Re: [Cwt-reg-review] Request to register set of claims for Arm CCA Attestation

Michael Jones <michael_b_jones@hotmail.com> Fri, 06 October 2023 21:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cwt-reg-review/6OWimmg5lJhPAXFeHpk6vlC7cQg>

I'm sorry that I missed seeing this request before.  Thanks for resending it to bring it to my attention.

First, to register the claims, there needs to be an IANA Considerations section in the document describing the registrations to be made.  The contents of the required IANA Considerations section are specified at https://www.rfc-editor.org/rfc/rfc8392.html#section-9.1.1.  I suggest adding this to https://developer.arm.com/documentation/den0137/latest.  Also, it would probably be better to cite a specific immutable version of the registering document, rather than "latest".

From what registry are the Realm Hash Algorithm values taken?  From the IANA Named Information Hash Algorithm Registry https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg?  I would have expected you to use hash algorithm numbers from https://www.iana.org/assignments/cose/cose.xhtml#algorithms.

The same comments apply to the Realm Public Key Hash Algorithm Identifier claim.

I expected the Realm Public Key Claim to be a COSE_Key - not 97 bytes with unspecified contents.  Please correct that.

Please likewise review the definitions of the other claims to ensure that their contents are fully specified.

Best wishes,
-- Mike

From: Cwt-reg-review <cwt-reg-review-bounces@ietf.org> On Behalf Of Simon Frost
Sent: Thursday, August 10, 2023 6:01 AM
To: cwt-reg-review@ietf.org
Subject: [Cwt-reg-review] Request to register set of claims for Arm CCA Attestation

Dear CWT claims registry experts,

Please find below a submission to register a set of claims for the CWT registry. I hope that I have followed the instructions & template from RFC8392 satisfactorily; please let me know if any updates or clarifications are required.

The background to this request is that the Arm Confidential Compute Architecture supports the creation of attestation tokens. The construction of these tokens uses CWT construction and follows the IETF EAT draft (https://datatracker.ietf.org/doc/draft-ietf-rats-eat/) for attestation tokens. The work extends the set of claims previously registered as psa_* and claims requested for registration as part of EAT standardization. This request adds additional claims specific to the CCA attestation target. The reference implementation of Arm CCA attestation only produces a CBOR encoded token and as such there are not matched requests in the JWT registry.

I have specified the Change Controller for all of these claims as being the support.developer.arm.com website rather than an individual email address as that should be more resilient. The DEN0137 specification document, being common to all these requests, contains information on how to provide feedback using that site.

1. Platform Config Claim
Note: The Arm CCA Platform Attestation token reuses Claim Keys already in the CWT IANA registry in the PSA range (currently 2394 - 2400). This claim is logically grouped with those other platform claims and hence requests a consecutive value.
Claim Name: psa-platform-config
Claim Description: encoding of the implementation options of the hardware platform
JWT Claim Name: N/A
Claim Key: (requested value) 2401
Claim Value Type(s): byte string
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.2.5


2. CCA Platform Token
Note: There is a group of related claims used in Arm CCA Attestation. This claim forms the base of a new consecutive range for those claim keys. The choice for the base of this range was intended to keep away from other related sets previously registered (and the key value starts at 0xACCA). Further claims for future developments of the architecture would be requested consecutive to this range.
Claim Name: cca-platform-token
Claim Description: byte string encoding of the Arm CCA platform token
JWT Claim Name: N/A
Claim Key: (requested value) 44234
Claim Value Type(s): byte string
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3

3. CCA Realm Personalisation Value
Note that 'Realm' is the name used for a Confidential VM executing within an Arm CCA system.
Claim Name: cca-realm-personalization-value
Claim Description: data personalization value provided at Realm creation time
JWT Claim Name: N/A
Claim Key: (requested value) 44235
Claim Value Type(s): byte string
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.1.2


4. CCA Realm Hash Algorithm
Claim Name: cca-realm-hash-algo-id
Claim Description: identity of the hash algorithm used for values in the CCA Realm attestation token
JWT Claim Name: N/A
Claim Key: (requested value) 44236
Claim Value Type(s): text
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.1.5


5. CCA Realm Public Key
Claim Name: cca-realm-public-key
Claim Description: identity of the key used to sign the CCA Realm attestation token
JWT Claim Name: N/A
Claim Key: (requested value) 44237
Claim Value Type(s): byte string
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.1.6

6. CCA Realm Initial Measurement
Claim Name: cca-realm-initial-measurement
Claim Description: measurement of the Realm at activation
JWT Claim Name: N/A
Claim Key: (requested value) 44238
Claim Value Type(s): byte string
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.1.3

7. CCA Realm Extensible Measurements
Claim Name: cca-realm-extensible-measurements
Claim Description: extensible measurement set for Realm values
JWT Claim Name: N/A
Claim Key: (requested value) 44239
Claim Value Type(s): array
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.1.4

8. CCA Realm Public Key Hash Algorithm ID
Claim Name: cca-realm-public-key-hash-algo-id
Claim Description: algorithm used to calculate hash of key from cca-realm-public-key
JWT Claim Name: N/A
Claim Key: (requested value) 44240
Claim Value Type(s): array
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3.1.7


9. CCA Realm Delegated Token
Claim Name: cca-realm-delegated-token
Claim Description: byte string encoding of the Arm CCA delegated model Realm attestation token
JWT Claim Name: N/A
Claim Key: (requested value) 44241
Claim Value Type(s): array
Change Controller: https://support.developer.arm.com
Specification Document: https://developer.arm.com/documentation/den0137/latest Section A7.2.3

Best Regards
Simon

Simon Frost
Senior Principal Systems Solution Architect, ATG, Arm
Mob: +44 7855 265691

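As an added example (not code from the thread, Arm, DEN0137 or IANA), the following checks a decoded Realm token claims map against the claim keys and value types requested above and flags the point Mike raises about cca-realm-public-key being opaque bytes rather than a COSE_Key. It assumes the CWT payload has already been CBOR-decoded (for instance with cbor2), and every sample claim value is a constructed dummy.

```python
# Added example for this page (not code from Arm, DEN0137 or IANA): checks a
# CBOR-decoded Arm CCA Realm token claims map against the claim keys and value
# types requested in the thread and applies the reviewer's COSE_Key point.
# Decoded types assumed (e.g. via cbor2): bstr->bytes, tstr->str, array->list, map->dict.
# Claim key -> (claim name, accepted Python types).  Keys, names and types are
# those in the request; 44237 additionally accepts a map so a COSE_Key passes.
CCA_CLAIMS = {
    2401:  ("psa-platform-config",               (bytes,)),
    44234: ("cca-platform-token",                (bytes,)),  # 0xACCA, range base
    44235: ("cca-realm-personalization-value",   (bytes,)),
    44236: ("cca-realm-hash-algo-id",            (str,)),
    44237: ("cca-realm-public-key",              (bytes, dict)),
    44238: ("cca-realm-initial-measurement",     (bytes,)),
    44239: ("cca-realm-extensible-measurements", (list,)),
    44240: ("cca-realm-public-key-hash-algo-id", (list,)),
    44241: ("cca-realm-delegated-token",         (list,)),
}


def check_claims(claims):
    """Return a list of findings for a decoded claims map; [] means clean."""
    findings = []
    for key, value in claims.items():
        if key not in CCA_CLAIMS:
            continue  # standard CWT/EAT claims are outside this check
        name, types = CCA_CLAIMS[key]
        if not isinstance(value, types):
            want = " or ".join(t.__name__ for t in types)
            findings.append(f"{name} ({key}): expected {want}, "
                            f"got {type(value).__name__}")
        elif key == 44237 and isinstance(value, bytes):
            # Reviewer point: opaque bytes leave key type and curve unspecified;
            # a COSE_Key map (RFC 9052) states them in 'kty' (label 1) and 'crv'.
            findings.append(f"{name} ({key}): {len(value)} opaque bytes, "
                            "contents unspecified; a COSE_Key was expected")
        elif key == 44237 and 1 not in value:  # kty is mandatory in a COSE_Key
            findings.append(f"{name} ({key}): COSE_Key map without kty (1)")
    return findings


# Constructed sample claims; all values are dummies, not real measurements.
AS_REQUESTED = {
    44235: bytes(64),            # personalization value
    44236: "sha-256",            # hash algorithm id as text (sample value)
    44237: b"\x04" + bytes(96),  # 97 opaque bytes, as in the request
    44239: [bytes(32)] * 4,      # extensible measurements
}
# Same claims with the key as a COSE_Key: kty=EC2 (2), crv=P-384 (2), x, y.
COSE_KEY_FORM = {**AS_REQUESTED, 44237: {1: 2, -1: 2, -2: bytes(48), -3: bytes(48)}}
```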