Transformation and processing sections needed for attest key and identity key triples #330
Comments
Added sections for key verification triples including updates to external representations, transformation section and processing section. Issue #330 also describes issue related to key type specific verification and how to represent it in internal representation.
|
There is a thread related to the semantics of what it means for a key to belong to an environment. The next snippet shows an identity-triple that matches the keys that were named above as measurements and instructs the verifier to do key verification. If the private key for base64_cert_path_X was used to authenticate the Attester to the Verifier. The verifier also has PoP that the private key is indeed on the Attester. The above RV claim asserts that the private key is in the environment named ...39. The identity-key triple is almost a no-op since it did the key verification on key _X already. It just needs to add it to the endorsement record that will be added to the ACS. The Verifier can also check key _Y, but since it wasn't used earlier, it has to do the cert path validation, crl check. It can't do the PoP check unless there the conveyance protocol exposes an interface for that (out of scope for this spec). Note, the Verifier has the option of creating richer endorsements that might indicate the variety of key verifications checks that were applied and the result for each. That might require breaking out each _X and _Y keys into separate triples entries so they can have different verifier asserted key verification results (or the verifier might just generate an audit log with that information in it). |
|
So identity-triple and attest-key-triple both get processed the same way (perform checks before associating keys to environment), and there isn't any requirement to verify a certificate path in cryptokeys if in evidence, since the claim itself means the keys have been verified by the attester? Ah, and that's why the Verifier is the authority when processing identity-triple and attest-key-triple. But after translating both of these triples to the same internal representation, for what reason are there two triples for the same thing? It looks like they imply some meaning, but if you drop that meaning in the transformation prior to giving the ACS to your policy engine, I don't know what the point is of keeping them separate. |
DICE certs and TPM keys distinguish between keys intended for use to sign evidence vs. signing an authentication challenge. The Verifier presumably will check this. We talked about merging the triples, but that would require parameterizing it in some way. Since the convention has been that the predicate part is implicit (not in CDDL) if there are semantic differences that would require parameterization, we decided to avoid that by creating a different triple. However, if the triples are restricted to using crypto-key-type-choice forms that have certs (or require the verifier to do path construction), then the key type is in the certificate (or the key object itself). It doesn't need to be a parameter of the triple (I don't think?). The wording in the transformation and processing sections imply that the key type / usage restrictions are part of the crypto-key-type-choice object already as the internal representation doesn't parameterize on key type / usage. Assuming others agree, I think the key verify triples could be merged. |
Added sections for key verification triples including updates to external representations, transformation section and processing section. Issue #330 also describes issue related to key type specific verification and how to represent it in internal representation.
* Added sections for key verification triples Added sections for key verification triples including updates to external representations, transformation section and processing section. Issue #330 also describes issue related to key type specific verification and how to represent it in internal representation. * Update attest-key-triple-record.cddl Update external representations to include authority and mkey as optional but useful condition information. * Update identity-triple-record.cddl Updated to include optional but useful condition information. * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md revert plural to singular voice * Update draft-ietf-rats-corim.md reverted text * change the order of fields in the record Avoids conflicts with exsiting fields. * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Apply suggestions from code review Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update cddl/attest-key-triple-record.cddl Co-authored-by: Henk Birkholz <[email protected]> * Added conditions map Added map containing mkey and authorized-by conditions. * Update comid-5.diag added examples for identity and attest-key triples that exercises the optional conditions map * Update spec to reflect cddl changes Added option map to attest-key and identity triples to include conditions for mkey and authorized-by * Update comid-5.diag Added section for reference-values triple that identifies keys as being measurements. A subsequent identity-triple example matches it so that key verify process will be applied. * Apply suggestions from code review * Create intrep-key.cddl add file to define typed keys * Create intrep-start.cddl added start file for intrep * Update corim-frags.mk added intrep-start.cddl and intrep-key.cddl to corim-frags.mk * Update corim-frags.mk Added frags to enable intrep autogen to build * Update intrep-ect.cddl Modified ECT to use code points as the alternative wouldn't build * Update intrep-key.cddl Created extension to measurement-values-map to support attest and identity key types. * Update intrep-start.cddl created a start cddl file to focus testing on ECT * ECT examples created Created examples to test ECT structure * Update Makefile Added target for internal representation examples * Update intrep-3.diag changed cmtype to be endorsements * Update intrep-key.cddl Added 's' to intrep-key to indicate it is a list of keys. * Updated key verification sections ...to reflect use of internal representation of attest-keys and identity-keys. * Update Makefile Fixing a tooling error * Update Gemfile Changed to use latest cddl version * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md Co-authored-by: Thomas Fossati <[email protected]> * Update draft-ietf-rats-corim.md restructured identity and attest key triples to accommodate Dionna's feedback and to improve readability. Updated Phase 5 wording to be less prescriptive and more conceptual. * revert intrep-ect.cddl Signed-off-by: Thomas Fossati <[email protected]> * intrep-key changes to follow convention Changed intrep-key to follow internal representation convention that uses text keys instead of numeric. --------- Signed-off-by: Thomas Fossati <[email protected]> Co-authored-by: Dionna Amalie Glaze <[email protected]> Co-authored-by: Yogesh Deshpande <[email protected]> Co-authored-by: Henk Birkholz <[email protected]> Co-authored-by: Thomas Fossati <[email protected]>
Also relates to #314
A transformation section is needed for attest key and identity key triples that describes how attest/identity key triples are transformed into an internal representation.
A processing section is needed that describes how the internal representation is processed. For example, it might impact phase 3 where a negative result of the AKT prevents the reference values from being added to the ACS.
Note: Given verifier behavior differs based on the type of key (identity vs. attest), there needs to be a way to represent the key type across external to internal processing. One approach is to modify the internal representation to include
key-typeinfo along with the$crypto-key-type-choicekey.The text was updated successfully, but these errors were encountered: