Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assigned to Henk and Charles (#45)
David Waltermire <notifications@github.com> Mon, 18 October 2021 13:49 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/H15sTM6xQoHMld1dgzrlrVChji8>
@david-waltermire-nist commented on this pull request.
> @@ -1641,28 +1639,30 @@ A signed CoSWID tag (see {{coswid-cose}}) whose signature has been validated can
When an authoritative tag is signed, the originator of the signature can be verified. A trustworthy association between the signature and the originator of the signature can be established via trust anchors. A certification path between a trust anchor and a certificate including a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. Verifying that the software provider is the signer is a different matter. This requires an association between the signature and the tag's entity item associated corresponding to the software provider. No mechanism is defined in this draft to make this association; therefore, this association will need to be handled by local policy.
+Loss of control of signing credentials used to sign CoSWID tags would create doubt about the authenticity and integrity of any CoSWID tags signed using the compromised keys. In such cases, the legitimate tag signer (namely, the software provider for an authoritative CoSWID tag) can simply employ uncompromised signing credentials to create a new signature on the original tag. The tag version number would not be incremented since the tag itself was not modified. Consumers of CoSWID tags would need to validate the tag using the new credentials and would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them. The process for doing this is beyond the scope of this specification.
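Review bot: the last two sentences of the added paragraph assign revocation to the wrong party. Tag consumers do not revoke certificates; the issuer of the certificate (the CA under the trust anchor the earlier paragraph describes) revokes the certificates bound to the compromised key, and consumers check revocation status before accepting a signature. Suggest rewording "would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them" to something like "and would need to treat signatures made with the compromised credentials as invalid once the corresponding certificates have been revoked". It is also worth stating that, because the tag version is not incremented, the re-signed tag is distinguishable from the one signed with the compromised key only by its signature, so consumers that cache validated tags need a way to learn about the re-signing; the sentence deferring the process to local policy could mention this.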
This doesn't sound simple, so removing "simply" here would be better.
Reply to this email directly or view it on GitHub:
https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/45#discussion_r730941942