From e005e5b16980ac1965367359a03167705cdaca4a Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Tue, 15 Oct 2024 12:05:34 -0700 Subject: [PATCH 01/18] Updated condition series description Added text to address issue #310 for conditional series triple and issue #321 --- draft-ietf-rats-corim.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 835e05a0..eb87d4f0 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1165,7 +1165,9 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi #### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series} -[^issue] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/310 +The Conditional Endorsement Series Triple is used to assert endorsed values conditional on various sets of possible measurement values. +Each series entry describes a different possible set of values. +Series entries are ordered so that the set describing the most trustworthy state is evaluated first and least trustworthy state last. The Conditional Endorsement Series Triple has the following structure: @@ -1188,7 +1190,8 @@ The `conditional-series-record` has the following parameters: To process a `conditional-endorsement-series-record` the `conditions` are compared with existing Evidence, corroborated Evidence, and Endorsements. If the search criteria are satisfied, the `series` tuples are processed. -The `series` array contains a list of `conditional-series-record` entries. +The `series` array contains an ordered list of `conditional-series-record` entries. +Evaluation order begins at list position 0. For each `series` entry, if the `selection` criteria matches an entry found in the `condition` result, the `series` `addition` is combined with the `environment-map` from the `condition` result to form a new Endorsement entry. The new entry is added to the existing set of Endorsements. From d1d58bc5d5a27d6371dfc9a8f6fbbdab9b100e5e Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Tue, 15 Oct 2024 12:06:11 -0700 Subject: [PATCH 02/18] Update comid-series.diag Modified cond series example to better highlight motivating use case. --- cddl/examples/comid-series.diag | 48 +++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/cddl/examples/comid-series.diag b/cddl/examples/comid-series.diag index 241612db..439adf0f 100644 --- a/cddl/examples/comid-series.diag +++ b/cddl/examples/comid-series.diag @@ -24,13 +24,13 @@ [ { / *** measurement-map *** / / mval / 1 : / measurement-values-map / { - / ver / 0 : { - / version / 0 : "1.0.0", - / version-scheme / 1 : 16384 / semver / - } + / digests / 2 : [ [ + / hash-alg-id / 6, / sha-256-32 / + / hash-value / h'ABCDEF01' ] + ] }, / authorized-by / 2 : [ - / tagged-pkix-base64-key-type / 554("base64_key_X") + / tagged-pkix-base64-key-type / 554("base64_key_ACME_signer") ] } ] @@ -40,16 +40,17 @@ [ { / *** ref-val measurement-map *** / / mval / 1 : / measurement-values-map / { - / digests / 2 : [[ - / hash-alg-id / 6, / sha-256-32 / - / hash-value / h'ABCDEF01' ]] + / ver / 0 : { + / version / 0 : "2.0.0" + }, + / comid.svn / 1 : 552(3) } } ], [ { / *** endv-measurement-map *** / / mval / 1 : / measurement-values-map / { - / name / 11: "CVE_ACME_777" + / name / 11: "-NO_CVE-" } } ] @@ -58,17 +59,36 @@ [ { / *** ref-val measurement-map *** / / mval / 1 : / measurement-values-map / { - / digests / 2 : [[ - / hash-alg-id / 6, / sha-256-32 / - / hash-value / h'BCDEF01A' ]] - + / ver / 0 : { + / version / 0 : "1.0.0" + }, + / comid.svn / 1 : 552(2) + } + } + ], + [ + { / *** endv-measurement-map *** / + / mval / 1 : / measurement-values-map / { + / name / 11: "CVE_WARNING" + } + } + ] + ], + [ / conditional-series-record #2 / + [ + { / *** ref-val measurement-map *** / + / mval / 1 : / measurement-values-map / { + / ver / 0 : { + / version / 0 : "1.0.0" + }, + / comid.svn / 1 : 552(1) } } ], [ { / *** endv-measurement-map *** / / mval / 1 : / measurement-values-map / { - / name / 11: "CVE_ACME_555" + / name / 11: "CVE_VULNERABLE" } } ] From 4be98c0cd727249a66bb497525e02882236cc7a6 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Tue, 15 Oct 2024 12:19:06 -0700 Subject: [PATCH 03/18] Update comid-series.diag Fix white space --- cddl/examples/comid-series.diag | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cddl/examples/comid-series.diag b/cddl/examples/comid-series.diag index 439adf0f..e9996d44 100644 --- a/cddl/examples/comid-series.diag +++ b/cddl/examples/comid-series.diag @@ -50,7 +50,7 @@ [ { / *** endv-measurement-map *** / / mval / 1 : / measurement-values-map / { - / name / 11: "-NO_CVE-" + / name / 11: "-NO_CVE-" } } ] @@ -69,7 +69,7 @@ [ { / *** endv-measurement-map *** / / mval / 1 : / measurement-values-map / { - / name / 11: "CVE_WARNING" + / name / 11: "CVE_WARNING" } } ] @@ -88,7 +88,7 @@ [ { / *** endv-measurement-map *** / / mval / 1 : / measurement-values-map / { - / name / 11: "CVE_VULNERABLE" + / name / 11: "CVE_VULNERABLE" } } ] From c2f9811b7d8568dca68be071c8b0073f0fdc3079 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Tue, 15 Oct 2024 12:26:14 -0700 Subject: [PATCH 04/18] Update comid-series.diag More realistic use case that could result in multiple entries satisfied by the condition. --- cddl/examples/comid-series.diag | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/cddl/examples/comid-series.diag b/cddl/examples/comid-series.diag index e9996d44..13e1d001 100644 --- a/cddl/examples/comid-series.diag +++ b/cddl/examples/comid-series.diag @@ -24,10 +24,9 @@ [ { / *** measurement-map *** / / mval / 1 : / measurement-values-map / { - / digests / 2 : [ [ - / hash-alg-id / 6, / sha-256-32 / - / hash-value / h'ABCDEF01' ] - ] + / comid.flags / 3 : { + / configured / 0 : true + } }, / authorized-by / 2 : [ / tagged-pkix-base64-key-type / 554("base64_key_ACME_signer") From 707ab32dd4707345af74aaa2c3e6b2d4d70cea23 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Tue, 15 Oct 2024 12:28:54 -0700 Subject: [PATCH 05/18] Update comid-series.diag fix whitespace. --- cddl/examples/comid-series.diag | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cddl/examples/comid-series.diag b/cddl/examples/comid-series.diag index 13e1d001..bd7fc4a3 100644 --- a/cddl/examples/comid-series.diag +++ b/cddl/examples/comid-series.diag @@ -58,8 +58,8 @@ [ { / *** ref-val measurement-map *** / / mval / 1 : / measurement-values-map / { - / ver / 0 : { - / version / 0 : "1.0.0" + / ver / 0 : { + / version / 0 : "1.0.0" }, / comid.svn / 1 : 552(2) } @@ -77,8 +77,8 @@ [ { / *** ref-val measurement-map *** / / mval / 1 : / measurement-values-map / { - / ver / 0 : { - / version / 0 : "1.0.0" + / ver / 0 : { + / version / 0 : "1.0.0" }, / comid.svn / 1 : 552(1) } From 5c19de3142b4b2842af12a50c6a9b942261997b8 Mon Sep 17 00:00:00 2001 From: Ned Smith Date: Wed, 16 Oct 2024 09:54:26 -0700 Subject: [PATCH 06/18] Update cddl/examples/comid-series.diag Co-authored-by: Dionna Amalie Glaze --- cddl/examples/comid-series.diag | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cddl/examples/comid-series.diag b/cddl/examples/comid-series.diag index bd7fc4a3..9718193c 100644 --- a/cddl/examples/comid-series.diag +++ b/cddl/examples/comid-series.diag @@ -73,7 +73,7 @@ } ] ], - [ / conditional-series-record #2 / + [ / conditional-series-record #3 / [ { / *** ref-val measurement-map *** / / mval / 1 : / measurement-values-map / { From 9d86b6d800cd541fcbd135fe65fdf2aa1528318e Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 13:17:47 -0800 Subject: [PATCH 07/18] Update Gemfile to latest cddl version --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 0a66e38e..ec2dad40 100644 --- a/Gemfile +++ b/Gemfile @@ -1,5 +1,5 @@ source 'https://rubygems.org' gem 'json_pure' -gem 'cddl', '>=0.12.5' +gem 'cddl', '>=0.12.6' gem 'cbor-diag', '>=0.8.7' From 71174c79b31261409f233542220757a77b5adec9 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 13:18:01 -0800 Subject: [PATCH 08/18] Update Makefile fix build error for xml target --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4ffbfad1..1f9be9ab 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ include cddl/corim-frags.mk define cddl_targets -$(drafts_xml):: cddl/$(1)-autogen.cddl +$(drafts_xml): cddl/$(1)-autogen.cddl cddl/$(1)-autogen.cddl: $(addprefix cddl/,$(2)) $(MAKE) -C cddl check-$(1) From 12a743bd5000902e798f256662dd0cf1a4ae03d2 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 13:43:39 -0800 Subject: [PATCH 09/18] Update draft-ietf-rats-corim.md Reworded to better characterize expected behavior. --- draft-ietf-rats-corim.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index c9ff2f8f..5faa570d 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1171,9 +1171,8 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi #### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series} -The Conditional Endorsement Series Triple is used to assert endorsed values conditional on various sets of possible measurement values. -Each series entry describes a different possible set of values. -Series entries are ordered so that the set describing the most trustworthy state is evaluated first and least trustworthy state last. +The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match where each series condition uses the same matching keys and where the data values are ordered. +Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state. The Conditional Endorsement Series Triple has the following structure: From 01570dffae561bdd5ff9b4c91fe13cad9f1aecbe Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 13:51:17 -0800 Subject: [PATCH 10/18] Update draft-ietf-rats-corim.md Improved wording for how series iteration terminates. --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 5faa570d..cc019024 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2169,7 +2169,7 @@ where for each `evs` entry, the `condition` ECT is compared with an ACS ECT, whe If the ECTs match ({{sec-match-condition-ect}}), the `evs` `series` array is iterated, where for each `series` entry, if the `selection` ECT matches an ACS ECT, the `addition` ECT is added to the ACS. -Series processing terminates when the first series entry matches. +Series iteration terminates after the first matching series entry is processed or when no series entries match. ### Examples for optional phases 5, 6, and 7 {#sec-phases567} From 14f8b8f3c76e397c9330df245d8b6632070efd2a Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 13:56:00 -0800 Subject: [PATCH 11/18] Update draft-ietf-rats-corim.md Added "Series" to the Conditional Endorsement conceptual message. --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index cc019024..f945388a 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1993,7 +1993,7 @@ Conditional Endorsement Series Triple Transformation : > > **copy**(e.`conditional-series-record`.`addition`.`measurement-map`, `evs`.`series`.`addition`.`element-list`.`element-map`) {: cestt-enum} -* The signer of the Conditional Endorsement conceptual message is copied to the `evs`.`series`.`addition`.`authority` field. +* The signer of the Conditional Endorsement Series conceptual message is copied to the `evs`.`series`.`addition`.`authority` field. * If the Endorsement conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field. From b5d009d0f958e3f21507d93aa66fce12d01c77ff Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 13:58:21 -0800 Subject: [PATCH 12/18] Update draft-ietf-rats-corim.md Minor wording improvements --- draft-ietf-rats-corim.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index f945388a..db76854d 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1959,7 +1959,7 @@ Conditional Endorsement Triple Transformation : {: cett-enum} * The signer of the Conditional Endorsement conceptual message is copied to the `ev`.`addition`.`authority` field. -* If the Endorsement conceptual message has a profile, the profile is copied to the `ev`.`addition`.`profile` field. +* If the Conditional Endorsement conceptual message has a profile, the profile is copied to the `ev`.`addition`.`profile` field. Conditional Endorsement Series Triple Transformation : @@ -1995,7 +1995,7 @@ Conditional Endorsement Series Triple Transformation : {: cestt-enum} * The signer of the Conditional Endorsement Series conceptual message is copied to the `evs`.`series`.`addition`.`authority` field. -* If the Endorsement conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field. +* If the Conditional Endorsement Series conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field. #### Evidence Tranformation From 95340138d32250f3220779958b4345c5049bd547 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 5 Dec 2024 14:05:04 -0800 Subject: [PATCH 13/18] Update draft-ietf-rats-corim.md added line break --- draft-ietf-rats-corim.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index db76854d..71a98f32 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1172,7 +1172,8 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi #### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series} The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match where each series condition uses the same matching keys and where the data values are ordered. -Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state. +Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. +The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state. The Conditional Endorsement Series Triple has the following structure: From 1d7ce2f14e94ef285a8dc58e72f371d6a131cb54 Mon Sep 17 00:00:00 2001 From: Ned Smith Date: Wed, 11 Dec 2024 11:34:30 -0800 Subject: [PATCH 14/18] Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze --- draft-ietf-rats-corim.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 33e40e62..14a47843 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1183,7 +1183,10 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi #### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series} -The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match where each series condition uses the same matching keys and where the data values are ordered. +The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match. +Every `series-condition-record` selection MUST select the same `mkey`s. +Every selected `mkey`'s corresponding mentioned set of keys `mval`.key MUST be the same across each `series-condition-record`. +These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process. Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state. From 64d496ee09b9fc3a3d7d6d89e889241dab7c6721 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Thu, 12 Dec 2024 11:47:21 -0800 Subject: [PATCH 15/18] Updated condition series triple section Added example describing selection constraints. --- draft-ietf-rats-corim.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 14a47843..4f610486 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1186,6 +1186,14 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match. Every `series-condition-record` selection MUST select the same `mkey`s. Every selected `mkey`'s corresponding mentioned set of keys `mval`.key MUST be the same across each `series-condition-record`. +For example, if a selection has 3 matching `measurement-map` statements: + +* where `mkey` is omitted and where `mval` equals A, +* where `mkey` equals 1 and where `mval` equals B, +* where `mkey` equals 2 and where `mval` equals C. + +Then all selection statements in the series will use the same 3 matching criteria. + These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process. Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state. From dfc1954b47164458dee74a4f13f46a9495d538c8 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Fri, 13 Dec 2024 10:37:24 -0800 Subject: [PATCH 16/18] updated conditional series prose Revised example text to illustrate how normative text is to be interpreted. --- draft-ietf-rats-corim.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 4f610486..39959715 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1184,15 +1184,10 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi #### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series} The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match. -Every `series-condition-record` selection MUST select the same `mkey`s. -Every selected `mkey`'s corresponding mentioned set of keys `mval`.key MUST be the same across each `series-condition-record`. -For example, if a selection has 3 matching `measurement-map` statements: - -* where `mkey` is omitted and where `mval` equals A, -* where `mkey` equals 1 and where `mval` equals B, -* where `mkey` equals 2 and where `mval` equals C. - -Then all selection statements in the series will use the same 3 matching criteria. +Every `conditional-series-record` selection MUST select the same `mkey`s where +every selected `mkey`'s corresponding set of keys (i.e., `mval`._key_) MUST be the same across each `conditional-series-record`. +For example, if a selection matches on 3 `measurement-map` statements; `mkey` is the same for all 3 statements +and `mval`, for each statement, contains A= _variable-X_, B= _variable-Y_, and C= _variable-Z_ respectively for every `conditional-series-record` in the series. These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process. Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. From 2196c494851ec89b6e6a331f8d3b0baf74e0ef07 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Fri, 13 Dec 2024 10:40:59 -0800 Subject: [PATCH 17/18] minor rewording simplify sentence structure --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 39959715..01363ea9 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1187,7 +1187,7 @@ The Conditional Endorsement Series Triple is used to assert endorsed values base Every `conditional-series-record` selection MUST select the same `mkey`s where every selected `mkey`'s corresponding set of keys (i.e., `mval`._key_) MUST be the same across each `conditional-series-record`. For example, if a selection matches on 3 `measurement-map` statements; `mkey` is the same for all 3 statements -and `mval`, for each statement, contains A= _variable-X_, B= _variable-Y_, and C= _variable-Z_ respectively for every `conditional-series-record` in the series. +and `mval` contains A= _variable-X_, B= _variable-Y_, and C= _variable-Z_ respectively for every `conditional-series-record` in the series. These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process. Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last. From 0793e3d6943b63999486c3734fc2a0bc091dc9b9 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Fri, 13 Dec 2024 13:10:26 -0800 Subject: [PATCH 18/18] improved wording added 'only' to furthur clarify --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 01363ea9..0ea59ea4 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -1187,7 +1187,7 @@ The Conditional Endorsement Series Triple is used to assert endorsed values base Every `conditional-series-record` selection MUST select the same `mkey`s where every selected `mkey`'s corresponding set of keys (i.e., `mval`._key_) MUST be the same across each `conditional-series-record`. For example, if a selection matches on 3 `measurement-map` statements; `mkey` is the same for all 3 statements -and `mval` contains A= _variable-X_, B= _variable-Y_, and C= _variable-Z_ respectively for every `conditional-series-record` in the series. +and `mval` contains only A= _variable-X_, B= _variable-Y_, and C= _variable-Z_ respectively for every `conditional-series-record` in the series. These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process. Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last.