extend the use of tagged-bytes to identifiers #188
Conversation
Fix #184 Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
thomas-fossati
requested review from
henkbirkholz,
yogeshbdeshpande and
nedmsmith
as code owners
Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
| ### Tagged Bytes Type {#sec-common-tagged-bytes} | ||
|
|
||
| An opaque, variable-length byte string. | ||
| It can be used in different contexts: as an instance, class or group identifier in an `environment-map`; as a raw value measurement in a `measurement-values-map`. |
There was a problem hiding this comment.
Agreed to omit this suggestion.
Co-authored-by: Andrew Draper <andrew.draper@intel.com>
draft-ietf-rats-corim.md
Outdated
| An opaque, variable-length byte string. | ||
| It can be used in different contexts: as an instance, class or group identifier in an `environment-map`; as a raw value measurement in a `measurement-values-map`. | ||
| Its semantics is defined by the context in which it is found, and by the overarching CoRIM profile. | ||
| When used as an identifier the responsible allocator entity SHOULD ensure uniqueness. |
There was a problem hiding this comment.
the scope of uniqueness should be defined.
There was a problem hiding this comment.
You mean something like:
"[...] ensure uniqueness within the usage scope."
There was a problem hiding this comment.
You mean something like:
"[...] ensure uniqueness within the usage scope."
OK
There was a problem hiding this comment.
cool, see 9757398
draft-ietf-rats-corim.md
Outdated
| An opaque, variable-length byte string. | ||
| It can be used in different contexts: as an instance, class or group identifier in an `environment-map`; as a raw value measurement in a `measurement-values-map`. | ||
| Its semantics is defined by the context in which it is found, and by the overarching CoRIM profile. | ||
| When used as an identifier the responsible allocator entity SHOULD ensure uniqueness. |
There was a problem hiding this comment.
You mean something like:
"[...] ensure uniqueness within the usage scope."
OK
draft-ietf-rats-corim.md
Outdated
| An opaque, variable-length byte string. | ||
| It can be used in different contexts: as an instance, class or group identifier in an `environment-map`; as a raw value measurement in a `measurement-values-map`. | ||
| Its semantics are defined by the context in which it is found, and by the overarching CoRIM profile. | ||
| When used as an identifier the responsible allocator entity SHOULD ensure uniqueness within the usage scope. |
There was a problem hiding this comment.
| When used as an identifier the responsible allocator entity SHOULD ensure uniqueness within the usage scope. | |
| When used as an identifier the responsible allocator entity SHOULD ensure global uniqueness. |
There was a problem hiding this comment.
I don't think global uniqueness is needed here. It is sufficient that the tagged bytes unambiguously identify an entity within a given scope. The same 560(h'01') may refer to instance "1" or to class "1" without ambiguity.
There was a problem hiding this comment.
The other examples of instance-id have implied global uniqueness properties. The motivation for adding bytes was that some felt ueid might not be big enough to ensure global uniqueness. The verifier doesn't have additional context to know what scope to apply to disambiguate scope-A:bytes from scope-B:bytes. We shouldn't overload class properties in instance-id since class-id is intended accommodate class-based identifiers.
The problem is there is one section for describing the semantics of the tag 560 () but it is used in all three environment-map options where each has different scope (class, instance, or group). 560 means different things depending on class, instance, or group context. Descriptive text should be specific to each context.
There was a problem hiding this comment.
Clarifying why I do not agree with Andy's suggestion: the word global to me implies across contexts, which is not what we should require from the allocator for the reason I've tried to describe above.
Descriptive text should be specific to each context.
Do you have any suggestions? ISTM that the exact semantics will be profile-specific, i.e., out-of-scope of base CoRIM -- except if DICE has anything to say about #6.560.
There was a problem hiding this comment.
Discussion today resolved that 560 is to be interpreted within the CDDL context in which it occurs. This PR proposes 3 additional contexts from the current raw-value-group context. The description of the CDDL for each context should describe the expected properties.
In the case, of environment-map there are other issue #176 observes the lack of meaningful scoping discussion for each of the fields (class, instance, group). If we resolve #176, then this thread becomes mute.
There was a problem hiding this comment.
Discussion today resolved that 560 is to be interpreted within the CDDL context in which it occurs.
Yes
This PR proposes 3 additional contexts from the current raw-value-group context.
I don't understand this.
The description of the CDDL for each context should describe the expected properties.
Yes
In the case, of
environment-mapthere are other issue #176 observes the lack of meaningful scoping discussion for each of the fields (class, instance, group). If we resolve #176, then this thread becomes mute.
WFM
Co-authored-by: Ned Smith <ned.smith@intel.com>
Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
draft-ietf-rats-corim.md
Outdated
| @@ -821,7 +832,7 @@ An instance carries a unique identifier that is reliably bound to a Target Envir | |||
| that is an instance of the Attester. | |||
|
|
|||
| The types defined for an instance identifier are CBOR tagged expressions of | |||
| UEID, UUID, or cryptographic key identifier. | |||
| UEID, UUID, variable-length opaque byte string, or cryptographic key identifier. | |||
There was a problem hiding this comment.
Please either add a reference to tagged bytes or describe profile specific behaviour dependency here!
There was a problem hiding this comment.
done in 6fee7e3
draft-ietf-rats-corim.md
Outdated
| @@ -821,7 +832,7 @@ An instance carries a unique identifier that is reliably bound to a Target Envir | |||
| that is an instance of the Attester. | |||
|
|
|||
| The types defined for an instance identifier are CBOR tagged expressions of | |||
| UEID, UUID, or cryptographic key identifier. | |||
| UEID, UUID, variable-length opaque byte string, or cryptographic key identifier. | |||
There was a problem hiding this comment.
Similar entry is needed in the class identifier as well!
Fix #184