Change Feed label 392 to bstr, representing an opaque series of bytes #111

Closed
wants to merge 1 commit into from


@SteveLasker (Collaborator) commented Oct 15, 2023

This attempts to resolve the balance between a generic string and a structured string for how issuers and verifiers can identify "a sequence of Signed Statements about the same Artifact", as currently defined.

Changing to bstr enables an issuer to set the Feed to be a sub, and it also allows an issuer to use other identifier formats.

There's a great suggestion to use sub, as part of the CWT (PR #108). And at first it looks fairly simple.

```cddl
CWT_Claims = {
  1 => tstr; iss, the issuer that is making statements
  2 => tstr; sub, the subject about which the statements are made, throughout this spec, this is also called feed.
  * tstr => any
}
```

The challenge is a CWT_Claim is far more expressive as defined.

For an issuer and a verifier to clearly identify the specific artifact they are referencing with CWT_Claims, it would be both powerful and confusing for an issuer to specify which CWT_Claims properties they were using to identify the feed.

An issuer could add:

```cddl
CWT_Claims = {
  1 => tstr; iss, the issuer that is making statements
  2 => tstr; sub, the subject about which the statements are made, throughout this spec, this is also called feed.
  256 => bstr; ueid, The Universal Entity ID
  260 => array; hwversion, the Hardware Version Identifier
  2395 => uint; psa-security-lifecycle, PSA Security Lifecycle
  * tstr => any
}
```

Using the text in PR #103, changing the Feed to bstr makes it clear the Feed is:

Feed:
: a logical collection of Statements about the same Artifact.
For any step or set of steps in a supply chain there will be multiple statements made about the same Artifact. Issuers use the Feed to create a coherent sequence of Signed Statements about the same Artifact and Verifiers use the Feed to ensure completeness and non-equivocation in supply chain evidence by identifying all Transparent Statements linked to the one(s) they are evaluating.

Fixes #11
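
An added example, not code from this PR or the SCITT drafts: it encodes the Feed as a bstr under header label 392 and shows a verifier collecting statements by byte-exact (issuer, feed). The CBOR encoder covers only the subset needed here; the issuer URLs, identifier values and function names are constructed for the illustration.

```python
import struct
from collections import defaultdict

FEED_LABEL = 392  # Feed header label named in this PR's title

def _head(major, n):
    """CBOR initial byte plus shortest-form argument (RFC 8949)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | info]) + struct.pack(fmt, n)
    raise ValueError("argument too large for CBOR")

def encode(obj):
    """Encode the CBOR subset used here: uint, bstr, tstr, map."""
    if type(obj) is int and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, dict):
        # Deterministic encoding: sort entries by their encoded keys.
        pairs = sorted((encode(k), encode(v)) for k, v in obj.items())
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def feed_header(feed):
    """Header fragment {392: bstr}; text identifiers are encoded by the caller."""
    if not isinstance(feed, bytes):
        raise TypeError("Feed is an opaque bstr; pass bytes")
    return encode({FEED_LABEL: feed})

def statements_by_feed(statements):
    """Group (issuer, feed, payload) tuples by byte-exact (issuer, feed)."""
    groups = defaultdict(list)
    for issuer, feed, payload in statements:
        groups[(issuer, feed)].append(payload)
    return dict(groups)

# Constructed sample data: issuer A puts a sub-style text identifier in the
# Feed, issuer B a binary identifier. No case folding or normalisation applies.
SAMPLE = [
    ("https://issuer-a.example", b"pkg:example/widget", "sbom v1"),
    ("https://issuer-a.example", b"pkg:example/widget", "sbom v2"),
    ("https://issuer-b.example", bytes.fromhex("01a2b3c4d5e6f7"), "attestation"),
    ("https://issuer-a.example", b"pkg:example/Widget", "scan report"),
]
```

Because the Feed is compared as raw bytes, `pkg:example/widget` and `pkg:example/Widget` land in different feeds, so a verifier checking completeness only sees statements whose Feed matches exactly.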

@robinbryce (Collaborator)

LGTM

@SteveLasker SteveLasker added this to the IETF 118 milestone Oct 18, 2023
@SteveLasker SteveLasker mentioned this pull request Oct 20, 2023
@SteveLasker (Collaborator, Author)

Closing, in lieu of #108
