IETF
teep
teep@jabber.ietf.org
Wednesday, March 10, 2021
Rich Salz has set the subject to: TEEP AT IETF 106

GMT+0
[11:40:52] Meetecho joins the room
[11:50:06] Tobia Castaldi_web_102 joins the room
[11:50:06] Nancy Cam-Winget_web_154 joins the room
[11:50:06] Aurelio Schellenbaum_web_759 joins the room
[11:50:06] Michael Jenkins_web_551 joins the room
[11:50:06] Tirumaleswar Reddy.K_web_875 joins the room
[11:50:06] Hannes Tschofenig_web_541 joins the room
[11:50:06] Akira Tsukamoto_web_551 joins the room
[11:50:34] Tsukasa OI_web_342 joins the room
[11:50:47] <Nancy Cam-Winget_web_154> Good morning!
[11:51:10] Yoshifumi Atarashi_web_440 joins the room
[11:51:26] <Akira Tsukamoto_web_551> good day
[11:51:56] Adam Wiethuechter_web_313 joins the room
[11:52:12] <Akira Tsukamoto_web_551> I hear you
[11:52:15] <Tsukasa OI_web_342> I can hear you :)
[11:52:59] Masashi Kikuchi_web_702 joins the room
[11:53:09] Kuniyasu Suzaki_web_866 joins the room
[11:54:43] Kuniyasu Suzaki_web_866 leaves the room
[11:54:51] akira.tsukamoto_ joins the room
[11:54:57] Dave Thaler_web_165 joins the room
[11:54:58] akira.tsukamoto_ leaves the room
[11:55:07] akira.tsukamoto joins the room
[11:55:10] Kuniyasu Suzaki_web_853 joins the room
[11:56:34] Jonathan Hammell_web_951 joins the room
[11:56:34] Satoru Kanno_web_928 joins the room
[11:57:51] <Hannes Tschofenig_web_541> Hi all
[11:58:13] David Brown_web_212 joins the room
[11:58:14] Jianfei(Jeffrey) HE_web_604 joins the room
[11:58:16] Kuniyasu Suzaki_web_853 leaves the room
[11:58:32] Kuniyasu Suzaki_web_771 joins the room
[11:58:35] Thomas Hardjono_web_961 joins the room
[11:58:42] Tero Kivinen_web_579 joins the room
[11:58:43] Jiri Novotny_web_860 joins the room
[11:58:49] Jiri Novotny_web_860 leaves the room
[11:58:52] Jiri Novotny_web_389 joins the room
[11:58:53] Ken Takayama_web_633 joins the room
[11:59:06] cw-ietf joins the room
[11:59:11] Andreas Ruest_web_398 joins the room
[11:59:14] Andreas Ruest_web_398 leaves the room
[11:59:17] Takahiko Nagata_web_557 joins the room
[11:59:21] Marco Tiloca_web_865 joins the room
[11:59:28] Robin Wilton_web_627 joins the room
[11:59:33] Andreas Ruest_web_572 joins the room
[11:59:44] Göran Selander_web_139 joins the room
[11:59:55] Thomas Fossati_web_382 joins the room
[12:00:16] <Robin Wilton_web_627> Hi everyone
[12:00:16] Brendan Moran_web_765 joins the room
[12:00:21] Christian Amsüss_web_123 joins the room
[12:00:23] Kohei Isobe_web_880 joins the room
[12:00:23] Russ Housley_web_485 joins the room
[12:00:45] Anthony Faust_web_451 joins the room
[12:00:55] <Robin Wilton_web_627> I can take notes
[12:01:16] Dave Robin_web_926 joins the room
[12:01:42] Yutaka Oiwa_web_349 joins the room
[12:01:48] Robin Wilton_web_627 leaves the room
[12:01:51] Robin Wilton_web_305 joins the room
[12:01:57] <Dave Thaler_web_165> do we have anyone talking about the SUIT interaction issues?
[12:02:12] <akira.tsukamoto> I will in my talk
[12:02:20] Benjamin Kaduk_web_552 joins the room
[12:02:27] Hendrik Brockhaus_web_884 joins the room
[12:02:35] kaduk@jabber.org/barnowl joins the room
[12:02:41] Dominique Barthel_web_284 joins the room
[12:02:43] Sorin Faibish_web_800 joins the room
[12:03:02] Alex Huang Feng_web_220 joins the room
[12:03:03] Quynh Dang_web_800 joins the room
[12:03:03] Mohit Sethi_web_852 joins the room
[12:03:14] Erik Nordmark_web_978 joins the room
[12:03:15] Daniel Migault_web_311 joins the room
[12:03:23] <Robin Wilton_web_305> Yes, slides flickering for me too, intermittently
[12:03:25] <kaduk@jabber.org/barnowl> We've had some people report blinking slides in other sessions as well
[12:03:26] Alex Huang Feng_web_220 leaves the room
[12:03:39] Robin Wilton_web_305 leaves the room
[12:03:42] Robin Wilton_web_988 joins the room
[12:03:43] Thomas Fossati_web_382 leaves the room
[12:03:47] Thomas Fossati_web_881 joins the room
[12:03:53] Koen Zandberg_web_357 joins the room
[12:04:00] Jim Reid_web_434 joins the room
[12:04:02] Robin Wilton_web_988 leaves the room
[12:04:05] Robin Wilton_web_557 joins the room
[12:04:23] A Paventhan_web_917 joins the room
[12:05:14] Yutaka Oiwa_web_349 leaves the room
[12:05:40] Yutaka Oiwa_web_988 joins the room
[12:05:51] Rich Salz_web_186 joins the room
[12:06:05] Rikard Höglund_web_587 joins the room
[12:07:08] Christian Amsüss_web_123 leaves the room
[12:07:16] Jianfei(Jeffrey) HE_web_604 leaves the room
[12:08:36] Laurent Toutain_web_745 joins the room
[12:09:15] Wei Pan_web_840 joins the room
[12:14:04] <Hannes Tschofenig_web_541> I have focused on the security implementation of the TEEP protocol. I put some hackathon slides together: https://github.com/IETF-Hackathon/ietf110-project-presentations/blob/main/hackathon-presentation-firmware-encryption.pptx
[12:14:13] Koen Zandberg_web_357 leaves the room
[12:14:17] Koen Zandberg_web_545 joins the room
[12:14:35] <Kohei Isobe_web_880> (off topic) In this hackathon, we used WireGuard as a VPN. That's very easy and comfortable for connecting the participants.
[12:20:10] Taiji Kimura_web_392 joins the room
[12:20:49] <Dave Thaler_web_165> Brendan has the suit manifest generator been updated to allow delete somehow yet?
[12:22:05] <Brendan Moran_web_765> No, the specifics haven't been agreed with the suit wg yet. I want to at least have a discussion before I go implement it.
[12:24:36] <kaduk@jabber.org/barnowl> This scenario where a TC binary has device-specific ("serial number")
information in it, and is to be distributed by an independent TAM,
makes me wonder about privacy considerations where TAM and TC vendor
have to collaborate to "track users (or devices)"
[12:25:04] <Brendan Moran_web_765> There's a mechanism in SUIT for encrypted manifests to deal with that issue.
[12:27:48] Guy Fedorkow_web_917 joins the room
[12:28:49] <Rich Salz_web_186> Brendan, that should end up in the security considerations of some document.
[12:29:43] <Hannes Tschofenig_web_541> I was wondering whether this information should go into the TEEP document, SUIT manifest document, or in both
[12:30:11] <Hannes Tschofenig_web_541> I hope the SUIT chairs give me a few minutes during the SUIT WG session to talk about the topic of firmware encryption
[12:30:34] <Rich Salz_web_186> +1!
[12:31:05] tim costello_web_652 joins the room
[12:31:11] <Brendan Moran_web_765> Rich, I believe it's covered in the Information Model, which is a giant security considerations document.
[12:31:26] <Rich Salz_web_186> thanks.  time to re-read that.
[12:31:40] Dave Thaler_web_165 leaves the room
[12:31:45] Dave Thaler_web_154 joins the room
[12:31:49] Ken Takayama_web_633 leaves the room
[12:31:49] Taiji Kimura_web_392 leaves the room
[12:31:55] Ken Takayama_web_873 joins the room
[12:31:56] Taiji Kimura_web_307 joins the room
[12:32:47] <Dave Thaler_web_154> hannes/chairs, are you presenting your teep related stuff right after Akira?
[12:32:49] daniel.bernier@bell.ca_web_153 joins the room
[12:33:00] daniel.bernier@bell.ca_web_153 leaves the room
[12:33:11] <kaduk@jabber.org/barnowl> Rich: note that suit-information-model is approved by the IESG pending
edits
[12:33:17] Anthony Faust_web_451 leaves the room
[12:33:58] Koen Zandberg_web_545 leaves the room
[12:34:00] <Nancy Cam-Winget_web_154> @Dave: Hannes isn't presenting after Akira (in TEEP)
[12:34:17] Anthony Faust_web_420 joins the room
[12:34:18] <Dave Thaler_web_154> should he? (we have time, yes?)
[12:34:26] <Nancy Cam-Winget_web_154> Yes we have time
[12:35:14] <Rich Salz_web_186> thanks ben.  i was less interested in changing the info-model doc and more about if it's necessary to add things to the other docs
[12:35:23] <Brendan Moran_web_765> @rich: https://tools.ietf.org/html/draft-ietf-suit-information-model-09#section-4.2.14
[12:37:46] Marco Tiloca_web_865 leaves the room
[12:39:53] <Dave Thaler_web_154> most are open source in github
[12:40:10] <Dave Thaler_web_154> links were in the 109 hackathon report I think?
[12:40:22] <Tsukasa OI_web_342> tamproto: https://github.com/ko-isobe/tamproto
[12:40:27] <Dave Thaler_web_154> mine (Microsoft) are GitHub.com/dthaler/teep
[12:40:34] <Daniel Migault_web_311> maybe sharing the links on the mailing list would be helpful.
[12:40:42] <Dave Thaler_web_154> URL changed since last meeting (I renamed the repo from OTrP to deep)
[12:40:44] <Dave Thaler_web_154> teep
[12:41:09] <Kohei Isobe_web_880> libteep https://github.com/yuichitk/libteep
[12:42:42] <Thomas Fossati_web_881> thanks!
[12:42:59] <Rich Salz_web_186> The doc is much shorter than I was worried about, thanks @Brendan
[12:43:03] <Rich Salz_web_186> :)
[12:43:34] <Brendan Moran_web_765> You bet! :)
[12:43:48] <Daniel Migault_web_311> https://github.com/IETF-Hackathon/ietf110-project-presentations/blob/main/hackathon-presentation-firmware-encryption.pptx
[12:45:21] <Tsukasa OI_web_342> Now it's working.
[12:48:12] <kaduk@jabber.org/barnowl> I can't point to why, but I assumed that the COSE spec was intended to
be something that you only pick a subset of to use
[12:48:16] <Dave Thaler_web_154> hannes: so you didn't find anything that needs changes to any TEEP draft, correct? just want to confirm
[12:48:51] <Dave Thaler_web_154> (I agree this is important to TEEP, e.g., for personalization data)
[12:51:05] <Jim Reid_web_434> I thought the TLS WG planned to deprecate static DH?
[12:51:51] <kaduk@jabber.org/barnowl> TLS is a "live" protocol, though -- COSE is asynchronous so you always
have at least one static DH share
[12:53:43] <Jim Reid_web_434> OK. Thanks Ben
[12:53:54] <kaduk@jabber.org/barnowl> I think Hannes was not the only one confused about what *exactly* that
presentation was proposing to do :)
[12:54:01] <Dave Thaler_web_154> seeing a black screen projected
[12:54:05] Dave Robin_web_926 leaves the room
[12:54:08] Dave Robin_web_100 joins the room
[12:54:22] <Brendan Moran_web_765> +1 for static DH in SUIT
[12:54:29] <Jim Reid_web_434> Indeed. I'm still confused...
[12:55:06] <Hannes Tschofenig_web_541> I think the folks giving the presentation to the TLS WG need to offer a clarification about what they want to rule out and why
[12:55:07] <kaduk@jabber.org/barnowl> Part of the problem with static DH in TLS is that it's only defined
for pre-TLS-1.3, and in the older protocol versions the protocol spec
requires that you strip leading zeros from the shared secret.  This
leads to a side-channel attack (the "raccoon" named attack,
specifically) which is the immediate impetus for the TLS proposal
[12:55:28] <kaduk@jabber.org/barnowl> I think there has been some amount of clarification ongoing on the TLS
list
[12:55:40] <Hannes Tschofenig_web_541> Ok. I need to check the list.
[12:56:13] <kaduk@jabber.org/barnowl> (but further clarification may still be required; I'm not fully caught
up, either)
[12:56:40] Guy Fedorkow_web_917 leaves the room
[12:57:07] Michael Richardson_web_930 joins the room
[12:59:51] Hendrik Brockhaus_web_884 leaves the room
[13:01:30] A Paventhan_web_917 leaves the room
[13:05:14] <Russ Housley_web_485> Why did you make the issuer "joe"?  Clearly, it should be "dave"  ;-)
[13:05:24] <kaduk@jabber.org/barnowl> This discussion of when to add new error code values echoes what we had
in LAKE yesterday :)
[13:05:30] Benjamin Kaduk_web_552 leaves the room
[13:05:33] Benjamin Kaduk_web_129 joins the room
[13:06:14] Nancy Cam-Winget_web_154 leaves the room
[13:06:18] Nancy Cam-Winget_web_322 joins the room
[13:08:22] <kaduk@jabber.org/barnowl> Removing the IANA registry forces us to be the custodian of any new
protocol work, which is maybe okay but maybe risks codepoint
squatting.  A specification-required policy with strong guidance to
the experts might be worth considering.
[13:09:58] <Daniel Migault_web_311> which I interpret as the expert needs to maintain a private registry.
[13:10:36] <Daniel Migault_web_311> private meaning non public.
[13:11:44] Simon Hicks_web_978 joins the room
[13:13:58] <kaduk@jabber.org/barnowl> I am not sure there would even be experts in the proposed scenario?
[13:16:51] Satoru Kanno_web_928 leaves the room
[13:16:56] Satoru Kanno_web_260 joins the room
[13:17:53] Satoru Kanno_web_260 leaves the room
[13:18:13] Hendrik Brockhaus_web_689 joins the room
[13:18:20] Satoru Kanno_web_574 joins the room
[13:18:46] Dave Robin_web_100 leaves the room
[13:18:47] <kaduk@jabber.org/barnowl> I would have expected KMAC to be the more popular non-HMAC MAC, rather
than GMAC :)
[13:18:49] Dave Robin_web_497 joins the room
[13:18:51] Hendrik Brockhaus_web_689 leaves the room
[13:19:17] Satoru Kanno_web_574 leaves the room
[13:19:52] Satoru Kanno_web_272 joins the room
[13:20:34] <Brendan Moran_web_765> What about CMAC?
[13:20:46] <Jonathan Hammell_web_951> What is the MAC used for?  The protocol draft discusses COSE_Sign1, but I don't see any reference to use of a MAC.
[13:20:50] Satoru Kanno_web_272 leaves the room
[13:23:53] <kaduk@jabber.org/barnowl> Brendan: CMAC lacks the "new and shiny" factor that makes things
trendy :)
[13:24:25] <Russ Housley_web_485> @ben, I thought that was SHAKE
[13:25:02] <Daniel Migault_web_311> I think though CMAC is used in SGX.
[13:25:11] <Brendan Moran_web_765> Ah, makes sense. For me, CMAC has the "I needed that AES engine anyway" that makes it small and therefore "IoT shiny" ;)
[13:26:04] <kaduk@jabber.org/barnowl> Dave and Russ said it correctly
[13:27:19] <Brendan Moran_web_765> If it becomes unconstrained, it probably needs an entry in the security considerations detailing how much it exposes personal information.
[13:28:25] <kaduk@jabber.org/barnowl> Back to the "where the MAC is used" question, it looks like TEEP
messages are effectively COSE_Sign1 objects; COSE_Sign1 can be done
with either a proper asymmetric signature or a symmetric-keyed MAC.
[13:28:45] <Brendan Moran_web_765> @dave: +1
[13:30:45] Geng-Da Tsai_web_886 joins the room
[13:31:40] Geng-Da Tsai_web_886 leaves the room
[13:31:54] <Jonathan Hammell_web_951> @Ben, COSE has a separate COSE_Mac0 message.  I've never seen a MAC used in COSE_Sign1, but I may be missing something.
[13:32:11] <Brendan Moran_web_765> @dave +1
[13:32:22] <Hannes Tschofenig_web_541> Makes sense to me
[13:32:38] <Sorin Faibish_web_800> +1
[13:32:46] Tomoko Nezu_web_321 joins the room
[13:33:12] <akira.tsukamoto> +1 was late
[13:34:07] <kaduk@jabber.org/barnowl> Jonathan: ah, good point.  I must be thinking of JWT...
[13:35:05] mcr joins the room
[13:35:13] Tomoko Nezu_web_321 leaves the room
[13:36:04] <mcr> not following TEEP well, of the three suggested freshness methods that RATS architecture elucidates, which one will TEEP use?... or maybe Dave is getting to that.
[13:40:18] <Göran Selander_web_139> What if Receiver encrypts a timestamp (for itself) and uses it as a nonce? Would only require it to store a key.
[13:40:41] <Göran Selander_web_139> And keep the time
[13:41:00] <Akira Tsukamoto_web_551> Probably Dave is explaining three methods for deciding which to use in teep
[13:41:02] Wei Pan_web_840 leaves the room
[13:41:39] <Göran Selander_web_139> @Akira What I wrote would be method 2
[13:41:44] <Brendan Moran_web_765> @Göran: it turns out that keeping time in a hostile environment is tricky.
[13:42:14] <Göran Selander_web_139> @Brendan: The Receiver only needs to keep its own time
[13:42:36] <Daniel Migault_web_311> how inconvenient is an additional round trip for attestation?
[13:42:51] <kaduk@jabber.org/barnowl> > keeping time in a hostile environment is tricky
True, though we seem to be making progress on that front with NTS and
some of the distributed stuff that I'm forgetting the name of
[13:43:46] <Brendan Moran_web_765> @ben, Yes I agree. I'm rapidly coming to the conclusion that network time sync is probably more reliable than a local clock when under active physical attack
[13:45:07] <Daniel Migault_web_311> @dave thanks.
[13:45:17] <Thomas Fossati_web_881> @dave with regards to nonce and scalability, I guess you could make it a verifier problem rather than TAM's
[13:45:51] <Kohei Isobe_web_880> Can TAM work as handle distributor?
[13:46:33] <mcr> ps: RATS will change the term "handle" to ... probably "epoch identifier"
[13:46:48] <mcr> to avoid conflicting terminology with something else that Russ mentioned.
[13:47:33] Tadahiko Ito_web_506 joins the room
[13:47:56] <Kohei Isobe_web_880> @dave thanks
[13:48:36] <Hannes Tschofenig_web_541> The nonce was added in the TEEP protocol to support the RATS case
[13:48:43] <mcr> I think, if you have to unicast epoch IDs to TEEs, that you might as well use nonces.  I agree with Goran: they could be made stateless from the Verifier point of view.
[13:48:50] <Hannes Tschofenig_web_541> So, I think we should just use whatever RATS does
[13:49:24] <Hannes Tschofenig_web_541> But the RATS architecture discusses the stories on how to want to demonstrate liveness of their tokens
[13:49:24] <Daniel Migault_web_311> which is the one you prefer?
[13:49:28] Mohit Sethi_web_852 leaves the room
[13:49:43] <mcr> I think of epoch IDs, as being something that arrive via satellite/GPS/or some other truly broadcast method.
[13:49:49] <akira.tsukamoto> tough choice
[13:49:53] <Sorin Faibish_web_800> I prefer the epoch for scalability reason.
[13:50:53] <Daniel Migault_web_311> @ dave thinks.
[13:51:28] <Brendan Moran_web_765> Epoch IDs raise some interesting security considerations with on-path attackers delaying delivery
[13:51:51] <mcr> but, based upon my understanding of your protocol, I don't know how you'd broadcast them.
[13:51:55] <Robin Wilton_web_557> @Dave did you see Goran's question/suggestion about using a timestamp as a nonce?
[13:52:15] Satoru Kanno_web_447 joins the room
[13:52:23] <Thomas Fossati_web_881> see https://ietf-rats-wg.github.io/architecture/draft-ietf-rats-architecture.html#name-handle-based-attestation
[13:53:04] <Brendan Moran_web_765> As an on-path attacker, you can also slow down a particular verifier, which causes some other interesting attacks.
[13:53:29] Satoru Kanno_web_447 leaves the room
[13:53:33] <kaduk@jabber.org/barnowl> There may also be some operational considerations with epoch IDs if
you end up for some reason needing to wait for the epoch duration in
order to ensure that some change is visible
[13:53:57] <mcr> @Brendan, that sounds like an agile story, "As an on-path attacker, I want to slow down a particular verifier"
[13:54:12] <Brendan Moran_web_765> @mcr: how many story points?
[13:54:38] <mcr> e^(i* pi/2)
[13:55:04] <Brendan Moran_web_765> I can't imagine what you mean ;)
[13:55:07] <akira.tsukamoto> maybe we need a reasonable example of epoch; some people think it would be 1 minute, and some people might think 1 week
[13:57:15] Dave Robin_web_497 leaves the room
[13:58:51] <akira.tsukamoto> +1 for keeping separate
[13:59:15] cw-ietf leaves the room
[14:01:17] tim costello_web_652 leaves the room
[14:01:23] Sorin Faibish_web_800 leaves the room
[14:01:30] <Hannes Tschofenig_web_541> Was a good session.
[14:01:36] Laurent Toutain_web_745 leaves the room
[14:01:37] Rich Salz_web_186 leaves the room
[14:01:38] David Brown_web_212 leaves the room
[14:01:39] <Hannes Tschofenig_web_541> Bye
[14:01:41] Dave Thaler_web_154 leaves the room
[14:01:41] <Robin Wilton_web_557> Thanks Nancy!
[14:01:41] Thomas Hardjono_web_961 leaves the room
[14:01:42] <Thomas Fossati_web_881> cheer!
[14:01:44] Brendan Moran_web_765 leaves the room
[14:01:45] Ken Takayama_web_873 leaves the room
[14:01:45] Benjamin Kaduk_web_129 leaves the room
[14:01:46] Rikard Höglund_web_587 leaves the room
[14:01:46] Akira Tsukamoto_web_551 leaves the room
[14:01:46] Kuniyasu Suzaki_web_771 leaves the room
[14:01:46] <Kohei Isobe_web_880> thanks all
[14:01:47] Russ Housley_web_485 leaves the room
[14:01:47] Tirumaleswar Reddy.K_web_875 leaves the room
[14:01:47] Yoshifumi Atarashi_web_440 leaves the room
[14:01:47] Jonathan Hammell_web_951 leaves the room
[14:01:49] Hannes Tschofenig_web_541 leaves the room
[14:01:49] Michael Richardson_web_930 leaves the room
[14:01:51] Aurelio Schellenbaum_web_759 leaves the room
[14:01:52] Tsukasa OI_web_342 leaves the room
[14:01:52] kaduk@jabber.org/barnowl leaves the room
[14:01:56] Nancy Cam-Winget_web_322 leaves the room
[14:01:56] Thomas Fossati_web_881 leaves the room
[14:01:58] Michael Jenkins_web_551 leaves the room
[14:02:00] Tero Kivinen_web_579 leaves the room
[14:02:03] Masashi Kikuchi_web_702 leaves the room
[14:02:04] Jim Reid_web_434 leaves the room
[14:02:08] Andreas Ruest_web_572 leaves the room
[14:02:10] Takahiko Nagata_web_557 leaves the room
[14:02:13] Robin Wilton_web_557 leaves the room
[14:02:24] Göran Selander_web_139 leaves the room
[14:02:30] Tobia Castaldi_web_102 leaves the room
[14:02:30] Adam Wiethuechter_web_313 leaves the room
[14:02:30] Jiri Novotny_web_389 leaves the room
[14:02:30] Kohei Isobe_web_880 leaves the room
[14:02:30] Dominique Barthel_web_284 leaves the room
[14:02:30] Quynh Dang_web_800 leaves the room
[14:02:30] Erik Nordmark_web_978 leaves the room
[14:02:30] Daniel Migault_web_311 leaves the room
[14:02:30] Yutaka Oiwa_web_988 leaves the room
[14:02:30] Taiji Kimura_web_307 leaves the room
[14:02:31] Anthony Faust_web_420 leaves the room
[14:02:31] Simon Hicks_web_978 leaves the room
[14:02:31] Tadahiko Ito_web_506 leaves the room
[14:04:08] Meetecho leaves the room
[14:05:00] mcr leaves the room
[15:33:44] akira.tsukamoto leaves the room