Account for multiplicity in conditional endorsements #277
Conversation
A conditional endorsement series is about a target environment plus additional state expectations that lead to further endorsements. I removed the undefined CBOR tag around multiple measuremnt-maps since array and map have different CBOR major tags and a custom tag is not required. Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
deeglaze
requested review from
henkbirkholz,
thomas-fossati,
yogeshbdeshpande and
nedmsmith
as code owners
| ; endorsed values that apply in case revf matches | ||
| endv: measurement-values-map | ||
| endv: [ + mkeyvalue-pair ] |
There was a problem hiding this comment.
| endv: [ + mkeyvalue-pair ] | |
| endv: [ + measurement-map] |
There was a problem hiding this comment.
We don't want to have authorized-by in the endorsed values, since it is not meaningful here.
There was a problem hiding this comment.
It is not true, Endorsements or Reference Values, all should support Authority!
There was a problem hiding this comment.
No, authority in a measurement-map in a CoRIM represents a condition. Authority in a measurement-map in an ECT represents actual authorities that signed the information. For any added measurement, the only authority is the CoRIM issuer. Given that the triple has already given two other positions for stating an authority condition, it doesn't make sense for the endv to have its own conditionality semantics.
There was a problem hiding this comment.
I understand your point, however, this has a deeper implications.
By not providing a source of Authority for Added Endorsements in the triple, has implications.
It means the supplier of Endorsements has to have an implicit authority of CoRIM Signer.
It cannot inherit the Authority from RefValue provider Authority as they may not be the same!
Which implies, that for a Env with ClassID : X, with FW running from Authority coming from FW Supplier PQR (in RefVal), the Test House is vouching for its Endorsements.
It is fine to have CoRIM as a single source of Authority in this case, in most of the cases, so we can start with that.
I was thinking as Authority is optional retaining it will provide, the flexibility to introduce endorsements coming from different authority, For an Environement, like for FW Element -1 : Authority X, FW Element 2: Authority Y
There was a problem hiding this comment.
The only integrity protection you can ensure is who signed the information. #244 affirms that authorized-by is a condition, and not part of an addition. If it's not part of the condition and is actual addition, we need to have a triple signed by the delegate that the CoRIM issuer is authorized to sign on its behalf. I don't think we should do that though. You generally do that with PKI certificate paths.
Please express your example in terms of the conditional series triple so I may understand.
| measurement-maps-type-choice = measurement-map / [ + measurement-map ] |
There was a problem hiding this comment.
We agreed with Ned's PR that is optionality is not required!
|
Is there an issue that this PR links to so that reviewers can know the problem statement that motivates this PR? If we think there are use cases that can't be supported by the current triple it would be helpful to characterize them. If the goal is to create a series triple that is more generalized, then we should start with the internal representation. Since the ECT can be mapped to the external representation readily, the CDDL for a revised series triple should be relatively straight forward. |
|
issue #288 tracks the discussion! |
A conditional endorsement series is about a target environment plus additional state expectations that lead to further endorsements.
I removed the undefined CBOR tag around multiple measuremnt-maps since array and map have different CBOR major tags and a custom tag is not required.