an in-band profile indicator for CoMID

[thomas-fossati]

Motivation: As a verifier that needs to support different ecosystems (not just PSA), I want to know what kind of profile of CoMID (if any) a supply chain entity is using to talk to me.

Proposed solution: add an optional "profile" field.

[yogeshbdeshpande]

Couple of ideas/thoughts I want to discuss when addressing this issue:

(a) As an Endorser packs CoMID and CoSWID in a top level bag known as CoRIM, this can be absorbed as part of CoRIM. Benefits of this approach: If an Endorser had a specific profile which affects both CoMID and CoSWID then it does not need to report the same in CoMID and also extend the CoSWID to indicate such profile.

(b) Could such an information between an Endorser and Verifier be exchanged during Endorser Registration. Verifier can indicate the support of number of profiles and Endorser chooses a profile it would use, for provisioning. Any subsequent Provisioning with the Endorser then has an agreed profile to use, without the need for explicit indication in each CoMID/CoRIM Message?

This then removes the requirement of coupling the profile to Endorsement Information Model as well?

Would like to debate on these options when evaluating "Profiles"..

[nedmsmith]

Is your point (question?) that profiles should not be specific to a type of endorsement structure (e.g. swid vs. comid vs. EAT) but that it should potentially relate possible endorsement structures specifying when to use one over the other?

[yogeshbdeshpande]

The point I am trying to convey that the knowledge of a profile ( which defines a specific flavor of a generic CoMID, with extensions specific to a particular ecosystem like PSA) , does not need to be defined in a generic information model containers (like CoMID) and could be negotiated earlier (at registration) between an Endorser and a Verifier, so that the profile indicator can be avoided from been carried in every CoMID/CoRIM. For example: Prior negotiation between Verifier - ABC is and Endorser-X has established that Endorser -X will use PSA Profile and also Endorser-X is aware that Verifier - ABC supports PSA profile. This thus avoid needs for profile indicator from CoMID.

[thomas-fossati]

ACTION: @thomas-fossati provide text for the profile claim

[thomas-fossati]

@nedmsmith here's a first attempt:

The profile defines the verification context in which endorsements are to be evaluated.

This may include:

• Details about the verification algorithm;
• Expectations regarding the Endorsement structure;
• Mappings between Evidence claims and Endorsements field.

The syntax of the profile is a unique identifier, either a URI or an OID.

[thomas-fossati]

Done in #104