result, the Verifier may be able to trust the attestation evidence from the device without | ||
| an additional endorsement or even a cryptographically-verifiable signature of the | ||
| evidence. Note that the appraisal policy employed by the Verifier may take into account the |
There was a problem hiding this comment.
Suggested change
| evidence. Note that the appraisal policy employed by the Verifier may take into account the | |
| Evidence. Note that the Appraisal Policy employed by the Verifier may take into account the |
draft-ietf-rats-architecture.md
Outdated
| an additional endorsement or even a cryptographically-verifiable signature of the | ||
| evidence. Note that the appraisal policy employed by the Verifier may take into account the | ||
| transient nature of the communications link security. For instance, once the link is torn down | ||
| then the Evidence may not be trusted until it is conveyed again over a re-established link. |
There was a problem hiding this comment.
Suggested change
| then the Evidence may not be trusted until it is conveyed again over a re-established link. | |
| then the Evidence might not be trusted until it is conveyed again over a re-established link. |
There was a problem hiding this comment.
This whole section seems to be more that of a use case that describes an architectural principle or concept than directly stating the principle or concept.
I think the principle is:
- A conveyance protocol that is authenticated and integrity protected can be used to convey unprotected Evidence IF the following properties hold:
a) The key used to authenticate and integrity protect the conveyance channel is trusted by the Verifier to speak for the Attesting Environment that collected claims about the Target Environment.
b) The Evidence in the conveyance channel is supplied by the Attesting Environment.
c) The Root of Trust protects the key and the Attesting Environment with equivalent strength.
There was a problem hiding this comment.
Agree and I like Ned's articulation above. Maybe the PR should just say what's in Ned's principle?
There was a problem hiding this comment.
I have no objection. It is concise and captures my original inten. @nedmsmith - will you be taking the lead on the PR revision.
draft-ietf-rats-architecture.md
Outdated
| @@ -697,6 +697,13 @@ for by hardware or by ROM code, especially if such hardware is | |||
| physically resistant to hardware tampering. The component that is | |||
| implicitly trusted is often referred to as a Root of Trust. | |||
|
|
|||
| A conveyance protocol that is authenticated and integrity protected can be used | |||
There was a problem hiding this comment.
I assume what is meant here is:
- evidence is protected
- remote peers are (mutually) authenticated
draft-ietf-rats-architecture.md
Outdated
| A conveyance protocol that is authenticated and integrity protected can be used | ||
| to convey unprotected Evidence, assuming the following properties exists: | ||
|
|
||
| 1. The key used to authenticate and integrity protect the conveyance channel is trusted by the Verifier to speak for the Attesting Environment that collected claims about the Target Environment. |
There was a problem hiding this comment.
keys? of at least two remote peers? We are talking about a "Secure Channel" to convey unprotected Evidence right?
Also? In theory, unprotected Evidence are just Claims?
I am not sure if we should water down evidence, in general. Evidence should be tamper-evident. In consequent, messing with evidence conveyed via "secure channel" must be evident with a similar level of assurance.
dthaler
reviewed
May 19, 2020
draft-ietf-rats-architecture.md
Outdated
| A conveyance protocol that is authenticated and integrity protected can be used | ||
| to convey unprotected Evidence, assuming the following properties exists: | ||
|
|
||
| 1. The key used to authenticate and integrity protect the conveyance channel is trusted by the Verifier to speak for the Attesting Environment that collected claims about the Target Environment. |
There was a problem hiding this comment.
"the" attesting environment and "the" target environment imply this does not apply to layered evidence or composite devices, is that intentional?
dthaler
reviewed
May 19, 2020
metadata.min.js
Outdated
| @@ -0,0 +1 @@ | |||
| async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata); | |||
mcr
commented
May 19, 2020
dthaler
reviewed
May 19, 2020
draft-ietf-rats-architecture.md
Outdated
| to convey unprotected Evidence, assuming the following properties exists: | ||
|
|
||
| 1. The key used to authenticate and integrity protect the conveyance channel is trusted by the Verifier to speak for the Attesting Environment that collected claims about the Target Environment. | ||
| 2. The Evidence in the conveyance channel is supplied by the Attesting Environment. |
There was a problem hiding this comment.
same question about "the Attesting Environment"... which Attesting Environment? Also the phrase reads as a tautology, can we wordsmith somehow?
mcr
commented
May 19, 2020
dthaler
approved these changes
May 19, 2020
mcr
commented
May 19, 2020
mcr
commented
May 19, 2020
mcr
commented
May 19, 2020
mcr
commented
May 19, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
replace pull request #60 with one we can edit.
This attempts to establish the architectural basis for implicit trust as a result of links.