ietf-rats / ietf-corim-cddl

This repository is abandoned. The adopted I-D can be found at:
https://github.com/ietf-rats-wg/draft-ietf-rats-corim/

Separate entity entries for CoRIM and CoMID #21

Closed yogeshbdeshpande closed 3 years ago

henkbirkholz commented 3 years ago

If I signed a CoRIM, I'd be rather surprised if there are other entities taking on the role of revoking my CoRIM next to me? What am I missing?

yogeshbdeshpande commented 3 years ago

I agree with Henk, there should not be a separate person role for xCoRIM. Only CoRIM role should be authorised to execute xCoRIM.

Any other thoughts? Would love to hear them!

nedmsmith commented 3 years ago

The signer is employing the ‘corim-signer’ role to sign the manifest and employing the ‘xcorim-signer’ to revoke the manifest. The entity and roles are not conflated. But yes, it is weird if the entity that issued the manifest was different from the entity that revoked it.

It is possible with cert chains that the entity name is a root CA while the entities that possess signing and revoking roles are different branches of the key hierarchy. So, it could be different keys that sign the manifest vs. that sign the xcorim.

Keeping them as independent entity maps doesn’t artificially limit the flexibility while still allowing for the common case. We are only saving paper by conflating them.

-Ned
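
The entity/role split Ned describes above, as an added example that is not code from the ietf-corim-cddl repository: a small deterministic CBOR encoder for the map keys quoted from corim-code-points.cddl later in this thread (97, 98, 99, 122, 123), plus a revocation check that models the two positions under discussion, strict (only the CoRIM signer's own key may revoke) versus hierarchical (same entity name, e.g. a root CA, with a separate key holding xcorim-signer). The entity-map keys 0/1/2, the role values 1/2, the use of deny-id to name the revoked corim-id, and all names and key identifiers are assumptions constructed for this example, not values from the spec.

```python
# Added example, not code from the ietf-corim-cddl repository.
# Models the question in this thread: which entity/key may sign an xCoRIM
# that revokes a CoRIM?  Map keys 97/98/99/122/123 are those quoted from
# corim-code-points.cddl in the review comment below; the entity-map keys,
# role values and deny-id semantics are placeholders assumed here only.

CORIM_ID, TAGS, DEPENDENT_RIMS = 123, 97, 122      # corim keys (from the hunk)
META_SIGNER, META_DENY_ID = 98, 99                  # corim-meta keys (from the hunk)
ENTITY_NAME, ENTITY_KEY, ENTITY_ROLES = 0, 1, 2     # assumed entity-map keys
ROLE_CORIM_SIGNER, ROLE_XCORIM_SIGNER = 1, 2        # assumed role values


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for major type `major` with argument `n` (RFC 8949 s3)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for a CBOR head")


def cbor_encode(obj) -> bytes:
    """Minimal deterministic CBOR encoder: ints, bstr, tstr, arrays, maps."""
    if isinstance(obj, bool):
        raise TypeError("bool is not needed for this example")
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        b = obj.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        # Core deterministic encoding: keys ordered by encoded length, then
        # bytes, so the same map always yields the same bytes to sign.
        enc = sorted(((cbor_encode(k), cbor_encode(v)) for k, v in obj.items()),
                     key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(enc)) + b"".join(k + v for k, v in enc)
    raise TypeError(f"unsupported type {type(obj).__name__}")


def entity_map(name: str, key_id: bytes, roles: list) -> dict:
    """Assumed entity-map layout: name, identifier of the signing key, roles."""
    return {ENTITY_NAME: name, ENTITY_KEY: key_id, ENTITY_ROLES: sorted(roles)}


def may_revoke(corim_meta: dict, corim_id: bytes, xcorim_meta: dict,
               *, same_key: bool) -> tuple:
    """Is the xCoRIM's signer entitled to revoke the CoRIM?

    same_key=True : only the CoRIM signer itself (same name and same key).
    same_key=False: same entity name (e.g. a root CA) but the revoking key may
                    be a different branch, provided it holds xcorim-signer.
    """
    signer, revoker = corim_meta[META_SIGNER], xcorim_meta[META_SIGNER]
    if xcorim_meta.get(META_DENY_ID) != corim_id:
        return False, "deny-id does not name this corim-id"
    if revoker[ENTITY_NAME] != signer[ENTITY_NAME]:
        return False, "revoker is a different entity from the CoRIM signer"
    if same_key:
        if revoker[ENTITY_KEY] != signer[ENTITY_KEY]:
            return False, "strict policy: revocation must use the corim-signer key"
        if ROLE_CORIM_SIGNER not in signer[ENTITY_ROLES]:
            return False, "signer entity lacks the corim-signer role"
        return True, "same entity and key as the CoRIM signer"
    if ROLE_XCORIM_SIGNER not in revoker[ENTITY_ROLES]:
        return False, "revoking key under this entity lacks the xcorim-signer role"
    return True, "same entity name; distinct key holding xcorim-signer"


def demo() -> dict:
    """Constructed sample: one CoRIM and two candidate xCoRIMs."""
    ca = "Example Root CA"                        # constructed entity name
    corim_id = b"\x01\x02\x03\x04"                  # constructed corim-id
    corim_meta = {META_SIGNER: entity_map(ca, b"key-sign", [ROLE_CORIM_SIGNER])}
    # xCoRIM A: same entity, separate revocation key (the key-hierarchy case).
    x_a = {META_SIGNER: entity_map(ca, b"key-revoke", [ROLE_XCORIM_SIGNER]),
           META_DENY_ID: corim_id}
    # xCoRIM B: a different entity trying to revoke somebody else's CoRIM.
    x_b = {META_SIGNER: entity_map("Other Org", b"key-other", [ROLE_XCORIM_SIGNER]),
           META_DENY_ID: corim_id}
    return {
        "hierarchical_a": may_revoke(corim_meta, corim_id, x_a, same_key=False)[0],
        "strict_a": may_revoke(corim_meta, corim_id, x_a, same_key=True)[0],
        "hierarchical_b": may_revoke(corim_meta, corim_id, x_b, same_key=False)[0],
        "corim_meta_cbor": cbor_encode(corim_meta).hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the hierarchical policy xCoRIM A is accepted and B rejected; under the strict policy A is rejected as well, because its revocation key differs from the CoRIM signing key. The encoder's sorted-key rule is what makes the signed bytes reproducible regardless of dict insertion order.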

nedmsmith commented 3 years ago

See reply in the other thread.

nedmsmith commented 3 years ago

Yes. You should be familiar with the TCG spec on xcorim as the CDDL for xcorim is patterned after the revised corim CDDL. I think the xcorim CDDL is quite stale.

@yogeshbdeshpande commented on this pull request, in corim-code-points.cddl (https://github.com/ietf-rats/ietf-corim-cddl/pull/21#discussion_r612650677):

+corim-id = 123 ; TBD

+tags = 97

+dependent-rims = 122; TBD

+

+; corim-meta

+signer = 98

+deny-id = 99
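
Review bot: `corim-id = 123 ; TBD` and `dependent-rims = 122; TBD` are marked provisional while `tags = 97`, `signer = 98` and `deny-id = 99` are not, so a reader cannot tell whether 97 to 99 are final or merely unmarked; these integers are the CBOR map keys every encoder and decoder must agree on, and a TBD value that changes after implementations ship breaks interoperability silently, so either mark every provisional value or state which ones are final. Minor: the spacing before `; TBD` differs between the two lines, and the first group has no `; corim` section comment to match the `; corim-meta` one.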

These are existing code points moved here, so this can be done as part of a file-wide clean-up?

thomas-fossati commented 3 years ago

What's going on with the latest comments? There is an awful lot of email noise in them; they are nearly unreadable. How did that happen?

yogeshbdeshpande commented 3 years ago

Looks good except for the comment about xCoRIM. xCoRIM should have its own entity definition, since the roles are not corim creator/signer but xcorim creator/signer.

Yes, added an xCoRIM CDDL code point file and a new entity-entry for xCoRIM to keep it separate from CoRIM.