IETF Logo Mail Archive

Re: [Rats] [sacm] CoSWID and EAT and CWT

Adrian Shaw <Adrian.Shaw@arm.com> Wed, 27 November 2019 17:13 UTC

Return-Path: <Adrian.Shaw@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B68120A4F; Wed, 27 Nov 2019 09:13:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=7gqSv9fv; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=RXk3wlyp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvlZ2FK4xo8W; Wed, 27 Nov 2019 09:13:34 -0800 (PST)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-am5eur03on0631.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe08::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CFE2120809; Wed, 27 Nov 2019 09:13:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aqA2/yE21Bf5R6KR/eu64RAlXnakBgeiZCe+DBq1V70=; b=7gqSv9fvSqS34DwqlyI/52oMvQi2QIpiwwB+0rEWrk9GaDEoGbxUqi9/7UAqeSik4OS1zpqCghus6Ewxu+LZykZXSsOjorsmTJHef+34k2f3p5DC+IFAez+8QaCy72IKdrK3n5XlX1DWuRYsUvDeXU5tK7yhEqct7cfCN5phaow=
Received: from VI1PR0801CA0088.eurprd08.prod.outlook.com (2603:10a6:800:7d::32) by VI1PR08MB5488.eurprd08.prod.outlook.com (2603:10a6:803:137::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17; Wed, 27 Nov 2019 17:13:31 +0000
Received: from AM5EUR03FT024.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e08::200) by VI1PR0801CA0088.outlook.office365.com (2603:10a6:800:7d::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18 via Frontend Transport; Wed, 27 Nov 2019 17:13:31 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT024.mail.protection.outlook.com (10.152.16.175) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17 via Frontend Transport; Wed, 27 Nov 2019 17:13:31 +0000
Received: ("Tessian outbound d825562be5de:v37"); Wed, 27 Nov 2019 17:13:30 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 6ac5ad6db8a95147
X-CR-MTA-TID: 64aa7808
Received: from e2e40245f3ba.2 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 3A60E691-8587-440C-829A-ACDE8011CF5C.1; Wed, 27 Nov 2019 17:13:24 +0000
Received: from FRA01-MR2-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e2e40245f3ba.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 27 Nov 2019 17:13:24 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=V71AnhHp2mpndwY+Mx3h5H+hh82NVVmsWSSZzsJmIxT6N40944j4HmNZopnNxfu8eHdfJaTRrgkfUT0FYevtYtf2hyVEgAvsP2FsggNTYAsuDCnNqvpjdiNwQjJntr1Z0GVdD68IW8e6zdrxFaAXVKSBKCTL8aGte+SBpwQLfWiRc3DlDCaPvbA243qLzlncL+tdLyaylLNecnTw+OjJI8k9hiw4fGpgDuTxsiQSKzlx2MVTfljrm1ZOeKl6AxGkLIzMREpKhxktFcAux9kkOL8uOM4r5j5uPlEQhwwHryT5xxtMG5uK6HJirRGL/eL4oEvbTrl/U+f4xCG3If8grQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yQ3hZ/3CL24NTxWSjbjt8hg+f5aWsJkxTW6GkR5ICJA=; b=TLUm8T7kX2iC2RiYywZhkoVID3D7I0q6g1is9plaKJDdeM62/UwVGNCET+FIPH+FgiopADlfsS7wRhxd6nBZPsKSgiH04IA4/0VRuKPZv92c/jLWBnCm2lu4VCsAb8Egj1n1sFev95Y7dhMFL+bAW1hAx6o8detsmv2wrhKhXIomivDfApG6SpoxiIdb/W/BLV2doXbSHtZMgAWo94vrflPDQKvXmU2/E5q/wLeIoEupZOfx0SY2XW8rWywZxmTMr1Ts7Q4/k6nyumNhcJPlmWR5xbPPmgWLqfDxLMPsVAoYSt55oJz95Q+3hn7TRcOy5Pb9VM5U5auzSitiC/D/Kw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yQ3hZ/3CL24NTxWSjbjt8hg+f5aWsJkxTW6GkR5ICJA=; b=RXk3wlypip92XnLrXOoKtMZ+3OUdr35Tt4mCvgvF7Ubi5uHcMy+2pQyk90u1ML/XlPpETH/Pq70j8gcPnexNoYFY/Z5jh4M+K/CcooNtALhrVq80Rc0iZgPWEP1bqipxrGvS27w971jp12w9BIyfltBG06I0hTr8D0F1wnjTuE8=
Received: from PR2PR08MB4811.eurprd08.prod.outlook.com (52.133.109.146) by PR2PR08MB4860.eurprd08.prod.outlook.com (52.133.109.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17; Wed, 27 Nov 2019 17:13:23 +0000
Received: from PR2PR08MB4811.eurprd08.prod.outlook.com ([fe80::f0c1:35ae:f450:eaac]) by PR2PR08MB4811.eurprd08.prod.outlook.com ([fe80::f0c1:35ae:f450:eaac%6]) with mapi id 15.20.2495.014; Wed, 27 Nov 2019 17:13:22 +0000
From: Adrian Shaw <Adrian.Shaw@arm.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>
CC: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Laurence Lundblade <lgl@island-resort.com>, "sacm@ietf.org" <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] [sacm] CoSWID and EAT and CWT
Thread-Index: AQHVpSYV+X7HT1pqSkuRj6hkFbWi5qefPcIAgAAD4wA=
Date: Wed, 27 Nov 2019 17:13:22 +0000
Message-ID: <BB362412-1C0B-4BF6-99FF-6BE210C939B5@arm.com>
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com> <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de> <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
In-Reply-To: <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Adrian.Shaw@arm.com;
x-originating-ip: [217.140.106.53]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 43c02920-e748-41c0-ed36-08d7735d208e
X-MS-TrafficTypeDiagnostic: PR2PR08MB4860:|PR2PR08MB4860:|VI1PR08MB5488:
X-MS-Exchange-PUrlCount: 1
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <VI1PR08MB5488013DC393FA8E7CD65F23F9440@VI1PR08MB5488.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:2201;OLM:2201;
x-forefront-prvs: 023495660C
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(376002)(366004)(136003)(346002)(39860400002)(396003)(40434004)(199004)(189003)(51444003)(51914003)(229853002)(76176011)(66476007)(66556008)(25786009)(478600001)(5660300002)(71190400001)(71200400001)(305945005)(966005)(36756003)(14454004)(2906002)(316002)(6862004)(7736002)(8676002)(256004)(86362001)(14444005)(6306002)(81166006)(81156014)(6246003)(3846002)(4326008)(99286004)(54906003)(37006003)(91956017)(26005)(6486002)(6436002)(186003)(561944003)(102836004)(76116006)(11346002)(2616005)(446003)(6506007)(66066001)(6636002)(53546011)(8936002)(64756008)(66446008)(5024004)(33656002)(66946007)(6116002)(6512007); DIR:OUT; SFP:1101; SCL:1; SRVR:PR2PR08MB4860; H:PR2PR08MB4811.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 4mmGI01thhOOH6vAcX0xwpl2Cmq76iYi6a3guHOQWPGeCswCN3lXZCBedWtUU2l8GHOQGXv6wsEnLBdS0DBeLZymkpCH4PwCcJH8QtYVvWAEgfVFUmv8BSy3R4MzQuoJdA5M3dJS2UGMqefdoAUULsiR4z9qlPyaJYrc5spLYk1zB9txAiWsK1c6kTTKAP6lsGuwK1KRNY0ZddnY/CLP6Ao4oCBDu4ftvVliK8Hv7YPDPV39aOUY2Kb1ToxNR6rwk2u9S2ypFtNoPz7A5PqDUjUb6mKM0On8QLnvrZ27qEvQnPArZASeWnkJNKYySRPHoR42Y7b9GuxqbncIyJ/k99yHfqScBKgAxMEdqdn2Cwy3aCfHktkjh29sYozV/2X1hqvYJ+kWo5LRdcAvhGLZWj0vD/Mj653lze4exkLP7lEhHIVd3sr+cKGtlIZSJqCKHVxZ5WjByZGX0GiVgEZmNA7UJw6wEoUIzxOdV7t4V2U=
Content-Type: text/plain; charset="utf-8"
Content-ID: <B4E96644C3A05E44A3DD9CD1395704E6@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR2PR08MB4860
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Adrian.Shaw@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT024.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(136003)(376002)(346002)(51914003)(189003)(199004)(40434004)(51444003)(478600001)(6636002)(54906003)(26826003)(102836004)(76176011)(6506007)(14444005)(66066001)(446003)(25786009)(99286004)(2486003)(5660300002)(11346002)(2616005)(23676004)(336012)(966005)(14454004)(6486002)(2906002)(6306002)(436003)(6512007)(6116002)(186003)(229853002)(3846002)(53546011)(50466002)(47776003)(76130400001)(6862004)(8936002)(70206006)(33656002)(70586007)(4326008)(316002)(36756003)(450100002)(26005)(86362001)(22756006)(8676002)(36906005)(356004)(5024004)(305945005)(7736002)(106002)(6246003)(37006003)(81156014)(81166006)(561944003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB5488; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; MX:1; A:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: d15a3089-363b-4736-2b15-08d7735d1b96
X-Forefront-PRVS: 023495660C
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: OvBFxmm4SYhEE6SutMWeC+0Oy3ZbSXcPhdfa+PiZC4UbM8Mupc0O3G41PR06e8cXpo6ssYjsCAdFLa7vlWgUygpXfDUX3surjUgCUD25NFRUyGeYhk/DwP6j8by89EbLZn3lO08GiNH/YRuJDcrO3+1npxOwvKCPhTsdgrsuaByCk2S+PIJrcXU3spo+tPIVi/PWwHkpUZiukFBlLagntpHaN8tR7lHEDlYziajxmTIYG07K5WLGirsW46SbE+0p6KYvNGGTkcRPoNhUKfxsGT1Xc0cPqRjt7zVV6ORpm2L49bzRJx+MAhXpX+F3pl1OlUBvlER8fO306AJBPSUPTg28ksKLEJBIrqvDf20ECNNUbvTzFite9nwNYzRYMUq6YSc+QlH8hacN/PF8eblQCOPDha76xtvTiU1RPOHMsakrpbtpi1KDnyGRZghYlmXBWUmeZxV9MEmKa0X7UbAHd4tqmNXLmbeXLp9CHydJI2I=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Nov 2019 17:13:31.0804 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 43c02920-e748-41c0-ed36-08d7735d208e
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB5488
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/nvcbQ_Qkntenc-0qmpviVBdjGaE>
Subject: Re: [Rats] [sacm] CoSWID and EAT and CWT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 17:13:38 -0000

While there is some synergy with the SUIT definition, I’m unconvinced that it should be the way to express a software component metadata. Firstly, there are legacy systems without SUIT that would want to use EAT, and such a dependency would make it hard for incremental adoption. Secondly, not all the data from the SUIT manifest is needed for this claim.

Adrian

> On 27 Nov 2019, at 16:59, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
>
> Hi Henk
>
> Thanks very much for your input.
>
> On 27/11/2019, 13:24, "Henk Birkholz" <henk.birkholz@sit.fraunhofer.de> wrote:
>> yes there are ways to deal with firmware in SWID, namely the resource
>> type (index 19) in the set of SWID resource-collection [1] in
>> combination with the rel type (index 40) entries.
>>
>> This way, you would not have to use filesystem-items, but this way is
>> also a bit clunky and would require an informational guidance document
>> describing how to use *SWID for that.
>
> That's interesting because initially I also tried to use the resource
> type -- which looked like the less wrong among all the available types
> in the resource collection.  However it wasn't clear to me how to
> associate a checksum to the component, hence I went for the
> filesystem-item.  Maybe I was just looking in the wrong place or maybe,
> as you say, there's a magic firmware recipe that's worth documenting
> here.
>
>> There are some quite smart ways to do that actually with
>> filesystem-items, but I think it is more feasible to use a SUIT
>> manifest here to describe everything relevant to the "firmware thingy"
>> and then put a CoSWID into the SUIT manifest's outer wrapper [2] that
>> then represents the rest of the semantics that is not covered by the
>> manifest but by CoSWID. This method is fine, as the COSE envelope
>> around the EAT will make tempering with the outer wrapper of the SUIT
>> Manifest evident.
>>
>> I think that is a more elegant way to do it, actually, and the reason
>> why issue #46 in the EAT repo proposes to define a Claim to include a
>> SUIT Manifest in an EAT, too.
>
> I'll look into this, thanks for the pointer.
>
> Stepping back for a second and looking from the perspective of my
> immediate requirement (i.e., "Is it possible to translate PSA's software
> component claim using purely EAT constructs?"), ideally I'd like to have
> something that is expressive enough to encode my semantics (i.e.: SW
> component name, version, signer and measurement) without being overly
> complex.
>
> So my knee-jerk reaction is if that implies pulling a dependency on
> SUIT maybe it's a bit too much?  But I confess haven't yet looked at
> the details of your proposal nor I can claim enough SUIT-foo to really
> grok the complexity involved.  As said, I'll have a look shortly.
>
> cheers!
>
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email