Skip to content

Notes on the appraisal flow

Thomas Fossati edited this page Feb 9, 2023 · 6 revisions

CoRIM-based Evidence Verification

The verification procedure is divided into two separate phases:

  • Appraisal Context initialisation
  • Evidence appraisal

At a few well-defined points in the procedure, the Verifier behaviour will depend on the specific CoRIM profile. Each CoRIM profile SHALL fully describe the expected Verifier behaviour for each of those well-defined points.

Note that what follows is not meant to describe a real implementation. In particular, it is expected that the cost associated with the initialisation phase can be amortised across multiple appraisals. Implementers are free to do as they please, as long as the stated invariants are not broken.

In the following, if a MUST-level requirement is violated, the entire procedure is aborted.

Appraisal Context Initialisation

The goal of the initialisation phase is to load the CoRIM Appraisal Context with all and only the Reference Values, Endorsed Values, and cryptographic validation key material (e.g., raw public keys, root certificates, intermediate CA certificate chains, etc.) that will be used in the subsequent Evidence Appraisal phase.

CoRIM Selection

All available Concise Reference Integrity Manifests (CoRIMs) are collected.

CoRIMs that are not within their validity period, or that cannot be associated with an authenticated and authorised source MUST be discarded.

Other selection criteria MAY be applied. For example, if the Evidence format is known in advance, CoRIMs that do not match the expected profile can be readily discarded.

The selection process MUST yield at least one usable CoRIM.

CoBOMs Extraction

All the available Concise Bill Of Material tags (CoBOMs) are collected from the selected CoRIMs.

The collection process MUST yield, at least, one CoBOM.

Tags Identification and Validation

The CoBOM(s) are used to locate and collect the listed tags -- i.e., Concise Module Identifiers (CoMID) and/or Concise Software Identifiers (CoSWID) and/or Concise Trust Anchor Stores (CoTS) -- from the selected CoRIMs.

All the listed tags MUST be successfully located and be syntactically and semantically valid. In particular, any internal cross-reference (e.g., CoMID-CoSWID linking triples) MUST be successfully resolved.

Appraisal Context Construction

All Reference Values, Endorsed Values and cryptographic verification key material found in the listed tags are extracted and loaded into the Appraisal Context.

This concludes the initialisation phase.

Evidence Appraisal

In the Evidence Appraisal phase, a CoRIM Appraisal Context and an Evidence Appraisal Policy are used to determine the trustworthiness of the received Evidence. The outcome of the appraisal process is summarised in an Attestation Result. The Attestation Result provides a set of trust metrics associated with the appraised Evidence together with any information that can be derived by the Verifier about the Attester via supply chain endorsements. The Relying Party application uses the content of the Attestation Result to make its own policy decisions.

We make no assumptions on the specific shape of the Attestation Result, except for its optional ability to include Endorsed Values associated with the appraised Attester that the Verifier has been able to infer from Evidence and the Appraisal Context.

Cryptographic verification of Evidence

The first step in the Evidence Appraisal process is to verify the cryptographic signature over Evidence.

The exact verification mechanics depends on the specific Evidence format.

For example: In DICE, a suitable certificate chain anchored on a trusted root certificate is searched up -- e.g., based on linking information obtained from the layer 0 certificate -- in the appraisal context. If found, then usual X.509 certificate validation is performed. In PSA, the verification public key is looked up in the appraisal context using the euid claim found in the PSA claims-set. If found, COSE Sign1 verification is performed accordingly.

Independent of the specific method, the integrity of Evidence cryptographic envelope MUST be successfully verified.

A CoRIM profile MUST describe:

  • How cryptographic verification key material is conveyed (e.g., using Attestation Keys triples, or CoTS tags)
  • How key material is associated with the Attesting Environment
  • How the Attesting Environment is identified in Evidence

Matching Evidence against Reference Values

The second step consists in matching Reference Values in the Appraisal Context against Evidence.

The Target Environment associated with Evidence needs to be identified. Typically, this is done by extracting the relevant claims from the Evidence claims-set. The exact mechanics depend on the specific Evidence format.

For example: In PSA, the Verifier extracts the euid and psa-implementation-id claims from the PSA claims-set. In DICE, the Target Environment identifiers are sourced from the DiceTcbInfo X.509 extension.

The Target Environment identifier is used to lookup the relevant Reference Values from the Appraisal Context.

Evidence MUST match the identified Reference Values.

A CoRIM profile MUST describe:

  • How Reference Values are conveyed (e.g., using Reference Value triples, or CoSWID tags)
  • How Reference Values are associated with the Target Environment
  • How the Target Environment is identified in Evidence
  • How measurements from Evidence are matched against Reference Values

Matching Endorsed Values with Evidence

The third step consists in matching Endorsed Values in the Appraisal Context with Evidence.

The Target and Attested Environment associated with Evidence need to be identified.

Again, this is typically done by extracting the relevant claims from the Evidence claims-set. The exact mechanics depend on the specific Evidence format.

Alongside the environment identifiers, the matched Reference Values MAY also be used in selecting applicable Endorsed Values.

Any matched Endorsed Value can be added to the Attestation Result.

A CoRIM profile MUST describe:

  • How Endorsed Values are conveyed (e.g., using Endorsed Value triples, or Device Identity triples)
  • How Endorsed Values are associated with the Target and Attesting Environments
  • How the Target and Attesting Environments are identified in Evidence