WGLC review of draft 11

[muhammad-usama-sardar]

General questions:

1. What is the real motivation of this draft?
2. The flows represent only boot time measurements. What about runtime measurements (e.g., RTMR in TDX or REM in CCA)?
3. There is no discussion on how deep the nonce goes in the Layered Attester. What is the assumption here?
4. What is the exact difference between recentness and freshness?
5. What is the exact difference between the Endorsements and Reference Values?
6. Which certain types of relay attacks can scrambling avoid?

Specific questions/comments:

Sec. 1 "The reference models defined can also be applied to the conveyance of other Conceptual Messages in RATS."
Sec. 1 "the methods described can also be applied to the conveyance of, for example, Endorsements or Attestation Results."
Sec. 7 "the intention of this document is in support of future work that applies the presented models to the conveyance of other Conceptual Messages, namely Attestation Results, Endorsements, Reference Values, or Appraisal Policies."

This is repeated at least 3 times in the draft. Can you justify this claim by presenting at least one example for each of those?

Sec. 2.1: "This conveyance can also be "Local", if the Verifier role is part of the same entity as the Attester role"

So your definition of "Local Attestation" is independent of where the Relying Party is?

Sec. 3: "prevent inconsistencies ..."
Sec 3: "avoid text clones and to avoid the danger of subtle discrepancies"

With some interesting stuff out of scope, is it really the only motivation to write this draft? The draft is at such a high level of abstraction, I wonder if there are really any subtle discrepancies/inconsistencies this draft can help avoid. Can you give some examples of such subtle discrepancies?

Sec. 4: "integral"

What is it? Can you point me to a reference which uses "integral" in the sense of integrity?

Sec. 4: "The signature may be symmetric, such as an HMAC"

MAC is not a signature!

Sec. 4: "This (authentication) ... may be achieved by using a confidential channel by means of encryption."

Encryption by itself does not provide authentication.

Sec. 5: "Evidence Protection"

This seems redundant. With "Attestation Evidence Authenticity", why is it required?

Sec. 6: "(a) determining recentness, (b) determining freshness, or (c) provide replay protection. Examples include:
Nonces that are used to protect from replay attacks"

What is the exact difference between recentness and freshness? Can you give clear examples of cases when one of them holds while the other one does not? I think nonces provide all of them. Why do you specifically mention replay protection only?

Sec. 6: "This specific type of Claims is used to appraise Claims incorporated in Evidence."

Something seems to be missing here

Sec. 6: "For example, Reference Values MAY be Reference Integrity Measurements (RIM) or assertions that are implicitly trusted because they are signed by a trusted authority (see Endorsements in [RFC9334])."

This seems to say that Endorsements are also Reference Values: is this what you mean here? What is the exact difference between the Endorsements and Reference Values?

Sec. 6: "Claim Selection"

seems a misnomer as well as wrongly defined term. Isn't is something desired/requested by the Verifier?

Sec. 10: "This extra information can be used to scramble the Nonce in order to
counter certain types of relay attacks."

Which certain types of relay attacks and how? Give more details.

Editorial

• Sec 1: Second paragraph is basically useless. There is no need to have a summary of a single paragraph just presented.
• Introduction could already introduce the three types of Interaction Models. They are currently only introduced in Sec. 7 which is too late.

[henkbirkholz]

    Sec. 1 "The reference models defined can also be applied to the conveyance of other Conceptual Messages in RATS."
    Sec. 1 "the methods described can also be applied to the conveyance of, for example, Endorsements or Attestation Results."
    Sec. 7 "the intention of this document is in support of future work that applies the presented models to the conveyance of other Conceptual Messages, namely Attestation Results, Endorsements, Reference Values, or Appraisal Policies."

This is repeated at least 3 times in the draft. Can you justify this claim by presenting at least one example for each of those?

This has been reduced to an initial description in Section 1 and only very lightweight reference later on.

[henkbirkholz]

Sec. 2.1: "This conveyance can also be "Local", if the Verifier role is part of the same entity as the Attester role"

So your definition of "Local Attestation" is independent of where the Relying Party is?

No. This is not about "local attestation" this is about the relativity of what "remote" means. We added a reference to RATS Section 6 to make it clearer that very "close" things still might need conveyance protocols.

[henkbirkholz]

Sec. 3: "prevent inconsistencies ..."
Sec 3: "avoid text clones and to avoid the danger of subtle discrepancies"

With some interesting stuff out of scope, is it really the only motivation to write this draft? The draft is at such a high level of abstraction, I wonder if there are really any subtle discrepancies/inconsistencies this draft can help avoid. Can you give some examples of such subtle discrepancies?

Yes, that is the reason. A subtle difference is, for example, the difference between a nonce and an epoch marker including a nonce like structure. Another example would be the difference between an unsolicited push (as can be facilitated by time-based remote attestation) and a solicited push (as can be facilitated by streamed attestation).

[henkbirkholz]

Sec. 4: "integral"

What is it? Can you point me to a reference which uses "integral" in the sense of integrity?

That was some awkward phrasing that has been improved since the last update. Thanks!

[henkbirkholz]

Sec. 4: "The signature may be symmetric, such as an HMAC"

MAC is not a signature!

Admittedly, not the best example. Moving the example to PSA TF-M.

[muhammad-usama-sardar]

Thanks for considering the comments.

This is repeated at least 3 times in the draft. Can you justify this claim by presenting at least one example for each of those?

This has been reduced to an initial description in Section 1 and only very lightweight reference later on.

My thought here was that if the plan is to use the same models for Endorsements and Ref Values, it may make sense to put them in the same draft. If not, they may need a separate draft.

[henkbirkholz]

Sec. 4: "This (authentication) ... may be achieved by using a confidential channel by means of encryption."

Encryption by itself does not provide authentication.

Yes. Secure Channel (as in UCCS) + an extra mentioning of authentication (in an authentication section...) is now in.

[henkbirkholz]

Sec. 5: "Evidence Protection"

This seems redundant. With "Attestation Evidence Authenticity", why is it required?

Thanks. Merged Evidence Protection into Attestation Evidence Authenticity.

[henkbirkholz]

Sec. 6: "(a) determining recentness, (b) determining freshness, or (c) provide replay protection. Examples include:
Nonces that are used to protect from replay attacks"

What is the exact difference between recentness and freshness? Can you give clear examples of cases when one of them holds while the other one does not? I think nonces provide all of them. Why do you specifically mention replay protection only?

The Handle Section underwent a significant rewrite, which should also address this comment.

[henkbirkholz]

Sec. 6: "This specific type of Claims is used to appraise Claims incorporated in Evidence."

Something seems to be missing here

The Reference Value Section underwent significant re-write and is now the Verifier Inputs Section, which should also address this comment.

[henkbirkholz]

Sec. 6: "For example, Reference Values MAY be Reference Integrity Measurements (RIM) or assertions that are implicitly trusted because they are signed by a trusted authority (see Endorsements in [RFC9334])."

This seems to say that Endorsements are also Reference Values: is this what you mean here? What is the exact difference between the Endorsements and Reference Values?

Same as above.

[henkbirkholz]

Sec. 6: "Claim Selection"

seems a misnomer as well as wrongly defined term. Isn't is something desired/requested by the Verifier?

The description includes your proposal already: For example, a Verifier could send a Claim Selection, among other elements, to an Attester. Not sure how to take this comment into account.

[henkbirkholz]

Sec. 10: "This extra information can be used to scramble the Nonce in order to
counter certain types of relay attacks."

Which certain types of relay attacks and how? Give more details.

There is now a more detailed subsection. I am trying to trace back where the "scrambling" part comes from and am leaning towards removing that paragraph as I am also uncertain what it brings to the table, tbh. Maybe during WGLC?

[henkbirkholz]

Sec 1: Second paragraph is basically useless. There is no need to have a summary of a single paragraph just presented

Should already addressed by previous re-writes. Some minor redundancy remains for the sake of readability.

[henkbirkholz]

Introduction could already introduce the three types of Interaction Models. They are currently only introduced in Sec. 7 which is too late.

Done! Thanks

[henkbirkholz]

Sec. 10: "This extra information can be used to scramble the Nonce in order to
counter certain types of relay attacks."

Which certain types of relay attacks and how? Give more details.

There is now a more detailed subsection. I am trying to trace back where the "scrambling" part comes from and am leaning towards removing that paragraph as I am also uncertain what it brings to the table, tbh. Maybe during WGLC?

And it's gone.

[henkbirkholz]

@muhammad-usama-sardar, could you review #63?

[muhammad-usama-sardar]

@muhammad-usama-sardar, could you review #63?

Thanks for all the updates. There seems to be several other changes beyond PR 63 since my last review, which makes it difficult to judge whether all comments have been addressed. Unfortunately, this week is very busy for me. I have three presentations as well as meetings, and we are trying to get two new I-Ds before cut-off. Review seems unlikely before the cutoff but I will try my best. If I don't get to it, feel free to merge and I will go through the whole draft once again.

To avoid another cycle, one general comment I have is that the figures with 3 parties are very hard to read. I am not sure if you fixed them already in your updates. Particularly, in some figures with 3 parties, it was unclear who is the originator of the message (I think this was in Sec. 7.1). Please consider clarifying that by using a consistent mechanism throughout the draft and writing it out explicitly for the readers. Also, please make sure all symbols used in figures are defined in the text.

[henkbirkholz]

We can fix the remaining issues via a WGLC, I think. The Figures went through quite some polish, but I think the readability issue that your bring up is a new one. I'll submit and start the process and we can fix remaining issues along the way.