Conditional endorsement series triple section reworded #326

Open
wants to merge 21 commits into
base: main
45 changes: 32 additions & 13 deletions cddl/examples/comid-series.diag
Expand Up @@ -24,13 +24,12 @@
[
{ / *** measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ ver / 0 : {
/ version / 0 : "1.0.0",
/ version-scheme / 1 : 16384 / semver /
/ comid.flags / 3 : {
/ configured / 0 : true
}
},
/ authorized-by / 2 : [
/ tagged-pkix-base64-key-type / 554("base64_key_X")
/ tagged-pkix-base64-key-type / 554("base64_key_ACME_signer")
yogeshbdeshpande marked this conversation as resolved.
]
}
]
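Review bot: the new label / comid.flags / on key 3 carries a "comid." prefix that the neighbouring labels in this map (/ mval /, / authorized-by /) do not use. Consider / flags / 3 so the diag comments follow a single convention, or add the prefix consistently across the file.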
Expand All @@ -40,16 +39,17 @@
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ digests / 2 : [[
/ hash-alg-id / 6, / sha-256-32 /
/ hash-value / h'ABCDEF01' ]]
/ ver / 0 : {
/ version / 0 : "2.0.0"
},
/ comid.svn / 1 : 552(3)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_ACME_777"
/ name / 11: "-NO_CVE-"
}
}
]
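Review bot: the endorsed name "-NO_CVE-" in this series record does not follow the pattern of the names used in the later records ("CVE_WARNING", "CVE_VULNERABLE"); a value in the same style, for example "CVE_NONE", would keep the three outcomes visibly parallel. Separately, the / ver / map here has no / version-scheme /, while the version map removed from the condition entry carried 16384 / semver /; if "2.0.0" and "1.0.0" are meant to be read as semver, stating the scheme in the selection makes that explicit.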
Expand All @@ -58,17 +58,36 @@
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ digests / 2 : [[
/ hash-alg-id / 6, / sha-256-32 /
/ hash-value / h'BCDEF01A' ]]

/ ver / 0 : {
/ version / 0 : "1.0.0"
},
/ comid.svn / 1 : 552(2)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_ACME_555"
/ name / 11: "CVE_WARNING"
}
}
]
],
[ / conditional-series-record #3 /
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ ver / 0 : {
/ version / 0 : "1.0.0"
},
/ comid.svn / 1 : 552(1)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_VULNERABLE"
}
}
]
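Review bot: record #3 and the record before it both select / version / "1.0.0" and differ only in / comid.svn / (552(1) versus 552(2)), so the SVN is the sole discriminator between "CVE_VULNERABLE" and "CVE_WARNING". A short diag comment on each record saying so would help readers, since the example exists to illustrate ordered first-match selection. There is also a blank line at the top of the measurement-values-map in the record before #3 that the other records do not have.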
27 changes: 14 additions & 13 deletions draft-ietf-rats-corim.md
Expand Up @@ -1183,15 +1183,15 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi

#### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series}

A Conditional Endorsement Series triple uses a "stateful environment" that identifies a Target Environment plus the measurements that have matching Evidence.
The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match.
Every `conditional-series-record` selection MUST select the same `mkey`s where
every selected `mkey`'s corresponding set of keys (i.e., `mval`._key_) MUST be the same across each `conditional-series-record`.
For example, if a selection matches on 3 `measurement-map` statements; `mkey` is the same for all 3 statements
Collaborator


"a selection" and "3 measurement-map statements" seems like the wrong way of describing it, since a list of measurement-map with the same mkey is ill-formed. You can only have one measurement-map with a specific mkey in a list of measurement-map.

I think you mean there are 3 conditional-series-record, and for each record, they have 1 measurement-map in their list each, and that measurement map has the same mkey, and an mval of the form you state below. That would be fine. It would also be fine for each record to have more than 1 measurement-map, such as

[[mkey: 0, mval: {A: _variable-X_, B: _variable-Y_, C: _variable-Z_ }], [mkey: 1, mval: {D: _variable-W_}]]

I don't think "mval contains" is appropriate either, since the first mval also contains "A=variable-X" without the closure. You need to state that mval contains exactly those 3 key/value pairs and no more.

and `mval` contains only A= _variable-X_, B= _variable-Y_, and C= _variable-Z_ respectively for every `conditional-series-record` in the series.

The series object is an array of `conditional-series-record` that has both Reference and Endorsed Values.
Each conditional-series-record record is evaluated in the order it appears in the series array.
The Endorsed Values are accepted if the series condition in a `conditional-series-record` matches the attester's actual state.
The first `conditional-series-record` that successfully matches an attester's actual state terminates the matching and the corresponding Endorsed Values are accepted.
If none of the series conditions match the attester's actual state, the triple is not matched, and no Endorsed values are accepted.

More clarification about the usage and matching order will be resolved by: [^tracked-at] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/321
These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process.
Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last.
The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state.

The Conditional Endorsement Series Triple has the following structure:

Expand All @@ -1214,7 +1214,8 @@ The `conditional-series-record` has the following parameters:
To process a `conditional-endorsement-series-record` the `conditions` are compared with existing Evidence, corroborated Evidence, and Endorsements.
If the search criteria are satisfied, the `series` tuples are processed.

The `series` array contains a list of `conditional-series-record` entries.
The `series` array contains an ordered list of `conditional-series-record` entries.
Evaluation order begins at list position 0.

For each `series` entry, if the `selection` criteria matches an entry found in the `condition` result, the `series` `addition` is combined with the `environment-map` from the `condition` result to form a new Endorsement entry.
The new entry is added to the existing set of Endorsements.
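Review bot: the added lines make the list ordered and start evaluation at position 0, but the unchanged paragraph that follows still reads "For each `series` entry, if the `selection` criteria matches ...", which implies every matching entry contributes an Endorsement. That conflicts with the first-match termination this PR states elsewhere. Suggest adding the stop condition here as well, for example "Evaluation stops at the first entry whose `selection` matches", and aligning `conditions` / `condition` between the two paragraphs.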
Expand Down Expand Up @@ -1994,7 +1995,7 @@ The selected tags are mapped to an internal representation, making them suitable
{: cett-enum}
* The signer of the Conditional Endorsement conceptual message is copied to the `ev`.`addition`.`authority` field.

* If the Endorsement conceptual message has a profile, the profile is copied to the `ev`.`addition`.`profile` field.
* If the Conditional Endorsement conceptual message has a profile, the profile is copied to the `ev`.`addition`.`profile` field.

##### Conditional Endorsement Triple Transformation {#sec-end-trans-cest}

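Review bot: the context heading "Conditional Endorsement Triple Transformation" carries the anchor `sec-end-trans-cest`, and the text that follows under it in the next hunk deals with `evs`.`series` and `conditional-series-record`. If this heading introduces the series transformation, it should read "Conditional Endorsement Series Triple Transformation", in line with the naming cleanup made in the bullet above it.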
Expand Down Expand Up @@ -2028,9 +2029,9 @@ The selected tags are mapped to an internal representation, making them suitable
> > **copy**(e.`conditional-series-record`.`addition`.`measurement-map`, `evs`.`series`.`addition`.`element-list`.`element-map`)

{: cestt-enum}
* The signer of the Conditional Endorsement conceptual message is copied to the `evs`.`series`.`addition`.`authority` field.
* The signer of the Conditional Endorsement Series conceptual message is copied to the `evs`.`series`.`addition`.`authority` field.

* If the Endorsement conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field.
* If the Conditional Endorsement Series conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field.

##### Key Verification Triples Transformation {#sec-end-trans-kvt}

Expand Down Expand Up @@ -2237,7 +2238,7 @@ where for each `evs` entry, the `condition` ECT is compared with an ACS ECT, whe
If the ECTs match ({{sec-match-condition-ect}}), the `evs` `series` array is iterated,
where for each `series` entry, if the `selection` ECT matches an ACS ECT,
the `addition` ECT is added to the ACS.
Series processing terminates when the first series entry matches.
Series iteration terminates after the first matching series entry is processed or when no series entries match.

#### Processing Key Verification Endorsements {#sec-process-keys}

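Review bot: in the new termination sentence, "or when no series entries match" does not name a point in the iteration; what ends the loop is reaching the end of the `series` array. Suggest "Series iteration terminates after the first matching series entry is processed, or at the end of the array if no entry matches", and say explicitly that the ACS is left unchanged in the no-match case.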