What to do if no CoRIM are selected? #356
As I said here there can/should be at least two specifications:
Originally CoRIM was "just" a format spec, but questions were raised about whether or not the appraisal process would work. Maybe something was missing or something was extraneous. This led to the internal representation schema and the transformation layer etc. Now that this is in place, possibly it makes sense to separate them? However, they are tightly coupled in terms of the CDDL that is used, so you would need to progress them in lockstep if separate. Separating them would require WG adoption, which will add a procedural component for not much benefit.
Agree with Ned here. The TCG spec for DICE endorsements coming to IETF to specify general endorsements significantly delayed the spec due to expanded scope. A new I-D for a general attestation verifier independent of CoRIM has the risk of a similar feature creep and delay.
If that's the case then there are two specifications in one, and care should be taken to clearly delineate CoRIM-as-a-file-format and the Verifier. For the most part that's already in place but it's good to be aware of it. In addition the abstract and introduction should be expanded to include the Verifier portion. In particular it is now more than
I think we need to add a suitable section to Verifier processing where the absence-of-CoRIM use case is also adequately covered!
The short answer is that Evidence claims end up in the ACS. If nothing else is added as a result of no Reference Values or Endorsements, the ACS is what it is as it enters Phase 5+.
Yes, we need to cover that case, where Policy may just dictate:
We should be clear about the interface between the CoRIM verifier and the rest of the Appraisal stages. Then, we can re-introduce a normative sentence explaining what is expected in such case.
Originally posted by @deeglaze in #355 (comment)