Language for signer inheritance #377
Conversation
With the proposed additions to CMW, this fixes Issue ietf-rats-wg#358.
deeglaze
requested review from
henkbirkholz,
thomas-fossati,
yogeshbdeshpande and
nedmsmith
as code owners
draft-ietf-rats-corim.md
Outdated
| @@ -267,6 +267,8 @@ For more detail, see {{sec-corim-profile-types}}. | |||
| A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. | |||
| When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. | |||
| Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. | |||
| If a CoRIM is contained within a larger signed document or message, there MUST be a single signer assigned to the scope of the CoRIM as part of the document's specification or protocol conveying the message, respectively. | |||
| For example, an application may use TLS to transmit an unsigned CoRIM and specify that the signer is the public key in the Hello message. | |||
There was a problem hiding this comment.
Worth adding CMW as another example.
There was a problem hiding this comment.
I didn't want to make a circular citation since CMW references CoRIM.
There was a problem hiding this comment.
No problem with that. These are "weak" links since the references are both informative.
draft-ietf-rats-corim.md
Outdated
| @@ -267,6 +267,8 @@ For more detail, see {{sec-corim-profile-types}}. | |||
| A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. | |||
| When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. | |||
| Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. | |||
| If a CoRIM is contained within a larger signed document or message, there MUST be a single signer assigned to the scope of the CoRIM as part of the document's specification or protocol conveying the message, respectively. | |||
There was a problem hiding this comment.
I would phrase the statement something like this.
`A CoRIM can be used without signature protection (please see unsigned-corim-map),
For example, an application may use TLS to transmit an unsigned CORIM and specify that the signer
is the public key in the Certificate Message.
Alternatively an unsigned CoRIM can be a part of a RATS Message which itself is signed (example a signed CMW).
In such cases the authority of CoRIM is delegated to the signer encapsulating the CoRIM.`
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
Co-authored-by: Thomas Fossati <[email protected]>
draft-ietf-rats-corim.md
Outdated
| If a CoRIM is contained within a larger signed document or message, there MUST be a single signer assigned to the scope of the CoRIM as part of the document's specification or protocol conveying the message, respectively. | ||
| For example, an application may use TLS to transmit an unsigned CoRIM and specify that the signer is the public key in the Certificate message. |
There was a problem hiding this comment.
| If a CoRIM is contained within a larger signed document or message, there MUST be a single signer assigned to the scope of the CoRIM as part of the document's specification or protocol conveying the message, respectively. | |
| For example, an application may use TLS to transmit an unsigned CoRIM and specify that the signer is the public key in the Certificate message. | |
| For example, an application may use TLS to transmit an unsigned CORIM and specify that the signer is the public key in the Certificate Message. | |
| Alternatively an unsigned CoRIM can be a part of a RATS Message which itself is signed (example a signed CMW). | |
| In such cases the authority of CoRIM is delegated to the signer encapsulating the CoRIM. |
| @@ -266,7 +266,7 @@ For more detail, see {{sec-corim-profile-types}}. | |||
|
|
|||
| A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. | |||
| When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. | |||
| Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. | |||
| Alternatively, an unsigned CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel and maintain a notion of a CoRIM signer ({{sec-conveyed-signer}}). | |||
There was a problem hiding this comment.
| Alternatively, an unsigned CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel and maintain a notion of a CoRIM signer ({{sec-conveyed-signer}}). | |
| Alternatively, an unsigned CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel where the CoRIM signer authority is inherited from the secure channel credential. (See {{sec-conveyed-signer}}). |
There was a problem hiding this comment.
Are the parentheses necessary for the pointer?
There was a problem hiding this comment.
I'm not certain of the convention. It appears that if a capital "See" is used then there are not parens, but if a lower case "see" is used it is inside of parens. Probably correct to remove the parens.
| In both cases, there is a method of integrity protection that relies on some authentication. | ||
| The role of "the CoRIM signer" MUST be specified in both cases, with the same constraint on the signed CoRIM that there is a single signer. |
There was a problem hiding this comment.
| In both cases, there is a method of integrity protection that relies on some authentication. | |
| The role of "the CoRIM signer" MUST be specified in both cases, with the same constraint on the signed CoRIM that there is a single signer. | |
| The CoRIM signer authority is taken from the authenticated credential of the same entity that originates the CoRIM. | |
| A CoRIM role entry that contains the `manifest-signer` role MUST be added to `corim-entity-map`. |
There was a problem hiding this comment.
The role MUST be added? By the sender or receiver? This will be hard to enforce. Anyone transmitting a CoRIM has to transform it first?
There was a problem hiding this comment.
The role MUST be added? By the sender or receiver? This will be hard to enforce. Anyone transmitting a CoRIM has to transform it first?
I'm trying to reflect the normative that applies to corim-signer-map which is not optional when COSE-sign1-corim is used. The corim author (typically is also the signer). If "sender" means author, then those are the semantics I was envisioning. The corim author can modify the corim.entities normally. Originally, only corim.entities contained manifest-signer property but was removed when we defined COSE-sign1-corim. Given we're supporting other signature formats, it makes sense to put it back in. However, the CDDL doesn't make it mandatory so we need normative prose. It wouldn't be incorrect if manifest signer role info was always populated, even if COSE-sign1-corim was used. But it would be in two places at that point. A COSE-sign1-corim signer could remove manifest-signer from corim.entities if an upstream process supplied it (to remove unnecessary bytes).
If the manifest-creator knows who the manifest-signer is supposed to be then the manifest creator can populate corim.entities. If the signer is a COSE-sign1-corim entity, then they can choose to remove the rundundant bytes or just layer on the corim-meta-map as part of the COSE header.
If the manifest creator doesn't know the manifest signer yet, then I don't see an alternative other than for the signer to modify the image. Possibly, the implementation has to define a template structure that pre-allocates space for the fix up?
There was a problem hiding this comment.
If we have multiple builders all authenticated to an orchestrator and builders send unsigned reference values over a secure channel to the orchestrator, then the orchestrator sends the collection of reference values in a CMW to a signer, then it seems like I'm breaking your MUST rule because of the two hops. Is that an intentional restriction?
There was a problem hiding this comment.
Is that an intentional restriction?
I don't think so. The first hop sounds more like authoring activity, in which case there might be multiple role entities added before it gets to the orchestrator. Since the orchestrator is the last to touch it before it goes to the Verifier that seems closest to original intent. The original discussions assumed COSE signing and stopped short of trying to capture deep suppy chain workflow use cases. Basically, if the orchestrator is the last stop before handing it over to a Verfier, then any of the other entities that may have been involved can be listed as entities but the signer is trusted to assemble the list of entities. Doing supply chain provenance (aka in-toto) was a non-goal).
BTW: I'm interpreting your use of "CMW to a signer" as meaning to a Verifier. If you meant "signer" to be part of the supply chain before the CMW arrives at a Verifier, then the "signer" fills in the entities list based on the defined roles reserving the manifest-signer role for itself.
There was a problem hiding this comment.
I don't like the requirement to modify the internals of the map. It's unnecessary in the case of my bundle use, where the signature must be a COSE envelope and must use the corim-meta statement.
There was a problem hiding this comment.
The primary objective is that the ACS ECT authority is populated correctly. If the information isn't inside the corim then the downstream network has to maintain state across parsing layers that strip off various layers. I think it is easier to talk about how to construct the message than how to maintain ancillary state post parsing.
Added manifest-signer role to the roles.
Added example that tests use of manifest-signer role in an unsigned-corim
|
Push 5df10ee adds the manifest-signer role so that an unsigned-corim can contain the signer entity information when the COSE-Sign1-corim form of signing isn't available. |
Co-authored-by: Ned Smith <[email protected]>
Co-authored-by: Ned Smith <[email protected]>
| ### CoRIM bundles | ||
|
|
||
| A method of signing a bundle of CoRIMs together is through a signed RATS Conceptual Message Wrapper (CMW) {{-cmw}}. | ||
| Let `tag:{{&SELF}}:bundle` name a collection type that when signed MUST include the `corim-meta` protected header. |
There was a problem hiding this comment.
| Let `tag:{{&SELF}}:bundle` name a collection type that when signed MUST include the `corim-meta` protected header. | |
| The COSE_Sign1 signature format can be used with a CMW collection. The COSE protected header can include a CMW collection type name. | |
| The collection type name SHALL be of the form: `tag:{{&SELF}}:bundle`. | |
| The signing operation MUST include the `corim-meta` in the COSE_Sign1 `protected-header` parameter. |
There was a problem hiding this comment.
"The CMW collection signature structure" sounds strange to me, since it's the COSE signing structure.
| Let `tag:{{&SELF}}:bundle` name a collection type that when signed MUST include the `corim-meta` protected header. | ||
| The `corim-meta` header ensures that each CoRIM in the bundle has an identified signer. | ||
|
|
||
| The CMW MAY use any label for its CoRIMs. |
There was a problem hiding this comment.
The following section seems too terse to follow. Possibly, more of the CDDL context is needed?
Co-authored-by: Ned Smith <[email protected]>
Also change the TN() tagged data to the 2-ary array, as Laurence wants to remove that from the CMW spec.
cddl/examples/cmw-corim-bundle.diag
Outdated
| / cbor-collection / { | ||
| "__cmwc_t": "tag:{{&SELF}}:bundle", | ||
| "adee8cd4-4e47-461f-b341-2aba3ae4cbda": | ||
| / cbor-cmw / 1668546975(<< / tagged-corim-map / 501({ |
There was a problem hiding this comment.
I suggest using a record CMW with type "application/rim+cbor" instead.
cddl/examples/cmw-corim-bundle.diag
Outdated
| "https://example.com/369a6688451240b9b74905b1dd5fae9f.corim" | ||
| ]}]}) >>), | ||
| "51a5f633-71c0-45f5-855e-43e8254c1806": | ||
| / cbor-cmw / 1668546975(<< / tagged-corim-map / 501({ |
With the proposed additions to CMW, this fixes Issue #358.