
Script updating gh-pages from 523583c. [ci skip]
ID Bot committed Oct 15, 2024
1 parent 13448bc commit 78224a3
Showing 3 changed files with 46 additions and 41 deletions.
27 changes: 14 additions & 13 deletions draft-ietf-scitt-architecture.html
Expand Up @@ -22,7 +22,7 @@
<meta content="draft-ietf-scitt-architecture-latest" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.23.2
Python 3.12.6
Python 3.12.7
ConfigArgParse 1.7
google-i18n-address 3.1.1
intervaltree 3.1.0
Expand Down Expand Up @@ -1036,7 +1036,7 @@
</tr></thead>
<tfoot><tr>
<td class="left">Birkholz, et al.</td>
<td class="center">Expires 11 April 2025</td>
<td class="center">Expires 18 April 2025</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
Expand All @@ -1049,12 +1049,12 @@
<dd class="internet-draft">draft-ietf-scitt-architecture-latest</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2024-10-08" class="published">8 October 2024</time>
<time datetime="2024-10-15" class="published">15 October 2024</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Standards Track</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2025-04-11">11 April 2025</time></dd>
<dd class="expires"><time datetime="2025-04-18">18 April 2025</time></dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
Expand Down Expand Up @@ -1123,7 +1123,7 @@ <h2 id="name-status-of-this-memo">
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 11 April 2025.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on 18 April 2025.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
Expand Down Expand Up @@ -1773,9 +1773,10 @@ <h5 id="name-mandatory-registration-chec">
<p id="section-4.1.1.1-1">During Registration, a Transparency Service <span class="bcp14">MUST</span>, at a minimum, syntactically check the Issuer of the Signed Statement by cryptographically verifying the COSE signature according to <span>[<a href="#RFC9052" class="cite xref">RFC9052</a>]</span>.
The Issuer identity <span class="bcp14">MUST</span> be bound to the Signed Statement by including an identifier in the protected header.
If the protected header includes multiple identifiers, all those that are registered by the Transparency Service <span class="bcp14">MUST</span> be checked.<a href="#section-4.1.1.1-1" class="pilcrow"></a></p>
<p id="section-4.1.1.1-2">In essence, when using X.509 Signed Statements, the Transparency Service <span class="bcp14">MUST</span> build and validate a complete certificate chain from the Issuer's certificate identified by <code>x5t</code> located in the protected header of the COSE_Sign1 Envelope, to one of the root certificates most recently registered as a trust anchor of the Transparency Service.
An <code>x5chain</code> with a leaf certificate that corresponds to the <code>x5t</code> value <span class="bcp14">MAY</span> be included in the unprotected header.<a href="#section-4.1.1.1-2" class="pilcrow"></a></p>
<p id="section-4.1.1.1-3">The Transparency Service <span class="bcp14">MUST</span> apply the Registration Policy that was most recently added to the Append-only Log at the time of Registration.<a href="#section-4.1.1.1-3" class="pilcrow"></a></p>
<p id="section-4.1.1.1-2">In essence, when using X.509 Signed Statements, the Transparency Service <span class="bcp14">MUST</span> build and validate a complete certification path from an Issuer's certificate to one of the root certificates most recently registered as a trust anchor by the Transparency Service.<a href="#section-4.1.1.1-2" class="pilcrow"></a></p>
<p id="section-4.1.1.1-3">The protected header of the COSE_Sign1 Envelope <span class="bcp14">MUST</span> include either the Issuer's certificate as <code>x5t</code> or the chain including the Issuer's certificate as <code>x5chain</code>.
If <code>x5t</code> is included in the protected header, an <code>x5chain</code> with a leaf certificate corresponding to the <code>x5t</code> value <span class="bcp14">MAY</span> be included in the unprotected header.<a href="#section-4.1.1.1-3" class="pilcrow"></a></p>
<p id="section-4.1.1.1-4">The Transparency Service <span class="bcp14">MUST</span> apply the Registration Policy that was most recently added to the Append-only Log at the time of Registration.<a href="#section-4.1.1.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="sec-auditability-of-registration">
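Review bot: In the new section-4.1.1.1-3 paragraph, "the Issuer's certificate as x5t" is imprecise: x5t carries a thumbprint (hash) of the certificate, which the removed wording "Issuer's certificate identified by x5t" had right, so it should read "a thumbprint of the Issuer's certificate as x5t", and the paragraph should say how the Transparency Service obtains the certificate when only x5t is present and no x5chain accompanies it in the unprotected header. Because the unprotected header is not covered by the COSE signature, the MAY sentence should also state that the Transparency Service MUST check that the leaf of an unprotected x5chain matches the protected x5t before using that chain to build the certification path; the removed text at least anchored the path at the x5t-identified certificate, whereas the new "from an Issuer's certificate" no longer says which certificate starts the path.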
Expand Down Expand Up @@ -1895,19 +1896,19 @@ <h3 id="name-signed-statements">
<p id="section-4.2-8">Multiple Issuers can make different, even conflicting Statements, about the same Artifact.
Relying Parties can choose which Issuers they trust.<a href="#section-4.2-8" class="pilcrow"></a></p>
<p id="section-4.2-9">Multiple Issuers can make the same Statement about a single Artifact, affirming multiple Issuers agree.<a href="#section-4.2-9" class="pilcrow"></a></p>
<p id="section-4.2-10">At least one identifier representing one credential <span class="bcp14">MUST</span> be included in the protected header of the COSE Envelope, as one of <code>x5t</code> or <code>kid</code>.
<p id="section-4.2-10">At least one identifier representing one credential <span class="bcp14">MUST</span> be included in the protected header of the COSE Envelope, as one of <code>x5t</code>, <code>x5chain</code> or <code>kid</code>.
Additionally, <code>x5chain</code> that corresponds to either <code>x5t</code> or <code>kid</code> identifying the leaf certificate in the included certification path <span class="bcp14">MAY</span> be included in the unprotected header of the COSE Envelope.<a href="#section-4.2-10" class="pilcrow"></a></p>
<ul class="normal">
<li class="normal" id="section-4.2-11.1">
<p id="section-4.2-11.1.1">When using x.509 certificates, support for <code>x5t</code> is <span class="bcp14">REQUIRED</span> to implement.<a href="#section-4.2-11.1.1" class="pilcrow"></a></p>
<p id="section-4.2-11.1.1">When using x.509 certificates, support for either <code>x5t</code> or <code>x5chain</code> in the protected header is <span class="bcp14">REQUIRED</span> to implement.<a href="#section-4.2-11.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-4.2-11.2">
<p id="section-4.2-11.2.1">Support for <code>kid</code> in the protected header and <code>x5chain</code> in the unprotected header is <span class="bcp14">OPTIONAL</span> to implement.<a href="#section-4.2-11.2.1" class="pilcrow"></a></p>
</li>
</ul>
<p id="section-4.2-12">When <code>x5t</code> is present, <code>iss</code> <span class="bcp14">MUST</span> be a string that meets URI requirements defined in <span>[<a href="#RFC8392" class="cite xref">RFC8392</a>]</span>.
<p id="section-4.2-12">When <code>x5t</code> or <code>x5chain</code> is present in the protected header, <code>iss</code> <span class="bcp14">MUST</span> be a string that meets URI requirements defined in <span>[<a href="#RFC8392" class="cite xref">RFC8392</a>]</span>.
The <code>iss</code> value's length <span class="bcp14">MUST</span> be between 1 and 8192 characters in length.<a href="#section-4.2-12" class="pilcrow"></a></p>
<p id="section-4.2-13">The <code>kid</code> header parameter <span class="bcp14">MUST</span> be present when <code>x5t</code> is not present.
<p id="section-4.2-13">The <code>kid</code> header parameter <span class="bcp14">MUST</span> be present when neither <code>x5t</code> nor <code>x5chain</code> is present in the protected header.
Key discovery protocols are out-of-scope of this document.<a href="#section-4.2-13" class="pilcrow"></a></p>
<p id="section-4.2-14">The protected header of a Signed Statement and a Receipt <span class="bcp14">MUST</span> include the <code>CWT Claims</code> header parameter as specified in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-cose-cwt-claims-in-headers-10#section-2" class="relref">Section 2</a> of [<a href="#CWT_CLAIMS_COSE" class="cite xref">CWT_CLAIMS_COSE</a>]</span>.
The <code>CWT Claims</code> value <span class="bcp14">MUST</span> include the <code>Issuer Claim</code> (Claim label 1) and the <code>Subject Claim</code> (Claim label 2) <span>[<a href="#IANA.cwt" class="cite xref">IANA.cwt</a>]</span>.<a href="#section-4.2-14" class="pilcrow"></a></p>
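Review bot: The unchanged second sentence of section-4.2-10 ("Additionally, x5chain that corresponds to either x5t or kid ... MAY be included in the unprotected header") does not cover the newly allowed case where x5chain itself sits in the protected header; it should say whether an unprotected x5chain is then disallowed or must be identical, otherwise a verifier can be handed two chains of which only one is signed over. The new bullet "support for either x5t or x5chain in the protected header is REQUIRED to implement" is also ambiguous about whether an implementation must accept both or may choose one; if Issuers may emit either while a Transparency Service implements only one, valid Signed Statements get rejected, so spell out that verifiers MUST support both and an Issuer MUST use at least one.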
Expand Down Expand Up @@ -2403,7 +2404,7 @@ <h3 id="name-normative-references">
<dd class="break"></dd>
<dt id="I-D.draft-ietf-cose-merkle-tree-proofs">[I-D.draft-ietf-cose-merkle-tree-proofs]</dt>
<dd>
<span class="refAuthor">Steele, O.</span>, <span class="refAuthor">Birkholz, H.</span>, <span class="refAuthor">Delignat-Lavaud, A.</span>, and <span class="refAuthor">C. Fournet</span>, <span class="refTitle">"COSE Receipts"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-cose-merkle-tree-proofs-05</span>, <time datetime="2024-06-18" class="refDate">18 June 2024</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-cose-merkle-tree-proofs-05">https://datatracker.ietf.org/doc/html/draft-ietf-cose-merkle-tree-proofs-05</a>&gt;</span>. </dd>
<span class="refAuthor">Steele, O.</span>, <span class="refAuthor">Birkholz, H.</span>, <span class="refAuthor">Delignat-Lavaud, A.</span>, and <span class="refAuthor">C. Fournet</span>, <span class="refTitle">"COSE Receipts"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-cose-merkle-tree-proofs-06</span>, <time datetime="2024-10-09" class="refDate">9 October 2024</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-cose-merkle-tree-proofs-06">https://datatracker.ietf.org/doc/html/draft-ietf-cose-merkle-tree-proofs-06</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="IANA.cwt">[IANA.cwt]</dt>
<dd>
44 changes: 24 additions & 20 deletions draft-ietf-scitt-architecture.txt
Expand Up @@ -5,13 +5,13 @@
SCITT H. Birkholz
Internet-Draft Fraunhofer SIT
Intended status: Standards Track A. Delignat-Lavaud
Expires: 11 April 2025 C. Fournet
Expires: 18 April 2025 C. Fournet
Microsoft Research
Y. Deshpande
ARM
S. Lasker
DataTrails
8 October 2024
15 October 2024


An Architecture for Trustworthy and Transparent Digital Supply Chains
Expand Down Expand Up @@ -66,7 +66,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 April 2025.
This Internet-Draft will expire on 18 April 2025.

Copyright Notice

Expand Down Expand Up @@ -532,12 +532,15 @@ Table of Contents
by the Transparency Service MUST be checked.

In essence, when using X.509 Signed Statements, the Transparency
Service MUST build and validate a complete certificate chain from the
Issuer's certificate identified by x5t located in the protected
header of the COSE_Sign1 Envelope, to one of the root certificates
most recently registered as a trust anchor of the Transparency
Service. An x5chain with a leaf certificate that corresponds to the
x5t value MAY be included in the unprotected header.
Service MUST build and validate a complete certification path from an
Issuer's certificate to one of the root certificates most recently
registered as a trust anchor by the Transparency Service.

The protected header of the COSE_Sign1 Envelope MUST include either
the Issuer's certificate as x5t or the chain including the Issuer's
certificate as x5chain. If x5t is included in the protected header,
an x5chain with a leaf certificate corresponding to the x5t value MAY
be included in the unprotected header.

The Transparency Service MUST apply the Registration Policy that was
most recently added to the Append-only Log at the time of
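Review bot: "the Issuer's certificate as x5t" in the new paragraph is imprecise, since x5t carries a thumbprint of the certificate rather than the certificate itself (the removed lines had "Issuer's certificate identified by x5t"); suggest "a thumbprint of the Issuer's certificate as x5t". The final MAY sentence should also require that the leaf of an unprotected x5chain be checked against the protected x5t before the chain is used for the certification path, because the unprotected header is outside the signature.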
Expand Down Expand Up @@ -665,23 +668,24 @@ Table of Contents
affirming multiple Issuers agree.

At least one identifier representing one credential MUST be included
in the protected header of the COSE Envelope, as one of x5t or kid.
Additionally, x5chain that corresponds to either x5t or kid
in the protected header of the COSE Envelope, as one of x5t, x5chain
or kid. Additionally, x5chain that corresponds to either x5t or kid
identifying the leaf certificate in the included certification path
MAY be included in the unprotected header of the COSE Envelope.

* When using x.509 certificates, support for x5t is REQUIRED to
implement.
* When using x.509 certificates, support for either x5t or x5chain
in the protected header is REQUIRED to implement.

* Support for kid in the protected header and x5chain in the
unprotected header is OPTIONAL to implement.

When x5t is present, iss MUST be a string that meets URI requirements
defined in [RFC8392]. The iss value's length MUST be between 1 and
8192 characters in length.
When x5t or x5chain is present in the protected header, iss MUST be a
string that meets URI requirements defined in [RFC8392]. The iss
value's length MUST be between 1 and 8192 characters in length.

The kid header parameter MUST be present when x5t is not present.
Key discovery protocols are out-of-scope of this document.
The kid header parameter MUST be present when neither x5t nor x5chain
is present in the protected header. Key discovery protocols are out-
of-scope of this document.

The protected header of a Signed Statement and a Receipt MUST include
the CWT Claims header parameter as specified in Section 2 of
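Review bot: The unchanged sentence "Additionally, x5chain that corresponds to either x5t or kid ... MAY be included in the unprotected header" now conflicts with the new option of carrying x5chain in the protected header; state whether an unprotected x5chain is still permitted in that case and, if so, that it must match the protected one. "support for either x5t or x5chain in the protected header is REQUIRED to implement" leaves open whether a Transparency Service may implement only one of the two while Issuers may use either, which would break interoperability; say explicitly that verifiers MUST support both.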
Expand Down Expand Up @@ -1284,9 +1288,9 @@ Table of Contents
[I-D.draft-ietf-cose-merkle-tree-proofs]
Steele, O., Birkholz, H., Delignat-Lavaud, A., and C.
Fournet, "COSE Receipts", Work in Progress, Internet-
Draft, draft-ietf-cose-merkle-tree-proofs-05, 18 June
Draft, draft-ietf-cose-merkle-tree-proofs-06, 9 October
2024, <https://datatracker.ietf.org/doc/html/draft-ietf-
cose-merkle-tree-proofs-05>.
cose-merkle-tree-proofs-06>.

[IANA.cwt] IANA, "CBOR Web Token (CWT) Claims",
<https://www.iana.org/assignments/cwt>.
16 changes: 8 additions & 8 deletions index.html
Expand Up @@ -24,6 +24,14 @@ <h1>Editor's drafts for main branch of <a href="https://github.com/ietf-wg-scitt
<td></td>
</tr>
</table>
<h2>Preview for branch <a href="remove-unclear-text">remove-unclear-text</a></h2>
<table id="branch-remove-unclear-text">
<tr>
<td><a href="remove-unclear-text/draft-ietf-scitt-architecture.html" class="html draft-ietf-scitt-architecture" title="An Architecture for Trustworthy and Transparent Digital Supply Chains (HTML)">SCITT Architecture</a></td>
<td><a href="remove-unclear-text/draft-ietf-scitt-architecture.txt" class="txt draft-ietf-scitt-architecture" title="An Architecture for Trustworthy and Transparent Digital Supply Chains (Text)">plain text</a></td>
<td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/draft-ietf-scitt-architecture.txt&amp;url_2=https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/remove-unclear-text/draft-ietf-scitt-architecture.txt" class="diff draft-ietf-scitt-architecture">diff with main</a></td>
</tr>
</table>
<h2>Preview for branch <a href="268-figure-1-description">268-figure-1-description</a></h2>
<table id="branch-268-figure-1-description">
<tr>
Expand All @@ -49,14 +57,6 @@ <h2>Preview for branch <a href="steve/268">steve/268</a></h2>
<td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/draft-ietf-scitt-architecture.txt&amp;url_2=https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/steve/268/draft-ietf-scitt-architecture.txt" class="diff draft-ietf-scitt-architecture">diff with main</a></td>
</tr>
</table>
<h2>Preview for branch <a href="remove-unclear-text">remove-unclear-text</a></h2>
<table id="branch-remove-unclear-text">
<tr>
<td><a href="remove-unclear-text/draft-ietf-scitt-architecture.html" class="html draft-ietf-scitt-architecture" title="An Architecture for Trustworthy and Transparent Digital Supply Chains (HTML)">SCITT Architecture</a></td>
<td><a href="remove-unclear-text/draft-ietf-scitt-architecture.txt" class="txt draft-ietf-scitt-architecture" title="An Architecture for Trustworthy and Transparent Digital Supply Chains (Text)">plain text</a></td>
<td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/draft-ietf-scitt-architecture.txt&amp;url_2=https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/remove-unclear-text/draft-ietf-scitt-architecture.txt" class="diff draft-ietf-scitt-architecture">diff with main</a></td>
</tr>
</table>
<script>
window.onload = function() {
var referrer_branch = 'main';
