Re: [Suit] [Rats] [sacm] CoSWID and EAT and CWT

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Sun, 24 November 2019 15:44 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E88B120052; Sun, 24 Nov 2019 07:44:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XGiU4hXIEvsN; Sun, 24 Nov 2019 07:44:22 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46181120043; Sun, 24 Nov 2019 07:44:21 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xAOFiIZv024757 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Sun, 24 Nov 2019 16:44:19 +0100
Received: from [172.17.29.118] (5.148.85.20) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Sun, 24 Nov 2019 16:44:13 +0100
To: "Smith, Ned" <ned.smith@intel.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "suit@ietf.org" <suit@ietf.org>, sacm <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>, Laurence Lundblade <lgl@island-resort.com>, Ira McDonald <blueroofmusic@gmail.com>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
References: <BN7PR09MB2819D797B89183218BEFA823F04E0@BN7PR09MB2819.namprd09.prod.outlook.com> <922EA164-FB96-4245-A46C-6520809E6311@gmail.com> <01f09bc9-bd79-89da-243d-cd766f297a5b@sit.fraunhofer.de> <CAHbuEH7uEjYK8obQ78B4paaB426Xrhuh+E7SJGsXNi_cRDYYAg@mail.gmail.com> <65CFC5E3-1B46-4235-B4F4-692F475AC80F@intel.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <93390196-dd6a-131a-afe8-4bea845d6648@sit.fraunhofer.de>
Date: Sun, 24 Nov 2019 16:44:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <65CFC5E3-1B46-4235-B4F4-692F475AC80F@intel.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [5.148.85.20]
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/pp2MZxxRLmqMoCGCie1wlKRuMJM>
Subject: Re: [Suit] [Rats] [sacm] CoSWID and EAT and CWT
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2019 15:44:26 -0000

Hi Ned,

"Evidence" and "Payload" are two of the four pre-defined (and 
extensible) types of resource-collection defined by ISO/IEC 
19770-2:2015, CoSWID and NISTIR 8060:2016, respectively.

They are defined here:

> https://tools.ietf.org/html/draft-ietf-sacm-coswid-13#section-2.3

Fortunately, Evidence is semantically very well aligned with the meaning 
of Evidence in the context of RATS, it is effectively created by an 
Attesting Environment of an Attester as a measurement:

>    o  evidence-entry (index 3): This item can be used to record the
>       results of a software discovery process used to identify untagged
>       software on an endpoint or to represent indicators for why
>       software is believed to be installed on the endpoint.  In either
>       case, a CoSWID tag can be created by the tool performing an
>       analysis of the software components installed on the endpoint.
>       Described in Section 2.9.4.

In general, Payload lists the files that may be installed with a 
software product, and could be a superset of those files. Semantically, 
they are the equivalent to Appraisal Policies (formerly know as 
Reference Values). This differs from the use of Evidence, which is used 
to store results from a scan that indicate why the product is believed 
to be installed:

>    o  payload (index 6): This item represents a collection of software
>       artifacts (described by child items) that compose the target
>       software.  For example, these artifacts could be the files
>       included with an installer for a corpus tag or installed on an
>       endpoint when the software component is installed for a primary or
>       patch tag.  The artifacts listed in a payload may be a superset of
>       the software artifacts that are actually installed.  Based on user
>       selections at install time, an installation might not include
>       every artifact that could be created or executed on the endpoint
>       when the software component is installed or run.  Described in
>       Section 2.9.3.

Viele Grüße,

Henk

On 22.11.19 20:39, Smith, Ned wrote:
> Regarding issue 46 (link below), the proposed (9) claims distinguish 
> between Evidence, “Payload” and SUIT Manifest variations. Evidence is 
> defined by RATS architecture, SUIT Manifest by SUIT WG, but not sure 
> where “Payload” is defined and how it differs from Evidence. Possibly 8 
> claims can be collapsed into 4?
> 
> *From: *RATS <rats-bounces@ietf.org> on behalf of Kathleen Moriarty 
> <kathleen.moriarty.ietf@gmail.com>
> *Date: *Friday, November 22, 2019 at 10:27 AM
> *To: *Henk Berkholz <henk.birkholz@sit.fraunhofer.de>
> *Cc: *"suit@ietf.org" <suit@ietf.org>rg>, sacm <sacm@ietf.org>rg>, 
> "rats@ietf.org" <rats@ietf.org>rg>, Laurence Lundblade 
> <lgl@island-resort.com>om>, Ira McDonald <blueroofmusic@gmail.com>om>, 
> "david.waltermire@nist.gov" <david.waltermire@nist.gov>
> *Subject: *Re: [Rats] [sacm] CoSWID and EAT and CWT
> 
> Hi Henk,
> 
> I am not entirely following you, so I am not stating agreement yet.
> 
> On Fri, Nov 22, 2019 at 12:06 PM Henk Birkholz 
> <henk.birkholz@sit.fraunhofer.de 
> <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
> 
>     Hi Kathleen,
>     hi SACM, SUIT & RATS list,
> 
>     the corresponding *SWID authors discussed this issue and are proposing:
> 
>      > https://github.com/ietf-rats-wg/eat/issues/46
> 
>     This includes an extended scope to include the option of SUIT Manifest
>     related Claim values, next to various *SWID Claim values. We permutated
>     "signed" & "not-signed" as well as "payload tags" and "evidence tags"
>     for *SWID tags in this proposal. The authors are convinced that the
>     "not-signed" variants are of essence (as CWT does not allow "not-signed
>     CBOR items", but also do not imply any implications to the SUIT
>     Manifest
>     Claim definition (although there are strong similarities and there
>     could
>     be some).
> 
> Can you write the above again?  Are you saying this in terms of a CWT?  
> Wouldn't the claims and the text value in a CWT be represented as-is, 
> then signed, so you'd get what you are saying is needed?
> 
> 
>     The current *SWID contributors prefer this contribution as a parallel
>     effort to the EAT I-D, SUIT Manifest I-D, the CoSWID I-D and existing
>     ISO XML SWID standard. This proposal includes the primitive to not
>     delay
>     corresponding IETG I-D in their respective WGs.
> 
> Are you saying you don't want to add text stating the use of a CWT is a 
> possible alternative, as that is what was requested.  I offered to write 
> a separate document to put the CoSWID in a CWT in SACM as I think that's 
> the right home, referencing EAT work.
> 
> 
>     Having said that, we would like to get feedback for the proposal
>     references above.
> 
>     If there is no dissent or push-back on either the SUIT, SACM, and RATS
>     lists, our proposed way forward is a unified creation of EAT Claim Sets
>     in the RATS WG that enables the use of various *SWID variants & the
>     SUIT
>     Manifest as payloads for RATS via the RATS EAT I-D.
> 
> I think this should be in SACM.  And I've offered to help.  I do think 
> that a little text saying it's possible should be in the CoSWID draft 
> and will provide that soon as not to delay progress of the CoSWID document.
> 
> Best regards,
> 
> Kathleen
> 
> 
>     In summary, we would like to create this interop I-D in concert and
>     welcome every joint effort in this domain.
> 
>     Viele Grüße,
> 
>     Henk
> 
>     On 21.11.19 12:37, Kathleen Moriarty wrote:
>      >
>      >
>      > Sent from my mobile device
>      >
>      >> On Nov 20, 2019, at 11:29 PM, Waltermire, David A. (Fed)
>      >> <david.waltermire@nist.gov <mailto:david.waltermire@nist.gov>>
>     wrote:
>      >>
>      >>
>      >> It sounds like having a CWT claim that contains an entire CoSWID
>     is a
>      >> path forward. It may also make sense to do something similar for
>     ISO
>      >> SWID tags.
>      >>
>      >> Am I right in thinking that this CWT work can be done in RATS,
>      >> referencing CoSWID once it is published as a normative
>     reference? This
>      >> would allow CoSWID to go forward to the IESG, while the CoSWID CWT
>      >> claim is worked in parallel in RATS.
>      >>
>      >> Kathleen, if this is true, does this way forward address your
>      >> CWT-related comments?
>      >
>      > Hi Dave,
>      >
>      > I think the signature may have to be on the CWT as opposed to on the
>      > claim that is the CoSWID or SWID.  We can define it fully in another
>      > draft, but should state it here so that option is understood. 
>     It’s a
>      > simple write up, I think.
>      >
>      > Thank you,
>      > Kathleen
>      >>
>      >> Regards,
>      >> Dave
>      >>
>      >>
>      >>
>      >>
>      >>
>      >>
>     ------------------------------------------------------------------------
>      >> *From:* sacm <sacm-bounces@ietf.org
>     <mailto:sacm-bounces@ietf.org>> on behalf of Kathleen Moriarty
>      >> <kathleen.moriarty.ietf@gmail.com
>     <mailto:kathleen.moriarty.ietf@gmail.com>>
>      >> *Sent:* Wednesday, November 20, 2019 9:10 PM
>      >> *To:* Ira McDonald <blueroofmusic@gmail.com
>     <mailto:blueroofmusic@gmail.com>>
>      >> *Cc:* rats@ietf..org <mailto:rats@ietf.org> <rats@ietf.org
>     <mailto:rats@ietf.org>>; sacm <sacm@ietf.org
>     <mailto:sacm@ietf.org>>; Laurence
>      >> Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>
>      >> *Subject:* Re: [sacm] [Rats] CoSWID and EAT and CWT
>      >> Great, thanks Laurence.  If that's easier I think having the
>     CoSWID in
>      >> one claim should be ok and would have the same result as the
>      >> suggestion I made.  Changing the CoSWID format is a big enough
>     process
>      >> that it shouldn't happen very often.
>      >>
>      >> Best regards,
>      >> Kathleen
>      >>
>      >> On Wed, Nov 20, 2019 at 8:00 PM Ira McDonald
>     <blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com>
>      >> <mailto:blueroofmusic@gmail.com
>     <mailto:blueroofmusic@gmail.com>>> wrote:
>      >>
>      >>     Hi Laurence,
>      >>
>      >>     That seems like a good suggestion for a simple way to integrate
>      >>     CoSWID content
>      >>     into EAT.
>      >>
>      >>     Cheers,
>      >>     - Ira
>      >>
>      >>     Ira McDonald (Musician / Software Architect)
>      >>     Co-Chair - TCG Trusted Mobility Solutions WG
>      >>     Co-Chair - TCG Metadata Access Protocol SG
>      >>     Chair - Linux Foundation Open Printing WG
>      >>     Secretary - IEEE-ISTO Printer Working Group
>      >>     Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
>      >>     IETF Designated Expert - IPP & Printer MIB
>      >>     Blue Roof Music / High North Inc
>      >> http://sites.google.com/site/blueroofmusic
>      >>   
>       <https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsites.google.com%2Fsite%2Fblueroofmusic&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070417006&sdata=GDIVVIesvqqXnuU6TtLbK7GJ4eI1b1EcYSPoXsHlj04%3D&reserved=0>
>      >> http://sites.google.com/site/highnorthinc
>      >>   
>       <https://gcc01.safelinks.protection..outlook.com/?url=http%3A%2F%2Fsites.google.com%2Fsite%2Fhighnorthinc&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070417006&sdata=7z%2BoMcYSSFD8hAYHmELqNoyGAxTBE9gknbV6kAzKWX8%3D&reserved=0 <http://outlook.com/?url=http%3A%2F%2Fsites.google.com%2Fsite%2Fhighnorthinc&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070417006&sdata=7z%2BoMcYSSFD8hAYHmELqNoyGAxTBE9gknbV6kAzKWX8%3D&reserved=0>>
>      >>     mailto: blueroofmusic@gmail.com
>     <mailto:blueroofmusic@gmail.com> <mailto:blueroofmusic@gmail.com
>     <mailto:blueroofmusic@gmail.com>>
>      >>     PO Box 221  Grand Marais, MI 49839  906-494-2434
>      >>
>      >>
>      >>
>      >>     On Wed, Nov 20, 2019 at 7:35 PM Laurence Lundblade
>      >>     <lgl@island-resort.com <mailto:lgl@island-resort.com>
>     <mailto:lgl@island-resort.com <mailto:lgl@island-resort.com>>> wrote:
>      >>
>      >>         Hi,
>      >>
>      >>         I’m not on the SACM list, but did look at the archive.
>      >>         Hopefully I’m not out of sync.
>      >>
>      >>         My thought is to register one claim for CWT that is an
>     entire
>      >>         CoSWID (in CDDL the concise-swid-tag).
>      >>
>      >>         That way CoSWID can grow and develop on its own without lots
>      >>         of adds and subtracts to the CWT registry. It has its
>     own IANA
>      >>         registry with its own experts and such. Seems like the
>      >>         coupling / factoring is about right.
>      >>
>      >>         This would also be the way I’d like to have it in EAT
>      >>         attestation. We’ve done a mini version of this with the
>      >>         location claim
>      >>       
>       <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-rats-eat-01%23section-3.8&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070426961&sdata=%2Fhi008Am2dlY6tBQHdPVVGZzEcWNmqd5MvgPOM14jE8%3D&reserved=0>.
>      >>
>      >>         Then if you just want to sign a CoSWID CWT style, this works
>      >>         pretty well too. It has a slight overhead compared to having
>      >>         all the CoSWID data items as direct CWT claims in that
>     it will
>      >>         have an additional map layer, but that is only about
>     three bytes.
>      >>
>      >>         LL
>      >>
>      >>         _______________________________________________
>      >>         RATS mailing list
>      >> RATS@ietf.org <mailto:RATS@ietf.org> <mailto:RATS@ietf.org
>     <mailto:RATS@ietf.org>>
>      >> https://www.ietf..org/mailman/listinfo/rats
>     <https://www.ietf.org/mailman/listinfo/rats>
>      >>       
>       <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Frats&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070426961&sdata=fdpXMIU%2BNkMSn3RJ4X5AsSuMU7pbokHXltsX8ZYP9E0%3D&reserved=0>
>      >>
>      >>     _______________________________________________
>      >>     sacm mailing list
>      >> sacm@ietf.org <mailto:sacm@ietf.org> <mailto:sacm@ietf.org
>     <mailto:sacm@ietf.org>>
>      >> https://www.ietf.org/mailman/listinfo/sacm
>      >>   
>       <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C92a2dcbadd8d47661b9608d76e282847%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637098991070436893&sdata=okSPAqVHj9KBxPtViQdnffsfhlMF4t0%2F87PXXY78fA0%3D&reserved=0>
>      >>
>      >>
>      >>
>      >> --
>      >>
>      >> Best regards,
>      >> Kathleen
>      >
>      > _______________________________________________
>      > sacm mailing list
>      > sacm@ietf.org <mailto:sacm@ietf.org>
>      > https://www.ietf.org/mailman/listinfo/sacm
>      >
> 
> 
> -- 
> 
> Best regards,
> 
> Kathleen
>