Open MikeCamel opened 6 months ago
Thanks @MikeCamel.
Using RATS terminology, I interpret 1. as "trusting evidence" based on endorsements, such as those from the supply chain. Adn I interpret 2. as "trusting attestation results," meaning trusting the verifier, usually by knowing and trusting its signing key.
Re: 3. and 4. I interpret 3. as "verifying that the expected transitive trust relationships are in place", and 4. as a generalisation of 3, where instead of a linear chain, the trust relationships are modelled as a graph.
I think 1 and 2 are particularly within CMW's scope, whilst 3 and 4 seem very relevant. Especially when CMWs are used to describe layered attesters (case 3) or composite devices (case 4).
These are clearly different trust contexts, but people don't understand very well that contexts must be separated, so we should call this out and ensure that the semantics we're creating support them from the very initial version and any implementation (or people will combine them, and implementations will allow combinations to support previous versions, which is a Bad Thing[tm]).