[Suit] Suit manifest with variable recipients
Brendan Moran <Brendan.Moran@arm.com> Mon, 12 July 2021 20:31 UTC
From: Brendan Moran <Brendan.Moran@arm.com>
To: suit <suit@ietf.org>
Date: Mon, 12 Jul 2021 20:30:48 +0000
Message-ID: <F51C5D05-043E-4F07-9A4C-7044646192E3@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/D7u378WmjOn-axONaauYHqjUCow>
At the virtual interim, we discussed the possibility of altering the recipients (e.g. pruning some during distribution) of a COSE_Encrypt structure in a manifest. In the current structure, a signed digest is calculated over the COSE_Encrypt, which means any change to the recipient list will cause a change in digest, meaning that the signature of the manifest will not match. The result is that COSE_Recipients MUST be held outside of the manifest's chain of trust. This complicates matters somewhat.

It would be better if most of the COSE_Encrypt was held under the trust umbrella while the COSE_Recipients were held outside the umbrella. However, COSE does not support detached Recipient lists. This may be a failing of COSE, and perhaps it should be discussed there. In the interim, however, SUIT needs to move forward with some solution to deploying variable recipient lists.

I can see several options:

Option 1: Place the COSE_Encrypt outside the manifest, reference it by URI (remote) or Integer (envelope)
- Modify suit-parameter-encryption-info to take a tstr (URI) or integer (Envelope Reference)
- This means that all devices supporting the encryption-info parameter MUST support both integrated, detached local, and detached remote modes. I don't think this is really in the spirit of SUIT.

Option 2: Place the COSE_Encrypt outside the manifest, reference it by Integer (envelope)
- Add a new suit-parameter-encryption-info-detached that takes the integer (Envelope Reference)
- This has the benefit of being unambiguous. However, it creates a new problem: what happens if both the suit-parameter-encryption-info-detached and the suit-parameter-encryption-info are set? Does there need to be a rule that one explicitly unsets the other? How does that work with permissions?

Option 3: Abuse COSE slightly:
- Place a COSE_Encrypt0 in the manifest.
- Place a list of recipients outside the manifest.
- This has the benefit of being what we actually want, but it probably won't play nice with COSE libraries.

On balance, I think we should probably go with option 2. I recommend that we add the following CDDL:

    SUIT_Parameters //= (
        suit-parameter-encryption-info-detached => suit-encryption-info-detached-key
    )
    $$SUIT_Envelope_Extensions //= (
        suit-encryption-info-detached-key => bstr .cbor COSE_Encrypt
    )
    suit-encryption-info-detached-key = nint / uint .ge 24

This provides an explicit parameter to use when placing the COSE_Encrypt in the envelope. It's unambiguous and should be reasonably easy to implement. This could be added to either draft-ietf-suit-manifest or draft-ietf-suit-firmware-encryption.

Best Regards,
Brendan
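The following Python is an added worked example, not code from the message above or from the SUIT drafts. It models the problem the message describes (a signed digest over a manifest that carries the COSE_Encrypt inline breaks as soon as a distributor prunes a recipient) next to the Option 2 layout, where the manifest carries only a `suit-encryption-info-detached-key` integer and the COSE_Encrypt sits in its own envelope slot. The minimal CBOR encoder, the HMAC-SHA256 standing in for the COSE_Sign1 authentication wrapper, the placeholder ciphertext and wrapped keys, and every label number (`AUTH_KEY`, `MANIFEST_KEY`, `DETACHED_KEY`, the two parameter stand-ins) are assumptions of this example, not registered SUIT or COSE values. The `is_detached_key` check implements the `nint / uint .ge 24` constraint from the proposed CDDL.

```python
import hashlib
import hmac
import struct

# Placeholder label numbers for this example only; they are NOT the
# registered SUIT envelope or parameter labels.
AUTH_KEY = 2                          # authentication wrapper slot in the envelope
MANIFEST_KEY = 3                      # manifest slot in the envelope
DETACHED_KEY = 24                     # suit-encryption-info-detached-key (nint / uint .ge 24)
PARAM_ENCRYPTION_INFO = 100           # stand-in for suit-parameter-encryption-info
PARAM_ENCRYPTION_INFO_DETACHED = 101  # stand-in for the proposed detached parameter


def _head(major, n):
    """CBOR initial byte(s) for major type `major` with unsigned argument `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | info]) + struct.pack(fmt, n)
    raise ValueError("argument too large")


def cbor(v):
    """Minimal deterministic CBOR encoder for int, bytes, str, list and dict."""
    if isinstance(v, bool):
        raise TypeError("bool not needed in this example")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))


def is_detached_key(k):
    """suit-encryption-info-detached-key = nint / uint .ge 24 (proposed CDDL)."""
    return isinstance(k, int) and not isinstance(k, bool) and (k < 0 or k >= 24)


def cose_encrypt(kids):
    """COSE_Encrypt = [protected, unprotected, ciphertext, [+ COSE_recipient]].
    Ciphertext, nonce and wrapped CEKs are constructed placeholder bytes."""
    recipients = [[b"", {4: kid}, b"wrapped-cek-for-" + kid] for kid in kids]
    return [cbor({1: 3}), {5: b"constructed-nonce"}, b"constructed-ciphertext", recipients]


def build_envelope(kids, mode, signing_key):
    """Author side: envelope with the COSE_Encrypt either inline (inside the
    signed manifest) or detached (in its own envelope slot, Option 2)."""
    enc = cbor(cose_encrypt(kids))
    if mode == "inline":
        manifest = {PARAM_ENCRYPTION_INFO: enc}
        extra = {}
    else:
        assert is_detached_key(DETACHED_KEY)
        manifest = {PARAM_ENCRYPTION_INFO_DETACHED: DETACHED_KEY}
        extra = {DETACHED_KEY: enc}
    manifest_bytes = cbor(manifest)
    digest = hashlib.sha256(manifest_bytes).digest()
    # HMAC stands in for the COSE_Sign1 over the digest; stored as a native
    # tuple so the example needs no CBOR decoder.
    signature = hmac.new(signing_key, digest, "sha256").digest()
    env = {AUTH_KEY: (digest, signature), MANIFEST_KEY: manifest_bytes}
    env.update(extra)
    return env


def prune_recipients(env, mode, keep):
    """Distributor side (no signing key): keep only the recipients in `keep`."""
    enc = cbor(cose_encrypt(keep))
    pruned = dict(env)
    if mode == "inline":
        # The COSE_Encrypt is inside the manifest, so the manifest has to be
        # re-encoded and its bytes (hence the signed digest) change.
        pruned[MANIFEST_KEY] = cbor({PARAM_ENCRYPTION_INFO: enc})
    else:
        # Only the detached slot changes; the signed manifest bytes are untouched.
        pruned[DETACHED_KEY] = enc
    return pruned


def verify(env, signing_key):
    """Device side: digest over the manifest bytes must match, then the signature."""
    digest, signature = env[AUTH_KEY]
    if not hmac.compare_digest(hashlib.sha256(env[MANIFEST_KEY]).digest(), digest):
        return False
    expected = hmac.new(signing_key, digest, "sha256").digest()
    return hmac.compare_digest(expected, signature)


def demo(signing_key=b"constructed-signing-key"):
    """Returns {mode: (verifies before pruning, verifies after pruning)}."""
    results = {}
    for mode in ("inline", "detached"):
        env = build_envelope([b"dev-A", b"dev-B", b"dev-C"], mode, signing_key)
        pruned = prune_recipients(env, mode, [b"dev-A"])
        results[mode] = (verify(env, signing_key), verify(pruned, signing_key))
    return results


if __name__ == "__main__":
    print(demo())  # {'inline': (True, False), 'detached': (True, True)}
```

Running it shows the inline layout failing verification after a recipient is pruned, because the manifest bytes under the digest changed, while the detached layout still verifies because only the envelope slot outside the signed manifest was rewritten. The flip side is the trade-off the message already names: in the detached layout the whole COSE_Encrypt, not just its recipient list, sits outside the manifest's chain of trust, so a device can only trust it as far as the key-wrap to its own recipient entry goes.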