ietf-rats-wg / rats-endorsements


Section 4 readability #23

Closed nedmsmith closed 2 months ago

nedmsmith commented 3 months ago

I find section 4 difficult to read. The heading "Endorsing Evidence Provenance" is not an intuitive concept. The authors must explain what it means first.

The first paragraph seems to describe that Evidence should be authenticated. This could be stated more plainly.

The second paragraph seems to make the same statement, but in a contraindicated way. There is a DICE example in Section 2 that could be referenced, as it seems to describe layering. But it isn't clear how paragraph 2 (section 4) pertains to "provenance" or "endorsement".

For example: "Such a certificate need not be stored by the Verifier when the Endorsement can be resolved on demand or passed to the Verifier along with the Evidence." The concept of "Endorsement resolution" is not described in the I-D. The reader is assumed to know what this entails. Its relevance to "provenance" is not obvious. I believe the first sentence of the 3rd paragraph is actually incorrect: "No particular algorithm or cryptographic protocol is assumed for the verification of the Attester." A verifier must implement the algorithm/protocol that authenticates the Attester / AE, otherwise the integrity of the evidence is suspect.

"Evidence typically contains an identifier for the Attester (e.g., [I-D.ietf-rats-eat] ueid) in a claim, sometimes termed an "identity claim", that can be used by the Verifier to look up its verification key for the Attester." The 4th paragraph is not typical, as Evidence often describes a class of devices rather than a specific instance of a device. Instead, it is typical for a lead Attester to have authentication credentials that identify an instance of a device. However, this is also contradicted by I-D:daa-attestation, where a group key maintains the class nature of evidence while also authenticating the evidence.

The fifth paragraph seems to take a circumlocutory approach to saying that Evidence must be authenticated (restating what the first paragraph is saying) and that Evidence authentication should be the first step before applying other appraisal steps. Maybe this could be said more directly?

The last paragraph seems to be summarizing the steps that a verifier might follow, but seems out of place in a section on evidence provenance.

It is still unclear to me if the goal of the section is to assert that Evidence provenance means Evidence should be authenticated, if this is giving general (cherry picked) advice to verifiers, or if this is aimed at Endorsers who may need to do something (???) in order to ensure Endorsements have "provenance" (e.g., sign endorsement claims?).

Maybe a different approach would be to explain that AEs have attestation keys that authenticate evidence and that provenance of attestation keys is needed to build trust in the AEs? This is what the PKIX Consortium refers to as "key attestation". Maybe the authors are saying that AEs' attestation keys should be backed by key attestation?

thomas-fossati commented 3 months ago

> Maybe a different approach would be to explain that AEs have attestation keys that authenticate evidence and that provenance of attestation keys is needed to build trust in the AEs?

Yes, that's exactly the core point. If it's not clear, we need to improve the prose.

dthaler commented 2 months ago

I've filed PR #33 to address some of this, though I didn't author this section so another co-author might have other things to do.

dthaler commented 2 months ago

Fixed in draft-03

dthaler commented 2 months ago

I believe this is fixed in the latest draft. Please reopen (with explanation of what is remaining) if you disagree.