Conditional endorsement series triple section reworded #326

Open
wants to merge 21 commits into
base: main
Changes from 17 commits
45 changes: 32 additions & 13 deletions cddl/examples/comid-series.diag
Expand Up @@ -24,13 +24,12 @@
[
{ / *** measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ ver / 0 : {
/ version / 0 : "1.0.0",
/ version-scheme / 1 : 16384 / semver /
/ comid.flags / 3 : {
/ configured / 0 : true
}
},
/ authorized-by / 2 : [
/ tagged-pkix-base64-key-type / 554("base64_key_X")
/ tagged-pkix-base64-key-type / 554("base64_key_ACME_signer")
yogeshbdeshpande marked this conversation as resolved.
]
}
]
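Review bot: in the condition's `mval`, `/ comid.flags / 3` uses a prefixed label while the neighbouring key is labelled with a bare name (`/ ver / 0`); use one labelling style throughout the example. Separately, `554("base64_key_ACME_signer")` sits under the label `tagged-pkix-base64-key-type` but is not base64 text, so a short diag comment marking it as a placeholder would stop readers from copying it as a working key.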
Expand All @@ -40,16 +39,17 @@
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ digests / 2 : [[
/ hash-alg-id / 6, / sha-256-32 /
/ hash-value / h'ABCDEF01' ]]
/ ver / 0 : {
/ version / 0 : "2.0.0"
},
/ comid.svn / 1 : 552(3)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_ACME_777"
/ name / 11: "-NO_CVE-"
}
}
]
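Review bot: the selection's `/ ver / 0` map gives only `/ version / 0 : "2.0.0"` with no `version-scheme`, whereas the `ver` map in the first hunk of this file pairs its version with `/ version-scheme / 1 : 16384 / semver /`. Either add the scheme here or add a comment saying it is intentionally omitted, so the example does not leave open how "2.0.0" is meant to be compared. The endorsed `name` value `"-NO_CVE-"` would also benefit from a comment stating that it is an illustrative status label.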
Expand All @@ -58,17 +58,36 @@
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ digests / 2 : [[
/ hash-alg-id / 6, / sha-256-32 /
/ hash-value / h'BCDEF01A' ]]

/ ver / 0 : {
/ version / 0 : "1.0.0"
},
/ comid.svn / 1 : 552(2)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_ACME_555"
/ name / 11: "CVE_WARNING"
}
}
]
],
[ / conditional-series-record #3 /
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ ver / 0 : {
/ version / 0 : "1.0.0"
},
/ comid.svn / 1 : 552(1)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_VULNERABLE"
}
}
]
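Review bot: records #2 and #3 select on the same `version` "1.0.0" and differ only in `comid.svn` (`552(2)` versus `552(1)`), and every selection in the series uses the same tag 552, so it is not evident from the example which entry is the "most precise" one that the draft text in this PR says is evaluated first. Add a diag comment on each `conditional-series-record` explaining why it sits at that position. The endorsed names `"CVE_WARNING"` and `"CVE_VULNERABLE"` also follow a different pattern from `"-NO_CVE-"` in the preceding record; pick one naming pattern for these labels.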
26 changes: 12 additions & 14 deletions draft-ietf-rats-corim.md
Expand Up @@ -1183,15 +1183,12 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi

#### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series}

A Conditional Endorsement Series triple uses a "stateful environment" that identifies a Target Environment plus the measurements that have matching Evidence.

The series object is an array of `conditional-series-record` that has both Reference and Endorsed Values.
Each conditional-series-record record is evaluated in the order it appears in the series array.
The Endorsed Values are accepted if the series condition in a `conditional-series-record` matches the attester's actual state.
The first `conditional-series-record` that successfully matches an attester's actual state terminates the matching and the corresponding Endorsed Values are accepted.
If none of the series conditions match the attester's actual state, the triple is not matched, and no Endorsed values are accepted.

More clarification about the usage and matching order will be resolved by: [^tracked-at] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/321
The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match.
Every `series-condition-record` selection MUST select the same `mkey`s.
Every selected `mkey`'s corresponding mentioned set of keys `mval`.key MUST be the same across each `series-condition-record`.
Collaborator

Tough one to parse... I am not sure I get what you mean here. Is it that "each selected mkey MUST have the same corresponding set of mvals across all series-condition-record entries"?

Collaborator

Say you have 3 measurement-map in a selection. One has no mkey with mval { 0: …}. One has mkey 1 with mval: { 1: …, 4: … } and one has mkey 2 with mval {0: …, 7: …}. That has to be the same selection structure for all selections in the series.

Collaborator

OK, surely L1188 needs unpacking. I suggest reorganising it this way:

  1. make a short normative statement, followed by
  2. an example

These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process.
Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last.
The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state.

The Conditional Endorsement Series Triple has the following structure:
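
Review bot: the two MUST sentences name `series-condition-record`, but the rest of this section, the parameter description further down and the example file all call the type `conditional-series-record`; use the existing name so the requirement attaches to a defined term. Also, "These restrictions ensure that evaluation order does not change the meaning of the triple" reads oddly next to "Series entries are ordered such that the most precise match is evaluated first" and first-match termination, both of which make order significant. Say who is responsible for the ordering, and use a normative keyword if it is a requirement.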

Expand All @@ -1214,7 +1211,8 @@ The `conditional-series-record` has the following parameters:
To process a `conditional-endorsement-series-record` the `conditions` are compared with existing Evidence, corroborated Evidence, and Endorsements.
If the search criteria are satisfied, the `series` tuples are processed.

The `series` array contains a list of `conditional-series-record` entries.
The `series` array contains an ordered list of `conditional-series-record` entries.
Evaluation order begins at list position 0.

For each `series` entry, if the `selection` criteria matches an entry found in the `condition` result, the `series` `addition` is combined with the `environment-map` from the `condition` result to form a new Endorsement entry.
The new entry is added to the existing set of Endorsements.
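
Review bot: the unchanged paragraph beginning "For each `series` entry, if the `selection` criteria matches ..." still reads as though every matching entry contributes an Endorsement, which conflicts with the first-match termination stated elsewhere in this PR. Add the termination rule next to "Evaluation order begins at list position 0." or reword that paragraph along the lines of "For the first `series` entry whose `selection` matches ...". "criteria matches" should also be "criteria match".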
Expand Down Expand Up @@ -1994,7 +1992,7 @@ The selected tags are mapped to an internal representation, making them suitable
{: cett-enum}
* The signer of the Conditional Endorsement conceptual message is copied to the `ev`.`addition`.`authority` field.

* If the Endorsement conceptual message has a profile, the profile is copied to the `ev`.`addition`.`profile` field.
* If the Conditional Endorsement conceptual message has a profile, the profile is copied to the `ev`.`addition`.`profile` field.

##### Conditional Endorsement Triple Transformation {#sec-end-trans-cest}
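
Review bot: the context heading `##### Conditional Endorsement Triple Transformation {#sec-end-trans-cest}` follows the `cett-enum` list and carries a `cest` anchor, so it looks like it is missing the word "Series". Since this PR is already aligning the message names in this area, fix the heading in the same change.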

Expand Down Expand Up @@ -2028,9 +2026,9 @@ The selected tags are mapped to an internal representation, making them suitable
> > **copy**(e.`conditional-series-record`.`addition`.`measurement-map`, `evs`.`series`.`addition`.`element-list`.`element-map`)

{: cestt-enum}
* The signer of the Conditional Endorsement conceptual message is copied to the `evs`.`series`.`addition`.`authority` field.
* The signer of the Conditional Endorsement Series conceptual message is copied to the `evs`.`series`.`addition`.`authority` field.

* If the Endorsement conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field.
* If the Conditional Endorsement Series conceptual message has a profile, the profile is copied to the `evs`.`series`.`addition`.`profile` field.

##### Key Verification Triples Transformation {#sec-end-trans-kvt}
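
Review bot: `series` is an array, so "copied to the `evs`.`series`.`addition`.`authority` field" does not say whether the signer is copied into every series entry's `addition` or only one; the same applies to the `profile` bullet. Suggest wording such as "copied to the `addition`.`authority` field of each `evs`.`series` entry".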

Expand Down Expand Up @@ -2237,7 +2235,7 @@ where for each `evs` entry, the `condition` ECT is compared with an ACS ECT, whe
If the ECTs match ({{sec-match-condition-ect}}), the `evs` `series` array is iterated,
where for each `series` entry, if the `selection` ECT matches an ACS ECT,
the `addition` ECT is added to the ACS.
Series processing terminates when the first series entry matches.
Series iteration terminates after the first matching series entry is processed or when no series entries match.

#### Processing Key Verification Endorsements {#sec-process-keys}
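
Review bot: "or when no series entries match" describes reaching the end of the list rather than a termination condition, and the sentence does not state the outcome in that case. The section introduction's sentence "If none of the series conditions match the attester's actual state, the triple is not matched, and no Endorsed values are accepted." is not carried into the new wording, so restate the outcome here, for example "If no series entry matches, nothing is added to the ACS."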
