Internet Engineering Task Force 108, 29 Jul 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF108-RATS-20200729-1100

Description

RATS meeting session at IETF108
2020/07/29 1100

https://datatracker.ietf.org/meeting/108/proceedings/

A

All right by my clock, it is four a.m sharp. We are ready to begin um welcome to the second session for the remote attestations and procedures working group fondly known as rats. um I've got my co-chairs with me, um as this is a formal ietf session. The notewell applies.

A

I don't think I need to go through, as I think I noticed. Most of the participants have been here before it's noted here.

A

Great, I think we've got our notetakers I'll, keep an eye on the chat I'm going to bypass the second hum test, just to make sure that we give ourselves time for all of the presentations we have um and we've got the links, um but hopefully you guys are all on here already we had a full agenda on tuesday and now for today, um we're gonna go through um the architecture.

A

Lawrence wanted to go through um the taxonomy for keys and key provisioning in relation to the eat draft.

A

I don't see lawrence on the call, but hopefully he will join um eric awesome you're on you'll be going through the trusted path. Routing hank will go through um the suit evidence and attestation claims followed by the unprotected seabot claims and then thomas you're on to present your new draft on restful, attested resources and then, given that we've got new drafts, one of them dropped off. um I thought it was important for us to go through the milestones, as we also need to update them.

A

So with that any comments on the agenda feedback going once going twice. Excellent. So hank are you on.

A

B

um Yes, I am hi sorry acute. I should have just spoken.

A

Out, okay, let me go back okay, so are you going to be the one speaking on the rats architecture.

B

A

Great, so you are on, you got um 15 minutes.

B

Yeah I tried to not to rush through this uh document like yesterday. That was a little bit hasty and some points I think got lost in that rush, so my name is hank burkholtz, I'm one of the individuals, as you can see here on the first slide that are molding the architecture document.

B

At the moment um I will uh just as I mentioned before, I will try to uh end or include questions in these slides. So it's okay in this presentation to uh chime in. uh I will give time much various moments there to to join so next slide. Please.

B

No problem, so there were only five names on the uh title slide, but effectively we have a uh a lot of people uh that are weighing in on creating consensus here on the regular basis. So this is a big list, as you can see. Most of these listed here are uh joining on a regular basis on tuesdays. 10 a.m. Est luckily not 4 a.m. Pst is right now, I'm very sorry nc, and so um so we had uh 24 meetings uh since the um it106.

B

Now uh we created a lot of issues 39 in case 780, pull requests were actually uh addressed. Four are still open, so this uh group here and again these are more people effectively than on this list. These are only regular participants, really really uh do some wordsmithing here next slide, please.

B

So this is actually the list of everything that is still open. Issues and pull requests are merged here. At some point, you see it's suddenly triple digit thingies again, these are the four pull requests. uh They range from very contested items uh that are really under discussion, which will I come back to uh with other slides today and end up with things that are open only for logistic reasons. Like 72, what are role compositions, these terms, don't even exist anymore.

B

We now have roles and entities and really really explain in a very simple manner how all the architectural constituents that we describe here work together. This is just an overview where we stand so this list is getting smaller next styles, please.

B

So we did uh actually text molding um and and crunching and smithing and and effectively. When you look at the diffs between the uh versions, the amount of changes reduces effectively uh the volume uh that is due to the fact that we are going to details now and are now in the polish phase. I think there are only a few big items open again. I will come to this later um the address and thank you kathleen for extensive comments.

B

You made the biggest list of comments we have received so far in the existence of this document. Yet uh we tried to address all of them. Some of them were discarded, it's all captured in the issues. Most of them were addressed, uh not all of them completely, so everything that was not contentious was addressed as a pull request immediately and we went through all of our stuff with uh issues here.

B

uh Same goes with hannes hannes made a, um I think, was rattling the box a little bit, but that is, of course very okay uh asking uh you are defining terms here. Do you really need them? It might be way simpler than it is, but we have this group in there and harness was not actually joining that.

B

So we have a standing on the um point of view that that we minimize terms already, we are still bickering, so to speak on a few terms that are still open, but I think this is the minimal set uh everything the ad now is convenience, or maybe uh highlighting some caveats still that you might run into if you create protocols here, but I think we arrived at a rather stable. That's the first point and minimal set of items. um There is a new section on the trust model.

B

I would everybody, of course, if we draft the case recommend to read that one, but trust is a very essential piece here, not only in the security area, but also in the rats working group. um Hand in hand with trust cause, the significant improvement of freshness. These two sections, I think of most importance here that are undergoing biggest changes, we're currently working on, as always in the end with privacy and considerations for the moment. um Are there any questions about this?

B

I do not assume I'm looking at the chat, but that doesn't seem to be the case and then I think we can go back to the next slide please. This is now getting into the meat of it. We have two bigger topics. uh Here's part one- um and that is, I was thinking thinking um initiated by lawrence, who, unfortunately, is not with us at the moment.

B

Oh well, okay, um there is the notion that we have phasing here in the red's charter. The things we are focusing on today is the live data flow between the active actors that are relying parties that want to establish some soft stress decision. There are testers the target of aviation that has to create all this evidence and the verifier that takes care of the burden of the appraisal of the biggest chunks of it if it's too complicated for a simple cell phone, for example.

B

So all of these flows are very established and defined at the charter, but there is a very important bureaucracy upstairs. That is the endorser role. The endorser role basically could be something in a supply chain. It could be the vendor that creates the a tester in the first place and also that a testing service need information from in the end, the verifier in this case, um so uh there were attempts to simplify this and also um say yeah.

B

It could be just everything that goes from the endorser to the verifier should be a conceptual message here. We are a little more specific. That is an ongoing discussion, but I think and again sorry that lawrence is not here at the moment. There is this question about key provisioning.

B

Provisioning, most certainly is a part of the next phase of the red strata was specifically excluded right now, but we were looking at the charter and there might have been some loopholes that do not explicitly exclude talking about key provisioning, we're talking about not talking about knowing good values and how to get it there.

B

The architecture may, though- and that is our point here right now- so um there are probably more messages than we highlight here- that are created by the endorser role and they are not just the stuff that gets sent to the verifier, and I think, if you are interested in creating supply chain integration for reds here at some point or are interested in how to create something that would facilitate it by rats like the endorsement.

B

That is the things that the attester cannot create evidence about, because at some point you have this roots of trust they're there. You cannot create evidence about us. This has to be taken on by another role. That's external! That's the endorser! This is basically, I don't want to call it evidence, but it's like evidence, but about the things inside the tester. The tester itself cannot talk about, and so that's the open topic we are currently discussing. If you are interested in this either join or if you are and again lawrence would have had something here.

B

I guess uh opinions about this. um um We could have a small discussion here. Is there anyone in this group that has a question about what I just said or some advice or comments.

B

And yes, dave it's in the next presentations a little bit, but I didn't see that one coming first, okay, this might be quicker than I thought so, um please there is this opportunity to join in the calls on tuesday. So if you are integrator, if you are a service provider domain of point of view, this might be of interest to you.

B

I will go to the next slide, which is our next contentious topic. I think.

B

Yeah and that's the time keeping so maybe I have a little more time to talk about time. At the moment, um coincidentally, uh hannes wrote an email to the list asking about the age claim and eat, which is a good hook to get something. So this is a current topic apparently, and um so at the moment we define in an appendix of the architecture, a set of quite important points in time.

B

They call them events, and this is captured in the section called time considerations and just to give you an example here, it's about time spans between generations of values, for example. So you generate a value on a target environment of a tester, that's important because it has to go into evidence, but the spawning of a byte value in some register, for example, does not make evidence. Yet you have to generate the evidence from that and there is an interval between that spawning the value generation and the effective re.

B

Let's call it reporting the evidence generation in the assumption, under the assumption, you will send it out quite in time, so that is, of course, okay, but there are intermediate steps there, and there is discussion going on so hannah's question was what about the collection and uh what we could refer to and then reply was yeah. Well, we have better value generation, but you might not always get a explicit time stamp from that.

B

Sometimes things spawn in your system and the system that creates it or the software component does not always provide a timestamp for that, so it's just there and then collection or awareness or something that's all the topics we are talking about and won't want to go into details. This is something we are currently addressing as a final part of the uh yeah, basically finalization of the architecture. That is the biggest next chunk we have. There are pull requests about this and a lot of comments.

B

If you are interested in how to create protocols and solutions in the end or are planning for a solution in your domain again, it might be a good point of time to join the calls on tuesdays. At the moment there are interested parties. I think there are issues on the list. This all can be looked up. Is anybody here in this group or in this session right now? That has a question about time, keeping or the time tables that might have been already reviewed by someone here.

B

Okay, nancy: I can maybe save you some time here. So these are the big two things again. This document is now uh internally, as you saw the list of names with the who and when- and there is an informal. uh Let's call it trend um that we try not to open more can of worms here right now. We want to carry this document to the finish line, and so we have the two um items here, part one and part, two that I highlighted a small nits. Probably reviews are always upcoming.

B

Welcome, so we will open new issues when reviews are coming in. But aside of that, um we are pretty in a pretty good shape to to put a lid on the document effectively, which also means that we have uh uh we that there might be a light at the end of the tunnel for a group last call and okay, something dave is on the queue. Oh yeah, I'm not seeing the queue. Sorry dave, I'm talking on and on yeah.

C

Yeah, so uh I think my question is uh so I think the answer. My personal answer is yes to the questions, but I don't understand the second question: can you rephrase or whatever what you mean by the? What is the impact question? What does that? One ask you to actually talk about.

B

uh On this slide here right now, okay, the second question is um uh sometimes you're, not sending yeah. So, okay, um there are examples in the appendix next to this event thing. So we have this time cut so for everybody that we have this time uh points of time. This events defined and the examples elaborate on them. So you can understand how and in which context these events timestamps are important to you when are they going over the wire and when they are just times on a entity, for example that triggers something?

B

So um all these examples use nonsense. All of them there's not a uh a specific one. That says- and this is just a timestamp- please dave correct me: if I'm wrong right now, I think you're wrong. Is it time the time.

C

B

Is the one with the the time stamps? Is that correct.

C

Yeah, what the appendix does right now, or at least what it does to me, um is that it shows that there's multiple ways that you can accomplish freshness you can accomplish freshnet freshness purely by using nonsense. And so let's say you have a constrained device that has no clock whatsoever.

C

You can still build a solution right and it shows how you can construct a protocol using nonces that does not require even having any type of real-time clock in your device. There's another section that says: oh well, if you have say time synchronization, then you can do things without having to exchange without a without a nonce challenge right. You can construct a protocol that uh assumes synchronized clocks and you get a much simpler protocol in the in this layer at the expense of having a different protocol for time synchronization.

C

So it just covers that you could do it with nonces. You can do with time stamps and so uh there's multiple ways to accomplish freshness and it's giving multiple sort of independent examples of ways that you can have solutions that that solve freshness, while still highlighting here's the freshness problem to be solved without trying to dictate which way you solve it, because it shows multiple uh in subsequent sections. Here's a here's, an example that only uses nonsense and no clocks.

C

Here's an example that uses synchronized clocks without nonsense and so on, and so that's what it's doing right now is it's saying here's trying to illustrate what the freshness problem is that there exists multiple ways to solve it and giving more than one example of a way to solve what that might be uh useful in different, say: application: contexts if you're designing a solution for that application context.

B

Well, that actually sounds excellent, so the the subset of the question that now remains is: is this a set of examples? uh Good enough? I think there are four right now. So uh four examples are there and they they they apparently not all based on nonsense. Sorry about that. So um that's that's already a big improvement, and um so uh the the final question is: do you find something as in this group or basically on the list extension?

B

um Is there anything that you want to uh build, or did you need for for, for your sake, argument to say this maps to rats and is of relevance here that might not be captured in the examples? It's a small read only it's the appendix a.

C

Yeah my personal opinion is that I don't think that the architecture document needs to be complete with all possible ways of doing it. It has four in there right now, as you mentioned right, which is a two by two matrix right. One is a because we said there's two classic models between passport and background check right.

C

If one of those is more along your way of thinking, then there's two examples of each so one one axis is background check versus um uh passport, and the other axis is using time stamps for synchronized clocks versus using nonces without any requirement for having a clock in the first place right. So that's the two by two matrix, but that is not, of course, the only possible ways of doing it. My opinion is, we don't have to enumerate, or we shouldn't try to enumerate all possible ways of doing it.

C

We just have to have enough that anybody else can um draw sufficient understanding from it to be able to construct an actual solution document.

B

Yeah, I think you're absolutely right we're not you're not trying to have an exhaustive list here. That is absolutely correct. I just wanted to highlight that I think.

D

This one is exhaustive enough.

B

Exactly exactly so, but I also don't want to uh I like the idea of this. This is tetra lemma, like 2x2. It has a certain elegance to it, but I would not make this the reason to to constrain somebody to to point out something that might be of interest. Maybe it's good enough so to speak, and I'm just mentioning this because we're closing this soon so speak up now or be happy with it. So these are the two alternatives effectively and yeah.

B

I just want to make sure that uh we are not steering something in a certain direction by choosing examples with with unwitting buyers or something that is important. I think, uh if there's no comments on this and everybody's, like yeah sure I get this, I think that's also a very fine outcome.

C

So I guess the one thing and I'm trying to be fair to uh your opinions, um because, uh on the on the uh design team meetings right, there's been uh one of the open, plural requests. Hank said was contentious and I just want to highlight that what the ongoing discussion is since uh tuda is not on the agenda right now and so I'll give uh hank a free shout out here. um One of the open questions has to do with the extent to which handle distribution should appear in the architecture.

C

Document right handle distribution is discussed in uh things like. I think it's roughly mentioned in the interaction models document that hank talked about yesterday, but it didn't come up in the discussion yesterday. It's in the document, although my reading of that document is, is a little bit confusing, although it just refers to the tuta document for more details, I think that's what the more details are, but that was not a working group document yet um and so to what extent should this other discussion be part of it?

C

I'm personally I I was arguing that discussion just to be um uh transparent to all the rest of the working group that wasn't there. um I was arguing that the architecture document shouldn't put in concepts that don't appear in working group documents, and so, if trudeau were to be adopted as a working group document, we could have that discussion, but otherwise I was arguing to keep with the current 2x2, although other people might like to have them be in there and that's kind of blocked on that larger issue.

C

But since we're trying to be done with the architecture document again right now, my stance is: uh it should focus on the things that are in working group documents as a whole, and I personally believe that the discuss that the examples using nonces and time stamps are sufficient to let people uh draw their own conclusions as they read other documents that might be future documents or individual submission documents or vendor specific documents.

A

Okay, I'm going to have to call I'm going to have to call time because we've already gone 25 minutes into this, and we can discuss some of the documented options during the milestones discussion. I have a lot of 15 minutes for that.

A

The one thing I did want to raise for this one is: I noted that there was an ipr statement issued against this draft so um and I think it was done by somebody at huawei, so if they can clarify the nature of that um and what parts of the architecture or is it the whole architecture um that's covered under there and what we might have to do to react to.

E

E

He's probably uh addressing this so go ahead. Please yeah.

A

F

Yeah, I can send the details in the mailing list. It's about the composite device section. It's not about hold draft.

A

Okay, so if you can clarify that on the mail list, that'd be great okay, we need to move on um lawrence. Are you on.

G

Yes, hey I'm on hello.

A

There you go okay, so you're on next, I'm sharing your slides.

G

Okay, so this is about the attestation key material, the verification keys, how it should be, how keys should be identified in eat and how some relation to how the keys are discussed in the architecture document. So next slide. Please.

G

So I'm going back to very basics of attestation here and in this diagram I think it's important to be clear about what the primary point here is. So the the primary point of attestation is for the relying party to know something about the tester which relates directly to the manufacturer.

G

Sometimes sometimes the manufacturer shows up as endorser in the diagrams, so this diagram shows who trusts who and how and why. So um the uh solid arrows are kind of more direct to trust.

G

So we start out really with the relying party has to trust the verifier, um and you know we don't specify in the architecture or you know how that that trust is established, uh but there's basically a direct trust relationship between the relying party and the verifier. For example, it could be the same role or they could be an https connection or something like that. They could be the same entity.

G

The verifier underlying party, the the verifier, has to trust the manufacturer because that's where it gets the information about the attester, so those are direct trust relationships.

G

The the trust the relying party has in the tester or in the device is comes uh transitively through the verifier and the manufacturer. So it's not a direct relationship. It's the relying party is told by the verifier whether they can trust the attester or not.

G

Again, the verifier comes to trust the attester in a transitive way through the manufacturer. The verifier gets information from the manufacturer to know how to whether or not to trust the attester.

G

So this this diagram, you know is, is I I consider this the basic trust flow of uh in attestation and kind of to a large degree, the core of attestation um there's a secondary trust flow. I believe, which is- I don't want to go into here, but but that's got more to do with uh privacy and pii, which is kind of the reverse of this, because but that's and that's discussion in the architecture document, but I'm not going to that here, I'm focusing on the the main primary trust flow.

G

So, basically, if this stress flow doesn't work, attestation doesn't work.

G

Okay, so uh next slide. Please.

A

Okay, so lawrence, I'm just going to ask real quick when you say manufacturer, it doesn't necessarily have to be a manufacturer because they could be claims about a piece of software which, I guess are you going to clarify that in the next few slides.

G

I'll clarify now so manufacturer I mean you could call it a supply chain, you could call it a software vendor, you could call it. uh I mean it could be some sort of a third party. You could call it endorser.

E

G

uh Yeah so so I I mean I'm using.

E

H

G

um Okay, the the uh the architecture uses the term endorser.

A

Yeah endorser would seem to be more clear and consistent. I guess with the architecture well,.

G

I mean I, I I find the the definition of endorsement and endorser unclear so far. So that's one reason: I'm I'm kind of trying to work through this here.

G

um Part of this is that I'm coming at this from the tee and iot android and fido point of view. Endorser is clear in the tpm world, but it's not a term that's used in the te world or android or fido or any other other use cases that have billions of devices.

G

So I'm trying to this is maybe that maybe this is the the non-tpm part of the of the rats discussion today. um Okay, so uh next slide, please.

A

Okay, so rich just provided something on the chat, saying potentially provider, but I mean we should move on, but he suggested provider. um The mention of supply chain he believes, is important.

G

Yeah, okay, okay, uh so this is uh looks a lot more like the um kind of mapping to the um the the standard diagram in the architecture um which shows the attestation result, attestation, evidence and, and all that this. So this is now similar to the previous diagram, showing the different messages and I'm picking this um to highlight where the attestation key material is and how that works.

G

So that's the the the um the key material is in kind of the pink and red. So so the only way we have that unless there's some. The only way we know for and a tester to prove itself to a verifier is using cryptography.

G

I don't think there's any other way for an attester. You know if, if they're not the same an entity, then that's a possibility, but attestation has to work when they are not the same entity when the verifier is very distinct.

G

Entity very far away from the attester.

G

The only way you can prove that you're in a tester is with cryptography, so the attester has to have a some sort of a secret in it that it can use to sign something or authenticate something to prove it is this particular tester. You know to prove it's the uh you know the device made by acme corporation uh version 2.0 or something or to prove it's a a tpm chip or to prove it. It's this particular te or it's this. This particular chip, if you just it, has the secret that proves it's that particular chip.

G

Another chip has a different secret group that proves it's another different chip, so that that key material, the signing keys shown here, has to be put in by the manufacturer or the endorser or somebody something like that.

G

um And then the verifier has to have verification, keys, to be able to verify that and and usually there's there has to be a nods so dave. We.

E

Have dave in the queue I'm assuming he wanted to ask something right on that. I.

C

Just wanted to comment on at least my understanding of signing keys and verify. That's the same as your understanding here and I'm looking at the line that goes from your manufacturer down to your tester.

C

If you're talking about what keys the a tester actually signs, I mean it's private key that it signs evidence with that might not be generated by the manufacturer in any sense other than you know you, some of the cases the tester itself uh generates its own key inside the device that even the manufacturer, you know the humans, the provisioning systems, don't have any knowledge of.

C

It may just extract out the public key out of the tester and first boot and then generate a certificate, and in that sense it's the certificate that signs the attester's public key. That is what is what will go in your signing keys box.

G

Yeah yeah yeah, I I that is an alternate flow that I agree: yeah, okay,.

C

You label this key material up top and sure I might call a certificate, be key material, but the signing keys is not necessarily going from the manufacturer into the attester and maybe just only ever in the tester. So that's just one way to do it. I just.

G

Want to verify.

C

That yeah yeah.

G

Your understanding is okay,.

C

G

C

G

The verification.

C

Key is just providing the manufacturer's public key to the verifier, so we can use it to check signatures. Correct.

G

Right so so yeah um yeah, so that verification key, um I mean the verification key um that still hauls, even in that scenario, so there's still some sort of some verification care material. That's transferred from the manufacturer, endorser supply chain to the verifier and the verifier cannot do its job. Absolutely, it cannot do its job without that key material.

G

So the point of this is there has to be key material here. There's just no other way to do this. um Okay, next slide.

G

um So now some some taxonomy about this key material and how it gets from the manufacturer endorser supply chain to the verifier, so the key material could be public keys, which is typically what's done with tpms and generally preferred because of their their characteristics, but not not always it could be symmetric, key material.

G

The main reason to do this symmetric key material is cost, particularly low-cost. Iot devices can't afford to do the public key stuff in some ways, just because of the the number of fuses on the chip or something like that.

G

um Another option is that the manufacturer, endorser supply chain runs a verification service and doesn't actually transfer key material, so I'll go into that a little more then. So, that's one axis of the taxonomy another axis of the taxonomy is how frequent this interaction happens. So the interaction could happen uh between this is between the manufacturer and the verifier could be infrequent, such as the transfer of a a route of trust, or they could be done in batches or quarterly, or something like that or the interaction could be per verification.

G

Every time the verifier performs a verification, it could go back to the uh to the manufacturer, the sort of origin and ask for help in some in some fashion, so two axes there. So next slide.

G

So this um I I won't claim this is exhaustive, um but it covers, I think, a lot of the uh the cases here um so uh in the cat in the category of starting with the um upper left.

G

The the one everybody's most familiar with is is that that the manufacturer transfers a trust anchor to the verifier so like a root certificate.

G

The so the the trust anchor is sent. um Perhaps the per device attestation key is actually in attestation evidence and the in a certificate and the verifier walks up the the chain to the trust anchor to verify it. um You can do that.

G

Another possibility is that the um there is no hierarchy, there's just a database of keys, perhaps millions of them. If there's a million devices, there's a million keys and the manufacturer sends this entire database of public keys to the verifier.

G

They do this, perhaps periodically quarterly or annually or once or something like that, um and there's a look up by key id, so the there's no certificates involved, you just you just take the key id out of the uh the eat message, some some sort of a identifier and then look up the public key and use that to verify this is real. um Two fortune 500 companies uh interact this way today. I know of an implementation that actually does this um for for a firmware, tpm implementation. This is not. This is not a hypothetical.

G

um Down on per verification, um the manufacturer in this case maintains the key database, but it never sends all the keys, which is what happens. Every is every time the verifier wants to verify something the manufacturer or the the verifier asks uh the manufacturer for a key uh by um key id. Of course, there has to be a trust relationship there. So perhaps it's over uh tls, you know. Trust has been established over tls so that it knows that the keys it's getting are trustworthy keys.

G

So that's a set of public key-based ways to do it from a symmetric, key basis.

G

You can do this all with kdfs, so the transfer from the manufacturer to the verifier is a master symmetric key and the per device keys are derived using a kdf um perfectly reasonable thing to do. Of course, um in this case, the transfer of the key material to the verifier has to be done with confidentiality.

G

That's not the case with public keys, it is with symmetric keys, so you, but you don't have to with a master key. Instead again, there could be a database of keys, um and uh so, if there's a million devices, there's a million keys, the manufacturer sends the entire database of symmetric keys to the verifier, maybe quarterly or periodically, or something like that. It's infrequent and there's a lookup by key id um and then similarly, you can do symmetric heat lookup, where the manufacturer retains the database doesn't give it out to anybody.

G

The verifier asks the every time it does a verification. It asks the manufacturer for a key by by some key id again, the point of symmetric keys is low cost. I know of uh implementations at a couple. Different uh companies that are doing this for real, so uh symmetric keys are a real thing, so you know it's you know. Symmetric planning is supported uh by cose, uh you know with hmac and all that, so um I think this has to be part of rats.

G

The board of symmetric keys. A third option is a verification service. um In this case, you have to do it per verification. You can't do any kind of you know, one-time transfer of a root or an anchor or a master key. In this case, the manufacturer retains the keys.

G

In this case the verifier sends a hash of the two big verified bytes and a key id, and the manufacturer responds with a yay or nay.

G

So I think the one other thing I want to mention here is ecdaa or some sort of a daa architecture. In that case, I think that basically fits into the public key uh category. It's it's similar. It's not just a key. It's the it's, the the basis for the the daa, which is a little more complicated than a key, but essentially boils down to something similar uh dave go ahead. Dave.

C

We're just having a quick conversation in the chat room, we're just going to report it out here. This is a great slide. Thank you. um My since we've already discussed that the term manufacturer could mean a whole bunch of different things. um My take is that this slide is actually not specific to rats. This. This slide is actually more generally useful.

C

It surveys a bunch of techniques that be used for any time that you need to configure or use keys between any two entities, given the manufacturer could be anything right: the the provider and the consumer of that key configuration and trust model, and so the suggestion would be because I think this slide is quite useful. I like this one other than maybe we changed the term manufacturer or clarified, or something like that, but this taxonomy is great.

C

I'm suggesting that this be in a maybe a general security area document that could be referenced from multiple working groups, because I don't think this is just useful for rats. I think it's useful for just about any working group that uses keys. You know teep and rats and other ones, so I would love to see this particular slide expanded into a draft that can be put into a general security area document that can be consumed by multiple working groups. So thanks for putting this together and we have russ hasley.

A

And um I'm going to cut the cue there, because I notice lawrence is only in slide five, so lawrence uh your time runs out in one minute I'll, give you an extra minute or two, but I just wanted to give you that time check go ahead. Russ.

I

Okay, so I like the slide two, but I think that if we were to build that document, we need to talk about the security consequences, such as the right hand, lower right hand corner.

I

You have to have integrity on the communications channel when you get that dna back, otherwise, you can be spoofed and in the middle you're, actually getting the keying material necessary to pretend to be the uh a tester. So you know these kind of consequences need to also be discussed, but I I think this is a great taxonomy.

G

Okay, thank you um really, my only guy, I only have a minute left. I thought I thought we had one more thing.

A

You asked for 20 minutes, it's.

G

Been 20 minutes.

A

G

Okay, all right! Well, uh let me do the next slide and then I guess that will be the end of it. um I won't really complete anywhere near what I wanted to complete, but.

A

So lawrence, the suggestion on the chat from michael richardson is that you could present this. I don't know kathleen happens to be the chair for psych dispatch too. You could present it. It's like this patch they go on tomorrow morning.

G

Okay, I'm happy to do.

A

G

A

That wasn't his suggestion.

E

I don't we have the agenda all set, um send in the request and we'll see if we can move it around.

E

uh I misread it. Number nine, never.

A

E

Yeah he's covering some of it in his draft too so yeah, okay,.

G

So I'm going to take a few just a minute or two on this slide um and then we'll call it. um So next is how do you identify the key this, and this is to try and figure out what goes into eat um or similar, um so we can do it by key id, which is standard, cos a key id and that that that works and that's all fairly well understood um pretty good size efficiency works with heat. um You could do it by a uri.

G

I I don't think we've done this before or well, not as much. There is a uri in the cos a x, 509 draft, um but so so we could do a url where you can obtain the key. You look inside the the content type of the the uri, and then you find out what the key is.

G

um You can do it based on claims, so you you, you uh unpack the uh the the eat message, look at all the different claims and somewhere some combination of claims in there tells you what the key id is. So you ue id or serial number is a is a really good one to do that. This thing is great because it has no additional bytes added to the size of the attestation evidence.

G

The uh the the one thing I wonder about it is: you have to decode uh unverified data that you have to decode the payload to get at it. um The the the last thing is, you can just put the the key uh if it's a public key um in the attestation evidence itself. So this is like the you know, including the the certificate, and then you of course, have to walk it up in the chain and verify it.

G

That's that's typically, what's done in fido and and all that, so what I was going to go on was to discuss.

G

You know, ask questions and information about how we you know what kids belong in eat and suggest that we expand into not just key ids, but also endorsement ids, because endorsements carry keys, so you can identify the endorsement, and then you get a lot of information in addition to the key, um so these kind of kind of mechanisms for endorsements, so all right I'll end. There.

A

Okay, so lawrence, my suggestion is to bring it up to the list and if you want, you can create a side meeting um where we can discuss it, but yeah. Sorry we're out of time. Yeah.

G

I know I miscalculated on my part so.

A

All right, um thank you for that. Next we have trusted path, routing eric hi there can you.

J

Hear me today: yes, we can all right, I'm going to talk about trusted path, routing. This is a follow-on to a previous set of drafts, which was uh actually trusted path. Routing was really trustworthy because we split out a number of things and put them in a different draft that we talked about yesterday. Next slide.

J

The overall objective of trusted path, routing, is to build a uh trusted topology and a tested topology, which spans a network and different levels of trustworthiness can be appraised on different devices, resulting in paths of enhanced security going through a set of routers or switches.

J

The idea is that you can avoid the routers that are either potentially compromised or maybe have uh risks that are associated with it. Next slide.

J

Now this draft follows on to some of the other drafts we talked about uh yesterday and today, with the architecture, the yang models, the profiles for routers, all of them uh feed down and the mechanisms, including the yang models, are used for the definition of this draft and the solution. It's based on next slide.

J

One of the key things that this document defines are yang identities for trustworthiness levels. These effectively are claims and they could also be encoded as ease, but we used yang here because we're talking to routers and those claims can be made about uh from a verifier about a router about a testing router. These include things like hardware, authenticity or failures, identities, unique identities, boot integrities file, system integrities.

J

These can also be expanded now, just because you have a pass fail claim, there is also the option for making no claim at all, and that is very familiar for people who are also working at eat.

J

The idea- and the most important part of this is that the levels themselves are externally actionable in other places, you'll find things like trustworthiness scores which is a number from zero to 100 and they're nice, but they don't actually return something that's easily actionable rather than classified states, and so the level is um a very important thing here and then the question is: do we want to generalize levels uh across the working group, or should we keep on just trying to work with these levels as something that is specific to routers and switches?

J

We'll ask this question again at the end, but that's the biggest task I have of people. Do we want to have at the station results that are generic across transports and I see kathleen in the queue.

E

So set up the labels, but then we could leave definitions to some other entity, like um kind of in the way that the certificate policies were done for pki, where you set out the general definitions.

E

But then how they're implemented like the procedures and guidelines to meet specific levels are left to some other entity because we don't get into that um typically. But it's just an option.

J

Absolutely and there's other people who are on this rat's call who have means of trying to find ways of proving various levels. So I think that we need some kind of stake in the ground personally. That allows us to kind of link claims to prove abilities. There's a lot of potential here and again, I'm trying to raise the question to see if it has applicability beyond rallying next slide.

J

Now, at least in the trusted path, routing what we do is we create something called a trust vector which is a set of claims which are determined over time and, let's say boot, things can be clean, then you might find a problem and then you might later find the devices fully compromised.

J

In the end, the goal is to have multiple trustworthies levels assigned during an appraisal cycle, and then what we do is we sign the results from the verifier and return them back down to the router next slide.

J

What allows us to do is, after we've got the signed results from the verifier when a new peer, router connects or re-authenticates, you can take the latest measurements from a tpm and add it into those appraisal, results and then use the compare.

J

The current um results from a tpm with the signed results and, at the far end, you're able to determine whether the ground you're connected with is in the same state that uh was appraised previously at least some elements of this state and from there you can get determined, whether you add a link to a global routing table or an attested topology, and we use regular routing protocol distribution to go ahead and pass that determination of appraisal and the link status throughout a topology that allows you to go ahead and automatically construct various networks.

J

Topologies based on trust next slide.

J

So, in the end, what we have here, we have a trust vector which is returned and maintained on routers, and you can have different policies for different topologies, such as a validated boot integrity across a set of devices or a validated boot integrity, and I'm not taking any other level of failure that I've found in the claim. And so you can do grades of trust across a network based on at least a standardization to some degree of the attestation results which come back down to the network next slide and that's pretty much it.

J

The open questions uh that I see are: does the working group want to generalize and standardize appraisal results and encodings? uh That's something, I'm hoping that either people have comments now or have them on the list. We do have another thing that we're trying to do with defining the payload to get the information of appraisal results over existing things like 802.1x or maxsec, and I guess the open question beyond the appraisal. Results is.

J

Are people interested in this kind of solution and it may be eventual adoption, and these are the things that I'm throwing out there to see. If people have any comments on, and I see a question from.

I

Russ eric this is very interesting to me um when you say carried by traditional routing protocols. uh Are you talking about bgb communities? What are you talking about? I'm just trying to understand the whole system.

J

Okay, uh we have done some of this in the lab. We've done it with isis flex algo, so that in igb community you pass it around. We have tests underway to do it with bgp, so you can pass this across inner domain boundaries. That means that you can pass the information uh from one carry to another without ever actually connecting to the verifier, and it will allow you to assert the trustworthiness of a link based on that, so so igp and bgp both can be supported.

J

As long as you have an understanding of what the levels are on either.

J

C

Oh day, taylor, so uh uh I don't know whether I understand uh the trustworthiness vectors enough, but from what I do understand is uh that, in the context of trusted path, routing you're using it as a way to provide finer, grained error cases right. If everything was green, then just you don't need them per se, because it's equivalent to saying your attestation result is okay right, you're, using that to provide finer grains of failure that may be soft fill your feeds of. That is what I'm understanding my opinion on the standardization question is.

C

I am not yet convinced that there's anything that's generalizable outside the scope of trusted path, routing, I don't have any opinion as to whether it's useful to standardize in routing the answer might be. Maybe I don't have enough knowledge there, but outside of that, I think there's too much heterogeneity to to at least from what I can tell so far to say what types of soft failures are interesting in general and that's because you have composite devices, you have layered attestation.

C

You have uh different types of attestation that have different leafs. So, for example, it goes all the way, an application that starts long after boot. So it's not boot integrity. It's you know what is the leaf of your chain. Is that data? Is it um an application so on so across different use cases? I think there's enough heterogeneity that the set of interesting soft failures may vary too much and so right now. I don't think that it's useful to standardize outside of a very limited use case, and so I don't have any opinions.

C

If you want to standardize with the routing, I don't have it. I don't have an opinion on that. So.

J

All right, I think those are very legitimate. um We have a general cases which are hardware software fail. You know those kind of things, um the specifics and the details. You know the legitimate question: is it reasonable enough to have general categories when we have specifics also needed yeah? Definitely an open question.

A

Okay, since you're asking the question um dave, I'm hearing you don't see this draft being adopted here at rats. Is that correct.

J

What's your question well I'll insert first I mean it could be adopted here because we're really just using the yang yang chera model and the you know as definitions and extending it, the question of, is it general for a attestation language spanning beyond routers, I heard dave say not beyond routers, but adopting four routers could be here. We have other stuff adopted four routers. I don't know where else it would go if it uh you know, if it wasn't here.

A

Okay, so now I'm running you over go ahead. Dave he's got another response.

C

No opinion on the question of whether this draft should be in this working group as long as it's scooped to routing it is a uh I'm not going to advocate for it nor object to it. So I know if you hung for.

H

C

Not come either way, so I I'm. I was only saying islam that generalizing it I don't think, is appropriate at this point, but I have no comments on the current draft that it's open.

A

Great, um so let me ask um okay, sorry um eric we're out of time, I'm already eight minutes over from the agenda. So why don't we post this in the group? I was going to ask if there were people on the call who have read the draft, um because we need to have at least a few people before we can put the question, but I can just put the question, or one of the chairs can put the question um in the mail list um or interest for adoption.

A

Okay, thank you all right, yep! Thank you! All right! Who's next shoot t claims that would be hank.

A

Hank, are you on.

B

Yeah figuring with buttons, uh I think I'm figuring it out hi.

A

Okay, so try and be quick, please because we're running over.

B

I can just talk faster okay now I can do this, so uh that was an interesting discussion, because uh yeah this presentation is called trustworthiness vectors, because I stole that term from um from eric's initial draft and uh we apply it to the uh to the world of suit and we'll talk about how suit can be the source for evidence and attestation results in the end also for rats brandon will present something complementary and suit. I am doing this here so next slide. Please.

B

Yeah so um apparently- um and this is no match to michael- these- are rodents and formal wear rats. A tester can of course be a entity that consumes a suit manifest and when your consumers to manifest, you typically want to update your, uh for example, iot device.

B

It could be larger, but let's say it's a constraint, node, environment device right now, and so uh what we talked about uh ages ago, I think a year ago was when I think, when dave came up with the uh passport and uh um background check uh terminology, um that uh there is uh that we could uh have uh a suit manifest being being uh processed by a suit workflow on a tester and then evidence is created, and the verifier asserts appraises effectively that the iot device is not in a sufficiently updated state and therefore non-compliant.

B

Now a remediation action which is again going through a suit manifest update. That's hopefully fixes that and then you can create evidence again and now, oh finally, oh this is now uh appraiser policy.

B

Compliant uh evidence uh tells you uh that uh this device is now in the compliance state and that's basically the story of how suit update procedures work and in order to accommodate that, on the suit side of things, we now have uh suit records that have this um like the trustworthiness levels, decision thingies that are basically pass or fail in a suit report.

B

This is always before and after an update, that's easy, but I will come to this on the next slide.

B

Next slide, please so um there are so called. I would call them on the easy side of the suit uh claims we talked about here, uh a suit manifest naturally brings with you gripping so that claims about hardware and software, because an update only applies to a certain. I don't know vendor model type uh conglomerates and there's probably some software already installed, maybe at the factory default. So these are the system property claims. They are very, very similar to the claims in it. They are only relatively specific in suit.

B

So uh that's an interesting thing to highlight here. Maybe we should map that at some point, because each, for example, has the vendor claim in an oem id claim and such- and this is closely related to similar uh values defined in a suit manifest. So a mapping here would be an order. The id that I'm talking about here this is about the claims coming from to be consumed in reds or to be used and reds is talking not at all about the existing claims, yet just list them to have a starting point.

B

It's a zero, zero draft, um but now uh next to that, that's the other would call them like the more well-known sets of claims that we create in evidence. We now have this update procedure and this actually looks uh quite like the um uh flow chart I uh eric presented. So so there are now uh command sequence in the manifest how a uh um receiver of the manifest manifests.

B

Sorry recipient of the manifest should um should process the update, and some of these uh things are um conditions they may fail, but it's not it's not harmful, necessarily, and then there are um uh so-called um directions. I think- um uh and these are a hard failure. So if these fail, probably you cannot uh proceed with the update, so this is again a chain of trustworthiness levels.

B

So that's the thing I stole first terminology-wise here and you you chain them in a sequence and even if some of them fail because they're conditions, they are still being like a red x in your trust within this um vector here, and that is basically the same thing as in the other slide. We just saw next step. Please.

B

Yeah so- um and these vectors are now uh interesting because I heard a lot of people always say: um why do you need verifier and harness put it very very, very uh in a nutshell, I think um you only need a verifier when the output that is in the evidence is too complex for hidden party. uh So in this case uh the output is already very much refined. It's like a gps card. In it I mean you, don't tinker with the values there. It's it's a gps card. What you're going to do with it?

B

They are either in scope or out of scope, but you don't have a complicated appraisal procedure that is the taking ton of memory to understand that uh like like, for example, the contour example would be a secure boot where I don't know hundreds of measurements. If you have to appraise very carefully in order to access, if this is an authenticated device, so here's the same thing.

B

The complicated part is already done by the interpreter and the suit realm, and what you get is a relatively high level finely fine refined output that can be, of course, has to be conveyed as evidence in the first place, but those doesn't necessarily uh requires uh very complicated appraisal policies now and could be a subset of this could be actually be directly uh transferred to the attestation results uh for the relying party here.

B

So it's it's uh first of all, fine-grained outputs and I see that lawrence is on the queue and I can just say, hi laurence lawrence go ahead.

G

To say, I think the the reason to verify or exist, separate from relying party is one to hide key material for business models, perhaps for privacy. So it's not just the complexity. There's a lot of other reasons. There.

B

Yeah, absolutely okay: I was oversimplifying you're, absolutely correct. All of your cases are applicable here and these uh from from case to case basis. Whatever factors are relevant to you, you can. You can create subsets from these evidences and now my dear expert is on the queue and I would like to talk.

K

Hi uh yeah, as as this is brendan on the mic, uh as hank pointed out, uh there are essentially two channels here. uh The the first channel is uh system properties, and that's something that I would expect a relying party to be able to comprehend um without too much difficulty and the second sort of channel that comes out of uh suit is the uh the suit reports.

K

The results of the command sequences and those the evidence in that particular channel is going to be a little bit more complex, and I I can see where a verifier would be beneficial in that kind of workflow.

B

Thank you, brandon yeah. I could put it better for it. So yes, there's this. This new part here is the output that are the interpreter record claims and and that that's that's also probably uh can be associated with this binary pass and fail. uh It might be scopes again, like gps coordinates, might be a volume not just a inside outside.

B

We can talk about that. It's a zero, zero uh draft right now and it lists all the things that can be potentially produced by a suit report today and I think that's relevant to to rats most certainly, and as I realize now, it is relevant to um dave's question. I think, maybe even because he was asking well, I don't know if this valid outside the scope of routers and by accident.

B

Yes, I think, there's at least one other domain, and and probably there are more if this is worth being generalized or has this just be two sets of drafts that define additional claims? I don't know yet, but maybe that is over time worth actually the discussion here and I think that's the last slide here, I'm relatively sure, oh and dave is also on the queue. So then I would uh open up the line for follow-up questions. Dave.

A

Hold on, I need to recognize him. Okay, go ahead.

C

Dave time for a comment, um I think, um in the context of suit uh trump trustworthiness may be the wrong term right. If the point is to say that failure of uh particular suit commands, you want to be able to report failures and act on failures in different ways. There are some directives that might not affect trustworthiness in the classic sense. That may still be interesting, and so maybe it's the wrong term, and so that is my comment on eric's, where it is specific to trustworthiness.

B

um That is true you, but uh you do. This is.

C

True for the it's not a great analogy, I'm saying there's a significant difference. As I understand what you're doing my understanding could be wrong, but my understanding is your. The the suit stuff is not specific to trust and uh the the trusted path. Routing is.

B

um um Yeah, I I have- I have only ten minutes here, so uh there are other things uh that we're able to highlight. Maybe about suit, manifests here. Update procedures and boot procedures are very alike in the very constrained node realm.

B

So if you look at the suit manifest draft closely, there's a boot procedure section there, but also would fall under the system, property claim section and that most certainly is about trustworthiness and transitioning. These would be a violation of trustworthiness into a state of not being trustworthy anymore, so the update might improve being neutral on or even uh we have a detriment on on the trustworthiness of a device um being it consciously uh like like a deliberate purpose or like an attack.

B

You don't know um updates are a remediation procedure, but they are also sometimes the first time uh without rats that you realize that something is wrong. So I would not say it's not about trustworthiness per se, always maybe we have to deliberately especially highlight uh which subsets of this suit report generated is about trustworthiness and which might not be reliably about trustworthiness, an association I guess, but maybe that's up to future work.

A

Okay, I'm going to call time um dave just put on the chat. The slide is about update procedure and, like the first bullet, not the boot procedure.

B

Yeah, I know I didn't put that in here. Sorry.

A

Okay, failure of a particular update procedure directive does not necessarily degrade trust per se.

B

Exactly that is why you need a verifier here.

A

Yeah, okay, so um let's move on.

A

Okay, again try to go fast.

B

Yeah, this is an update. I can. I can run through this one. That's fine um yeah, there is uh just a recap: uh un endorsed tokens is a gp as a global platform term. uh What we define here is cwts that are not signed. That is not a cwt anymore, so it's a uccs.

B

It's an unprotected cwd claims set next slide. Please I'm not going to tell you the story um I was going to, but this is basically not the interest of time. So, let's go with the title here. um If you omit a signature of let's say evidence, you must take care.

B

The thing that you put in place of the now omitted signature has to be as good as the signature and as you are conveying stuff in this ide, and this is therefore always. The omission therefore, is always is application specific, never just stand alone without context, you cannot just generately omit a signature. Our omission of signature with using uccs has an initial use case that is important to understand why it's like the perception prescription of a medicine. We do this next slide.

B

Please um so we bundle this. uh There were no. There was a notion of why? Don't you just define the tag for a claim set?

B

Put it in front of it, create an id it's four pages long and be done with it, because the answer here- and it's implied already by my small elaboration before we need a user scenario to understand what the security implementation of these are in this case, we want to, for example, convey evidence or ratification results, endorsements and so in this scope, omission of signature has to replace some things that are, for example, implied or defined in the red architecture.

B

In other scopes, the omission of a signature might have totally different implications, so every use of a uccs has to come with a uh description and and as a security consideration that is very specific to the application of omitting a signature and creating a uccs, and in this case, as we're doing this here. First, our selection was tech creation specification.

B

Then the red's user scenario for conveyance of conceptual messages and creating required text about recreating the climates of the secure channels conveys that this is basically a reasoning. Why the document looks like it does now. We are doing this not in the uh pull from thin air, so to speak, all the involved parties from global partners um that were working working on endorsed, unendorsed, sorry, tokens of course involved, and we had some some improvement.

B

That's basically what this slide is effectively about um on the privacy preserving part here, because of course, authenticity of one party is very relevant. For example, if you're talking about endorsements like in reds, probably the party that sends you something unsigned- we are a tls channel, I'm not pulling stuff from thin air should be authenticated you. On the other hand, the receiver might not always have to be, and so this this is uh the scope of questions. We are elaborating on the text right now. uh If you're interested, please have a look.

B

um This is more of an update. Maybe maybe it's also raising questions to the group, so I want to give the last two minutes I have. I hope I was fast enough uh to the group, if not in nancy, you can have some time back.

D

Okay lawrence has a question.

G

I'm a fan of the very short uccs without the the extensive discussion of sort of rats attestation evidence to me that uh the security considerations for rat statistician evidence should be a rats document. Uccs has used use uh far beyond rats, um it's just a general data format, so I mean I've written extensively on this and and kind of been voted down, but I thought I would just mention it.

B

Here yeah, thank you lawrence. uh Thank you for speaking out. I see I see your point as a uccs can be applied, of course, beyond the scope of rats, but uh we we pulled in security.

B

Individuals here are on purpose, because we want to have an understanding how we frame this work and at the moment we still are on leaning quite on the side that that we have creative context for the security considerations here always, but maybe we can have a compromise uh on how to phrase it like the first draft that you don't have to text clone stuff into other drafts, and maybe that would help you with uh using it in other other spaces, yeah.

G

So so uccs gets used for as annotation evidence attestation results probably for endorsements. You can. I don't think you want to write the security considerations for all of those in the uccs document, but they have to be written somewhere. um That's what that's it seems like. It gets too tweaked and torqued. If you go down the path and then you know you could be using uh tpm signatures, you might be using tls for securing uccs. It just seems like it snowballs. If you really do a thorough job of it and it gets very context, sensitive.

B

Yeah, but that is security unfortunately is um that is our problem. We were talking about what would happen if we're not doing this and we could imagine catastrophe so to speak. So uh so we are very, very very careful here. If you can play out, there is uh have to be multiple documents in in reds, for example, due to the uh rechartering uh when we go from from attestation evidence workflows to education, provisioning workflows, maybe actually, yes, we might have to write a second document, maybe align with your very nice taxonomy. There, probably.

K

B

I'm handing over the mic.

E

uh How many people have read this draft? It's the third time it's been presented so first, how many people have read the draft? If you could maybe put yourself in the queue or a note in the chat, the chat might be even better. So one two.

E

A

E

I think patrick was twice. Let me look at the chat okay, so four people have read the.

E

E

Maybe five: no, I think it was four.

B

Yeah sorry that was me, I was pressing from button.

E

Okay, um do we have other people willing to read the draft? You had eric added on the chat, so it is five. Okay, all right are there other people um planning to read it very soon?

E

Thank you, russ. Anyone else, great thanks, jess anyone else.

E

I'll read it but I'm a chair, so I'm not going to count specially since nancy's on the author list.

E

Anyone else bueller.

E

Okay, we'd like to figure out if this is ready for working group adoption um we've had five people read it so of those that have read it. um I I'm debating. If the hum tool is well, I guess for those who have read it, can you just make a comment in the chat if you think it's ready for adoption, just since we're short on time.

E

And then we'll obviously bring it to the list um and give jess and russ a chance to read it, and hopefully more people.

E

So is this ready for adoption.

E

And adoption doesn't mean it's perfect means it's just ready for the working group to develop it further. Okay, so yes,.

E

E

All right, so we have a few saying so far. We have all yeses saying it's ready for adoption, um we'll take it to the list, um I'll just check with russ and jess to see how much time they need to read the draft and um have that time period extended so that um they have enough time to read it to weigh in on whether it's ready for adoption and provide their feedback to help improve it. Thank you. Everyone.

A

Thank you and thank you for giving a minute back. Hank.

A

Thomas, you are up next.

L

Can you hear me? Yes, okay, cool, thank you, um okay, so maybe next um I'm gonna next slice, please um gonna, try and present the main ideas in in draft to show raspberry, um because the feedback we received was the documents not super easy to parse, so I'll, try and click and clarify at least the main points. um The hope is that the the ideas may be useful to others who are looking at the same problem space looking at how to instantiate the rats architecture using some well-known um two in the atf toolbox.

L

um We also want to gauge whether there's interest for a generic substrate either this or something like this in the area of what the charter calls interoperable protocols for uh for assertions uh conveyance next, please so, uh okay use cases first um context is you have some kind of operators that provides an input into your system and that it is.

L

It is critically important to to evaluate the security state of the operators before you can act upon its stimulus, and typically this is the case in critical infrastructure, say the dam railway power plant et cetera, but it could, but it could also be the case in in some industrial iot scenarios. um Okay, so for the sake of argument, let's take the example of a dam and see how the tested resource concept would fit in there.

L

So in a dam, you, you have a water level sensor that feeds into the logic of the spillway gate controller and the objective of the system is to control the inflow and the outflow balance by regulating the behavior um of the of the spillway.

L

So so the idea in this scenario is that the water level sensor would be exposed as an untested resource that the spirit controller can create regular intervals or maybe subscribe um and and decide whether anything needs to be done to keep the watering and outflows in balance uh and clearly and clearly uh uh the spillway controller needs to trust the water level sensor. Otherwise, you know horrible things may happen downstream and that's where the a tested part of an attested resource comes in handy yeah.

L

Next, please next piece, okay, so what is the value proposition here? What doesn't a tested resource provide? First, uh obviously, the resource representation in the use case we are discussing here. This would be your water level uh reading uh and second, the evidence about the security state of yosting platform in the form of an attestation report of evidence, as the architecture draft calls it and third a freshness indicator either from the color or the colleen.

L

We made both options available and obviously freshness is super important here, because we want the sensor reading to reflect the current state of the dam and not and not it to be some stale value, that's been say, replied by an attacker right, so an attested resource is essentially a way to securely bundle these three ingredients together, so that a relying party, in our case, this uh hypothetical spillway gate controller, can assess the trustworthiness of the platform that hosts the sensor before it decides to use the signal that is provided by the sensor to open or close the spillway gate or whatever the actuator job is right.

L

Okay! Next, please.

L

Okay, so for for this, we need to define the interaction model which, in our case, is sort of dictated by the client server pattern that underlies rest, although when, when using co-app instead of http, the observed pattern is also available for bitly for building trigger-based interactions, and then we need a compounded format to put together resource attestation, data and freshness indicators.

L

And, lastly, and more critically, I would say we want a secure mixing function. That meshes is meshes the the inputs together in a way that cannot be subverted by an active attacker. So someone who could play cut and paste or other kinds of manipulation tricks on the exchange of payloads needs to be detected next, please and so um okay. So our draft defines what and tested resources and together with that, it describes a basic restful interface to access it.

L

I say basic because it's not the full a to us machinery, but just the essentials, so you have request methods, response codes and mime types for both http and co-app, plus an optional discovery, interface based on the core source directory.

L

um We go a bit further than that and and also provide an interface to the verifier that is very similar to the tested resource as it's built on the same principles in particular. The mixing function is the same same thing. There same construct, um and we do so mainly because it's critical to have that in the password topology where, where, where get tested forwards, data produced by the verifier, and so we need some sort of common format there. So it's not required in background check topology, where you don't need that level of interac internal coherence.

L

um So there you could have completed a couple interfaces but um but for passport is absolutely needed. Next, please, okay! So this is the implementation model we envisage. The hosting platform has a rich execution environment based on, say, linux or zephyr, or embed os, and a trusted execution environment parallel to death, say tfm on top of trust zone um and the ree hosts the uh rest front end so either an hdp or a clap server, or maybe a dual stack app.

L

I don't know, and and and the front end is coupled with the trusted app in the te- that a controls, the data source, uh the critical data source and b uh as access to an attestation service, uh and the idea is that the trusted app is able to produce the attested resource representation by combining the data source and the attestation report into the expected mime type and and pass it back to the front end for delivery.

L

Next, please, okay! So before we hinted at this combining function and its security, critical job, so the mixing function is is a core component in the tested resource game because it provides a fundamental security guarantee, which is that the resource and the platform security state for uh for a given transaction cannot be separated without breaking the verification process. So this is what prevents an attacker to splice together at the station and and the resource representation from different transactions into something that becomes acceptable um to to the verifier and the ingredients.

L

For this are three n and an optional challenge provided by the protocol initiator by the client t an optional time stamp that is provided by the protocol. Responder. The server and r, which is the naked resource, representation and and the mixing, is simply the hash of the concatenation of the three right with length indicators to for robustness um and and and and the result of this competition is then assigned to the norm's claim in the associated attestation report and therefore it gets signed by the platform attestation key okay.

L

So, basically you take this blob uh um out of the mixing function that captures the current resource state, plus uh the transaction, identifiers or freshness indicators. However, you want to call them um and make it a piece of the attestation report, so this is this is um how the chaining between the resource and data station works, so so this is how the tested resource is built um and note that in this process we stressed about the semantics of the nodes of the noun's claim that is described in in the x-back.

L

um This seemed like a sensible use of the nouns claim when we started this, but uh yeah, I don't know, I will discuss this with lawrence, because um I'm not sure this is still the case. One one could as well mint a new adult claim for that. It's not a critical thing. um Next, please.

A

So there was a question on the chat from dave taylor. Why the nonce, rather than a separate claim.

L

Yeah, that's that's exactly what uh what I was saying um initially, it seemed like the nouns would have compatible semantics, but I'm I'm not sure yet about this. So I want to discuss this more but, as I said we could, we could have a separate claim, um it's pretty natural to do that. In fact,.

L

But yeah I'd like to discuss this further.

L

Thank you dave for following a question: okay, so yeah.

A

No separate claim is better, in my opinion, yeah anything okay, thank you um check, um thomas. Yes, your 15 minutes will be up in a minute. I can give you four minutes. Okay, uh I need time so that we can go over the milestone. So I'll give you four minutes and then I'll. I need to cut you off.

L

Okay, thank you. No worries, okay, so uh the absolute interfaces uh first, the tester so x here is typically the um relying party which initiates the transaction and supplies the optional challenge. Nx, the tester answers um with the tested resource that is composed of r the resource representation itself and the optional test. Mta is a snapshot of the local clock and the attestation report. Capital e, which, by means of the mixing function that we discussed just two slides above, depends on the freshness indicators and the current resource state optionally.

L

If, if a previously computed station result, capital r over capital e is available, for example, this is the case in passport topologies that can also be attached to the reply. Next, please another the verifier. Why is the client? It can be the relying party in background check or in a tester in passport mode? Why sends the evidence to be verified and an optional nonce, and why the verifier does you know the verification and responds with an optional stamp tv again, a snapshot of the local clock and capital r.

L

um The attestation result, which, by means of the same mixing function discussed, depends on the freshness indicators and in this case the verified evidence next, please, okay, so these two abstract interfaces can be composed in different ways, I'll give at least a couple of examples next, please.

L

So this is background check with norms-based freshness, drp requests the attested resource, sending a challenge nx the tester provides the compound resource imagination. Evidence drp can check at this point in time whether the attested resource has been manipulated in transit, if not a drp strips the resource, representation and and and just forwards. The evidence to the verifier, the verifier returns the decision results, which depends on e by means of the mixing function. At this point, the rp has all the elements to decide whether to trust a or not.

L

L

Okay, this uh so that that thing maps into this following instantiation on the rpa tester lag. You have the rp, sending a co-op post uh to the tested resource uri on on device.example, the the the tester node uh with the nodes encoded with the right mime type and carried in the code. Payload and and quantum negotiation done uh by via the accept option as usual and assuming everything is, is all right. And then then um the attester replies with a co-app to one response with the tested resource that is wrapped up in the right content.

L

Format, which is made of the uh embedded resource presentation. Note that it includes the type of the naked resource um and detestation evidence in each format, encoded as base64 for readability, which is variability.

L

On the rp at the very fire side with positive verifier is offering the interface over http, so drp will send an http post to the verification resource uri, supplying the evidence to be verified using the intel domain type content, negotiation, yada, yada verifier replies with an http 201, which means success, widgetization resulting format again.

L

um Next, please.

L

This one instead is a passport, a topology with freshness based on time stamps. Here the tester snapshots that tested resource at the time ta sends the computed evidence to the verifier, which provides an attestation result- capital r, uh when us at a subsequent point in time, the relying party requests the attested resource, uh the tester replies with the tested resource previously computed and the attestation results that he got from the verifier.

L

At this point, erp has all the information it needs to apply his appraisal policy and determining whether the platform which produce produces are can be trusted and are can therefore be safely used. Next, please.

A

I'm gonna give you one last minute, thomas.

L

Okay, so we can skip over this. This is very similar to the previous acceptors read more stuff in the response from your tester skip. Keep this please last thing is discovery. I think one can discover whether I know the hosts in a tested resource using the core resource directory. Okay, in this completely made up example, node one is a hurt. A heart rate monitor uh that advertises in an in a tested resource with a uri path that is slash, sensors, leisure, tested, heart rate.

L

The fact it is in a it's a tested resource is indicated by the content type ct equals uh rather tested resource, uh while the interface uh iaf equals rats. If timestamp says that the tester will provide a timestamp, so if you happen to trust its clock, you may as well decide uh not to supply unknowns uh in the initial query, of course, you may expect an attestation report too using this interface.

L

This also says that the inner content ibc ict is zero, which is the co-op code point for the text, content format uh and uh as long as soon as the tool one is received. So the the the registration was successful. um The any client of the rd can discover the tested resource and its properties by firing. You know the appropriate queries to drd interface.

L

Next, please, I'm done. I think. Yes,.

A

Can you uh yeah a.

L

Couple of discussion points: is there an appetite for a generic substrate either this thing or something similar? um Should we go forward with this effort? I mean with the conceptual thing it seems to be, you know um baked, but uh but there's a ton of things in terms of you know, registering code points and and and and defining a bit of more of the machinery that okay, if needed, I mean.

A

So, thomas, since we're out of time, my suggestion would be to bring this up to the mail list: okay and get feedback that way.

L

A

H

A

You're welcome to come back at the next session and you know present an update and findings. Okay, sure, okay, thank you. Thank you all right, so I have three minutes left, I'm hoping meet, echo won't cut my time um or that we can cover this quickly. So we need to update our milestones, so this is literally a cut and paste for what we submitted um and updated many months ago.

A

um Oh thanks roman. So hopefully I have seven or eight minutes. um So what I did ah thank you. So what I did was I put this on the spreadsheet um to cover just given that there's more drafts for those who who have drafts, who are you're not seeing this here, don't panic! Yet um what I wanted to do was at least first update what we currently have and reflect that so going through this, um I think, we've um we've, we've gotten good use out of the use case. Documentation fed that into the architecture draft.

A

The architecture draft has been adopted, as has the yang module, which is now referred to as as chara and looking at this. um The question is: um why did I put this as I'm not awake? Yet my apologies um okay, so I added the new one for the char draft and so for the authors there.

A

um I'm presuming that that draft is maturing. I haven't seen a whole lot of comments of late, and so the question is whether you feel it's close enough that we could do a um working group last call for it um next month in august.

A

If we can, then the soonest we can put it to publication would be in december.

A

Okay, who's on the queue hank.

B

Yeah hi, um I think that, while it is uh ambitious, uh my assumption is yes, we can do this, that there will be a review process in any case, so uh the time is not the waiting time. So yes, I think we can target that if we fail it will be another month. But yes,.

A

Okay, so um let me know when we can issue the module, but as far as the milestones go, I can leave it as august.

A

The question is whether you think we'll be ready for iesg publication in december. I just put that, as as an up, you know best scenario.

B

Yeah, I'm I'm. I have vacation august, I just realized, so no maybe make it september because otherwise effectively it would be like two weeks, and that is just unrealistic.

A

So chara would be september.

B

Yeah yeah september.

A

Okay, I'm getting a sense that december may be too too regressive for publication, so maybe put it to march 21.

B

Yeah depends on isg feedback in general yeah, but yes well. It.

A

Depends on the feedback of the the last call right and how quickly you can react.

A

Okay, so I'll update that to be march, 2020. um Sorry about the things here: okay, so the interaction models. We actually need to do a call for adoption, um which we took an action to go through that um the token bind draft geary removed it. So I'm going to take that off of our our milestones list.

A

Don't know what you wanted to do. Well, let me get to the eat draft so for the eat draft lawrence. We also need to add a a working group last call before we could submit it for publication. So question is to its maturity.

A

You've talked about the key which we discussed earlier, as potentially not really being in eat, potentially being a separate draft, so for the e-draft itself um as far as maturity, and when we can issue a working group last call: do you have a sense for that and and others who have been participating in the discussions.

A

um What I meant was uh yeah, I'm missing an item here to put it for working last call and then after that, um adding at least three months, if not six for publication.

A

Okay, let me look at the check. I think the.

G

Eat draft has a way to go yet um it needs to discuss um the software and part and the public keys, and I was also trying to get to key id and endorsement id today. So I think it has a ways to go. um There's also.

G

I think it also should should discuss attestation results and there's there's some still, I'm still trying to get some stuff sorted out with architecture and like what's in eat and what's in architecture, still is still up in the air in some ways in my mind, and so I'm trying to get some things into the architecture document about endorsements clarified. So I know what to put in eat.

A

Okay, um we do need to make make good progress on it, so um I will put it in to I'm trying to think. um Do you think december is too aggressive.

A

For a working group last call.

G

A

Seems like a reasonable.

G

Goal: um okay,.

A

Let's, let's update it for december and then I'll tack on six months, um which may put it to the july 21 for isg, submission um and roman did correct me. Yes, roman, I didn't mean for and I'll update it, not necessarily for publication, but just submitting it to to iesg um okay, so that takes care of the eat.

A

um We haven't talked about tuda for a while so hank, not sure and and authors of tuda, not sure what and where that draft is going to go.

A

Dave am I. You are audible.

B

Okay, excellent because it doesn't show micro, my uh as well, so uh um I think this is um the list here shows that the sequence better, I think interaction model should go first. Riv and yangchara rely on it, so that should be the focus on adoption. Tudor also relies on the interx model, of course, but I think if you go in sequence, we should focus on interaction model. First, we can do interaction, model and tudor in a bundle. I guess uh I'm not uh I'm not against that, but we should adopt yeah because.

A

That is a blocker.

B

For dave also, I think.

A

Yeah, given that you haven't presented it in a while, I'm not sure that I can do a call for adoption. Yet that.

B

Is fine, but actually is the thing I'm really really uh working around right now.

A

Okay, dave, you had a comment.

C

um Yeah so remember on the interaction models. There was the pull on the list. There was the you know, options one two, three and four, and so far the presumed answer that I've seen anyway is there's more people for option two, which is all interaction models in the same document. One could argue that tuta is elaboration of a particular type of interaction model, and so there's the open question is: should those two things be combined or not? And so this is a long way of saying.

C

I think you should remove the two to milestone, because you can always have a working group choose to take a particular milestone and meet it with multiple documents. And so, if you remove the two to draft and just say interaction models, and you know, adopt a draft or drop one or more drafts on interaction models. I think that's a better way to craft the milestones like.

A

Something, well, I can't say one or more because in the milestone trackers, they want me to map it to a draft. So.

C

um All I'm saying is that there is an open question as to whether tuda should merge into the interaction models, especially given the option too. Okay, uh no, no, no.

B

Don't make them as.

C

Being separate documents in the milestones, that's.

B

All I'm saying.

C

Yeah yeah yeah.

B

Interaction model, first to the next time. Fine with me.

A

Yes, okay, um so the if we can move on from from two to an interaction models. I think I've got that one covered with the architecture draft. We didn't. I need to add another milestone for iesg before I. I am not awake. My apologies for the architecture draft. We need to do a working group last call hank in your presentation. It seemed like you still had some issues to discuss. I I, as I was tracking all of the issues. I thought you guys were getting close.

B

Yeah yeah concerted efforts will make this happen until, as I would say, as aggressive, but I would say end of september and we should be done. We should really focus on end of september and then and then you shouldn't scold us.

A

Well, I mean I I'm not opposed to doing multiple working group last calls just to shake out more more feedback too. So, let's for september, just let me know let the chairs know sorry, um so that we can. We can start that last call, and then uh the question is whether we think three months is too aggressive for iesg publication.

A

Well, I'm going to be conservative and I'm going to give it um six months, so I'm going to put it to march 2021 for iesg submission um for that one, okay, moving on um for the riv document, that is a newly added one, so um I don't need to add the call for adoption, because we've already adopted it.

A

Guy, I I saw you ask, and I saw that you had some comments provided to the draft.

A

The question is uh whether you think we can be ready to issue a working group last call.

A

For the draft at the end of august.

H

uh Yeah, okay,.

A

H

The end by the end of august, I think yeah.

A

Okay, so what I'm going to do is in the next few days, I'm going to send a request to make sure that we're ready- because I haven't seen in the mail list some of those comments. So I will do that um barring that then we can issue a working group last call in august um and then the question is whether you'll be able to react to all the feedback so that we can submit it for publication in december, because that was the proposal. So.

E

You know the room is going to open for the next group soon in about two minutes.

A

Yes, I realized that this is the last one kathleen.

H

So nancy I at this point I'd assume. Yes, but uh you know, let me know offline. If you see issues.

A

Okay, well, we can update it um on that. Okay, so for the other drafts um for those authors just post to the mail list, your intent for adoption- and um you know we can continue that discussion um on the list and as they get adopted, we'll add them to the milestones.

A

With that. um We are well over time and, as kathleen said, the next sessions will be starting soon. So thank you. Everyone for the participation one last piece of administrative um is that we'd like to hold two interim meetings between now and the november um and again in the interest of time um we can post that in the list and um if there's approval we can, um we can set up doodle polls on timing. For that.

A

Any last they have to be really important. Closing remarks going once going twice all right. Thank you, everyone for your participation and um we'll continue discussions on the mail list and then on the next virtual intern. Thank you. Everyone.

H

L

A

B

Thanks bye-bye.

A

Okay, thank you.

E

Thank you, nancy.

A

Thank you kathleen.

A