--- 1/draft-ietf-rats-reference-interaction-models-03.txt 2021-07-26 09:13:15.915882616 -0700 +++ 2/draft-ietf-rats-reference-interaction-models-04.txt 2021-07-26 09:13:15.963883813 -0700 @@ -1,22 +1,22 @@ RATS Working Group H. Birkholz Internet-Draft M. Eckel Intended status: Informational Fraunhofer SIT -Expires: 14 January 2022 W. Pan +Expires: 27 January 2022 W. Pan Huawei Technologies E. Voit Cisco - 13 July 2021 + 26 July 2021 Reference Interaction Models for Remote Attestation Procedures - draft-ietf-rats-reference-interaction-models-03 + draft-ietf-rats-reference-interaction-models-04 Abstract This document describes interaction models for remote attestation procedures (RATS). Three conveying mechanisms -- Challenge/Response, Uni-Directional, and Streaming Remote Attestation -- are illustrated and defined. Analogously, a general overview about the information elements typically used by corresponding conveyance protocols are highlighted. @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 14 January 2022. + This Internet-Draft will expire on 27 January 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -275,23 +275,25 @@ information elements are required by any kind of scalable remote attestation procedure using one or more of the interaction models provided. Authentication Secret IDs ('authSecIDs'): _mandatory_ A statement representing an identifier list that MUST be associated with corresponding Authentication Secrets used to protect Claims included in Evidence. - Each Authentication Secret is uniquely associated with a - distinguishable Attesting Environment. Consequently, an - Authentication Secret ID also identifies an Attesting Environment. + Each distinguishable Attesting Environment has access to a + protected capability that provides an Authentication Secret + associated with that Attesting Environment. Consequently, an + Authentication Secret ID can also identify an Attesting + Environment. Handle ('handle'): _mandatory_ A statement that is intended to uniquely distinguish received Evidence and/or determine the freshness of Evidence. A Verifier can also use a Handle as an indicator for authenticity or attestation provenance, as only Attesters and Verifiers that are intended to exchange Evidence should have knowledge of the corresponding Handles. Examples include Nonces or signed 
@@ -543,21 +544,21 @@ clocks, such as tick-counters) of Attesters and Verifiers MUST be cryptographically bound to fresh Handles received from the Handle Distributor. This binding provides a proof of synchronization that MUST be included in all produced Evidence. Correspondingly, conveyed Evidence in this model provides a proof that it was fresh at a certain point in time. While periodically pushing Evidence to the Verifier, the Attester only needs to generate and convey evidence generated from Claim values that have changed and new Event Logs entries since the - previous conveyance. This updates reflecting the differences are + previous conveyance. These updates reflecting the differences are called "delta" in the sequence diagram above. Effectively, the Uni-Directional model allows for a series of Evidence to be pushed to multiple Verifiers simultaneously. Methods to detect excessive time drift that would mandate a fresh Handle to be received by the Handle Distributor as well as timing of Handle distribution are out-of-scope of this document. 7.3. Streaming Remote Attestation .----------. .----------. @@ -780,21 +781,21 @@ [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, June 2019, . 12.2. Informative References [DAA] Brickell, E., Camenisch, J., and L. Chen, "Direct Anonymous Attestation", page 132-145, ACM Proceedings of - the 11rd ACM conference on Computer and Communications + the 11th ACM conference on Computer and Communications Security, 2004. [I-D.birkholz-rats-tuda] Fuchs, A., Birkholz, H., McDonald, I. E., and C. Bormann, "Time-Based Uni-Directional Attestation", Work in Progress, Internet-Draft, draft-birkholz-rats-tuda-05, 12 July 2021, . [I-D.ietf-rats-architecture]
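Review bot: the header hunk's version bump is internally consistent: the expiry moves from 14 January 2022 to 27 January 2022, which matches the new document date of 26 July 2021 plus the six-month validity the boilerplate states, and both the title line and the expiry sentence in the status section move together to -04 / 27 January 2022. No further change needed there.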
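Review bot: the rewording of the Authentication Secret ID definition (hunk at -275) quietly weakens a security property and should say so or restore it. The -03 text stated that each Authentication Secret is uniquely associated with a distinguishable Attesting Environment, so an authSecID identified exactly one Attesting Environment; the -04 text says each Attesting Environment "has access to a protected capability that provides an Authentication Secret" and that the ID "can also identify" an Attesting Environment. If one protected capability may serve several Attesting Environments, or one Environment may hold several Secrets, a Verifier can no longer rely on authSecID alone to attribute Evidence to a specific Attesting Environment, which matters because the same list item requires these IDs to be associated with the Secrets that protect Claims in Evidence. Suggest either stating that the mapping remains one-to-one in the reference models, or stating the weaker guarantee explicitly (e.g. "an Authentication Secret ID identifies the protected capability, and thereby the set of Attesting Environments that have access to it"). "protected capability" is also introduced here without definition; a one-sentence definition or a pointer to where the term is defined would help, since it now carries the meaning of the change.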
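Review bot: the grammar fix in the Uni-Directional hunk (-543) is correct ("This updates" to "These updates"), but the unchanged line just above it still reads "new Event Logs entries", which should be "new Event Log entries"; worth folding into the same editorial pass. Two smaller style points in the same paragraph: "evidence" is lowercase once ("convey evidence generated from Claim values") where the rest of the section capitalizes the RATS term "Evidence", and "out-of-scope of this document" should be "out of scope for this document" since it is used as a predicate, not an attributive adjective.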
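Review bot: the "11rd" to "11th" correction in the [DAA] entry (hunk at -780) is right; while that entry is being edited, "page 132-145" should read "pages 132-145" (or "pp. 132-145" in the style used by other RFC reference entries). Separately, the [RFC8610] and [I-D.birkholz-rats-tuda] entries in the context lines both end in ", ." with no URL between, which looks like the angle-bracketed URLs were dropped by the text rendering rather than by this change; please confirm the URLs are still present in the rendered -04.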