-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need to define the namespace scoping for Environment #176
Comments
My assumption is that the attester and/or the evidence collection protocol defines the |
Do you mean "the attester and/or the evidence collection protocol developer defines the The consideration is that these values have to be defined at manufacturing time so that Ref Vals use the same environment identifiers. If the identifiers are not globally unique values, there is potential for collision from an unrelated supplier which could confuse verifiers (unless there is some other scoping context). The other issues having to do with groups potentially are impacted because an
Requiring use of If the schema constrains the |
Environment includes both The existing prose for If Environments are required to have global scope, then it is impossible (absent malicious intent) for environment-A to be confused with environment-B due to name collision. If it is impractical to expect environments will have global scope, the rules for local scoping need to be defined. At one point, there was wording in a PR that suggested namespace scope could be localized by placing an environment inside a grouping construct such as a 'domain' or 'bundle'. This may be a reasonable approach to support locally scoped namespaces, but is there a use case that motivates it? If the spec mandates environments to have global scope, and there happen to be namespace collisions (e.g.: vendor-X and vendor-Y choose the same vendor string "Solutions-R-us" then Verifiers may give incorrect results unknowingly (as there is not test that can be applied to determine if a combination of attributes is indeed globally unique and I presume CoRIM doesn't intended to require use of a registry that guarantees global uniqueness. If environments are presumed globally unique, then grouping for the purpose of making something become globally unique doesn't make sense. This may simplify the grouping context discussions. |
part of the requirement addressed via currently open #227 |
fixed by #227 |
An Attester can be from multiple vendors though, the Elements of Class Identifier are Optional Elements like
Vendor, Model, Class-ID etc.
This leaves the scope for a user to only add a Model, which could collide with other Vendor Models.
Need to define the usage of Class Identifier that should be unique across Multiple Vendors and Multiple Attesters belonging to the same Vendor. Specification needs some clarification about usage on Class Identifier, been how to mint it as a Unique Identifier!
The text was updated successfully, but these errors were encountered: