IETF Logo Mail Archive

Re: [Rats] [sacm] CoSWID and EAT and CWT

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 27 November 2019 17:50 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2612E1209AC; Wed, 27 Nov 2019 09:50:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8inI7EaP1iYu; Wed, 27 Nov 2019 09:50:52 -0800 (PST)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22560120900; Wed, 27 Nov 2019 09:50:52 -0800 (PST)
Received: by mail-oi1-x22d.google.com with SMTP id l136so5254973oig.1; Wed, 27 Nov 2019 09:50:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Tc4zO9sAI3bZiygULMkuiY+Es0RKl28yjYRyzLYqoGo=; b=LsJg8zVPv/w6tugFOJYXoYZSAd4VWGQUTAc64tbZ6aoH41lH3d0q+li9cGNPc4r/Sc 55Cmo9qYgeoIiTfcHiHdJ/YYaj0Ka3aefiQKmwLQcfnSJPZS1EFqfqlPUAsntEDSim5W ep0rK1SPVfpJi3R9WWiUgoABbVnT3BBOEYj/aH4bd2ao6ym2jy/Exh9KOJeuyoUXVTJM HvCrFC42F26RRMCu3ggwGvkOiCbmnkW1bFRm4tMQC1Mccik6+tq90GjJ85uDatpoXPRs FfgIix2NGh0wWghi8E22kGMniAnDL3mCkKd1L+U1BoxRxrRWd1+TrwH6Gv77DThh0Eeg RGFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Tc4zO9sAI3bZiygULMkuiY+Es0RKl28yjYRyzLYqoGo=; b=cDIQlBxDKUuNIly9Qsyvsh5QCCS/9Axsiztqwhv9loMRkqdzB7+1KlC+3p444IOfI2 yf+8i5UjAoJPzzkNgVc6mqBcYsfPGGycjfgALkIpcu4xCGYWUIi0yFq2OvrkkB2ky5O2 D9UL2hbpsmRfL8ZhmFo7aCZoMdM6dVPQ82kCoW7wvtf83iO/ENnHa0DnesludM3KepJB 5I78+cz/vGC0bQJrPR3J2BWYNwO2vHXQDUJ4GYa7XWzI+wGHp58CCzhSn2Ci02OAF8FE +Lk9/cOBdBMl5Dk2Bhub8GFUo/Ic9cpw8YrymhVgIYFZbpKa7kMQSkNczewAjkDvgA9A PheQ==
X-Gm-Message-State: APjAAAUPH2wiMvRg01ByXTdIc2Xn3NaU19VpOj0UqPqERoHXnNG6n37g FFTrbxFquu/seu64aFUULBmYaHFVcjwqiyaey50jC82V
X-Google-Smtp-Source: APXvYqz+CdMUj6uz/IWS3WAFUtfLP3n9A8mAwP8CnD+oqwUk+HaHjyMSQBxbrBnJUzmFMIOAwU4raIJsg3p7uJt+13g=
X-Received: by 2002:a05:6808:498:: with SMTP id z24mr5338124oid.114.1574877051470; Wed, 27 Nov 2019 09:50:51 -0800 (PST)
MIME-Version: 1.0
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com> <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de> <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com> <BB362412-1C0B-4BF6-99FF-6BE210C939B5@arm.com>
In-Reply-To: <BB362412-1C0B-4BF6-99FF-6BE210C939B5@arm.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 27 Nov 2019 12:50:15 -0500
Message-ID: <CAHbuEH7j7_tUbai4c0j9YqxfO30_xr=m_fYb5AxLa2TjzY_iwQ@mail.gmail.com>
To: Adrian Shaw <Adrian.Shaw@arm.com>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>, "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Laurence Lundblade <lgl@island-resort.com>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000037c82b059857a3fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ujbGEJfPClpVrrQbblNR7Nlr0P8>
Subject: Re: [Rats] [sacm] CoSWID and EAT and CWT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 17:50:54 -0000

On Wed, Nov 27, 2019 at 12:13 PM Adrian Shaw <Adrian.Shaw@arm.com> wrote:

> While there is some synergy with the SUIT definition, I’m unconvinced that
> it should be the way to express a software component metadata. Firstly,
> there are legacy systems without SUIT that would want to use EAT, and such
> a dependency would make it hard for incremental adoption. Secondly, not all
> the data from the SUIT manifest is needed for this claim.
>

Agreed, there are other standards for software update that have been
adopted and use alternate formats for manifests.  I like the idea of
SWID/CoSWID as well.

Best regards,
Kathleen

>
> Adrian
>
> > On 27 Nov 2019, at 16:59, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
> >
> > Hi Henk
> >
> > Thanks very much for your input.
> >
> > On 27/11/2019, 13:24, "Henk Birkholz" <henk.birkholz@sit.fraunhofer.de>
> wrote:
> >> yes there are ways to deal with firmware in SWID, namely the resource
> >> type (index 19) in the set of SWID resource-collection [1] in
> >> combination with the rel type (index 40) entries.
> >>
> >> This way, you would not have to use filesystem-items, but this way is
> >> also a bit clunky and would require an informational guidance document
> >> describing how to use *SWID for that.
> >
> > That's interesting because initially I also tried to use the resource
> > type -- which looked like the less wrong among all the available types
> > in the resource collection.  However it wasn't clear to me how to
> > associate a checksum to the component, hence I went for the
> > filesystem-item.  Maybe I was just looking in the wrong place or maybe,
> > as you say, there's a magic firmware recipe that's worth documenting
> > here.
> >
> >> There are some quite smart ways to do that actually with
> >> filesystem-items, but I think it is more feasible to use a SUIT
> >> manifest here to describe everything relevant to the "firmware thingy"
> >> and then put a CoSWID into the SUIT manifest's outer wrapper [2] that
> >> then represents the rest of the semantics that is not covered by the
> >> manifest but by CoSWID. This method is fine, as the COSE envelope
> >> around the EAT will make tempering with the outer wrapper of the SUIT
> >> Manifest evident.
> >>
> >> I think that is a more elegant way to do it, actually, and the reason
> >> why issue #46 in the EAT repo proposes to define a Claim to include a
> >> SUIT Manifest in an EAT, too.
> >
> > I'll look into this, thanks for the pointer.
> >
> > Stepping back for a second and looking from the perspective of my
> > immediate requirement (i.e., "Is it possible to translate PSA's software
> > component claim using purely EAT constructs?"), ideally I'd like to have
> > something that is expressive enough to encode my semantics (i.e.: SW
> > component name, version, signer and measurement) without being overly
> > complex.
> >
> > So my knee-jerk reaction is if that implies pulling a dependency on
> > SUIT maybe it's a bit too much?  But I confess haven't yet looked at
> > the details of your proposal nor I can claim enough SUIT-foo to really
> > grok the complexity involved.  As said, I'll have a look shortly.
> >
> > cheers!
> >
> > IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org
> > https://www.ietf.org/mailman/listinfo/rats
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>


-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email