Re: [Suit] Draft-ietf-suit-manifest encryption use

Brendan Moran <Brendan.Moran@arm.com> Thu, 03 June 2021 09:29 UTC

From: Brendan Moran <Brendan.Moran@arm.com>
To: Russ Housley <housley@vigilsec.com>
CC: suit <suit@ietf.org>
Thread-Topic: [Suit] Draft-ietf-suit-manifest encryption use
Thread-Index: AQHXV5X1DruL1AE+EEKJHhYnJRVx26sBJH6AgADiMYA=
Date: Thu, 03 Jun 2021 09:29:21 +0000
Message-ID: <0165D555-B04F-485E-9C9B-2996BC9A57BC@arm.com>
References: <478F1F04-9299-4F4E-9B72-15051DBD2975@arm.com> <D04FAE7E-FEC3-48E0-9159-B57C68C8B2F7@vigilsec.com>
In-Reply-To: <D04FAE7E-FEC3-48E0-9159-B57C68C8B2F7@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/4LIHmWD-Ddyl5dQS_oH-xjsEY3o>

Hi Russ,

> I thought we talked about moving the whole COSE_Encrypt structure so that it was not covered by the signature.  That would allow a party in the distribution path to change the COSE_Recipients without damage to the signature.  Since we are using detached payload, the implementation needs to remember the resulting CEK.  Which is still needed in your proposal, I believe.

I realise that I wasn’t explicit about this.

> 2. The manifest references encryption information by URI. The typical approach is to place the encryption info in the SUIT_Envelope, then reference it by a numeric reference.

This was meant to indicate that COSE_Encrypt is placed in the SUIT_Envelope, which is not covered by signature. I’ll work up an example ASAP.

Brendan


>
>> On Jun 2, 2021, at 5:59 AM, Brendan Moran <Brendan.Moran@arm.com> wrote:
>>
>> During the virtual interim, we raised the point that the COSE_Recipients for a COSE_Encrypt should not be covered by a signature or digest. This prevents a management system from sending each recipient only the COSE_Recipient structure that pertains to it. This is not ideal for the structure of the manifest.
>>
>> I can see several ways forward:
>> 1. Key agreement is explicitly out-of-band. The manifest uses COSE_Encrypt0 exclusively. No changes are needed to the manifest. The kid header parameter is used to distinguish between keys for different payloads.
>>
>> 2. The manifest references encryption information by URI. The typical approach is to place the encryption info in the SUIT_Envelope, then reference it by a numeric reference. (e.g. 12 for key 12 in the current SUIT_Envelope). This approach permits the distributor to edit the COSE_Recipients, which allows a firmware author to include all recipients. The distributor can then remove all but the intended recipient. Federated distributors are also possible, where the COSE_Recipients is reduced at each level of distribution.
>>
>> 3. Break COSE’s existing conventions: set COSE_Recipients to nil in order to represent that COSE_Recipients is detached. This is problematic for two reasons: first, it means that we break compatibility with existing COSE libraries, since they will not expect a detached COSE_Recipients; second, it leaves no way to indicate where to find COSE_Recipients. Instead of ’nil’ we could use an int.
>>
>> I think we should probably discard Option 3. I worry that Option 2 exposes a number of options for tampering with the COSE_Encrypt. It also means that the parser has to advance past the manifest in order to locate the COSE_Encrypt blocks. The envelope should not contain an enormous number of elements, so it may be acceptable to simply hold a table in memory of the key, start, end of each element of the envelope.
>>
>> We could enable both 1 and 2 by changing the current SUIT Parameter:
>> ORIGINAL:
>>       SUIT_Encryption_Info = COSE_Encrypt_Tagged/COSE_Encrypt0_Tagged
>> PROPOSED:
>>       SUIT_Encryption_Info = int / COSE_Encrypt_Tagged/COSE_Encrypt0_Tagged
>>
>>
>> Alternatively, we could enable both 1 and 2 by adding a new parameter:
>>
>> SUIT_Parameters //= (suit-parameter-encryption-ref
>>   => int)
>>
>> Best Regards,
>> Brendan
>
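The int form of SUIT_Encryption_Info from the PROPOSED CDDL above, worked through as an added example (not code from this thread or from the SUIT project): the signed manifest stores only an int, the COSE_Encrypt lives in an unsigned envelope element, the distributor prunes COSE_Recipients without disturbing the signature, and the device resolves the reference through a (key, start, end) table of envelope elements. Envelope keys 2 and 3 are from draft-ietf-suit-manifest; the parameter label 18, the HMAC stand-in for COSE_Sign1 and every sample byte string are assumptions.

```python
# Added illustration: int-valued SUIT_Encryption_Info resolved through the SUIT_Envelope.
# Envelope keys 2/3 follow draft-ietf-suit-manifest; label 18, the HMAC stand-in for
# COSE_Sign1 and every sample byte string are assumptions made for this example.
import hashlib, hmac, struct

def _head(major, n):                       # CBOR initial byte plus argument
    if n < 24:    return bytes([major << 5 | n])
    if n < 256:   return bytes([major << 5 | 24, n])
    if n < 65536: return bytes([major << 5 | 25]) + struct.pack(">H", n)
    return bytes([major << 5 | 26]) + struct.pack(">I", n)

def cbor(v):                               # minimal encoder: uint, bstr, array, map
    if isinstance(v, int):   return _head(0, v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, list):  return _head(4, len(v)) + b"".join(map(cbor, v))
    if isinstance(v, dict):  return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))

SUIT_AUTH, SUIT_MANIFEST = 2, 3            # suit-authentication-wrapper, suit-manifest
PARAM_ENCRYPTION_INFO = 18                 # assumed label for suit-parameter-encryption-info
SIGNING_KEY = b"constructed-demo-key"      # stand-in for the author's signing key

def sign(manifest):                        # stand-in for COSE_Sign1 over the manifest bstr
    return hmac.new(SIGNING_KEY, cbor(manifest), hashlib.sha256).digest()
def encode_envelope(auth, manifest, extra):
    """Encode the envelope map, recording (key, start, end) so a parser can jump to element N."""
    out, index = bytearray(_head(5, 2 + len(extra))), []
    for k, v in {SUIT_AUTH: auth, SUIT_MANIFEST: manifest, **extra}.items():
        out += cbor(k); start = len(out); out += cbor(v); index.append((k, start, len(out)))
    return bytes(out), index

def element(envelope, index, key):         # resolve an int reference through the table
    return next((envelope[s:e] for k, s, e in index if k == key), None)
def manifest_verifies(envelope, index):    # the signature covers element 3 and nothing else
    tag = hmac.new(SIGNING_KEY, element(envelope, index, SUIT_MANIFEST), hashlib.sha256).digest()
    return hmac.compare_digest(cbor(tag), element(envelope, index, SUIT_AUTH))

def recipient(kid):                        # COSE_recipient: [protected, unprotected{kid}, encrypted CEK]
    return [b"", {4: kid}, b"wrapped-cek-for-" + kid]
def author_and_distribute():
    """Author lists every recipient; the distributor re-encodes element 12 with only B,
    leaving the signed manifest (and therefore the signature) untouched."""
    manifest = {PARAM_ENCRYPTION_INFO: 12}  # int form: "COSE_Encrypt is envelope element 12"
    full = [b"", {}, b"ciphertext", [recipient(b"A"), recipient(b"B"), recipient(b"C")]]
    auth = sign(manifest)
    env_full, idx_full = encode_envelope(auth, manifest, {12: full})
    pruned = full[:3] + [[recipient(b"B")]]
    env_b, idx_b = encode_envelope(auth, manifest, {12: pruned})
    return env_full, idx_full, env_b, idx_b
```

The offset table is what the message calls holding "the key, start, end of each element of the envelope" in memory; note that nothing here authenticates element 12, which is exactly the tampering exposure the message raises for Option 2.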
