Re: [sacm] [Rats] CoSWID and EAT and CWT

[Henk Birkholz <henk.birkholz@sit.fraunhofer.de>]

Hi Kathleen,
hi SACM, SUIT & RATS list,

the corresponding *SWID authors discussed this issue and are proposing:

> https://github.com/ietf-rats-wg/eat/issues/46

This includes an extended scope to include the option of SUIT Manifest 
related Claim values, next to various *SWID Claim values. We permutated 
"signed" & "not-signed" as well as "payload tags" and "evidence tags" 
for *SWID tags in this proposal. The authors are convinced that the 
"not-signed" variants are of essence (as CWT does not allow "not-signed 
CBOR items", but also do not imply any implications to the SUIT Manifest 
Claim definition (although there are strong similarities and there could 
be some).

The current *SWID contributors prefer this contribution as a parallel 
effort to the EAT I-D, SUIT Manifest I-D, the CoSWID I-D and existing 
ISO XML SWID standard. This proposal includes the primitive to not delay 
corresponding IETG I-D in their respective WGs.

Having said that, we would like to get feedback for the proposal 
references above.

If there is no dissent or push-back on either the SUIT, SACM, and RATS 
lists, our proposed way forward is a unified creation of EAT Claim Sets 
in the RATS WG that enables the use of various *SWID variants & the SUIT 
Manifest as payloads for RATS via the RATS EAT I-D.

In summary, we would like to create this interop I-D in concert and 
welcome every joint effort in this domain.

Viele Grüße,

Henk

On 21.11.19 12:37, Kathleen Moriarty wrote:
> 
> 
> Sent from my mobile device
> 
>> On Nov 20, 2019, at 11:29 PM, Waltermire, David A. (Fed) 
>> <david.waltermire@nist.gov> wrote:
>>
>> 
>> It sounds like having a CWT claim that contains an entire CoSWID is a 
>> path forward. It may also make sense to do something similar for ISO 
>> SWID tags.
>>
>> Am I right in thinking that this CWT work can be done in RATS, 
>> referencing CoSWID once it is published as a normative reference? This 
>> would allow CoSWID to go forward to the IESG, while the CoSWID CWT 
>> claim is worked in parallel in RATS.
>>
>> Kathleen, if this is true, does this way forward address your 
>> CWT-related comments?
> 
> Hi Dave,
> 
> I think the signature may have to be on the CWT as opposed to on the 
> claim that is the CoSWID or SWID.  We can define it fully in another 
> draft, but should state it here so that option is understood.  It’s a 
> simple write up, I think.
> 
> Thank you,
> Kathleen
>>
>> Regards,
>> Dave
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* sacm <sacm-bounces@ietf.org> on behalf of Kathleen Moriarty 
>> <kathleen.moriarty.ietf@gmail.com>
>> *Sent:* Wednesday, November 20, 2019 9:10 PM
>> *To:* Ira McDonald <blueroofmusic@gmail.com>
>> *Cc:* rats@ietf.org <rats@ietf.org>; sacm <sacm@ietf.org>; Laurence 
>> Lundblade <lgl@island-resort.com>
>> *Subject:* Re: [sacm] [Rats] CoSWID and EAT and CWT
>> Great, thanks Laurence.  If that's easier I think having the CoSWID in 
>> one claim should be ok and would have the same result as the 
>> suggestion I made.  Changing the CoSWID format is a big enough process 
>> that it shouldn't happen very often.
>>
>> Best regards,
>> Kathleen
>>
>> On Wed, Nov 20, 2019 at 8:00 PM Ira McDonald <blueroofmusic@gmail.com 
>> <mailto:blueroofmusic@gmail.com>> wrote:
>>
>>     Hi Laurence,
>>
>>     That seems like a good suggestion for a simple way to integrate
>>     CoSWID content
>>     into EAT.
>>
>>     Cheers,
>>     - Ira
>>
>>     Ira McDonald (Musician / Software Architect)
>>     Co-Chair - TCG Trusted Mobility Solutions WG
>>     Co-Chair - TCG Metadata Access Protocol SG
>>     Chair - Linux Foundation Open Printing WG
>>     Secretary - IEEE-ISTO Printer Working Group
>>     Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
>>     IETF Designated Expert - IPP & Printer MIB
>>     Blue Roof Music / High North Inc
>>     http://sites.google.com/site/blueroofmusic
>>     <https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsites.google.com%2Fsite%2Fblueroofmusic&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070417006&sdata=GDIVVIesvqqXnuU6TtLbK7GJ4eI1b1EcYSPoXsHlj04%3D&reserved=0>
>>     http://sites.google.com/site/highnorthinc
>>     <https://gcc01.safelinks.protection..outlook.com/?url=http%3A%2F%2Fsites.google.com%2Fsite%2Fhighnorthinc&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070417006&sdata=7z%2BoMcYSSFD8hAYHmELqNoyGAxTBE9gknbV6kAzKWX8%3D&reserved=0>
>>     mailto: blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com>
>>     PO Box 221  Grand Marais, MI 49839  906-494-2434
>>
>>
>>
>>     On Wed, Nov 20, 2019 at 7:35 PM Laurence Lundblade
>>     <lgl@island-resort.com <mailto:lgl@island-resort.com>> wrote:
>>
>>         Hi,
>>
>>         I’m not on the SACM list, but did look at the archive.
>>         Hopefully I’m not out of sync.
>>
>>         My thought is to register one claim for CWT that is an entire
>>         CoSWID (in CDDL the concise-swid-tag).
>>
>>         That way CoSWID can grow and develop on its own without lots
>>         of adds and subtracts to the CWT registry. It has its own IANA
>>         registry with its own experts and such. Seems like the
>>         coupling / factoring is about right.
>>
>>         This would also be the way I’d like to have it in EAT
>>         attestation. We’ve done a mini version of this with the
>>         location claim
>>         <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-rats-eat-01%23section-3.8&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070426961&sdata=%2Fhi008Am2dlY6tBQHdPVVGZzEcWNmqd5MvgPOM14jE8%3D&reserved=0>.
>>
>>         Then if you just want to sign a CoSWID CWT style, this works
>>         pretty well too. It has a slight overhead compared to having
>>         all the CoSWID data items as direct CWT claims in that it will
>>         have an additional map layer, but that is only about three bytes.
>>
>>         LL
>>
>>         _______________________________________________
>>         RATS mailing list
>>         RATS@ietf.org <mailto:RATS@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/rats
>>         <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Frats&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070426961&sdata=fdpXMIU%2BNkMSn3RJ4X5AsSuMU7pbokHXltsX8ZYP9E0%3D&reserved=0>
>>
>>     _______________________________________________
>>     sacm mailing list
>>     sacm@ietf.org <mailto:sacm@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/sacm
>>     <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070436893&sdata=okSPAqVHj9KBxPtViQdnffsfhlMF4t0%2F87PXXY78fA0%3D&reserved=0>
>>
>>
>>
>> -- 
>>
>> Best regards,
>> Kathleen
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>