IETF Logo Mail Archive

Re: [Suit] Review of draft-ietf-suit-manifest-09

Brendan Moran <Brendan.Moran@arm.com> Mon, 03 August 2020 10:05 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A48843A0D72 for <suit@ietfa.amsl.com>; Mon, 3 Aug 2020 03:05:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=2kYm3v49; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=2kYm3v49
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjWvGvPOt8ta for <suit@ietfa.amsl.com>; Mon, 3 Aug 2020 03:05:02 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60040.outbound.protection.outlook.com [40.107.6.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E4533A0D71 for <suit@ietf.org>; Mon, 3 Aug 2020 03:05:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/4saiT+gOQoubtjMZje4Sp+iZeezssAyH8zv/jEvyKs=; b=2kYm3v49HvetAl+cy4hMFrLsVAIFcEPIcmtDBHj8V9zfozIt3dpz69caTvdrvr9GKTcc4UXKbRrdlju+8MEcs7fARSErN3W4L2hjxBzt+hbVgNF4AkavqwVMznf9gnK8TbmgZh6EzCc2mad573ryNNkcG2cMolj0XHToIMcgeRQ=
Received: from AM0PR03CA0028.eurprd03.prod.outlook.com (2603:10a6:208:14::41) by AM0PR08MB4932.eurprd08.prod.outlook.com (2603:10a6:208:162::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16; Mon, 3 Aug 2020 10:04:59 +0000
Received: from AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com (2603:10a6:208:14:cafe::69) by AM0PR03CA0028.outlook.office365.com (2603:10a6:208:14::41) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16 via Frontend Transport; Mon, 3 Aug 2020 10:04:59 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT056.mail.protection.outlook.com (10.152.17.224) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.20 via Frontend Transport; Mon, 3 Aug 2020 10:04:59 +0000
Received: ("Tessian outbound 78bc8a1387f9:v63"); Mon, 03 Aug 2020 10:04:59 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 50167e98620d1939
X-CR-MTA-TID: 64aa7808
Received: from 32e2793c1274.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 5CF9E9A5-8712-42BC-AAA7-5AF0457B0A43.1; Mon, 03 Aug 2020 10:04:53 +0000
Received: from EUR04-DB3-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 32e2793c1274.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 03 Aug 2020 10:04:53 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=M2ygx0Qa0Sna/ONGrsUsDyQQm8l5Rh5hgOCI+sRu3m0PiP3WcVKEmPuuYH2LXyIkNvOD4/HKnhmjtCpqJEBDl9UjyGwwl9canMVTLPvooZzvA6Wwz4ytOj+0UJ0KOETU9OPZWrwgH3vwKv1MWBdkZh2dbv9hdaa2I1uEhiaLv/DuQHPuwgdIcSWLlTO/4PQ5U6bNCkw5f6lhzFDLPKcy7W4xXOgZTUthyQM6WNUvxiPl6RwcEzCx0ox5tF19nwUsJ5KNT9J/S3lU7LL1f/MkO7lwDUJnvCwn0kKAsCPOJK1TI0w/7LAEF6/wEMaARhxjDe7yRgHDYo+7HST2tEkgDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/4saiT+gOQoubtjMZje4Sp+iZeezssAyH8zv/jEvyKs=; b=mg9v0/XZPhVSC1eDpTYs0pCRI/9RDgUtBaZ+orx0OTq54KiPl/Tc+Cg+nOTdKaxZcL4WuuOJbERy5B8c5qGMQc2AYbnzLMcQjj7kAKW/HP944KrC3Ye0P+alFy7gGUa2t68hjv4uvwMyMOBehQacRD1tYYADwll10FrXv9492jAhxyYdKUCO8R7Ic7QEUZLFTABRqDEvz6bh0wtalRv0kOoBXiA4WlFBnNUr2G5m1LFUZWg5u1MDRKYNGLQeq2sZ47ZC9wfoSPa+StoG2YjY8EQTFedCNsqsfoeL2UaXF6w+Z+jSHG8zLcQ9iayWMrKmd5AEyEieRsC1+C5GDAFVyQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/4saiT+gOQoubtjMZje4Sp+iZeezssAyH8zv/jEvyKs=; b=2kYm3v49HvetAl+cy4hMFrLsVAIFcEPIcmtDBHj8V9zfozIt3dpz69caTvdrvr9GKTcc4UXKbRrdlju+8MEcs7fARSErN3W4L2hjxBzt+hbVgNF4AkavqwVMznf9gnK8TbmgZh6EzCc2mad573ryNNkcG2cMolj0XHToIMcgeRQ=
Received: from AM6PR08MB4738.eurprd08.prod.outlook.com (2603:10a6:20b:cf::10) by AM6PR08MB4868.eurprd08.prod.outlook.com (2603:10a6:20b:c5::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.17; Mon, 3 Aug 2020 10:04:52 +0000
Received: from AM6PR08MB4738.eurprd08.prod.outlook.com ([fe80::a98d:5ebe:dc1d:ea56]) by AM6PR08MB4738.eurprd08.prod.outlook.com ([fe80::a98d:5ebe:dc1d:ea56%3]) with mapi id 15.20.3239.021; Mon, 3 Aug 2020 10:04:52 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: suit <suit@ietf.org>
Thread-Topic: [Suit] Review of draft-ietf-suit-manifest-09
Thread-Index: AdZiCUkrB1qNrZ3lS5i4ApAjr2sBOQCGs7sAAAKNB+AAAQI/MACZy6IAAABry6QAo/WJgAAUn3uA
Date: Mon, 03 Aug 2020 10:04:52 +0000
Message-ID: <7D807988-6D37-4957-9528-32235E269C86@arm.com>
References: <BL0PR2101MB1027152EC8DAD9B3847C3E89A3770@BL0PR2101MB1027.namprd21.prod.outlook.com> <70453005-8DFA-4DBE-8C04-9882839D5005@arm.com> <BL0PR2101MB1027CB46179113E5AFF5CC3BA3720@BL0PR2101MB1027.namprd21.prod.outlook.com> <BL0PR2101MB1027E0C3AAE05FED8E057246A3720@BL0PR2101MB1027.namprd21.prod.outlook.com> <13874.1596131258@localhost> <21C2CB5D-37E1-4C74-A0FD-36623F4CCD2E@arm.com> <22685.1596413661@localhost>
In-Reply-To: <22685.1596413661@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.80.23.2.2)
Authentication-Results-Original: sandelman.ca; dkim=none (message not signed) header.d=none; sandelman.ca; dmarc=none action=none header.from=arm.com;
x-originating-ip: [82.20.19.206]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 70ee483d-eec8-41b0-2934-08d83794ae75
x-ms-traffictypediagnostic: AM6PR08MB4868:|AM0PR08MB4932:
X-Microsoft-Antispam-PRVS: <AM0PR08MB4932D654AA85566B3587FE16EA4D0@AM0PR08MB4932.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: ZWPMJmpLQJatSOTKwbs3gfb5SuGFXhT7vSTwCcnORfuudwtt/DHePqS2M8hcUI7aaeQv5eAZMvRPF1tFq4uroG2cnHA9bzpoIH7MhtLsytnDBqvBt1XLpYGJuG56znM6MnZMZME85tV9VgUlMa4KAEq/tKAj8oykh8pAqRTy0RUMnVrs7cYp3aB5JqjCKbtoojm/Bs1ELaKWBBIs6LTTFXGx4C5qr4Y/k07oa/h7yUHzMj+evuzDTh0LYWsDlczD6V01VACKV+/xd4LTzhBlzKlzkzlmHTTkDaBwnDOEEJDnj334QqY1zpvb1FycJb95wcfn+ib/CyDEhX6dZ6SSiA==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB4738.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(39860400002)(396003)(376002)(366004)(136003)(66446008)(66476007)(64756008)(66556008)(6512007)(66946007)(8936002)(5660300002)(4326008)(478600001)(91956017)(83380400001)(76116006)(33656002)(86362001)(71200400001)(186003)(8676002)(316002)(53546011)(6506007)(6486002)(36756003)(2906002)(2616005)(26005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: m3oo9MAXljQv+esLIaoci3B0J1ZZ3CB/12U4OttC47jHWJx2i8K6gyUDif2h4r2vtzjWYfCvnRdsdnxFnbVTmltBPXuPa5vB8FzWX2/dOqnhnF4wdUJNK3ERYgW6Vs7lY0pgifwjkV7k0S3V4AU4bCLO7RiYmM3haGGv9uqLJrsfPZYK5kW5E49UvJJIyTnS0e/xLNd2vX1T1rHAz6afRLPaIcQSUM/UGG9ZrcGSlB1phOuE27Q6e7zsHP6pRNIwnWH1jgKpzpt6QSIT5hfS7Ub/Ekg5xX8631b0OzUbItWWIF94bd5eIGNStkgM7Uj/fBoPHIEknMGkwOCGpFx5SFqCjykBwhJyHOYhndfLMTPACpmYcXQ8vIHNxv2apG4qrCsAfiDtPnMlr/MqTjR9fw9LpwDNLt/Ec5qjaY6bXxcDvRKJQf1FcZtbx1GyI49Ni8/lzljeJ1ioQTXPZkE5Me/Ndrs3a/guNw+ZfAOVlLjftW91hnbQI6WXpljGa68lWap2NXjghnXCgHj/i3hrOJxmhKlpnQOwqOW1RMXuFIJ6lw0a0NVf9ieiiZQVvV7jaro5tZIkAaXpnX7zBNfsHW5SbStr5GrsvISns8xW8MdrfylOcO+K726qQwVT0y0Vj1r9s0nbvM5SeSITQpuE+w==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <E7A56511BE23074A99720EEA1641D520@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4868
Original-Authentication-Results: sandelman.ca; dkim=none (message not signed) header.d=none; sandelman.ca; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: ee342465-3da5-4da5-80a9-08d83794aa41
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Zikw5OQAOXtiyClz5cPD47qLkaP2U5FuFOxVbOifNpw5Vb5mIPaDoTAL95WkNMDU3uxQr0Du6JJelQtz9mQsvmhRZqF25XNNG+qGo0jv0U2wgBPMlku+jnnEjTYRPgrBYQeM0M+O4bdn0auGaQGFmnCPjyBVx9qLTDNdks0TFoQ1HbGF4wlxyKseVXxFJpDgVINxmC7nUoTlatqoL7Wj6o9pwKQm7TDFKNuLj+4K76HJxJcTlGPEaI5wmK6VTUb9hpcjS8Rpf3AkPFXr6cDd9GqWIZqxK1u0DAzbGnJIrsu48lvPzoS45ME9DxO/sPsyb609NpLiw1VzGBRZ6LUpsjerAVmPzgGXyNl9xtHKecDxfSol/Gi9ka8PVTCXI0eS3G3fqc+V8mrhmbNSh2ZqRw==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(346002)(376002)(396003)(136003)(39860400002)(46966005)(53546011)(6512007)(47076004)(478600001)(81166007)(26005)(2906002)(82310400002)(356005)(6486002)(186003)(82740400003)(2616005)(6506007)(86362001)(6862004)(36906005)(316002)(70206006)(336012)(5660300002)(70586007)(33656002)(36756003)(4326008)(8936002)(83380400001)(8676002); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Aug 2020 10:04:59.3926 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 70ee483d-eec8-41b0-2934-08d83794ae75
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4932
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/X462278BYLrifqx9ChBiuzR6GyA>
Subject: Re: [Suit] Review of draft-ietf-suit-manifest-09
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 10:05:05 -0000

I raised two orthogonal issues regarding PEN. I don’t think that either of them are blockers. I just want to make sure we get them right.

1) We need a way to declare sub-assignments of PENs.
2) We need a way to construct class IDs.


One fairly easy way to deal with all of this at once is to use OIDs. Then, there is no difference between vendor and class: They are arbitrary subdivisions of OID space. We can also state that the IANA PEN arc of 1.3.6.1.4.1 is always present, and omit it.

In this case, my vendor ID might be 13457.3 and my class ID might be 1.7.99. Together, these could form a single OID: 1.3.6.1.4.1.13457.3.1.7.99.

Only the PEN and sub assignments would be actually encoded: 13457.1.1.7.3. These would divided into vendor and class.

I don’t think we can reasonably make arguments about size if we leave the 16 bytes of Class ID on the table. With that in mind, I think we should probably look at Vendor ID and Class ID as relative OIDs. They can be serialised as X.690-encoded OIDs, wrapped in a bstr.

I still worry that this leaves implementors lattitude to abuse Vendor ID and Class ID, ignoring real incompatibilities for the sake of consistent naming, but the size is probably more important overall.



Because both OIDs and UUIDs are serialised as bstr, this would meant that, in order to use a UUID, it would need to be wrapped in a Tag 37, since there is not yet an OID CBOR tag. Alternatively, because a recipient really doesn’t care—it just matches a bstr expressed in the manifest to a bstr asserted by the Manifest Processor—we can leave both un-tagged. Intermediaries may care if they’re trying to present the information to a user, though that is expressly not the purpose of either the vendor ID or the class ID.

This is actually a really nice result. It means that there is no change to the CDDL. There’s a (comparatively small) change to the text to explain that either a relative OID or a UUID can be used to express a vendor ID or a class ID.



I’m fine with defining a PEN Name Space Identifier for UUIDs, provided that the input is defined to be a X.690-encoded relative OID. This means that it can handle sub assignments easily, and it matches the Vendor ID proposal above. This is only necessary in the mixed case: Vendor ID is PEN, Class ID is UUID.


A couple more comments below.


> On 3 Aug 2020, at 01:14, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> Brendan Moran <Brendan.Moran@arm.com> wrote:
>> ClassID = uuid5(uuid5(OID_NAMESPACE_UUID, encode_oid([1,3,6,1,4,1,PEN]), Class-Specific-Information)
>> But then we need to define encode_oid because RFC4122 doesn’t specify which OID encoding to use.
>
> Yeah, I see no advantage to including the OID here.

I don’t have a problem with declaring a new Name Space Identifier for PENs, provided that it can handle sub-assignments.

>> Also, we need to support sub-assignments from a PEN, since large
>> organisations may have policies that require the use of specific
>> sub-assignments.
>
> Since this is just to produce a ClassID, it seems that there could be an
> integer that could be incremented to form sub-assignments.

I think that ClassID and sub-assignments are orthogonal here. Organisations should not be restricted in their ability to specify sub-organisations for the purpose of compatibility checking.

> Second, I believe that for larger organizations, IANA will assign multiple
> PENs to e.g. "ExampleCOM Consumer Devices" vs "ExampleCOM Transportation Systems”

That is good to know, however I don’t understand the reluctance to support sub-assignment.

Brendan

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email