Merge pull request #219 from ietf-rats-wg/tidyup-triples

Merge MEC and conditional endorsements triples
ietf-rats-wg · Jul 5, 2024 · 0032f83 · 0032f83
2 parents 8a150bb + 8b169ef
commit 0032f83
Show file tree

Hide file tree

Showing 6 changed files with 97 additions and 89 deletions.
diff --git a/cddl/conditional-endorsement-triple-record.cddl b/cddl/conditional-endorsement-triple-record.cddl
@@ -1,5 +1,4 @@
 conditional-endorsement-triple-record = [
-  stateful-environment-record,
-  ; endorsed values
-  measurement-values-map
+  conditions: [ + stateful-environment-record ]
+  endorsements: [ + endorsed-triple-record ]
 ]
diff --git a/cddl/corim-frags.mk b/cddl/corim-frags.mk
@@ -6,15 +6,14 @@ COMID_FRAGS += class-map.cddl
 COMID_FRAGS += comid-entity-map.cddl
 COMID_FRAGS += comid-role-type-choice.cddl
 COMID_FRAGS += conditional-endorsement-series-triple-record.cddl
-COMID_FRAGS += conditional-endorsement-triple-record.cddl
 COMID_FRAGS += conditional-series-record.cddl
 COMID_FRAGS += cose-key.cddl
 COMID_FRAGS += cose-label-and-value.cddl
 COMID_FRAGS += coswid-triple-record.cddl
 COMID_FRAGS += crypto-key-type-choice.cddl
 COMID_FRAGS += domain-dependency-triple-record.cddl
 COMID_FRAGS += domain-membership-triple-record.cddl
-COMID_FRAGS += mec-endorsement-triple-record.cddl
+COMID_FRAGS += conditional-endorsement-triple-record.cddl
 COMID_FRAGS += domain-type-choice.cddl
 COMID_FRAGS += endorsed-triple-record.cddl
 COMID_FRAGS += entity-map.cddl

diff --git a/cddl/examples/comid-cend.diag b/cddl/examples/comid-cend.diag
@@ -1,42 +1,88 @@
-/ concise-mid-tag / {
-  / tag-identity / 1 : {
-    / tag-id / 0 : "my-ns:acme-roadrunner-supplement"
-  },
-  / entity / 2 : [ {
-    / entity-name / 0 : "ACME Inc.",
-    / reg-id / 1 : 32("https://acme.example"),
-    / role / 2 : [ 1,0,2 ] / creator, tag-creator, maintainer /
-  } ],
-  / triples / 4 : {
-    / conditional-endorsement-triples / 9 : [
+/ concise-mid-tag / {	
+  / tag-identity / 1 : {	
+    / tag-id / 0 : "my-ns:acme-roadrunner-supplement"	
+  },	
+  / entity / 2 : [ {	
+    / entity-name / 0 : "ACME Inc.",	
+    / reg-id / 1 : 32("https://acme.example"),	
+    / role / 2 : [ 1,0,2 ] / creator, tag-creator, maintainer /	
+  } ],	
+  / triples / 4 : {	
+    / conditional-endorsement-triples / 10 : [	
+    [
       [
-        [ / *** stateful-environment-record *** /
+        [ / *** stateful-environment-record -1st entry *** /	
+          / environment-map / {	
+            / class / 0 : {	
+              / class-id / 0 :	
+                / tagged-oid-type / 111(	
+                  h'5502C000'	
+                ),	
+              / vendor / 1 : "ACME Inc.",	
+              / model / 2 : "ACME RoadRunner Firmware"	
+            }	
+          },          	
+          { / *** measurement-map *** /	
+            / mval / 1 : / measurement-values-map / {	
+              / ver / 0 : {	
+                / version / 0 : "1.0.0",	
+                / version-scheme / 1 : 16384 / semver /	
+              }	
+            },	
+            / authorized-by / 2 : [	
+              / tagged-pkix-base64-key-type / 554("base64_key_X")	
+            ]	
+          }	
+        ], 
+        [ / *** stateful-environment-record -2nd entry *** /
           / environment-map / {
-            / class / 0 : {
-              / class-id / 0 :
-                / tagged-oid-type / 111(
-                  h'5502C000'
-                ),
-              / vendor / 1 : "ACME Inc.",
-              / model / 2 : "ACME RoadRunner Firmware"
-            }
-          },          
-          { / *** measurement-map *** /
-            / mval / 1 : / measurement-values-map / {
-              / ver / 0 : {
-                / version / 0 : "1.0.0",
-                / version-scheme / 1 : 16384 / semver /
-              }
-            },
-            / authorized-by / 2 : [
-              / tagged-pkix-base64-key-type / 554("base64_key_X")
+            / comid.class / 0 : {
+            / comid.class-id / 0 :
+              / tagged-uuid-type / 37(
+                h'67b28b6c34cc40a19117ab5b05911e37'
+              ),
+            / comid.vendor / 1 : "ACME Inc.",
+            / comid.model / 2 : "ACME RoadRunner",
+            / comid.layer / 3 : 1
+          }
+        },
+          / measurement-map / {
+            / comid.mval / 1 : {
+              / comid.ver / 0 : {
+                / comid.version / 0 : "1.0.0",
+                / comid.version-scheme / 1 : 16384 / semver /
+              },
+              / comid.digests / 2 : [ [
+                / hash-alg-id / 1, / sha256 /
+                / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
+              ]   
             ]
           }
-        ], /*** end stateful-environment-record ***/
-        { / * endv * / 
-          / name / 11: "CVE_ACME_789"
         }
       ]
+    ], /*** end stateful-environment-record ***/
+    [ 
+      [
+        / environment-map / {
+          / class / 0 : {	
+            / class-id / 0 :	
+              / tagged-oid-type / 111(	
+                h'5502C000'	
+              ),	
+            / vendor / 1 : "ACME Inc.",	
+            / model / 2 : "ACME RoadRunner Firmware"	
+          }
+        },
+        / measurement-map / {
+          / comid.mval / 1 : {
+            / raw-value-group /
+              / comid.raw-value / 4 : 560(h'0000000000000000'),
+              / comid.raw-value-mask / 5 : h'FFFFFFFF00000000'
+          }
+        }
+      ]
+     ]
     ]
-  }
-}
+   ]
+  }	
+}
diff --git a/cddl/mec-endorsement-triple-record.cddl b/cddl/mec-endorsement-triple-record.cddl
diff --git a/cddl/triples-map.cddl b/cddl/triples-map.cddl
@@ -15,9 +15,7 @@ triples-map = non-empty<{
     [ + coswid-triple-record ]
   ? &(conditional-endorsement-series-triples: 8) =>
     [ + conditional-endorsement-series-triple-record ]
-  ? &(conditional-endorsement-triples: 9) =>
+  ? &(conditional-endorsement-triples: 10) =>
     [ + conditional-endorsement-triple-record ]
-  ? &(mec-endorsement-triples: 10) =>
-    [ + mec-endorsement-triple-record ]
   * $$triples-map-extension
 }>
diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md
@@ -674,14 +674,10 @@ The following describes each member of the `triples-map`:
   conditional Endorsements based on the acceptance of a stateful environment. Described
   in {{sec-comid-triple-cond-series}}.
 
-* `conditional-endorsement-triples` (index 9) Triples describing conditional
-  Endorsement based on the acceptance of a stateful environment. Described
-  in {{sec-comid-triple-cond-end}}.
-
-* `mec-endorsement-triple-record` (index 10) Triples describing a series of
+* `conditional-endorsement-triples` (index 9) Triples describing a series of
   Endorsement that are applicable based on the acceptance of a series of
   stateful environment records. Described in
-  {{sec-comid-triple-mec-endorsement}}.
+  {{sec-comid-triple-cond-endors}}.
 
 ##### Environments
 
@@ -1214,48 +1210,29 @@ applies to all measurements in the triple, including `conditional-series-record`
 {::include cddl/conditional-series-record.cddl}
 ~~~
 
-#### Conditional Endorsement Triple {#sec-comid-triple-cond-end}
-
-A Conditional Endorsement triple uses a stateful environment, (i.e., `stateful-environment-record`),
-that identifies a Target Environment based on an `environment-map` plus the `measurement-map` measurements
-that have matching Evidence.
-
-The stateful Target Environment is a triple subject that MUST be satisfied before the Endorsed Values in the triple object are accepted.
-
-~~~ cddl
-{::include cddl/stateful-environment-record.cddl}
-~~~
-
-The `authorized-by` value in `measurement-map` in the stateful environment, if present,
-applies to all measurements in the triple, including those in `measurement-values-map`.
-
-~~~ cddl
-{::include cddl/conditional-endorsement-triple-record.cddl}
-~~~
+#### Conditional Endorsement Triple {#sec-comid-triple-cond-endors}
 
-#### Multi-Environment Conditional (MEC) Endorsement Triple {#sec-comid-triple-mec-endorsement}
-
-The semantics of the Multi-Environment Conditional (MEC) Endorsement Triple is as follows:
+The semantics of the Conditional Endorsement Triple is as follows:
 
 > "IF accepted state matches all `conds` values, THEN every entry in the `endorsements` is added to the accepted state"
 
 ~~~ cddl
-{::include cddl/mec-endorsement-triple-record.cddl}
+{::include cddl/conditional-endorsement-triple-record.cddl}
 ~~~
 
-A `mec-endorsement-triple-record` has the following parameters:
+A `conditional-endorsement-triple-record` has the following parameters:
 
-* `conds`: all target environments, along with a specific state, that need to match `state-triples` entries in the ACS for the endorsement(s) to apply
+* `conditions`: all target environments, along with a specific state, that need to match `state-triples` entries in the ACS for the endorsement(s) to apply
 * `endorsements`: endorsements that are added to the ACS `state-triples` if all `conds` match.
 
-The order in which MEC Endorsement triples are evaluated is important: different sorting may produce different end-results in the computed ACS.
+The order in which Conditional Endorsement triples are evaluated is important: different sorting may produce different end-results in the computed ACS.
 
-Therefore, the set of applicable MEC Endorsement triple MUST be topologically sorted based on the criterion that a MEC Endorsement triple is evaluated before another if its Target Environment and Endorsement pair is found in any of the stateful environments of the second triple.
+Therefore, the set of applicable Conditional Endorsement triples MUST be topologically sorted based on the criterion that a Conditional Endorsement triple is evaluated before another if its Target Environment and Endorsement pair is found in any of the stateful environments of the subsequent triple.
 
 Notes:
 
 * In order to give the expected result, the condition must describe the expected context completely.
-* The scope of a single MEC triple encompasses an arbitrary amount of environments across all layers in an Attester.
+* The scope of a single Conditional Endorsement triple encompasses an arbitrary amount of environments across all layers in an Attester.
 
 There are scope-related questions that need to be answered.  ([^tracked-at] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/176)
 
@@ -1958,17 +1935,10 @@ The verifier checks whether Conditional Endorsements are applicable by comparing
 
 #### Processing Conditional Endorsement Triple
 
-For each Conditional Endorsement Triple the Verifier compares the `stateful-environment-record` field in the triple against the ACS (see {{sec-match-one-se}}).
-
-If the stateful environment matches, then the Verifier MUST add an Endorsement entry to the ACS (see {{sec-add-to-acs}}).
-The Endorsement consists of the `measurement-values-map` field in the triple, plus the authority of the entity that signed the Conditional Endorsement Triple.
-
-#### Processing Multi-Environment Conditional (MEC) Endorsement Triple
-
-For each MEC Endorsement Triple the Verifier compares each of the `stateful-environment-record` fields from the `cond` field in the triple against the ACS (see {{sec-match-one-se}}).
+For each Conditional Endorsement Triple the Verifier compares each of the `stateful-environment-record` fields from the `cond` field in the triple against the ACS (see {{sec-match-one-se}}).
 
 If every stateful environment matches a corresponding ACS entry, then the Verifier MUST add an Endorsement entry to the ACS (see {{sec-add-to-acs}}) for each `endorsed-triple-record` in the `endorsements` field.
-Each Endorsement from the `endorsed-triple-record` includes the authority which signed the MEC Endorsement Triple.
+Each Endorsement from the `endorsed-triple-record` includes the authority which signed the Conditional Endorsement Triple.
 
 #### Processing Conditional Endorsement Series Triple