Verify key triples #341
Verify key triples #341
Conversation
nedmsmith
requested review from
henkbirkholz,
thomas-fossati and
yogeshbdeshpande
as code owners
draft-ietf-rats-corim.md
Outdated
| [^issue] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/330 | ||
|
|
||
| * If key verification succeeds, **extend**(`ev`.`addition`.`element-list`.`element-map`.`element-claims`.`measurement-values-map`.`cryptokeys`, key). |
There was a problem hiding this comment.
I'm thoroughly confused what point an attest-key-triple serves if it is exactly the same as an endorsement of a cryptokey. It loses information about the key usage for verifying evidence to just being about having some key provisioned to it.
There was a problem hiding this comment.
@yogeshbdeshpande when PSA (not CCA) has its token verified with the IAK, "the verification public key is looked up in the appraisal context using the ueid claim found in the PSA claims-set."
This appraisal context is separate from the ACS? It's some unmentioned data structure that associates an environment with the key that should be used to verify the PSA? If not, and there is an ECT representation of it, then how is the transformation in #341 that strips the attest-key-triple quality to make it just another cryptokey measurement supposed to maintain the integrity of that lookup process?
There was a problem hiding this comment.
Hi @deeglaze : Veraison started when we did not had the concept of ACS within CoRIM draft, forget matching the exact data structure! However the concept of Appraisal context is the same as ACS. I would not prefer to explain too many details about Veraison implementation here, been this is a more generic CoRIM repo, but happy to explain it in a separate issue under Veraison repository!
There was a problem hiding this comment.
Appraisal Context in this document is used as a nebulous, "stuff related to appraisal that we didn't represent in the ACS".
If we're making attest-key-triple mean something more than an endorsement of an (attesting) environment holding a key, we need to disambiguate it in the ACS to make the evidence verification section self-contained.
There was a problem hiding this comment.
The original text was actually wrong (append direction was reversed). The new text fixes this.
The other thread doesn't seem related to the cited text. Maybe it belongs somewhere else or take it to the issue instead of the PR?
There was a problem hiding this comment.
If we're making attest-key-triple mean something more than an endorsement of an (attesting) environment holding a key, we need to disambiguate it in the ACS to make the evidence verification section self-contained.
We're not. The ACS has an ECT that associates the name of the key with an environment. This exists under the authority of the RVP as well as the Attester.
The attest-key-triple asked the verifier to do key verification. As a result, the ACS has a third ECT entry identical to the first two, this time under the authority of the Endorser and the Verifier. The Endorser is the entity asking to do the key verify checks, and the Verifier is the entity that did the check.
Putting it all together:
step 1: Attester says key _X exists in environment _E.
step 2: RVP says key _X is supposed to exist in env _E. (aka step 1 is corroborated)
step 3: Endorser says key _X is supposed to be verified.
step 4: Verifier says key _X was verified.
An RP may have a policy that wants to see all 4 steps. There are entries in the ACS for all 4.
There was a problem hiding this comment.
The triples are named wrong, then. We shouldn't say anything about attesting or identity of the triple just means the signer demands a check to be done. I don't like that though, since there's still nothing that cleanly says "to get the attesting key for evidence of Target Environment E{layer n+1}, use the first cryptokey in E{layer n} (no mkey)"
A profile can of course say do something else, but as long as we're already translating everything to internal representations, I'd like to know in what senses I'm saying profile P's analog to evidence verification is "treat X as Y".
draft-ietf-rats-corim.md
Outdated
|
|
||
| Attest Key triples instruct a Verifier to perform key validation checks, such as revocation, certificate path construction & verification, or proof of possession. | ||
| The Verifier SHOULD verify keys contained in Attest Key triples. | ||
|
|
||
| Attest Key triples endorse that the keys were securely provisioned to the named (identified via an `environment-map`) Attesting Environment. | ||
| Attest Key triples endorse that the keys were securely provisioned to the named Attesting Environment. |
There was a problem hiding this comment.
I would like this to be the introductory line of the section.
There was a problem hiding this comment.
Same for the device identity key section above.
|
Additional use case background on verify-key-triple: User / Verifier will never see data / evidence signed by these keys. However, if a key is revoked, it would be useful information to a RP who is managing security risk to know if such revocation happened. This is not an architecture unique to Intel as CXL devices will have this type of key. The RefVal triple and concise-evidence triple can validate existence of the keys. However, it is up to downstream processing to determine if any of the keys pose an additional risk as the Verifier would not automatically discover existence of a compromised key. As an optional to implement triple, a verifier could step up to do these checks (possibly as a way to achieve better scalability vs. pushing it off to downstream RPs? Some other endorsement specification could be used to achieve similar objectives, but that wouldn't change the performance / security dynamics. Completely ignoring it is another option, but trades security for performance where the cost of doing the security check is easily quantifiable. It seems clear that there will be customers interested in doing the checking. The question is what role should corim play and when. |
draft-ietf-rats-corim.md
Outdated
| Validation may reveal an expired certificate. | ||
| The Verifier implementation might generate a certificate path validation exception that is handled externally, or it could generate a Claim that the certificate path is invalid. | ||
| For example, the Verifier may supply evidence freshness nonces to the Attester to be included in Evidence. | ||
| If a Verifier nonce is used, the Verifier may augment the ACS with a nonce Claim using Verifier authority. |
There was a problem hiding this comment.
What is a nonce Claim? Is this something like but isn't exactly eat_nonce? Given that the Verifier is allowed to add anything it wants with its authority, maybe we should drop this sentence and allow the reader to decide what claims they want to add.
There was a problem hiding this comment.
This is offered as an example. It is already assumed that the reader / implementer will decide what claims they want to add. Since the previous exemplary text is addressed as part of the triples, it isn't a good example. I updated the example to be less prescriptive / more conceptual.
|
I tried to build with map structure that doesn't use code points, but it failed (again). I'm using latest version of cddl. I don't see a reason to hold up this PR based on build issues. The prose in the .md file doesn't change. So it can be merged and if we want to change it to not use code points, that won't affect merged prose. |
draft-ietf-rats-corim.md
Outdated
| Validation may reveal an expired certificate. | ||
| The Verifier implementation might generate a certificate path validation exception that is handled externally, or it could generate a Claim that the certificate path is invalid. | ||
| For example, the Verifier may supply evidence freshness nonces to the Attester to be included in Evidence. | ||
| If a Verifier nonce is used, the Verifier may augment the ACS with a nonce Claim using Verifier authority. |
There was a problem hiding this comment.
This is offered as an example. It is already assumed that the reader / implementer will decide what claims they want to add. Since the previous exemplary text is addressed as part of the triples, it isn't a good example. I updated the example to be less prescriptive / more conceptual.
Added sections for key verification triples including updates to external representations, transformation section and processing section. Issue #330 also describes issue related to key type specific verification and how to represent it in internal representation.
Co-authored-by: Dionna Amalie Glaze <[email protected]>
Co-authored-by: Dionna Amalie Glaze <[email protected]>
Co-authored-by: Henk Birkholz <[email protected]>
Added map containing mkey and authorized-by conditions.
added examples for identity and attest-key triples that exercises the optional conditions map
Added option map to attest-key and identity triples to include conditions for mkey and authorized-by
Added section for reference-values triple that identifies keys as being measurements. A subsequent identity-triple example matches it so that key verify process will be applied.
add file to define typed keys
added start file for intrep
added intrep-start.cddl and intrep-key.cddl to corim-frags.mk
Added frags to enable intrep autogen to build
Modified ECT to use code points as the alternative wouldn't build
Created extension to measurement-values-map to support attest and identity key types.
created a start cddl file to focus testing on ECT
Created examples to test ECT structure
Added target for internal representation examples
changed cmtype to be endorsements
Added 's' to intrep-key to indicate it is a list of keys.
...to reflect use of internal representation of attest-keys and identity-keys.
Fixing a tooling error
Changed to use latest cddl version
Co-authored-by: Dionna Amalie Glaze <[email protected]>
Co-authored-by: Thomas Fossati <[email protected]>
restructured identity and attest key triples to accommodate Dionna's feedback and to improve readability. Updated Phase 5 wording to be less prescriptive and more conceptual.
Signed-off-by: Thomas Fossati <[email protected]>
Changed intrep-key to follow internal representation convention that uses text keys instead of numeric.
yogeshbdeshpande
force-pushed
the
verify-key-triples
branch
from
d4d4b53 to
984e952
Compare
Addresses the majority of issue #330 (but one challenge remains).
Expanded examples may be needed.