dthaler
commented
3 months ago Section 3 seems garbled. Paragraphs 1 and 3 describe reference values interactions (possible states) in a section on actual (endorsed) states. These should probably be removed from section 3.
Paragraph 1 defines what the title of section 3 means. Paragraph 3 is essential in allowing paragraph 4 to explain the difference. I haven't heard confusion from any other readers yet.
Paragraph 2 seems to give attention to immutable vs. immutable unnecessarily. It bans use of conditionally endorsed values that are immutable.
I think this came from @thomas-fossati. Personally I have no objection to removing this ban, but Thomas do you have any technical reason to keep this?
But it is reasonable for an AE to have a serial# that is asserted by one AE while another AE asserts, say a model#. It isn't wrong if an endorsement asserts that a model# is X conditional on a serial# Y.
Paragraph 2 uses an example that isn't that intuitive as it assumes / asserts that CPU may support different features based on (mutable) firmware. This seems like an obscure example since there is no consistency across the industry regarding whether a CPU vendor's endorsement will differ based on which firmware happens to be loaded. Hence, it isn't providing intuition about the property of immutableness as it pertains to conditional endorsement.
I think the example is still useful (it certainly helped me understand it), but adding a second example like one you mention in this feedback is fine. I will try to do that.
The fourth paragraph seems to derive from the previous 3 but these all have issues, so it is unclear what property is derived. Paragraph 4 simply seems to weigh trade-offs without specifically stating the conditions being compared.
It does to me (I can't say whether it is clear to anyone else, so wordsmithing suggestions welcome. Thomas? Henk? It says that you conditionally add any appropriate claims before you determine trustworthiness based on their values.
The fifth paragraph describes the relationship between conditional endorsements and policies. But there is no such thing as appraisal policy for endorsements. Hence, it is unclear what point the author is making.
The conditional matching part is not appraisal policy per se. The intent of paragraphs 1 and 4 (taken together) are to say that.
In toto, section 3 should describe the concept of conditional endorsement
There's no "conditional endorsement" (so such term is defined or should be in my view). There are "conditionally endorsed values". The same endorsement might contain multiple conditionally endorsed values, with different conditions.
as the idea that a second endorsement state may be entered (true) conditional on a first endorsement state being true.
For example, if an AE has the serial#_X, then the CC evaluation is EAL4+.
I am adding this example (in generic wording so as to not require a reference) in a pull request.
Appraisal policy for AR might determine whether or not CC evaluation claims are relevant. But appraisal policy would (should) not negate an endorsement claim.
nedmsmith
Section 3 seems garbled. Paragraphs 1 and 3 describe reference values interactions (possible states) in a section on actual (endorsed) states. These should probably be removed from section 3.
Paragraph 2 seems to give attention to immutable vs. immutable unnecessarily. It bans use of conditionally endorsed values that are immutable. But it is reasonable for an AE to have a serial# that is asserted by one AE while another AE asserts, say a model#. It isn't wrong if an endorsement asserts that a model# is X conditional on a serial# Y.
Paragraph 2 uses an example that isn't that intuitive as it assumes / asserts that CPU may support different features based on (mutable) firmware. This seems like an obscure example since there is no consistency across the industry regarding whether a CPU vendor's endorsement will differ based on which firmware happens to be loaded. Hence, it isn't providing intuition about the property of immutableness as it pertains to conditional endorsement.
The fourth paragraph seems to derive from the previous 3 but these all have issues, so it is unclear what property is derived. Paragraph 4 simply seems to weigh trade-offs without specifically stating the conditions being compared.
The fifth paragraph describes the relationship between conditional endorsements and policies. But there is no such thing as appraisal policy for endorsements. Hence, it is unclear what point the author is making.
In toto, section 3 should describe the concept of conditional endorsement as the idea that a second endorsement state may be entered (true) conditional on a first endorsement state being true.
For example, if an AE has the serial#_X, then the CC evaluation is EAL4+.
Appraisal policy for AR might determine whether or not CC evaluation claims are relevant. But appraisal policy would (should) not negate an endorsement claim.