Re: [sacm] [Rats] CoSWID and EAT and CWT

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 27 November 2019 13:08 UTC

To: Laurence Lundblade <lgl@island-resort.com>, Thomas Fossati <Thomas.Fossati@arm.com>
CC: "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "sacm@ietf.org" <sacm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/uNvjO30P4VuNXWL3zYj66IV-OoY>

Hi Laurence, hi Thomas,
hi list,

Thomas, thank you for the nice example write-up! And Laurence, thank you
for the write-up of an example of a COSE signed EAT including an
unsigned payload CoSWID tag.

This is a write-up on option 3.) in issue #46.

Option 4.) would wrap the CoSWID map in a COSE before putting it into an 
EAT using another key (let's say 22 instead of 21 - that's just an 
example). A reason could be that an external entity, such as the SWID
role software-creator [1], created the tag and signed it. Other keys 
would follow for XML encoding, type of resource collection, as outlined 
in #46.

Best regards,

Henk

[1] https://tools.ietf.org/html/draft-ietf-sacm-coswid-13#section-4.2

On 27.11.19 01:48, Laurence Lundblade wrote:
> Looks good, Thomas
> 
> Here’s a signed EAT with the CoSWID as a claim with label 21.
> 
> In EATs with submods, there would likely be a CoSWID per submod (not 
> shown below).
> 
> LL
> 
> 
> 18(
>     [
>         / protected parameters, bstr wrapped / << {
>             / alg / 1: -7 / ECDSA 256 /
>         } >>,
>
>         / unprotected parameters / {
>             / kid / 4: h'4173796d6d65747269634543445341323536'
>                        / 'AsymmetricECDSA256' /
>         },
>
>         / COSE payload, the EAT, bstr wrapped / << {
>             / nonce /
>             7: h'948f8860d13a463e8e',
>
>             / UEID /
>             8: h'0198f50a4ff6c05861c8860d13a638ea4fe2f',
>
>             / boot_state (based on the -01 draft) /
>             12: {true, true, true, true, false},
>
>             / time stamp /
>             6: 1526542894,
>
>             / The CoSWID /
>             21: {
>                 / tag-id, globally unique identifier for the software component /
>                 0: "trustedfirmware.org/TF-M",
>
>                 / tag-version (here: 0, i.e. initial tag) /
>                 12: 0,
>
>                 / software component name /
>                 1: "TF-M",
>
>                 / version of the software component /
>                 13: "1.0.0-rc1+build.123",
>
>                 / (optional) version scheme (here: semver) /
>                 14: 16384,
>
>                 / entity, i.e. organizations responsible for producing or
>                   releasing the software component /
>                 2: {
>                     / entity name /
>                     31: "Linaro Limited",
>
>                     / entity role (here: software creator) /
>                     33: 2,
>
>                     / thumbprint of the entity public key (algo -- here;
>                       SHA-256 -- and value) /
>                     34: [
>                         1,
>                         h'5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b'
>                     ]
>                 },
>
>                 / payload /
>                 6: {
>                     / filesystem item (name and hash) /
>                     17: {
>                         24: "tfm.bin",
>                         7: [
>                             1,
>                             h'4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d'
>                         ]
>                     }
>                 }
>             }
>         } >>,
>
>         / signature / h'5427c1ff28d23fbad1f29c4c7c6a555e601d6fa29f
>                         9179bc3d7438bacaca5acd08c8d4d4f96131680c42
>                         9a01f85951ecee743a52b9b63632c57209120e1c9e
>                         30'
>     ]
> )
>
>> On Nov 26, 2019, at 3:51 PM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
>>
>> Hi Hannes,
>>
>> On 22/11/2019, 00:08, Hannes.Tschofenig@arm.com wrote:
>>> Hi all
>>>
>>> Can someone send an example around how this would actually look like?
>>
>> For something such as TF-M, it should look like this:
>>
>> {
>>  / tag-id, globally unique identifier for the software component /
>>  0: "trustedfirmware.org/TF-M",
>>
>>  / tag-version (here: 0, i.e. initial tag) /
>>  12: 0,
>>
>>  / software component name /
>>  1: "TF-M",
>>
>>  / version of the software component /
>>  13: "1.0.0-rc1+build.123",
>>
>>  / (optional) version scheme (here: semver) /
>>  14: 16384,
>>
>>  / entity, i.e. organizations responsible for producing or releasing
>>    the software component /
>>  2: {
>>    / entity name /
>>    31: "Linaro Limited",
>>
>>    / entity role (here: software creator) /
>>    33: 2,
>>
>>    / thumbprint of the entity public key (algo -- here; SHA-256 -- and value) /
>>    34: [
>>      1,
>>      h'5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b'
>>    ]
>>  },
>>
>>  / payload /
>>  6: {
>>    / filesystem item (name and hash) /
>>    17: {
>>      24: "tfm.bin",
>>      7: [
>>        1,
>>        h'4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d'
>>      ]
>>    }
>>  }
>> }
>>
>> At least this would be my interpretation of the CoSWID draft.  I'm a bit
>> unsure whether a "filesystem" item is the most appropriate payload for a
>> firmware thingy.  Surely Henk can suggest something better.
>>
>> Cheers!
>
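
The difference between option 3 and option 4 as a verifier would see it, as an added example that is not part of the original messages: a minimal CBOR decoder pulls the CoSWID out of the EAT payload and, for the wrapped form, rebuilds the COSE_Sign1 to-be-signed bytes that a second key would have to verify. Label 22 and the tag 18 wrapper follow the "let's say" in the message above and are assumptions, the reduced CoSWID and the all-zero signature are constructed sample values, and the ECDSA check itself is left out.

```python
from collections import namedtuple
Tag = namedtuple("Tag", "num val")

def dec(b, i=0):
    """Decode one definite-length CBOR item at b[i:]; return (value, next index)."""
    major, ai, i = b[i] >> 5, b[i] & 31, i + 1
    if major == 7 and ai in (20, 21):            # simple values false / true
        return ai == 21, i
    if major == 7 or ai > 27:
        raise ValueError("unsupported CBOR item")
    size = 0 if ai < 24 else 1 << (ai - 24)      # length of the argument that follows
    n, i = (int.from_bytes(b[i:i + size], "big") if size else ai), i + size
    if major < 2:                                # unsigned / negative integer
        return (n if major == 0 else -1 - n), i
    if major < 4:                                # byte string / text string
        if i + n > len(b):
            raise ValueError("truncated string")
        return (b[i:i + n] if major == 2 else b[i:i + n].decode()), i + n
    if major == 6:                               # tag wraps exactly one item
        val, i = dec(b, i)
        return Tag(n, val), i
    items = []
    for _ in range(n * (major - 3)):             # array: n items, map: 2n items
        val, i = dec(b, i)
        items.append(val)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i

def bstr(data):
    """CBOR byte string encoding of data (lengths below 256, enough for this sample)."""
    return (bytes([0x40 | len(data)]) if len(data) < 24 else bytes([0x58, len(data)])) + data

def coswid_claim(eat_payload):
    """Return (coswid_map, creator_tbs); creator_tbs is None for the unsigned form."""
    claims, _ = dec(eat_payload)
    if 21 in claims:                             # option 3: bare CoSWID map
        return claims[21], None
    wrapped = claims.get(22)                     # option 4; label 22 is an assumption
    if not (isinstance(wrapped, Tag) and wrapped.num == 18 and len(wrapped.val) == 4):
        raise ValueError("claim 22 is not a tagged COSE_Sign1")
    protected, _, payload, _ = wrapped.val       # tbs is the RFC 8152 Sig_structure
    tbs = b"\x84\x6aSignature1" + bstr(protected) + bstr(b"") + bstr(payload)
    return dec(payload)[0], tbs

COSWID = b"\xa2\x00\x78\x18trustedfirmware.org/TF-M\x01\x64TF-M"  # constructed sample
def sample_eat(option, nonce=bytes.fromhex("948f8860d13a463e8e")):
    if option == 3:
        return b"\xa2\x07" + bstr(nonce) + b"\x15" + COSWID
    cose = b"\xd2\x84" + bstr(b"\xa1\x01\x26") + b"\xa0" + bstr(COSWID) + bstr(bytes(64))
    return b"\xa2\x07" + bstr(nonce) + b"\x16" + cose
```

The to-be-signed bytes for the wrapped tag do not depend on the EAT nonce, so the tag signer's signature says nothing about freshness; that still comes only from the attester's signature over the whole EAT.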