More on collections security #117
Conversation
Fix #115 Signed-off-by: Thomas Fossati <[email protected]>
thomas-fossati
requested review from
hannestschofenig,
nedmsmith,
laurencelundblade and
henkbirkholz
also create separate subsection for EAT submods considerations Signed-off-by: Thomas Fossati <[email protected]>
Signed-off-by: Thomas Fossati <[email protected]>
Signed-off-by: Thomas Fossati <[email protected]>
| However, compared to CMW collections, EAT submods are limited in two ways: | ||
|
|
||
| 1. Only EAT-formatted payloads are supported, | ||
| 2. Their top-down structure does not align well with the bottom-up approach layered attesters use to build the chain of trust, making them not ideal for modelling layered attestation. |
There was a problem hiding this comment.
You can make an EAT submod a format other than EAT by defining a type for it. In CBOR-format EATs, that's just defining a new CBOR tag to identify it. Might be a bit weird to define a CBOR tag to identify an X.509 format attestation, but it is possible.
So I don't think 1. is true.
A more correct statement would be that EAT can't represent layered attestation when the topmost/outermost/lead attestation is not EAT format.
EAT seems fine for most layered attestation (see recent email to rats). Seems to me that CCA is doing rather unusual layered attestation. CCA attestation evidence spans devices, right? That's unusual for attestation IMO and beyond what I imagined anyone doing in EAT (and RATS).
EAT should not be presented as being unsuitable or bad at layered attestation.
Maybe say something like, while EAT submods are fine for most layered attestation, CMW is more flexible and can represent more complex or unusual layered attestation like a bottom-up chain of trust.
There was a problem hiding this comment.
You can make an EAT submod a format other than EAT by defining a type for it. In CBOR-format EATs, that's just defining a new CBOR tag to identify it. Might be a bit weird to define a CBOR tag to identify an X.509 format attestation, but it is possible.
So I don't think 1. is true.
This is not what I understand from reading 4.2.18. submods (Submodules). There is no mention of the possibility of incorporating non-EAT tokens/claims-sets.
Can you point me to the relevant text?
A more correct statement would be that EAT can't represent layered attestation when the topmost/outermost/lead attestation is not EAT format.
EAT seems fine for most layered attestation (see recent email to rats). Seems to me that CCA is doing rather unusual layered attestation. CCA attestation evidence spans devices, right? That's unusual for attestation IMO and beyond what I imagined anyone doing in EAT (and RATS).
EAT should not be presented as being unsuitable or bad at layered attestation.
Maybe say something like, while EAT submods are fine for most layered attestation, CMW is more flexible and can represent more complex or unusual layered attestation like a bottom-up chain of trust.
We can certainly curate the text to avoid sounding adversarial vs EAT (that's certainly not my intent, on the contrary, I think EAT and CMW are an excellent pair.)
However, I stand by my assessment that submods are not great at layered attestation because they go counter the "natural" construction of the chain of trust of the device.
Typically (e.g., DICE, Arm CCA), the layer below signs the layer above, not the opposite. As I also said on the list, it could be my bias, but this doesn't look either complex or unusual to me.
There was a problem hiding this comment.
Re: incorporating non-EAT tokens/claims-sets, I think Laurence is referring to the fact that $EAT-CBOR-Tagged-Token is extensible. The potential for adding new types is noted in section 4.2.18 as follows:
The addition of further types is accomplished by augmenting the $EAT-CBOR-Tagged-Token socket or the $JSON-Selector socket.
You are correct the text does not explicitly call out that ASN.1 types, or other, could be accommodated this way but the means to support such is there.
There was a problem hiding this comment.
Thanks for the pointer!
Would it be fair to say something like:
"* {{EAT}} allows carrying non-EAT-formatted types by augmenting the
$EAT-CBOR-Tagged-Tokensocket or the$JSON-Selectorsocket. However, these need to be specified in subsequent standard documents updating the EAT specification."
?
There was a problem hiding this comment.
Integrated in 39e1f53
There was a problem hiding this comment.
Taking this a step further, we may as well drop this and add a new subsection "Transporting CMW in EAT submods" that defines the sockets extensions:
$EAT-CBOR-Tagged-Token /= #6.TBD(cbor-CMW)
and
$JSON-Selector /= [type: "CMW", nested-token: json-CMW]
Where:
cbor-CMWandjson-CMWare defined in Appendix A of CMW6.TBDis the CBOR tag requested for CMW
@carl-wallace @laurencelundblade @gmandyam would that work?
There was a problem hiding this comment.
A preview of that is in the cmw-in-submods branch: 701013c
There was a problem hiding this comment.
Adding use of submod extensibility here seems like a good idea to me.
Signed-off-by: Thomas Fossati <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Co-authored-by: Hannes Tschofenig <[email protected]>
Due to the reflow of S3.3 I created a separate section to hold CMW/JWT-related considerations. That, in turn, necessitated moving the X.509 section to a closer place.
Fix #115