Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assigned to Henk and Charles (#45)
David Waltermire <notifications@github.com> Mon, 18 October 2021 13:49 UTC
Return-Path: <noreply@github.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id E09E53A13D2
for <sacm@ietfa.amsl.com>; Mon, 18 Oct 2021 06:49:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.552
X-Spam-Level:
X-Spam-Status: No, score=-3.552 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=github.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id b62HEg_uAYbs for <sacm@ietfa.amsl.com>;
Mon, 18 Oct 2021 06:49:06 -0700 (PDT)
Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.30.252.211])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 5808E3A13D1
for <sacm@ietf.org>; Mon, 18 Oct 2021 06:49:05 -0700 (PDT)
Received: from github-lowworker-0f78100.ash1-iad.github.net
(github-lowworker-0f78100.ash1-iad.github.net [10.56.25.48])
by smtp.github.com (Postfix) with ESMTP id 4CF21901802
for <sacm@ietf.org>; Mon, 18 Oct 2021 06:49:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1634564944;
bh=6POjznG3PxOe+KYUsWrMry2BBHzhO8h9JQIKsUH1tm8=;
h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
List-Archive:List-Post:List-Unsubscribe:From;
b=n0AiPbBvc0PomtMo0QczJ81keuA2F08xs5OjdQniQdHBQx9F3lTX2oJYb52z8eOFU
nQ50qbbsPnmIkKtHrFticzXgbuXTetGcOV6hqfLfHezgsRmZpw2BexralEZhuOyqZW
NgMj30wfpENhBA7Gy9Dcb2cP65j8Qkz49PNnT/RM=
Date: Mon, 18 Oct 2021 06:49:04 -0700
From: David Waltermire <notifications@github.com>
Reply-To: sacmwg/draft-ietf-sacm-coswid
<reply+ACTMJUP6KPKX5Y4MQJFAZHV7PFOFBEVBNHHD2PDRD4@reply.github.com>
To: sacmwg/draft-ietf-sacm-coswid <draft-ietf-sacm-coswid@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <sacmwg/draft-ietf-sacm-coswid/pull/45/review/782082370@github.com>
In-Reply-To: <sacmwg/draft-ietf-sacm-coswid/pull/45@github.com>
References: <sacmwg/draft-ietf-sacm-coswid/pull/45@github.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_616d7b503f66d_49e1c7102208b";
charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: david-waltermire-nist
X-GitHub-Recipient: sacm
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: sacm@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/GHwkbnnE4856AP-Kfw28Z-ppzoE>
Subject: Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assigned to Henk
and Charles (#45)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>,
<mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>,
<mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 13:49:11 -0000
@david-waltermire-nist commented on this pull request.
> @@ -1641,28 +1639,30 @@ A signed CoSWID tag (see {{coswid-cose}}) whose signature has been validated can
When an authoritative tag is signed, the originator of the signature can be verified. A trustworthy association between the signature and the originator of the signature can be established via trust anchors. A certification path between a trust anchor and a certificate including a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. Verifying that the software provider is the signer is a different matter. This requires an association between the signature and the tag's entity item associated corresponding to the software provider. No mechanism is defined in this draft to make this association; therefore, this association will need to be handled by local policy.
+Loss of control of signing credentials used to sign CoSWID tags would create doubt about the authenticity and integrity of any CoSWID tags signed using the compromised keys. In such cases, the legitimate tag signer (namely, the software provider for an authoritative CoSWID tag) can simply employ uncompromised signing credentials to create a new signature on the original tag. The tag version number would not be incremented since the tag itself was not modified. Consumers of CoSWID tags would need to validate the tag using the new credentials and would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them. The process for doing this is beyond the scope of this specification.
```suggestion
Loss of control of signing credentials used to sign CoSWID tags would create doubt about the authenticity and integrity of any CoSWID tags signed using the compromised keys. In such cases, the legitimate tag signer (namely, the software provider for an authoritative CoSWID tag) can employ uncompromised signing credentials to create a new signature on the original tag. The tag version number would not be incremented since the tag itself was not modified. Consumers of CoSWID tags would need to validate the tag using the new credentials and would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them. The process for doing this is beyond the scope of this specification.
```
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/45#pullrequestreview-782082370
- [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assi… Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz