ietf-rats-wg / draft-ietf-rats-corim

Extract a common core between reference and evidence #237

Open deeglaze opened 2 months ago

deeglaze commented 2 months ago

In PR#232 the addition "CoRIM data structures may be used by Evidence and Attestation Results that wish to describe overlapping structure" is particularly concerning. I've seen Ned describe the desire to avoid needing to define new translations between all new evidence formats by declaring that industry evidence formats are just always going to use CoRIM triples. That's not at all decided, and I think there are phase distinction concerns to address when trying to blend the provisioning+signing time and run time representations of both expectations and raw evidence.

Given that, just saying that "CoRIM data structures may be used" is certainly a possibility, but it's too hypothetical to solidify in the standard. When another entity decides their message representation, they are of course well within their rights to reuse CoRIM encodings, but without a standard to describe the common core between evidence, attestation results, and CoRIMs, it's too early to muddy the waters. A concrete example of the bleeding between reference and evidence is the mkey https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/230, and I don't think that it belongs there in the reference structure.

nedmsmith commented 2 months ago

The internal representation reuses ECTs for everything from evidence to endorsement to attestation results. The semantics of ECTs overlaps all the various conceptual messages. Hence, the idea of a schema that "overlaps" or in other words is multi-purpose isn't out of the question.

The TCG specs that define concise-evidence, DiceTcbInfo, and SPDM formats overlap portions of the CoRIM schema on purpose to ensure a mapping to the internal representation is (ideally) non-lossy. The definition of evidence that borrows some of the CDDL in CoRIM nevertheless relies on different CBOR tagging that distinguishes it as Evidence vs Reference or Endorsed Values (which is what the CBOR tagging in CoMID distinguishes).

The language in section 8 is in the context of a description of appraisal processing where all the inputs are transformed into internal representations. This text is setting the stage for use of ECTs.

henkbirkholz commented 2 months ago

Maybe referencing TCG concise-evidence as an example in the context of Dionna's proposed "CoRIM data structures may be used" is good enough?

deeglaze commented 2 months ago

That still seems unguided. Is the goal not to converge on an industry standard attestation evidence format? Without that goal, we can see diverging uses of CoRIM CDDL codepoints.