Re: [sacm] [Rats] CoSWID and EAT and CWT

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 27 November 2019 13:25 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A13E1208BB; Wed, 27 Nov 2019 05:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZM9LPRtaCgx; Wed, 27 Nov 2019 05:24:59 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33A4C12004E; Wed, 27 Nov 2019 05:24:58 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xARDOr9F007810 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 27 Nov 2019 14:24:54 +0100
Received: from [192.168.178.8] (134.102.43.219) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 27 Nov 2019 14:24:48 +0100
To: Thomas Fossati <Thomas.Fossati@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Laurence Lundblade <lgl@island-resort.com>, "sacm@ietf.org" <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de>
Date: Wed, 27 Nov 2019 14:24:47 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.219]
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/eNLMGBUQGEvzValOrFsWnLEAbqU>
Subject: Re: [sacm] [Rats] CoSWID and EAT and CWT
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 13:25:01 -0000

Hello Thomas,

yes there are ways to deal with firmware in SWID, namely the resource 
type (index 19) in the set of SWID resource-collection [1] in 
combination with the rel type (index 40) entries.

This way, you would not have to use filesystem-items, but this way is 
also a bit clunky and would require an informational guidance document 
describing how to use *SWID for that. There are some quite smart ways to 
do that actually with filesystem-items, but I think it is more feasible 
to use a SUIT manifest here to describe everything relevant to the 
"firmware thingy" and then put a CoSWID into the SUIT manifest's outer 
wrapper [2] that then represents the rest of the semantics that is not 
covered by the manifest but by CoSWID. This method is fine, as the COSE 
envelope around the EAT will make tempering with the outer wrapper of 
the SUIT Manifest evident.

I think that is a more elegant way to do it, actually, and the reason 
why issue #46 in the EAT repo proposes to define a Claim to include a 
SUIT Manifest in an EAT, too.

Viele Grüße,

Henk

[1] https://tools.ietf.org/html/draft-ietf-sacm-coswid-13#section-2.9.2
[2] https://tools.ietf.org/html/draft-ietf-suit-manifest-02#section-7.2

On 27.11.19 00:51, Thomas Fossati wrote:
> At least this would be my interpretation of the CoSWID draft.  I'm a bit
> unsure whether a "filesystem" item is the most appropriate payload for a
> firmware thingy.  Surely Henk can suggest something better.