Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conditional endorsement series triple section reworded #326

Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 32 additions & 13 deletions cddl/examples/comid-series.diag
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,12 @@
[
{ / *** measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ ver / 0 : {
/ version / 0 : "1.0.0",
/ version-scheme / 1 : 16384 / semver /
/ comid.flags / 3 : {
/ configured / 0 : true
}
},
/ authorized-by / 2 : [
/ tagged-pkix-base64-key-type / 554("base64_key_X")
/ tagged-pkix-base64-key-type / 554("base64_key_ACME_signer")
yogeshbdeshpande marked this conversation as resolved.
Show resolved Hide resolved
]
}
]
Expand All @@ -40,16 +39,17 @@
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ digests / 2 : [[
/ hash-alg-id / 6, / sha-256-32 /
/ hash-value / h'ABCDEF01' ]]
/ ver / 0 : {
/ version / 0 : "2.0.0"
},
/ comid.svn / 1 : 552(3)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_ACME_777"
/ name / 11: "-NO_CVE-"
}
}
]
Expand All @@ -58,17 +58,36 @@
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ digests / 2 : [[
/ hash-alg-id / 6, / sha-256-32 /
/ hash-value / h'BCDEF01A' ]]

/ ver / 0 : {
/ version / 0 : "1.0.0"
},
/ comid.svn / 1 : 552(2)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_ACME_555"
/ name / 11: "CVE_WARNING"
}
}
]
],
[ / conditional-series-record #2 /
nedmsmith marked this conversation as resolved.
Show resolved Hide resolved
[
{ / *** ref-val measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ ver / 0 : {
/ version / 0 : "1.0.0"
},
/ comid.svn / 1 : 552(1)
}
}
],
[
{ / *** endv-measurement-map *** /
/ mval / 1 : / measurement-values-map / {
/ name / 11: "CVE_VULNERABLE"
}
}
]
Expand Down
7 changes: 5 additions & 2 deletions draft-ietf-rats-corim.md
Original file line number Diff line number Diff line change
Expand Up @@ -1165,7 +1165,9 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi

#### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series}

[^issue] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/310
The Conditional Endorsement Series Triple is used to assert endorsed values conditional on various sets of possible measurement values.
Each series entry describes a different possible set of values.
Series entries are ordered so that the set describing the most trustworthy state is evaluated first and least trustworthy state last.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ordering leads to negative conditions in the head of the rule still. The possible evaluation inconsistency from Issue #321 remains.

If the conditions are mutually-exclusive, then there's no need to order them and the triple is syntactic sugar for multiple normal conditions.
If the conditions are not mutually-exclusive, then you need a way to stratify condition matching to regain logical consistency.

Given that you haven't stated any condition, I don't know what your intention is here.


The Conditional Endorsement Series Triple has the following structure:

Expand All @@ -1188,7 +1190,8 @@ The `conditional-series-record` has the following parameters:
To process a `conditional-endorsement-series-record` the `conditions` are compared with existing Evidence, corroborated Evidence, and Endorsements.
If the search criteria are satisfied, the `series` tuples are processed.

The `series` array contains a list of `conditional-series-record` entries.
The `series` array contains an ordered list of `conditional-series-record` entries.
Evaluation order begins at list position 0.

For each `series` entry, if the `selection` criteria matches an entry found in the `condition` result, the `series` `addition` is combined with the `environment-map` from the `condition` result to form a new Endorsement entry.
The new entry is added to the existing set of Endorsements.
Expand Down