ietf-rats / ietf-corim-cddl

This repository is abandoned. The adopted I-D can be found at:
https://github.com/ietf-rats-wg/draft-ietf-rats-corim/

Min SVN #62

Closed nedmsmith closed 3 years ago

nedmsmith commented 3 years ago

There is a use case for a vendor specifying a maximum SVN value. If the maxsvn is reached, and if the reported svn in evidence is greater than maxsvn then the verifier should fail evidence matching.

If the endorsed svn is greater than maxsvn then that shouldn't happen and is a failure case.

If the reported svn is greater than the endorsed svn but less than maxsvn, then possibly there was an update that bumped the svn but didn't update the endorsement tag/manifest. Possibly, a policy is used to determine if svn is acceptable?

The schema should nevertheless support a maxsvn along with current svn.

thomas-fossati commented 3 years ago

```cddl
min-svn = int
eq-svn = int
svn-type = #6.1000(eq-svn) / #6.1001(min-svn)
```

nedmsmith commented 3 years ago

These are the verifier rules: (CX is the Ref value and CY is the Evidence)

d) IF CX contains ‘svn’ AND CY contains ‘svn’ with a different integer value THEN fail claims verification.

e) IF CX contains ‘min-svn’ AND CY contains ‘svn’ that is less than ‘min-svn’ THEN fail claims verification.
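An added example, not part of the thread or of the CoRIM project's code: rules d) and e) applied to a CBOR-encoded reference value that uses tag numbers 1000 and 1001 from the CDDL posted above. It assumes rule d)'s ‘svn’ in the reference value corresponds to `eq-svn`, and that the evidence svn is already decoded to an integer; the function names and sample bytes are constructed for illustration.

```python
TAG_EQ_SVN, TAG_MIN_SVN = 1000, 1001  # tag numbers from the CDDL in this thread

def _head(buf, pos):
    """Decode one CBOR head: return (major type, argument, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:                      # argument stored in the initial byte
        return major, info, pos
    if info > 27:                      # reserved or indefinite-length markers
        raise ValueError("unsupported additional info")
    size = 1 << (info - 24)            # 1, 2, 4 or 8 following bytes
    if pos + size > len(buf):
        raise ValueError("truncated input")
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size

def decode_svn_type(buf):
    """Parse svn-type: tag 1000 or 1001 wrapping exactly one CBOR int."""
    major, tag, pos = _head(buf, 0)
    if major != 6 or tag not in (TAG_EQ_SVN, TAG_MIN_SVN):
        raise ValueError("not an svn-type tag")
    major, arg, pos = _head(buf, pos)
    if major not in (0, 1) or pos != len(buf):
        raise ValueError("tag content must be exactly one int")
    return tag, arg if major == 0 else -1 - arg

def failed_rule(ref_cbor, evidence_svn):
    """Return 'd' or 'e' if that rule fails claims verification, else None.

    CX is the reference value (ref_cbor); CY is the evidence svn.
    """
    tag, ref = decode_svn_type(ref_cbor)
    if evidence_svn is None:
        return None                    # neither rule fires without an evidence svn
    if tag == TAG_EQ_SVN and evidence_svn != ref:
        return "d"                     # exact-match reference, different value
    if tag == TAG_MIN_SVN and evidence_svn < ref:
        return "e"                     # evidence below the endorsed minimum
    return None

# Constructed sample reference values (not taken from any real manifest)
REF_EQ_3 = bytes.fromhex("d903e803")         # 1000(3)
REF_MIN_300 = bytes.fromhex("d903e919012c")  # 1001(300)
```

A malformed or unexpected reference value raises `ValueError` rather than being treated as a match, so a verifier built this way fails closed on input it cannot parse.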

nedmsmith commented 3 years ago

These are the verifier rules that need to be supported:

Note: CX is ref value; CY is evidence.