Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / RATS Architecture Design Team / 26 Jun 2020
Internet Engineering Task Force / RATS Architecture Design Team / 26 Jun 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: RATS Architecture Design Team, 2020-06-26

Description

RATS Architecture Design Team, 2020-06-26

A

um Greg you've been on a bunch of calls, but you could introduce yourself again if you like, not seen dave yet or hank. Oh hank is here.

B

um Yeah I'm greg costell. I work at microsoft. I work with dave thaler. uh In the last six months, I've been working on the microsoft attestation service in azure.

C

All right, dennis matune also happened.

D

To be at microsoft,.

C

But in an entirely different area uh in in microsoft, research uh working on uh security and privacy topics right now um within a particular focus on iot, but it's industry-wide.

C

I am representing microsoft and tcg as the workgroup chair for the dice work group and as a co-chair of the attestation work group along with ned and hank yeah,.

A

Thanks that was dennis right, yep.

A

Anyone else want to introduce themselves.

D

Hi, this is bill solton with cisco, I'm in in our security and trust group uh uh representing cisco, also at trusted computing group in a couple of the work groups.

A

There.

A

Find it really disconcerting that the webex sorts it alphabetically, except it always puts your name at the top.

E

That's on purpose, so you can easily mute yourself in some of the old web interfaces.

A

Yeah, I guess so, but it's just them like it just it just confuses me because I I think it's not sorted, then I realize it is sorted.

E

Here's an interesting uh fact about webex, which which I believe to be true. I I know that people have shouted out in the past, but they kind of tweak the user interface all the time. So you don't get used to it, and that keeps you a lot more rare to.

A

Change, I'm sorry, but it sounds just like ux designers who don't want to get laid off.

E

Well, you know it sounds that way, but I found it in actual practice that that it kind of works.

A

All right so king on someone.

F

Didn't see.

A

Dave yet um and there's a couple other regular suspects, ned uh that I don't see yet um so I'm not jumping up and down to start, but let's, uh let's, let's, let's, let's start on some stuff. uh So one of the items that I think was uh open last time was the hardware watchdog, we're gonna we're gonna, give people a chance to read it.

A

uh Let me change text, so you're asked me to add the tcg reference.

A

And I did that here and I'm wondering if there's any objections at this point, there's.

A

Sarah.

A

Any objections to the text, this text.

A

Hi ned.

G

Hey, how are you.

A

Good we're missing dave at this point and I I I hope he understood we were meeting today, but I'm not sure he did in the end after all, uh but let's try to make some progress without him. uh Any objections to the hardware watchdog case.

F

Dave it's very hard to say, but I think he was not those were. This was those contentious items. They were only editorial.

A

I'm going to oh, we have a conflicting files now all right, so that has to be uh remerged. um Okay. So let's talk about uh this is that item? So let's not talk about that. uh Those proposed checks is 106.

A

uh definition of verifier.

F

Owner.

F

So I think, of course, yes, it is. um This uh is a little bit aligned with hannes's um comment. Do we really need all this and I think dave and some other participants established last time? Yes, that we need that, but uh this is a comment because it was in kathleen's list of first batch of yeah basically uh feedback, so it's here, but if it's not contested, I would still assume that this is needed and therefore the answer is yes.

A

Okay, so it should just close this under the yes really retain this definition.

A

Right all right, so next issue. uh So first let me come back and ask whether uh we have everyone. We need to make some progress on freshness and time reorganization. I don't see any up. If you press e5, you will.

F

Because I, in the very last minute, updated pr8, I hope maybe I did not push it.

F

Push something let me check that.

F

um I'm in more time considerations I push something for more time, cons times, considerations.

F

Yeah.

E

And that's interesting so.

D

Yeah, that should be, it should be something.

F

So I put stuff to the example in appendix uh I don't know. Example: three independence.

F

Which, apparently, did not I ten minutes ago, I'm looking? Oh, is it okay.

A

So these are the changes you've just pushed, so do you want to just do you want to run us through that, or do you want to um so I think.

F

The contentious stuff is actually the the table above, so the text is now better using the table, um so there's additions to the table in uh in one of the combats yes, that is it so so this is the contentious stuff. There is a test awareness year and dave was not sure. If that is required.

F

uh Dave said it is not used. uh So now it's used of course, so that is the text that that the text is now reflecting. uh So this initial comment is basically addressed, but my assumption is unfortunately he's not here. um That dave is not sure that a tester awareness is needed.

F

One of the things that he said was this is never traversing over the wire, for example, value generation also does not evidence generation, of course does, and there is something relayed which we should call conveyance at some point or convey because that's the terminology we use, but that's only a minor net.

F

um So the thing is that he said that everything that is associated with the timestamp here is at some point conveyed over the wire or the internet or whatever, and that is effectively not the case because at the very least value generation is not, and so um because only it processed internally, it's also only processed uh internally, but without him I'm not sure we can uh move this forward. Actually.

E

I should probably comment. I certainly think aaa is is useful, so I can put that on the front.

G

You you is in a use case.

E

Oh yeah yeah, absolutely um you know when you have a central time generation or a key that can't be distributed until a certain time. So this is similar to tuta, but just the idea that the attester can't become aware of something because they don't have any possible way to get the nonce until a certain date or a certain time.

G

Did the text for value generation change, it seems like the sentence doesn't make sense.

G

This grammatically strange.

F

It's I was not my intent to change it. I'm not sure why it shows a chain has changed here, maybe because it was in moved in between or something but the text actually did not change. I did not touch.

F

Oh.

A

There's a period there's a period on this one.

G

Oh building period, even the old one, seems the grammar.

F

Seems weird yeah, so I think I think that is something yeah. So, for example, I think also evidence relate is not the terminology we use. I think it's evidence conveyed, but uh these are myths. These are other. uh I think there should be another editorial pass over the table that fixes the description language by not altering its meaning and also the names here event names. uh That is all not to the point here right now. I think it is more about the uh contested uh contentious content.

F

That is a a and I think there is a use case, and I think eric was agreeing with that right now, but but um so most certainly, I think that it is um sometimes, for example, for boot, integrity and runtime integrity, but times between value generation and evidence generation is is huge, and that has an impact on the meaning, of course.

F

So whenever the system gets aware of that and then actually starts to collect them or don't have to collect them, because it's already aware of it is a lot of workflows, a fundamental trigger point for lots of pro cards. I assume so that's why awareness is here now.

A

Well, I don't have a problem with putting uh tags into the document, particularly now um that um we think we're going to need in in in a protocol definition, but it turns out if it turns out, we don't need it well, we take it out of the document at a in a future uh revision.

A

um That's the difference between proposed standard and internet standard. After all, um so I don't have a problem with with it and if, if I hear a couple people saying that they're happy with the that thing with having it there, um if the text is not perfect, I think we should still merge it at this point.

F

This and uh bash the text for me, we can always revisit this and bash the text. We can.

A

Fix it again, and we have a working group last call that has to start very soon so um that if someone really objects to it, then that will come out.

F

Of a timeline.

A

That I'm not aware well, we kind of would like to get. I think, there's some thought that we would like to get this document into the isg hands by the end of the summer. um Okay, because that's.

F

All the time.

A

I mean so that if you work backwards, that means that we need to have a working group call last call. We need to give our 80 time to write it up. Who is our 80 anyway? It's roman, okay.

A

um I know that ben is very backlogged on a lot of things in like six months on some things, so.

F

That's super quick, I'm actually helping ben. Sometimes so that's funny, um yeah. Okay, uh I think, for the sake of the time we can, if there's no objections here, we can merge it now, but I don't. I think, because I wrote it, but there's any opinion about this. So uh literally that would be like bro.

F

I have to take a step back or something here. I think.

A

Okay, so all right, so that's merged. Oh okay,.

A

Let's go on to other.

F

Wait dude.

A

um So.

A

Let's, uh okay, so what about freshness can we do anything with that today?.

F

I hope I think well, thomas is not on call, unfortunately, but he provided a lot of feedback and maybe we can even we can look it through. I think that's worth a while. uh I think he hit a lot of it again. Dave was awesome yeah, so I don't know.

F

Thomas and dave can at least read the comments of the line.

F

There's a grammar suggestion here.

F

What are.

A

You doing oh, what am I doing right now? I'm just stopped at the text right now. That's the big block. Okay, we're looking at comments, but, okay.

F

But I think it right now: we text uh you scroll by a comment from thomas. Maybe we go back up and address that.

F

Yes, yeah.

A

He says I'm posing this right, so he dealt with dealt with. That part is what the.

F

Point.

G

Don't see it.

A

Okay, so let's come back down to here to this comment from william.

A

um

F

The test part here that addresses your.

A

Call solely just wish there was a suggestion here so and might be suitable, for example,.

A

So we need to take this plus this reliable clock is that the right part.

A

Did not work.

A

Says when it says solely on the appraising.

A

Party.

A

uh So the current seems when it says solely: it should instead say yes.

F

Anyway, are you able to comment on.

H

Here think I I don't think the second uh is very good. um I went to cause uh the remote attestation protocol initiator. Is it well well, this be too complex.

G

Right, it's a new thing. Why? Wouldn't we just.

G

Say.

A

I I really don't quite understand the problem in the first place, um so I think that the point was that the attester can't cover the case where the relying party sends the nods- and he says you're right- it's not limited to the attester, but the solution doesn't seem to be right, so he's offering us two solutions and might be suitable. For example, in the case the attester does not have does not have. I guess, then it goes to relying have a reliable clock.

A

And then he has a second suggestion, which is this larger piece.

F

Yes, the one that tries to address base comment and the second one is an implication of fixes.

F

This is not basically uh to the point.

H

I think the second part is isn't uh from my my comment. um The first part can the first situation. You know uh he suggests uh to add. For example, I think this can address my comment and the second. uh uh I don't think it's from my comment. I think it's um his own comment.

F

It's like an hour thought when he was trying to list your points. He came up with the second item, so um but okay, so it's the.

A

Most right, so so it's just puts in the the the first point is we just put in, for example, I I understand that now it's very hard for me to see that that's all he did on there. uh The second phrase where it says solely on the praising it either verifier or evidence solely on the remote attestation protocol initiator, so he's suggesting that instead of saying the the verifier that we have to say this, and I think it's not an improvement.

F

Increase the scope on on who triggers what, which is, of course, I don't think that's the right place to put it.

A

Okay, so uh just do do you want? Does anyone want a chance to read through this block of text, uh or uh do you think we've been through this enough times.

F

So I think the text itself- fine, are there other comments on the on the current text that we could we ever.

F

Otherwise, actually went through it quite often, so this is on the next level. Probably please yeah exactly yeah.

F

But a lot of work went through this so again, michael other bigger comments in this apr. Yet.

A

No, there is no other, no other comments.

F

Actually match this gift, I think capture the example um proposal of uh thomas in one item here, because it will be lost in close pr space, just merchant or uh so raise another issue on this uh item after we have merged it, so uh that we can, we will not and uh thomas is a propos, an example here.

H

I'm.

A

Okay, no, these are all closed items or things. um Anybody.

F

Has a strong opinion about this, otherwise,.

G

No, I don't, it seems fine to me.

F

uh Here today, that is really uh we tried to somewhere. I don't know, there's someone from microsoft here that is working with with dave. Do you know why it's blocked.

G

Title.

B

I don't know.

A

Either just wait didn't wake up or something else.

F

Yeah, okay, but I think you can be able to check the comments.

F

So.

A

Okay,.

A

huh I'm making an issue for based on this text: yeah, okay, excellent yeah- I'm doing that doing that right now and uh I want thomas I'm gonna assign it to him good and then we will commit the rest of it.

A

The bottom here all right, so it has a conflict, so we need. I need to pull and commit it all right. So, let's move on to the next something else. Do you want to pick.

F

Something uh is lawrence on the call, I think so. Okay, then lawrence the cpr, probably we gonna do.

F

I'm gonna have to drop actually.

F

Yeah thanks for your time, yeah.

F

Yeah, I think we cannot proceed with either of these, because all of us are not here.

A

All right, so we need to figure something out all right, so uh I believe dave did figure out that. Oh, we have other changes to freshness crap.

A

um I don't know what they are.

A

Gonna have to go through the whole paragraph.

A

We made some other edit to the freshness area since and say no.

F

What was that conflict right now? Because I didn't think it commercial.

A

Conflict yeah yeah, maybe I'm just waiting for you to pick some things. So it sounds like we don't have.

B

Anything that.

A

We can do what.

D

About the list.

A

Of issues.

A

What are the risks of role.

A

Issues.

B

um I raised number 92 a handful of three weeks ago, or so I don't know. If there's any discussion on it, I was not around for any meetings where there were.

A

Yeah, I think we were.

B

Hoping for more.

A

Conversation with you, yeah, hey. We talked about this actually on tuesday, um so I remember what we did with it. What do we talk about this? This became a okay, so, first of all we did. We did create an issue in eat based upon this text. um It's somewhere.

I

uh Yeah.

A

Yeah.

I

I guess I get confused by this. My uh michael, why are these? If so, would is so? Would the verifier create an attestation on behalf of its own security state and just happened to append the attestation evidence, along with it or just be carrying devastation evidence, as kind of like a a blob, a an opaque payload, fully signed and on to the relying party you know, for you know as part of this, it wasn't really clear to me: what was the intention?

I

How would you like to see it done here.

B

Are you asking me the the person who created it or somebody else.

I

Oh, who, who created it sorry, I thought it was michael who created who created.

B

I I I created, I created the issue, um not responded, or I wasn't present when all the responses happened.

A

Right and.

B

I I.

A

I copied this topic because it seems to be specific about eat.

A

um I copied it to the eat repo, as this issue number 63, okay um here, so I simply copied it over to this to the correct uh github uh repo, so that.

D

Okay,.

A

Dealt with as an eat issue, if there's an eat, eat discussion that has to happen yeah.

B

I I was looking. I was essentially looking for a little more ammunition before I went to eat I wanted. I was looking for the architecture spec to clearly state that, if appropriate, right, you know that verifiers may have to act as attesters to relying parties uh and once that was clearly stated, then go to eat and say you know: do you have any guidance on on how we want this to kind of be standardized or not? I mean that's a very real uh thing that we do in that.

A

And I think that that's where we took your topic one and two right: um uh we understood that that was maybe the case, and then we sought thought the topic. Three was more about the the mechanics of how does this work.

B

Yeah that, yes.

I

Yeah and so okay, so just kind of as a meta comment, you know it's one thing where they, where the attester communicates and attestation. Sorry, not the the verifier, communicates an out of state station token on its own behalf to the relying party and that's fine, I think, that's a perfect legitimate use case. The verifier is basically verified, confirming its security state to the relying party, so the lying party can trust it.

I

It's another thing when the test of when the verifier conveys the attestation evidence from whatever the remote device is in the context of an eat into to the relying party that almost seems like uh embedding a protocol on top of the uh within the attestation. Token, that's not that's, maybe a little bit beyond scope, I would say: yeah go ahead.

B

I'm specifically, I'm I'm I'm talking about the first one, I'm that that's what's in my head.

E

They.

B

Didn't communicate well, but that's that's what I'm talking about.

E

Okay, in terms.

I

Of the second one.

E

In terms of the second one I just put in the chat window, an example of how that could be done from a draft that I posted, so it's a cup, it shows a attestation results vector that includes results plus evidence.

E

So I think that uh that if you want an example of how that is relevant, then you know I'll post it here to the to the um issue as well. But this is an example of how to how a vector from attestation results might include the information being described. In this example,.

I

All right, I mean I'll, take a look at that error. I think that I think the thing you know I'm like I I assume one model would be that the verifier would first convey its security state to the relying party and then the verifying relying party would establish a secure channel between the between each other. Then, after that, the verifier would just send out a station evidence uh by itself over to the uh over to the lying party, but yeah.

E

There could be other ones yeah, there are other models, and one of the reasons you might do this is the attestation results might be a one-time event which gets signed and then stored on the attester to be forwarded over later to the um to the relying party. So the idea of having to build a secure channel later either might not be an option or it might not be scalable for the solution.

E

So the idea of adding extra information on the attested results um that includes some of the original evidence is a valid means to scale uh the verifier quite well.

I

Okay,.

B

Yeah, I I think from my perspective, the the the first part was. I was just looking for text and I still haven't seen it in the doc that basically use the word. You know when talking about establishing trust with the relying party you know use the verbiage of of of giving it uh um no I'll miss my terms here, the the let me find my architecture, diagram.

B

The evidence right the uh that attempt that a tester would give and yeah. Thank you, the um so. The the the text in the in the trust bottle section of the dock when it's talking about establishing trust between the verifier and the relying party never uses that term uh acting as an attester or providing evidence. It talks in more vague terms. Yet when it's talking about establishing trust between the verifier and the endorser or verifier owner, it does speak in those very specific terms.

B

So I I I don't understand why the the terms being used aren't uh the same essentially.

A

So greg, would you like to propose a text change specifically because I I you pointed at two places here where you thought there was some missing words yeah. I.

B

I could I'm not sure about processes, I'm very new to working with.

A

Yeah, well, your choices, your your your choices are to email text to send a pull request um and it goes down to with github. Now uh you can, literally, uh you can literally click on this document and hit this edit, this file thing and it will create a pull request for you.

C

Okay,.

A

um Just the beginning is a little bit not marked down-ish, because it's got this yaml stuff in it, but the rest of it is just marked down.

I

Yeah.

B

I I can certainly do that if, if uh you know, if that's what's appropriate to the next step, absolutely okay.

A

Oh I mean, or even your ticket you can even suggest text there. If that's what you specifically and we'll turn it into a pull request.

B

Okay sounds perfect.

A

Okay,.

A

So I'm going to find it back to you here we go.

A

uh All right.

A

Issues.

A

Hank this issue you opened some time ago. Oh I signed it to you.

A

Any memory of what it was there's this probably merged, maybe.

D

The food closed.

A

Yeah, maybe this is this merged, so maybe it's it's closable now.

F

Because of outdated issue um yeah, this is not on my radar, I have to admit. Okay, you have to look if it's outdated.

A

It might.

F

Not exist anymore yeah, it might not exist.

A

Anymore,.

A

So message lawrence, we assigned it to him, signed it to him, uh preferred serialization format. uh I think we did something with this. Didn't we maybe I dropped the ball on that one. What are roll compositions.

A

We ned did drop out of the call didn't he yeah okay, so we can't bother him to. I know what he just said: there not a very successful uh grouping here: security considerations for implicit trust model. I wrote that note to myself. I haven't done anything with it uh that was greg's confusing. That was a question or responding with question. Freshness may not be inclusive enough. That's the one! I just opened! Okay! Well, um that's about it! I would say three days ago, open three days ago: oh wait a minute. Okay,.

F

Oh yeah, that is the text uh day for um past, with uh creating.

F

Yeah try to do it the same day. That's why I probably is apologetic here right now, so he right and he immediately.

A

Just slips, so I had only one problem with it, which is that um he created this term verifying relying party, and I just felt that we should put a slash or something in it.

A

That was my only complaint.

F

It would be an appraising party, verifying is good, um so it would be an appraising or relying party if we want to stick with our terminology or focusing it back on roles. So you're.

A

Saying because the verifier appraises the evidence, it's in a phrasing.

F

That's that's the case, okay, so that would be the first time we are using the words appraising party here. So maybe just I don't know the text a little bit. You can go back to roles with me, but also this is just I'm. Okay with this.

F

We also re-verify on the uh probably not really.

A

Means all right, uh so I'm just going to write here.

F

um Also the term in general, so they are.

F

Sometimes I'm sorry about this. I did not write any comments, but I thought also therefore here um so I don't like. I really. I didn't think we should abstain to a test, a testing.

F

That is, I think, a document global policy. Unfortunately dave used the term test again, so um I like to have that in the document with this choice of terminology, meaning is good, so semantically defined with everything here.

F

So where does this word show.

I

Up thing.

F

I don't remember I could control find the term a test. It's basically face a test space, something like that.

A

Require the relying party owner attest to it.

F

Oh, that's a difference. Okay, that's nothing! The wrong test, so uh a test main first test here here this one and then I verify.

A

First,.

F

Yes, pure interesting, so uh because the the remote attestation is the whole thing and then uh the verify it tests. This hurts assume what.

A

About this one relying a test to it, yeah, so what is it you would say? Instead.

F

That it asserts, or something involved.

F

Because the attestation.

E

Is such a big word.

A

You want to try.

F

To avoid it actually yeah.

A

So relying party assert to it that would make you happy.

F

No, not no, no, no, no, not in all cases, because if it's just asserting it, I'm not sure what what powerfulness means, maybe maybe the maybe the relying party has to be an attacher here and it creates evidence about it. So, but I assume that this is correct. I don't have to have another look at this means literally to correct evidence about this as a relying party which would make uh render the blind party also taking on role of a tester here, which we already had as another topic here today.

F

So I'm not sure what they've really intended here. But I think this is the way. This phrase is confusing.

A

Yeah exactly verify first, a test to it.

F

Yeah, I don't know what it's just confusing. So that's my second comment on this.

A

Okay, all right all right with that, I'm gonna close. I think we should close the meeting.

A

Anything else.

F

That we can do today, we can do that.

F

Which does not seem to be the case.

A

No other business all right. Thank you to all.

A

Enjoy your weekend.

E

Thank.

B

You.