Grouping Triples into MTI and OTI #353
Conversation
Signed-off-by: Thomas Fossati <[email protected]>
henkbirkholz
requested review from
deeglaze,
nedmsmith,
thomas-fossati,
yogeshbdeshpande and
andrew-draper
henkbirkholz
changed the title
| * `conditional-endorsement-triples` (index 10): Triples describing a series of | ||
| Endorsement that are applicable based on the acceptance of a series of | ||
| stateful environment records. | ||
| * `conditional-endorsement-triples` (index 10): Triples describing a series of conditional Endorsements based on the acceptance of a stateful environment. |
There was a problem hiding this comment.
We should be consistent in stating either stateful environment or stateful environment records between conditional-endorsement-series-triples and conditional-endorsement-triples
There was a problem hiding this comment.
Should this spec define a process for reclassifying OTI triples as MTI? For example, that a newer RFC could update an older RFC reclassifying from OTI to MTI or deprecating something (or is that obvious)?
There was a problem hiding this comment.
We should be consistent in stating either
stateful environmentorstateful environment recordsbetweenconditional-endorsement-series-triplesandconditional-endorsement-triples
I don't understand the significance. Isn't it sufficient to refer to the triples based on the name used in triples-map?
There was a problem hiding this comment.
Should this spec define a process for reclassifying OTI triples as MTI? For example, that a newer RFC could update an older RFC reclassifying from OTI to MTI or deprecating something (or is that obvious)?
A CoRIM profile can prescribe its own MTIs. It cannot makre MTI from the base spec OTI, but it can make existing OTI from the base spec MTI. I am not certain how to deal with MTI from profiles, but I assume that a profile can inherit triple semantics from other profiles as is or redefine them MTI or OTI.
There was a problem hiding this comment.
A CoRIM profile can prescribe its own MTIs. It cannot makre MTI from the base spec OTI, but it can make existing OTI from the base spec MTI. I am not certain how to deal with MTI from profiles, but I assume that a profile can inherit triple semantics from other profiles as is or redefine them MTI or OTI.
I interpreted Ned's question to be about whether we should create a process here to regulate how MTI and OTI classes are allowed to move.
My answer is no, we don't. Let the future selves and fellow RATS decide how to deal based on accumulated wisdom.
draft-ietf-rats-corim.md
Outdated
| @@ -487,18 +487,28 @@ A CoMID defines several types of Claims, using "triples" semantics. | |||
| At a high level, a triple is a statement that links a subject to an object via a predicate. | |||
| CoMID triples typically encode assertions made by the CoRIM author about Attesting or Target Environments and their security features, for example measurements, cryptographic key material, etc. | |||
|
|
|||
| The set of triples is extensible. | |||
| The following triples are currently defined: | |||
| This specification defines two sets of triples. | |||
There was a problem hiding this comment.
In general looks good to me!
draft-ietf-rats-corim.md
Outdated
| The set of triples is extensible. | ||
| The following triples are currently defined: | ||
| This specification defines two sets of triples. | ||
| The first set of triples is essential to the fundamental principles of Evidence appraisal as illustrated in {{-rats-arch}} and {{-rats-endorsement}} and is mandatory to implement (MTI). |
There was a problem hiding this comment.
| The first set of triples is essential to the fundamental principles of Evidence appraisal as illustrated in {{-rats-arch}} and {{-rats-endorsement}} and is mandatory to implement (MTI). | |
| The MTI class of triples is essential for basic appraisal processing as illustrated in {{-rats-arch}} and {{-rats-endorsement}}. |
|
|
||
| * Reference Values triples: containing Reference Values that are expected to match Evidence for a given Target Environment ({{sec-comid-triple-refval}}). | ||
| * Endorsed Values triples: containing "Endorsed Values", i.e., features about an Environment that do not appear in Evidence. Specific examples include testing or certification data pertaining to a module ({{sec-comid-triple-endval}}). | ||
| * Conditional Endorsement triples: describing one or more conditions that, once matched, result in augmenting the Attester's actual state with the supplied Endorsed Values ({{sec-comid-triple-cond-endors}}). | ||
| * CoMID-CoSWID linking triples: associating a Target Environment with existing CoSWID Payload tags ({{sec-comid-triple-coswid}}). |
There was a problem hiding this comment.
Why is coswid mandatory? CoSWID has its own tag type and can be processed as part of corim without impacting comid. There is significant work required to create a comid-to-coswid mapping. Processing of coswids could be done independent from processing of comids.
There was a problem hiding this comment.
There was some comment about it being in the base set of CoRIM contents: CoBOM, CoMID, CoSWID.
That's why I put it in there. The requirements might be external to the CoMID structure. The editors have to figure that out in the next meeting.
There was a problem hiding this comment.
The requirements might be external to the CoMID structure.
Inclusion of different (from CoMID) tags in a corim doesn't obviate the need to map the other tags to CoMID. There can be a separate discussion (not necessarily in the CoRIM draft) for how to translate the external representation into an internal representation that doesn't have to be intrep. However, could be intrep too. That would be the topic for a design team to wrestle with. The coswid triples in comid could be lower priority to work on now since a mapping between a coswid internal representation with a comid internal representation would be useful pretext. It seems this sort of thing doesn't meet the criteria of something that is "base" capability for a comid engine.
| * Device Identity triples: containing cryptographic credentials - for example, an IDevID - uniquely identifying a device ({{sec-comid-triple-identity}}). | ||
| * Attestation Key triples: containing cryptographic keys that are used to verify the integrity protection on the Evidence received from the Attester ({{sec-comid-triple-attest-key}}). | ||
| * Domain dependency triples: describing trust relationships between domains, i.e., collection of related environments and their measurements ({{sec-comid-triple-domain-dependency}}). | ||
| * Domain membership triples: describing topological relationships between (sub-)modules. For example, in a composite Attester comprising multiple sub-Attesters (sub-modules), this triple can be used to define the topological relationship between lead- and sub- Attester environments ({{sec-comid-triple-domain-membership}}). | ||
| * CoMID-CoSWID linking triples: associating a Target Environment with existing CoSWID tags ({{sec-comid-triple-coswid}}). | ||
|
|
||
| The set of triples is extensible and this document specifies an extension mechanism via profiles (see {{sec-extensibility}}). While the use of profiles can also define constraints that limit the types of triples processed by a Verifier, every Verifier MUST nevertheless implement and support triples specified as MTI in this document. |
There was a problem hiding this comment.
| The set of triples is extensible and this document specifies an extension mechanism via profiles (see {{sec-extensibility}}). While the use of profiles can also define constraints that limit the types of triples processed by a Verifier, every Verifier MUST nevertheless implement and support triples specified as MTI in this document. | |
| CoMID triples are extensible ({{sec-comid-triples}}). Triples added via the extensibility feature MUST be OTI class triples. This document specifies profiles (see {{sec-extensibility}}). OTI triples MAY be reclassified as MTI using a profile. Profiles MUST NOT reclassify MTI triples as OTI. |
There was a problem hiding this comment.
"OTI triples MAY be reclassified as MTI using a profile."
May be misinterpreted to say that a profile can reclassify an OTI to MTI globally.
I'd rather say: "Within the context of a profile, OTI triples MAY be reclassified as MTI."
There was a problem hiding this comment.
"Profiles MUST NOT reclassify MTI triples as OTI."
OK, but also "Profiles can decide not to use MTI triples."
There was a problem hiding this comment.
OK, but also "Profiles can decide not to use MTI triples."
Yes. I think that is unavoidable, but also see below.
| * `conditional-endorsement-triples` (index 10): Triples describing a series of | ||
| Endorsement that are applicable based on the acceptance of a series of | ||
| stateful environment records. | ||
| * `conditional-endorsement-triples` (index 10): Triples describing a series of conditional Endorsements based on the acceptance of a stateful environment. |
There was a problem hiding this comment.
Should this spec define a process for reclassifying OTI triples as MTI? For example, that a newer RFC could update an older RFC reclassifying from OTI to MTI or deprecating something (or is that obvious)?
| * `conditional-endorsement-triples` (index 10): Triples describing a series of | ||
| Endorsement that are applicable based on the acceptance of a series of | ||
| stateful environment records. | ||
| * `conditional-endorsement-triples` (index 10): Triples describing a series of conditional Endorsements based on the acceptance of a stateful environment. |
There was a problem hiding this comment.
We should be consistent in stating either
stateful environmentorstateful environment recordsbetweenconditional-endorsement-series-triplesandconditional-endorsement-triples
I don't understand the significance. Isn't it sufficient to refer to the triples based on the name used in triples-map?
Fix build errors and update Gemfile with latests cddl command
Co-authored-by: Ned Smith <[email protected]>
Co-authored-by: Ned Smith <[email protected]>
Co-authored-by: Thomas Fossati <[email protected]>
Co-authored-by: Thomas Fossati <[email protected]>
| * Device Identity triples: containing cryptographic credentials - for example, an IDevID - uniquely identifying a device ({{sec-comid-triple-identity}}). | ||
| * Attestation Key triples: containing cryptographic keys that are used to verify the integrity protection on the Evidence received from the Attester ({{sec-comid-triple-attest-key}}). | ||
| * Domain dependency triples: describing trust relationships between domains, i.e., collection of related environments and their measurements ({{sec-comid-triple-domain-dependency}}). | ||
| * Domain membership triples: describing topological relationships between (sub-)modules. For example, in a composite Attester comprising multiple sub-Attesters (sub-modules), this triple can be used to define the topological relationship between lead- and sub- Attester environments ({{sec-comid-triple-domain-membership}}). | ||
| * CoMID-CoSWID linking triples: associating a Target Environment with existing CoSWID tags ({{sec-comid-triple-coswid}}). | ||
|
|
||
| The set of triples is extensible and this document specifies an extension mechanism via profiles (see {{sec-extensibility}}). While the use of profiles can also define constraints that limit the types of triples processed by a Verifier, every Verifier MUST nevertheless implement and support triples specified as MTI in this document. |
There was a problem hiding this comment.
| The set of triples is extensible and this document specifies an extension mechanism via profiles (see {{sec-extensibility}}). While the use of profiles can also define constraints that limit the types of triples processed by a Verifier, every Verifier MUST nevertheless implement and support triples specified as MTI in this document. | |
| CoMID triples are extensible ({{sec-comid-triples}}). | |
| Triples added via the extensibility feature MUST be OTI class triples. | |
| This document specifies profiles (see {{sec-extensibility}}). | |
| OTI triples MAY be reclassified as MTI using a profile. | |
| Conversely, profiles can choose not to _use_ certain MTI triples. | |
| Profiles MUST NOT reclassify MTI triples as OTI. |
There was a problem hiding this comment.
This is Ned's proposal + L517 as per my comment.
There was a problem hiding this comment.
@thomas-fossati line 513 usage of MTI triples in a profile is contradictory to usage supported on Line 517 of your suggested text. We need to polish the language that
- Introduces generic text to say that it is required that Verifiers MUST implement MTI Triples.
However certain profile may choose to not implement certain MTI Triples, as per their own Appraisal policy!
There was a problem hiding this comment.
Add a clarification: That Profiles cannot dictate an MTI behviour for all the Verifiers! (in a more clear way)
| The following triples are currently defined: | ||
| This specification defines two classes of triples, the Mandatory to Implement (MTI) and the Optional to Implement (OTI). | ||
| The MTI triples are essential to basic appraisal processing as illustrated in {{-rats-arch}} and {{-rats-endorsements}}. | ||
| Every CoRIM Verifier MUST support the MTI triples. |
There was a problem hiding this comment.
| Every CoRIM Verifier MUST support the MTI triples. | |
| Every CoRIM Verifier MUST implement the MTI triples. |
This is a "first draft", which I am not marking as a draft so it can be bashed early and ferociously.