Re: [Rats] [sacm] CoSWID and EAT and CWT

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 27 November 2019 13:38 UTC




> On Nov 27, 2019, at 8:08 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
> 
> Hi Laurence, hi Thomas,
> hi list,
> 
> Thomas, thank you for the nice example write-up! And Laurence, thank you for the write-up of an example of a COSE signed EAT including an unsigned payload CoSWID tag.
> 
> This is a write-up of option 3.) in issue #46.
> 
> Option 4.) would wrap the CoSWID map in a COSE before putting it into an EAT using another key (let's say 22 instead of 21 - that's just an example). A reason could be that an external entity, such as the SWID role software-creator [1], created the tag and signed it. Other keys would follow for XML encoding, type of resource collection, as outlined in #46.

Having the option for both would meet the requirements for a signed or unsigned SWID/CoSWID previously discussed.

Best regards,
Kathleen 

> 
> Best regards,
> 
> Henk
> 
> [1] https://tools.ietf.org/html/draft-ietf-sacm-coswid-13#section-4.2
> 
>> On 27.11.19 01:48, Laurence Lundblade wrote:
>> Looks good, Thomas
>> Here’s a signed EAT with the CoSWID as a claim with label 21.
>> In EATs with submods, there would likely be a CoSWID per submod (not shown below).
>> LL
>> 18(
>>     [
>>         / protected parameters, bstr wrapped / << {
>>             / alg / 1: -7 / ECDSA 256 /
>>         } >>,
>>         / unprotected parameters / {
>>             / kid / 4: h'4173796d6d657472696345434453413
>>                           23536' / 'AsymmetricECDSA256' /
>>         },
>>         / COSE payload, the EAT, bstr wrapped / << {
>>             / nonce /
>>             7: h'948f8860d13a463e8e',
>>             / UEID /
>>             8: h'0198f50a4ff6c05861c8860d13a638ea4fe2f',
>>             / boot_state (based on the -01 draft): array of five booleans /
>>             12: [true, true, true, true, false],
>>             / time stamp /
>>             6: 1526542894,
>>             / The CoSWID /
>>             21: {
>>                 / tag-id, globally unique identifier for the software component /
>>                 0: "trustedfirmware.org/TF-M",
>>                 / tag-version (here: 0, i.e. initial tag) /
>>                 12: 0,
>>                 / software component name /
>>                 1: "TF-M",
>>                 / version of the software component /
>>                 13: "1.0.0-rc1+build.123",
>>                 / (optional) version scheme (here: semver) /
>>                 14: 16384,
>>                 / entity, i.e. organizations responsible for producing or
>>                   releasing the software component /
>>                 2: {
>>                     / entity name /
>>                     31: "Linaro Limited",
>>                     / entity role (here: software creator) /
>>                     33: 2,
>>                     / thumbprint of the entity public key (algo -- here: SHA-256 -- and value) /
>>                     34: [
>>                         1,
>>                         h'5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b'
>>                     ]
>>                 },
>>                 / payload /
>>                 6: {
>>                     / filesystem item (name and hash) /
>>                     17: {
>>                         24: "tfm.bin",
>>                         7: [
>>                             1,
>>                             h'4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d'
>>                         ]
>>                     }
>>                 }
>>             }
>>         } >>,
>>         / signature / h'5427c1ff28d23fbad1f29c4c7c6a555e601d6fa29f
>>                        9179bc3d7438bacaca5acd08c8d4d4f96131680c42
>>                        9a01f85951ecee743a52b9b63632c57209120e1c9e
>>                        30'
>>     ]
>> )
>>> On Nov 26, 2019, at 3:51 PM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
>>> 
>>> Hi Hannes,
>>> 
>>> On 22/11/2019, 00:08, Hannes.Tschofenig@arm.com wrote:
>>>> Hi all
>>>> 
>>>> Can someone send an example around how this would actually look like?
>>> 
>>> For something such as TF-M, it should look like this:
>>> 
>>> {
>>>  / tag-id, globally unique identifier for the software component /
>>>  0: "trustedfirmware.org/TF-M",
>>> 
>>>  / tag-version (here: 0, i.e. initial tag) /
>>>  12: 0,
>>> 
>>>  / software component name /
>>>  1: "TF-M",
>>> 
>>>  / version of the software component /
>>>  13: "1.0.0-rc1+build.123",
>>> 
>>>  / (optional) version scheme (here: semver) /
>>>  14: 16384,
>>> 
>>>  / entity, i.e. organizations responsible for producing or releasing
>>>    the software component /
>>>  2: {
>>>    / entity name /
>>>    31: "Linaro Limited",
>>> 
>>>    / entity role (here: software creator) /
>>>    33: 2,
>>> 
>>>    / thumbprint of the entity public key (algo -- here; SHA-256 -- and value) /
>>>    34: [
>>>      1,
>>>      h'5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b'
>>>    ]
>>>  },
>>> 
>>>  / payload /
>>>  6: {
>>>    / filesystem item (name and hash) /
>>>    17: {
>>>      24: "tfm.bin",
>>>      7: [
>>>        1,
>>>        h'4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d'
>>>      ]
>>>    }
>>>  }
>>> }
>>> 
>>> At least this would be my interpretation of the CoSWID draft.  I'm a bit
>>> unsure whether a "filesystem" item is the most appropriate payload for a
>>> firmware thingy.  Surely Henk can suggest something better.
>>> 
>>> Cheers!
>>> 
>>> 
>>> _______________________________________________
>>> RATS mailing list
>>> RATS@ietf.org <mailto:RATS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/rats
>>> 
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
> 
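As an added example (not code from the thread or from any draft it cites), the following Python builds the two layouts Henk contrasts: option 3, the bare CoSWID map as EAT claim 21 inside one COSE_Sign1, and option 4, the CoSWID COSE-signed by its creator first and carried as claim 22. The CBOR encoder is a hand-written subset so it runs offline; the signer is a constructed stand-in rather than ECDSA, and claim label 22 is Henk's illustrative number, not a registered one.

```python
import hashlib
class Tag:  # a CBOR tag (e.g. 18 = COSE_Sign1) wrapping a value
    def __init__(self, number, value):
        self.number, self.value = number, value

def _head(major, n):
    # Initial byte(s): major type in the top 3 bits, argument in the rest (RFC 7049 section 2).
    if n < 24:
        return bytes([major << 5 | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))   # StopIteration if n >= 2**64
    return bytes([major << 5 | {1: 24, 2: 25, 4: 26, 8: 27}[size]]) + n.to_bytes(size, "big")
def encode(v):
    """Encode the CBOR subset CoSWID/EAT/COSE need: int, bstr, tstr, bool, array, map, tag."""
    if v is True:  return b"\xf5"
    if v is False: return b"\xf4"
    if isinstance(v, int):   return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str):   return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):  return _head(4, len(v)) + b"".join(map(encode, v))
    if isinstance(v, dict):  return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    if isinstance(v, Tag):   return _head(6, v.number) + encode(v.value)
    raise TypeError(f"unsupported type {type(v).__name__}")

# The TF-M CoSWID from the thread, with the integer keys of draft-ietf-sacm-coswid-13.
COSWID = {
    0: "trustedfirmware.org/TF-M", 12: 0, 1: "TF-M", 13: "1.0.0-rc1+build.123", 14: 16384,
    2: {31: "Linaro Limited", 33: 2,
        34: [1, bytes.fromhex("5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b")]},
    6: {17: {24: "tfm.bin",
             7: [1, bytes.fromhex("4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d")]}},
}
NONCE, TIMESTAMP = bytes.fromhex("948f8860d13a463e8e"), 1526542894   # EAT claims 7 and 6 from the thread
def cose_sign1(payload, sign):
    """COSE_Sign1 (tag 18) over CBOR-encoded `payload`; `sign` is handed the Sig_structure bytes."""
    protected = encode({1: -7})                                  # alg = ES256
    tbs = encode(["Signature1", protected, b"", payload])       # RFC 8152 section 4.4
    return Tag(18, [protected, {4: b"AsymmetricECDSA256"}, payload, sign(tbs)])

def eat_option3(coswid, sign):
    """Option 3: the bare CoSWID map is EAT claim 21; only the EAT signature covers it."""
    return cose_sign1(encode({7: NONCE, 6: TIMESTAMP, 21: coswid}), sign)

def eat_option4(coswid, sign_coswid, sign_eat):
    """Option 4: the tag creator COSE-signs the CoSWID first; the signed tag is EAT claim 22 (Henk's example label)."""
    signed_coswid = cose_sign1(encode(coswid), sign_coswid)
    return cose_sign1(encode({7: NONCE, 6: TIMESTAMP, 22: signed_coswid}), sign_eat)

# Constructed stand-in signer so the example runs offline; a real signer returns ECDSA P-256 over `tbs`.
fake_sign = lambda tbs: b"FAKESIG" + hashlib.sha256(tbs).digest()
```

With option 4 a verifier can check the creator's signature on the CoSWID independently of the attester's EAT signature, which is the property Kathleen's reply refers to when asking for both signed and unsigned forms.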