"Policy" as defined by the RATS architecture [1], and, therefore, the ear.appraisal-policy-id entry in EAR [2], maps onto the combination of attestation scheme and policy in Veraison.
This means that, when a policy is not used, the ear.appraisal-policy-id field should be set to reflect the attestation scheme. If a policy is used, the field should be set to reflect both the scheme and the policy.
Additionally, up to this point, the policy manager allowed only one active policy per tenant. Differentiation between schemes, if necessary, could be performed within the policy rules. This commit changes this so that the policies are now managed based on both the tenant and the scheme. This means that policies for different schemes can be updated independently by the tenant.
This resolves: https://github.com/veraison/services/issues/101
Note: in that issue, the examples are incorrect in that they show the scheme to be encoded in the authority. This implementation follows the text (and the intent) of the proposal, and the scheme is encoded in the first path segment. Further, this additionally specifies that the path is rootless.
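The encoding described above (attestation scheme in the first segment of a rootless path, policy in the second, no authority), as an added example that is not Veraison's own code: the URI scheme name "policy" and the sample values are assumptions for illustration only. The parser deliberately rejects the authority-based form shown in the issue's examples and any rooted path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// policyURIScheme is an assumed URI scheme for this example; the commit does
// not name one.
const policyURIScheme = "policy"

// AppraisalPolicyID builds an ear.appraisal-policy-id value: the attestation
// scheme is the first segment of a rootless path and the (optional) policy ID
// is the second. With no policy, the value reflects only the scheme.
func AppraisalPolicyID(scheme, policyID string) (string, error) {
	if scheme == "" || strings.ContainsAny(scheme, "/:") {
		return "", fmt.Errorf("invalid attestation scheme %q", scheme)
	}
	if strings.Contains(policyID, "/") {
		return "", fmt.Errorf("invalid policy ID %q", policyID)
	}
	// net/url represents a rootless path via Opaque, which String() emits
	// verbatim after "scheme:", giving e.g. "policy:PSA_IOT/strict-v2".
	u := url.URL{Scheme: policyURIScheme, Opaque: scheme}
	if policyID != "" {
		u.Opaque += "/" + policyID
	}
	return u.String(), nil
}

// ParseAppraisalPolicyID extracts (scheme, policyID). A URI carrying an
// authority ("policy://...") or a rooted path ("policy:/...") leaves Opaque
// empty in net/url, so both are rejected as not matching the rootless form.
func ParseAppraisalPolicyID(id string) (scheme, policyID string, err error) {
	u, err := url.Parse(id)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != policyURIScheme || u.Host != "" || u.Opaque == "" {
		return "", "", errors.New("expected <scheme>:<attestation-scheme>[/<policy>] with a rootless path")
	}
	parts := strings.SplitN(u.Opaque, "/", 2)
	if len(parts) == 2 {
		policyID = parts[1]
	}
	return parts[0], policyID, nil
}

func main() {
	// Constructed sample values; "PSA_IOT" stands in for any attestation scheme.
	id, _ := AppraisalPolicyID("PSA_IOT", "strict-v2")
	fmt.Println(id) // policy:PSA_IOT/strict-v2
}
```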