Concise TA Stores (CoTS)
draft-wallace-rats-concise-ta-stores-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Authors | Carl Wallace , Russ Housley | ||
| Last updated | 2022-06-22 | ||
| Replaced by | draft-ietf-rats-concise-ta-stores | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-wallace-rats-concise-ta-stores-00
Remote ATtestation ProcedureS C. Wallace
Internet-Draft Red Hound
Intended status: Standards Track R. Housley
Expires: 24 December 2022 Vigil Security
22 June 2022
Concise TA Stores (CoTS)
draft-wallace-rats-concise-ta-stores-00
Abstract
Trust anchor (TA) stores may be used for several purposes in the
Remote Attestation Procedures (RATS) architecture including verifying
endorsements, reference values, digital letters of approval,
attestations, or public key certificates. This document describes a
Concise Reference Integrity Manifest (CoRIM) extension that may be
used to convey optionally constrained trust anchor stores containing
optionally constrained trust anchors in support of these purposes.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-wallace-rats-concise-ta-
stores/.
Discussion of this document takes place on the rats Working Group
mailing list (mailto:rats@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/rats/.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 24 December 2022.
Wallace & Housley Expires 24 December 2022 [Page 1]
Internet-Draft CoTS June 2022
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Constraints . . . . . . . . . . . . . . . . . . . . . . . 4
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
3. Trust anchor management for RATS . . . . . . . . . . . . . . 5
3.1. TA and CA conveyance . . . . . . . . . . . . . . . . . . 5
3.1.1. The concise-ta-stores Container . . . . . . . . . . . 6
3.1.2. The concise-ta-store-map Container . . . . . . . . . 6
3.1.3. The cas-and-tas-map Container . . . . . . . . . . . . 8
3.2. Environment definition . . . . . . . . . . . . . . . . . 9
3.2.1. The environment-group-list Array . . . . . . . . . . 9
3.2.2. The abbreviated-swid-tag-map Container . . . . . . . 10
3.2.3. The named-ta-store Type . . . . . . . . . . . . . . . 11
3.3. Constraints definition . . . . . . . . . . . . . . . . . 11
3.3.1. The $$tas-list-purpose Type . . . . . . . . . . . . . 11
3.3.2. Claims . . . . . . . . . . . . . . . . . . . . . . . 12
3.4. Processing a concise-ta-stores RIM . . . . . . . . . . . 12
3.5. Verifying a concise-ta-stores RIM . . . . . . . . . . . . 12
4. CDDL definitions . . . . . . . . . . . . . . . . . . . . . . 12
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6. Security Considerations . . . . . . . . . . . . . . . . . . . 23
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
7.1. CoRIM CBOR Tag Registration . . . . . . . . . . . . . . . 23
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.1. Normative References . . . . . . . . . . . . . . . . . . 23
8.2. Informative References . . . . . . . . . . . . . . . . . 24
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
Wallace & Housley Expires 24 December 2022 [Page 2]
Internet-Draft CoTS June 2022
1. Introduction
The RATS architecture [I-D.draft-ietf-rats-architecture] uses the
definition of a trust anchor from [RFC6024]: "A trust anchor
represents an authoritative entity via a public key and associated
data. The public key is used to verify digital signatures, and the
associated data is used to constrain the types of information for
which the trust anchor is authoritative." In the context of RATS, a
trust anchor may be a public key or a symmetric key. This document
focuses on trust anchors that are represented as public keys.
The Concise Reference Integrity Manifest (CoRIM)
[I-D.draft-birkholz-rats-corim] specification defines a binary
encoding for reference values using the Concise Binary Object
Representation (CBOR) [RFC8949]. Amongst other information, a CoRIM
may include key material for use in verifying evidence from an
attesting environment (see section 3.11 in
[I-D.draft-birkholz-rats-corim]). The extension in this document
aims to enable public key material to be decoupled from reference
data for several reasons, described below.
Trust anchor (TA) and certification authority (CA) public keys may be
less dynamic than the reference data that comprises much of a
reference integrity manifest (RIM). For example, TA and CA lifetimes
are typically fairly long while software versions change frequently.
Conveying keys less frequently and indepedent from reference data
enables a reduction in size of RIMs used to convey dynamic
information and may result in a reduction in the size of aggregated
data transferred to a verifier. CoRIMs themselves are signed and
some means of conveying CoRIM verification keys is required, though
ultimately some out-of-band mechanism is required at least for
bootstrapping purposes. Relying parties may verify attestations from
both hardware and software sources and some trust anchors may be used
to verify attestations from both hardware and software sources, as
well. The verification information included in a CoRIM optionally
includes a trust anchor, leaving trust anchor management to other
mechanisms. Additionally, the CoRIM verification-map structure is
tied to CoMIDs, leaving no simple means to convey verification
information for CoSWIDs [I-D.draft-ietf-sacm-coswid].
This document defines means to decouple TAs and CAs from reference
data and adds support for constraining the use of trust anchors,
chiefly by limiting the environments to which a set of trust anchors
is applicable. This constraints mechanism is similar to that in
[fido-metadata] and [fido-service] and should align with existing
attestation verification practices that tend to use per-vendor trust
anchors. TA store instances may be further constrained using coarse-
grained purpose values or a set of finer-grained permitted or
Wallace & Housley Expires 24 December 2022 [Page 3]
Internet-Draft CoTS June 2022
excluded claims. The trust anchor formats supported by this draft
allow for per-trust anchor constraints, if desired. Conveyance of
trust anchors is the primary goal, CA certificates may optionally be
included for convenience.
1.1. Constraints
This document aims to support different PKI architectures including
scenarios with various combinations of the following characteristics:
* TA stores that contain a TA or set of TAs from a single
organization
* TA stores that contain a set of TAs from multiple organizations
* TAs that issue certificates to CAs within the same organiation as
the TA
* TAs that issue certificates to CAs from multiple organizations
* CAs that issue certificates that may be used to verify
attestations or certificates from the same organization as the TA
and CA
* CAs that issue certificates that may be used to verify
attestations or certificates from multiple organizations
Subsequent specifications may define extensions to express
constraints as well as processing rules for evaluating constraints
expressed in TA stores, TAs, CA certificates and end entity (EE)
certificates. Support for constraints is intended to enable
misissued certificates to be rejected at verification time. Any
public key that can be used to verify a certificate is assumed to
also support verification of revocation information, subject to
applicable constraints defined by the revocation mechanism.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Wallace & Housley Expires 24 December 2022 [Page 4]
Internet-Draft CoTS June 2022
3. Trust anchor management for RATS
Within RATS, trust anchors may be used to verify digital signatures
for a variety of objects, including entity attestation tokens (EATs),
CoRIMs, X.509 CA certificates (possibly containing endorsement
information), X.509 EE certificates (possibly containing endorsement
or attestation information), other attestation data, digital letters
of approval [dloa], revocation information, etc. Depending on
context, a raw public key may suffice or additional information may
be required, such as subject name or subject public key identifier
information found in an X.509 certificate. Trust anchors are usually
aggregated into sets that are referred to as "trust anchor stores".
Different trust anchor stores may serve different functional
purposes.
Historically, trust anchors and trust anchor stores are not
constrained other than by the context(s) in which a trust anchor
store is used. The path validation algorithm in [RFC5280] only lists
name, public key, public key algorithm and public key parameters as
the elements of "trust anchor information". However, there are
environments that do constrain trust anchor usage. The RPKI uses
extensions from trust anchor certificates as defined in [RFC3779].
FIDO provides a type of constraint by grouping attestation
verification root certificates by authenticator model in
[fido-metadata].
This document aims to support each of these types of models by
allowing constrained or unconstrained trust anchors to be grouped by
abstract purpose, i.e., similar to traditional trust anchor stores,
or grouped by a set of constraints, such as vendor name.
3.1. TA and CA conveyance
An unsigned concise TA stores object is a list of one or more TA
stores, each represented below as a concise-ta-store-map element.
concise-ta-stores
concise-ta-store-map #1
...
concise-ta-store-map #n
Each TA store instance identifies a target environment and features
one or more public keys. Optional constraints on usage may be
defined as well.
Wallace & Housley Expires 24 December 2022 [Page 5]
Internet-Draft CoTS June 2022
concise-ta-store-map
language
store-identity
target environment
abstract coarse-grained constraints on TA store usage
concrete fine-grained constraints on TA store usage
public keys (possibly included per-instance constraints)
The following sections define the structures to support the concepts
shown above.
3.1.1. The concise-ta-stores Container
The concise-ta-stores type is the root element for distrbuting sets
of trust anchor stores. It contains one or more concise-ta-store-map
elements where each element in the list identifies the environments
for which a given set of trust anchors is applicable, along with any
constraints.
concise-ta-stores = [+ concise-ta-store]
The $concise-tag-type-choice [I-D.draft-birkholz-rats-corim] is
extended to include the concise-ta-stores structure. As shown in
Section 4 of [I-D.draft-birkholz-rats-corim], the $concise-tag-type-
choice type is used within the unsigned-corim-map structure, which is
used within COSE-Sign1-corim structure. The COSE-Sign1-corim
provides for integrity of the CoTS data. CoTS structures are not
intended for use as stand-alone, unsigned structures. The signature
on a CoTS instance SHOULD be verified using a TA associated with the
cots purpose (Section 3.3.1).
$concise-tag-type-choice /= #6.TBD(bytes .cbor concise-ta-stores)
3.1.2. The concise-ta-store-map Container
A concise-ta-store-map is a trust anchor store where the
applicability of the store is established by the tastore.environment
field with optional constraints on use of trust anchors found in the
tastore.keys field defined by the tastore.purpose,
tastore.perm_claims and tastore.excl_claims fields.
Wallace & Housley Expires 24 December 2022 [Page 6]
Internet-Draft CoTS June 2022
concise-ta-store-map = {
? tastore.language => language-type
? tastore.store-identity => tag-identity-map
tastore.environments => environment-group-list
? tastore.purposes => [+ $$tas-list-purpose]
? tastore.perm_claims => [+ $$claims-set-claims]
? tastore.excl_claims => [+ $$claims-set-claims]
tastore.keys => cas-and-tas-map
}
; concise-ta-store-map indices
tastore.language = 0
tastore.store-identity = 1
tastore.environment = 2
tastore.purpose = 3
tastore.perm_claims = 4
tastore.excl_claims = 5
tastore.keys = 6
The following describes each member of the concise-ta-store-map.
tastore.language: A textual language tag that conforms with the IANA
Language Subtag Registry [IANA.language-subtag-registry].
tastore.store-identity: A composite identifier containing
identifying attributes that enable global unique identification of
a TA store instance across versions and facilitate linking from
other artifacts. The tag-identity-map type is defined in
[I-D.draft-birkholz-rats-corim].
tastore.environment: A list of environment definitions that limit
the contexts for which the tastore.keys list is applicable. If
the tastore.environment is empty, TAs in the tastore.keys list may
be used for any environment.
tastore.purpose: Contains a list of purposes (Section 3.3.1) for
which the tastore.keys list may be used. When absent, TAs in the
tastore.keys list may be used for any purpose. This field is
simliar to the extendedKeyUsage extension defined in [RFC5280].
The initial list of purposes are: cots, corim, comid, coswid, eat,
key-attestation, certificate
tastore.perm_claims: Contains a list of claim values (Section 3.3.2)
[I-D.draft-ietf-rats-eat] for which tastore.keys list MAY be used
to verify. When this field is absent, TAs in the tastore.keys
list MAY be used to verify any claim subject to other
restrictions.
Wallace & Housley Expires 24 December 2022 [Page 7]
Internet-Draft CoTS June 2022
tastore.excl_claims: Contains a list of claim values (Section 3.3.2)
[I-D.draft-ietf-rats-eat] for which tastore.keys list MUST NOT be
used to verify. When this field is absent, TAs in the
tastore.keys list may be used to verify any claim subject to other
restrictions.
tastore.keys: Contains a list of one or more TAs and an optional
list of one or more CA certificates.
The perm_claims and excl_claims constraints MAY alternatively be
expressed as extensions in a TA or CA. Inclusion of support here is
intended as an aid for environments that find CBOR encoding support
more readily available than DER encoding support.
3.1.3. The cas-and-tas-map Container
The cas-and-tas-map container provides the means of representing
trust anchors and, optionally, CA certificates.
trust-anchor = [
format => $pkix-ta-type
data => bstr
]
cas-and-tas-map = {
tastore.tas => [ + trust-anchor ]
? tastore.cas => [ + pkix-cert-data ]
}
; cas-and-tas-map indices
tastore.tas = 0
tastore.cas = 1
; format values
$pkix-ta-type /= tastore.pkix-cert-type
$pkix-ta-type /= tastore.pkix-tainfo-type
$pkix-ta-type /= tastore.pkix-spki-type
tastore.pkix-cert-type = 0
tastore.pkix-tainfo-type = 1
tastore.pkix-spki-type = 2
; certificate type
pkix-cert-data = bstr
The tastore.tas element is used to convey one or more trust anchors
and an optional set of one or more CA certificates. TAs are
implicitly trusted, i.e., no verification is required prior to use.
Wallace & Housley Expires 24 December 2022 [Page 8]
Internet-Draft CoTS June 2022
However, limitations on the use of the TA may be asserted in the
corresponding concise-ta-store-map or within the TA itself. The
tastore.cas field provides certificates that may be useful in the
context where the corresponding concise-ta-store-map is used. These
certificates are not implicitly trusted and MUST be validated to a
trust anchor before use. End entity certificates SHOULD NOT appear
in the tastore.cas list.
The structure of the data contained in the data field of a trust-
anchor is indicated by the format field. The pkix-cert-type is used
to represent a binary, DER-encoded X.509 Certificate as defined in
section 4.1 of [RFC5280]. The pkix-key-type is used to represent a
binary, DER-encoded SubjectPublicKeyInfo as defined in section 4.1 of
[RFC5280]. The pkix-tainfo-type is used to represent a binary, DER-
encoded TrustAnchorInfo as defined in section 2 of [RFC5914].
The $pkix-ta-type provides an extensible means for representing trust
anchor information. It is defined here as supporting the pkix-cert-
type, pkix-spki-type or pkix-tainfo-type. The pkix-spki-type may be
used where only a raw pubilc key is necessary. The pkix-cert-type
may be used for most purposes, including scenarios where a raw public
key is sufficient and those where additional information from a
certificate is required. The pkix-tainfo-type is included to support
scenarios where constraints information is directly associated with a
public key or certificate (vs. constraints for a TA set as provided
by tastore.purpose, tastore.perm_claims and tastore.excl_claims).
The pkix-cert-data type is used to represent a binary, DER-encoded
X.509 Certificate.
3.2. Environment definition
3.2.1. The environment-group-list Array
In CoRIM, "composite devices or systems are represented by a
collection of Concise Module Identifiers (CoMID) and Concise Software
Identifiers (CoSWID)". For trust anchor management purposes,
targeting specific devices or systems may be too granular. For
example, a trust anchor or set of trust anchors may apply to multiple
device models or versions. The environment-map definition as used in
a CoRIM is tightly bound to a CoMID. To allow for distribution of
key material applicable to a specific or range of devices or
software, the envrionment-group-list and environment-group-map are
defined as below. These aim to enable use of coarse-grained
naturally occurring values, like vendor, make, model, etc. to
determine if a set of trust anchors is applicable to an environment.
Wallace & Housley Expires 24 December 2022 [Page 9]
Internet-Draft CoTS June 2022
environment-group-list = [* environment-group-list-map]
environment-group-list-map = {
? tastore.environment_map => environment-map,
? tastore.concise_swid_tag => abbreviated-swid-tag,
? tastore.named_ta_store => named-ta-store,
}
; environment-group-list-map indices
tastore.environment_map = 0
tastore.abbreviated_swid_tag = 1
tastore.named_ta_store = 2
An environment-group-list is a list of one or more environment-group-
list-map elements that are used to determine if a given context is
applicable. An empty list signifies all contexts SHOULD be
considered as applicable.
An environment-group-list-map is one of environment-
map[I-D.draft-birkholz-rats-corim], abbreviated-swid-tag-map
(Section 3.2.2) or named-ta-store (Section 3.2.3).
As defined in [I-D.draft-birkholz-rats-corim], an envirionment-map
may contain class-map, $instance-id-type-choice, $group-id-type-
choice.
QUESTION: Should the above dispense with environment_map and
concise_swid_tag and use or define some identity-focused structure
with information common to both (possibly class-map from
[I-D.draft-birkholz-rats-corim])? If not, should a more complete
CoMID representation be used (instead of environment_map)?
3.2.2. The abbreviated-swid-tag-map Container
The abbreviated-swid-tag-map allows for expression of fields from a
concise-swid-tag [I-D.draft-ietf-sacm-coswid] with all fields except
entity designated as optional, compared to the concise-swid-tag
definition that requires tag-id, tag-version and software-name to be
present.
Wallace & Housley Expires 24 December 2022 [Page 10]
Internet-Draft CoTS June 2022
abbreviated-swid-tag-map = {
? tag-id => text / bstr .size 16,
? tag-version => integer,
? corpus => bool,
? patch => bool,
? supplemental => bool,
? software-name => text,
? software-version => text,
? version-scheme => $version-scheme,
? media => text,
? software-meta => one-or-more<software-meta-entry>,
entity => one-or-more<entity-entry>,
? link => one-or-more<link-entry>,
? payload-or-evidence,
* $$coswid-extension,
global-attributes,
}
3.2.3. The named-ta-store Type
This specification allows for defining sets of trust anchors that are
associated with an arbitrary name instead of relative to information
typically expressed in a CoMID or CoSWID. Relying parties MUST be
configured using the named-ta-store value to select a corresponding
concise-ta-store-map for use.
named-ta-store = tstr
3.3. Constraints definition
3.3.1. The $$tas-list-purpose Type
The $$tas-list-purpose type provides an extensible means of
expressions actions for which the corresponding keys are applicable.
For example, trust anchors in a concise-ta-store-map with purpose
field set to eat may not be used to verification certification paths.
Extended key usage values corresponding to each purpose listed below
(except for certificate) are defined in a companion specification.
$$tas-list-purpose /= "cots"
$$tas-list-purpose /= "corim"
$$tas-list-purpose /= "coswid"
$$tas-list-purpose /= "eat"
$$tas-list-purpose /= "key-attestation"
$$tas-list-purpose /= "certificate"
$$tas-list-purpose /= "dloa"
Wallace & Housley Expires 24 December 2022 [Page 11]
Internet-Draft CoTS June 2022
TODO - define verification targets for each purpose. QUESTION -
should this have a registry?
3.3.2. Claims
A concise-ta-store-map may include lists of permitted and/or excluded
claims [I-D.draft-ietf-rats-eat] that limit the applicability of
trust anchors present in a cas-and-tas-map. A subsequent
specification will define processing rules for evaluating constraints
expressed in TA stores, TAs, CA certificates and end entity
certificates.
3.4. Processing a concise-ta-stores RIM
When verifying a signature using a public key that chains back to a
concise-ta-stores instance, elements in the concise-ta-stores array
are processed beginning with the first element and proceeding until
either a matching set is found that serves the desired purpose or no
more elements are available. Each element is evaluated relative to
the context, i.e., environment, purpose, artifact contents, etc.
For example, when verifying a CoRIM, each element in a triples-group
MUST have an environment value that matches an environment-group-
list-map element associated with the concise-ta-store-map containing
the trust anchor used to verify the CoMID. Similarly, when verifying
a CoSWID, the values in a abbreviated-swid-tag element from the
concise-ta-store-map MUST match the CoSWID tag being verified. When
verifying a certificate with DICE attestation extension, the
information in each DiceTcbInfo element MUST be consistent with an
environment-group-list-map associated with the concise-ta-store-map.
3.5. Verifying a concise-ta-stores RIM
[I-D.draft-birkholz-rats-corim] defers verification rules to
[RFC8152] and this document follows suit with the additional
recommendation that the public key used to verify the RIM SHOULD be
present in or chain to a public key present in a concise-ta-store-map
with purpose set to cots.
4. CDDL definitions
The CDDL definitions present in this document are provided below.
Definitions from [I-D.draft-birkholz-rats-corim] are not repeated
here.
Wallace & Housley Expires 24 December 2022 [Page 12]
Internet-Draft CoTS June 2022
concise-ta-stores = [+ concise-ta-store-map]
$concise-tag-type-choice /= #6.TBD(bytes .cbor concise-ta-stores)
concise-ta-store-map = {
? tastore.language => language-type
? tastore.store-identity => tag-identity-map
tastore.environments => environment-group-list
? tastore.purposes => [+ $$tas-list-purpose]
? tastore.perm_claims => [+ $$claims-set-claims]
? tastore.excl_claims => [+ $$claims-set-claims]
tastore.keys => cas-and-tas-map
}
; concise-ta-store-map indices
tastore.language = 0
tastore.store-identity = 1
tastore.environment = 2
tastore.purpose = 3
tastore.perm_claims = 4
tastore.excl_claims = 5
tastore.keys = 6
trust-anchor = [
format => $pkix-ta-type
data => bstr
]
cas-and-tas-map = {
tastore.tas => [ + trust-anchor ]
? tastore.cas => [ + pkix-cert-type ]
}
; cas-and-tas-map indices
tastore.tas = 0
tastore.cas = 1
; format values
$pkix-ta-type /= tastore.pkix-cert-type
$pkix-ta-type /= tastore.pkix-tainfo-type
$pkix-ta-type /= tastore.pkix-spki-type
tastore.pkix-cert-type = 0
tastore.pkix-tainfo-type = 1
tastore.pkix-spki-type = 2
; certificate type
pkix-cert-data = bstr
Wallace & Housley Expires 24 December 2022 [Page 13]
Internet-Draft CoTS June 2022
environment-group-list = [* environment-group-list-map]
environment-group-list-map = {
? environment-map => environment-map,
? concise-swid-tag => abbreviated-swid-tag,
? named-ta-store => named-ta-store,
}
abbreviated-swid-tag = {
? tag-version => integer,
? corpus => bool,
? patch => bool,
? supplemental => bool,
? software-name => text,
? software-version => text,
? version-scheme => $version-scheme,
? media => text,
? software-meta => one-or-more<software-meta-entry>,
? entity => one-or-more<entity-entry>,
? link => one-or-more<link-entry>,
? payload-or-evidence,
* $$coswid-extension,
global-attributes,
}
named-ta-store = tstr
$tas-list-purpose /= "cots"
$tas-list-purpose /= "corim"
$tas-list-purpose /= "comid"
$tas-list-purpose /= "coswid"
$tas-list-purpose /= "eat"
$tas-list-purpose /= "key-attestation"
$tas-list-purpose /= "certificate"
$tas-list-purpose /= "dloa"
5. Examples
The following examples are isolated concise-ta-store-map instances
shown as JSON for ease of reading. The final example is an ASCII hex
representation of a CBOR-encoded concise-ta-stores instance
containing each example below (and using a placeholder value for the
concise-ta-stores tag).
The TA store below contains a TA from a single organization ("Zesty
Hands, Inc,") that is used to verify CoRIMs for that organization.
Because this TA does not verify certificates, a bare public key is
appropriate.
Wallace & Housley Expires 24 December 2022 [Page 14]
Internet-Draft CoTS June 2022
{
"environments": [
{
"environment": {
"class": {
"vendor": "Worthless Sea, Inc."
}
}
}
],
"purposes": [
"corim"
],
"keys": {
"tas": [
{
"format": 2,
"data":
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErYoMAdqe2gJT3CvCcifZxyE9+
N8T6Jy5zbeo5LYtnOipmi1wXA9/gNtlwAbRCRQitH/GEcvUaGlzPZxIOITV/g=="
}
]
}
}
The TA store below features three TAs from different organizations
grouped as a TA store with the name "Miscellaneous TA Store". The
first TA is an X.509 certificate. The second and third TAs are
TrustAnchorInfo objects containing X.509 certificates. Though not
shown in this example, constraints could added to the TrustAnchorInfo
elements, i.e., to restrict verification to attestations asserting a
specific vendor name.
{
"environments": [
{
"namedtastore": "Miscellaneous TA Store"
}
],
"keys": {
"tas": [
{
"data":
"
MIIBvTCCAWSgAwIBAgIVANCdkL89UlzHc9Ui7XfVniK7pFuIMAoGCCqGSM49BAMCMD4
xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIF
RydXN0IEFuY2hvcjAeFw0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMD4xCzAJB
gNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0
Wallace & Housley Expires 24 December 2022 [Page 15]
Internet-Draft CoTS June 2022
IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABONRqhA5JAekvQN8oLwRVND
nAfBnTznLLE+SEGks677sHSeXfcVhZXUeDiN7/
fsVNumaiEWRQpZh3zXPwL8rUMyjPzA9MB0GA1UdDgQWBBQBXEXJrLBGKnFd1xCgeMAV
SfEBPzALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/
zAKBggqhkjOPQQDAgNHADBEAiALBidABsfpzG0lTL9Eh9b6AUbqnzF+
koEZbgvppvvt9QIgVoE+bhEN0j6wSPzePjLrEdD+PEgyjHJ5rbA11SPq/1M="
},
{
"format": 1,
"data":
"
ooICtjCCArIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXz21w12owQAx58euratY
WiHEkhxDU9MEgetrvAtGYZxNnkfLCsp9vLcw8ISXC8tL97k9ZCUtnr0MzLw37XKRABB
T22tHlEou/DenpU0Ozccb3/+
fibjCCAj0wUjELMAkGA1UEBgwCVVMxGjAYBgNVBAoMEVplc3R5IEhhbmRzLCBJbmMuM
ScwJQYDVQQDDB5aZXN0eSBIYW5kcywgSW5jLiBUcnVzdCBBbmNob3KgggHlMIIBi6AD
AgECAhQL3EqgUXlQPljyddVSRnNHvK+
1MzAKBggqhkjOPQQDAjBSMQswCQYDVQQGDAJVUzEaMBgGA1UECgwRWmVzdHkgSGFuZH
MsIEluYy4xJzAlBgNVBAMMHlplc3R5IEhhbmRzLCBJbmMuIFRydXN0IEFuY2hvcjAeF
w0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMFIxCzAJBgNVBAYMAlVTMRowGAYD
VQQKDBFaZXN0eSBIYW5kcywgSW5jLjEnMCUGA1UEAwweWmVzdHkgSGFuZHMsIEluYy4
gVHJ1c3QgQW5jaG9yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl89tcNdqMEAMef
Hrq2rWFohxJIcQ1PTBIHra7wLRmGcTZ5HywrKfby3MPCElwvLS/e5PWQlLZ69DMy8N+
1ykQKM/MD0wHQYDVR0OBBYEFPba0eUSi78N6elTQ7Nxxvf/5+
JuMAsGA1UdDwQEAwIChDAPBgNVHRMBAf8EBTADAQH/
MAoGCCqGSM49BAMCA0gAMEUCIB2li+
f6RCxs2EnvNWciSpIDwiUViWayGv1A8xks80eYAiEAmCez4KGrolFKOZT6bvqf1sYQu
JBfvtk/y1JQdUvoqlg="
},
{
"format": 1,
"data":
"
ooIC1TCCAtEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATN0f5kzywEzZOYbaV23O3
N8cku39JoLNjlHPwECbXDDWp0LpAO1z248/hoy6UW/TZMTPPR/
93XwHsG16mSFy8XBBSKhM/
5gJWjvDbW7qUY1peNm9cfYDCCAlwwXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2
JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluY
y4gVHJ1c3QgQW5jaG9yoIIB+jCCAZ+gAwIBAgIUEBuTRGXAEEVEHhu4xafAnqm+
qYgwCgYIKoZIzj0EAwIwXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEF
wcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3
QgQW5jaG9yMB4XDTIyMDUxOTE1MTMwOFoXDTMyMDUxNjE1MTMwOFowXDELMAkGA1UEB
gwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nu
b2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3QgQW5jaG9yMFkwEwYHKoZIzj0CAQYIKoZ
Izj0DAQcDQgAEzdH+ZM8sBM2TmG2ldtztzfHJLt/
SaCzY5Rz8BAm1ww1qdC6QDtc9uPP4aMulFv02TEzz0f/d18B7BtepkhcvF6M/
MD0wHQYDVR0OBBYEFIqEz/
mAlaO8NtbupRjWl42b1x9gMAsGA1UdDwQEAwIChDAPBgNVHRMBAf8EBTADAQH/
Wallace & Housley Expires 24 December 2022 [Page 16]
Internet-Draft CoTS June 2022
MAoGCCqGSM49BAMCA0kAMEYCIQC2cf43f3PPlCO6/dxv40ftIgxxToKHF72UzENv7+
y4ygIhAIGtC/r6SGaFMaP7zD2EloBuIXTtyWu8Hwl+YGdXRY93"
}
]
}
}
The TA Store below features one TA with an environment targeting
CoSWIDs with entity named "Zesty Hands, Inc," and one permitted EAT
claim for software named "Bitter Paper".
Wallace & Housley Expires 24 December 2022 [Page 17]
Internet-Draft CoTS June 2022
{
"environments": [
{
"swidtag": {
"entity": [
{
"entity-name": "Zesty Hands, Inc.",
"role": "softwareCreator"
}
]
}
}
],
"permclaims": [
{
"swname": "Bitter Paper"
}
],
"keys": {
"tas": [
{
"data":
"
MIIB5TCCAYugAwIBAgIUC9xKoFF5UD5Y8nXVUkZzR7yvtTMwCgYIKoZIzj0EAwI
wUjELMAkGA1UEBgwCVVMxGjAYBgNVBAoMEVplc3R5IEhhbmRzLCBJbmMuMScwJQ
YDVQQDDB5aZXN0eSBIYW5kcywgSW5jLiBUcnVzdCBBbmNob3IwHhcNMjIwNTE5M
TUxMzA3WhcNMzIwNTE2MTUxMzA3WjBSMQswCQYDVQQGDAJVUzEaMBgGA1UECgwR
WmVzdHkgSGFuZHMsIEluYy4xJzAlBgNVBAMMHlplc3R5IEhhbmRzLCBJbmMuIFR
ydXN0IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJfPbXDXajBADH
nx66tq1haIcSSHENT0wSB62u8C0ZhnE2eR8sKyn28tzDwhJcLy0v3uT1kJS2evQ
zMvDftcpECjPzA9MB0GA1UdDgQWBBT22tHlEou/DenpU0Ozccb3/+
fibjALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/
zAKBggqhkjOPQQDAgNIADBFAiAdpYvn+
kQsbNhJ7zVnIkqSA8IlFYlmshr9QPMZLPNHmAIhAJgns+Chq6JRSjmU+
m76n9bGELiQX77ZP8tSUHVL6KpY"
}
]
}
}
The ASCII hex below represents a signed CoRIM that features a
concise-ta-stores containing the three examples shown above.
Wallace & Housley Expires 24 December 2022 [Page 18]
Internet-Draft CoTS June 2022
D2 84 58 5D A3 01 26 03 74 61 70 70 6C 69 63 61
74 69 6F 6E 2F 72 69 6D 2B 63 62 6F 72 08 58 41
A2 00 A2 00 74 41 43 4D 45 20 4C 74 64 20 73 69
67 6E 69 6E 67 20 6B 65 79 01 D8 20 74 68 74 74
70 73 3A 2F 2F 61 63 6D 65 2E 65 78 61 6D 70 6C
65 01 A2 00 C1 1A 61 CE 48 00 01 C1 1A 69 54 67
80 A0 59 0B 10 A3 00 50 70 2F 47 5D E6 6B 4F 61
A5 8E 3C EF 3C CD 6E 44 01 81 59 0A E8 D9 01 FB
83 A2 01 81 A1 01 A1 00 A1 01 73 57 6F 72 74 68
6C 65 73 73 20 53 65 61 2C 20 49 6E 63 2E 05 A1
00 81 82 02 58 5B 30 59 30 13 06 07 2A 86 48 CE
3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00
04 AD 8A 0C 01 DA 9E DA 02 53 DC 2B C2 72 27 D9
C7 21 3D F8 DF 13 E8 9C B9 CD B7 A8 E4 B6 2D 9C
E8 A9 9A 2D 70 5C 0F 7F 80 DB 65 C0 06 D1 09 14
22 B4 7F C6 11 CB D4 68 69 73 3D 9C 48 38 84 D5
FE A2 01 81 A1 03 76 4D 69 73 63 65 6C 6C 61 6E
65 6F 75 73 20 54 41 20 53 74 6F 72 65 05 A1 00
83 82 01 59 02 7E A2 82 02 7A 30 82 02 76 30 59
30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48
CE 3D 03 01 07 03 42 00 04 E3 51 AA 10 39 24 07
A4 BD 03 7C A0 BC 11 54 D0 E7 01 F0 67 4F 39 CB
2C 4F 92 10 69 2C EB BE EC 1D 27 97 7D C5 61 65
75 1E 0E 23 7B FD FB 15 36 E9 9A 88 45 91 42 96
61 DF 35 CF C0 BF 2B 50 CC 04 14 01 5C 45 C9 AC
B0 46 2A 71 5D D7 10 A0 78 C0 15 49 F1 01 3F 30
82 02 01 30 3E 31 0B 30 09 06 03 55 04 06 0C 02
55 53 31 10 30 0E 06 03 55 04 0A 0C 07 45 78 61
6D 70 6C 65 31 1D 30 1B 06 03 55 04 03 0C 14 45
78 61 6D 70 6C 65 20 54 72 75 73 74 20 41 6E 63
68 6F 72 A0 82 01 BD 30 82 01 64 A0 03 02 01 02
02 15 00 D0 9D 90 BF 3D 52 5C C7 73 D5 22 ED 77
D5 9E 22 BB A4 5B 88 30 0A 06 08 2A 86 48 CE 3D
04 03 02 30 3E 31 0B 30 09 06 03 55 04 06 0C 02
55 53 31 10 30 0E 06 03 55 04 0A 0C 07 45 78 61
6D 70 6C 65 31 1D 30 1B 06 03 55 04 03 0C 14 45
78 61 6D 70 6C 65 20 54 72 75 73 74 20 41 6E 63
68 6F 72 30 1E 17 0D 32 32 30 35 31 39 31 35 31
33 30 37 5A 17 0D 33 32 30 35 31 36 31 35 31 33
30 37 5A 30 3E 31 0B 30 09 06 03 55 04 06 0C 02
55 53 31 10 30 0E 06 03 55 04 0A 0C 07 45 78 61
6D 70 6C 65 31 1D 30 1B 06 03 55 04 03 0C 14 45
78 61 6D 70 6C 65 20 54 72 75 73 74 20 41 6E 63
68 6F 72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01
06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 E3 51
AA 10 39 24 07 A4 BD 03 7C A0 BC 11 54 D0 E7 01
F0 67 4F 39 CB 2C 4F 92 10 69 2C EB BE EC 1D 27
97 7D C5 61 65 75 1E 0E 23 7B FD FB 15 36 E9 9A
Wallace & Housley Expires 24 December 2022 [Page 19]
Internet-Draft CoTS June 2022
88 45 91 42 96 61 DF 35 CF C0 BF 2B 50 CC A3 3F
30 3D 30 1D 06 03 55 1D 0E 04 16 04 14 01 5C 45
C9 AC B0 46 2A 71 5D D7 10 A0 78 C0 15 49 F1 01
3F 30 0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F
06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30
0A 06 08 2A 86 48 CE 3D 04 03 02 03 47 00 30 44
02 20 0B 06 27 40 06 C7 E9 CC 6D 25 4C BF 44 87
D6 FA 01 46 EA 9F 31 7E 92 81 19 6E 0B E9 A6 FB
ED F5 02 20 56 81 3E 6E 11 0D D2 3E B0 48 FC DE
3E 32 EB 11 D0 FE 3C 48 32 8C 72 79 AD B0 35 D5
23 EA FF 53 82 01 59 02 BA A2 82 02 B6 30 82 02
B2 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08
2A 86 48 CE 3D 03 01 07 03 42 00 04 97 CF 6D 70
D7 6A 30 40 0C 79 F1 EB AB 6A D6 16 88 71 24 87
10 D4 F4 C1 20 7A DA EF 02 D1 98 67 13 67 91 F2
C2 B2 9F 6F 2D CC 3C 21 25 C2 F2 D2 FD EE 4F 59
09 4B 67 AF 43 33 2F 0D FB 5C A4 40 04 14 F6 DA
D1 E5 12 8B BF 0D E9 E9 53 43 B3 71 C6 F7 FF E7
E2 6E 30 82 02 3D 30 52 31 0B 30 09 06 03 55 04
06 0C 02 55 53 31 1A 30 18 06 03 55 04 0A 0C 11
5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63
2E 31 27 30 25 06 03 55 04 03 0C 1E 5A 65 73 74
79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 20 54 72
75 73 74 20 41 6E 63 68 6F 72 A0 82 01 E5 30 82
01 8B A0 03 02 01 02 02 14 0B DC 4A A0 51 79 50
3E 58 F2 75 D5 52 46 73 47 BC AF B5 33 30 0A 06
08 2A 86 48 CE 3D 04 03 02 30 52 31 0B 30 09 06
03 55 04 06 0C 02 55 53 31 1A 30 18 06 03 55 04
0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73 2C 20
49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C 1E 5A
65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E
20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 1E 17
0D 32 32 30 35 31 39 31 35 31 33 30 37 5A 17 0D
33 32 30 35 31 36 31 35 31 33 30 37 5A 30 52 31
0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A 30 18
06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E
64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04
03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20
49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F
72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08
2A 86 48 CE 3D 03 01 07 03 42 00 04 97 CF 6D 70
D7 6A 30 40 0C 79 F1 EB AB 6A D6 16 88 71 24 87
10 D4 F4 C1 20 7A DA EF 02 D1 98 67 13 67 91 F2
C2 B2 9F 6F 2D CC 3C 21 25 C2 F2 D2 FD EE 4F 59
09 4B 67 AF 43 33 2F 0D FB 5C A4 40 A3 3F 30 3D
30 1D 06 03 55 1D 0E 04 16 04 14 F6 DA D1 E5 12
8B BF 0D E9 E9 53 43 B3 71 C6 F7 FF E7 E2 6E 30
0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F 06 03
Wallace & Housley Expires 24 December 2022 [Page 20]
Internet-Draft CoTS June 2022
55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0A 06
08 2A 86 48 CE 3D 04 03 02 03 48 00 30 45 02 20
1D A5 8B E7 FA 44 2C 6C D8 49 EF 35 67 22 4A 92
03 C2 25 15 89 66 B2 1A FD 40 F3 19 2C F3 47 98
02 21 00 98 27 B3 E0 A1 AB A2 51 4A 39 94 FA 6E
FA 9F D6 C6 10 B8 90 5F BE D9 3F CB 52 50 75 4B
E8 AA 58 82 01 59 02 D9 A2 82 02 D5 30 82 02 D1
30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A
86 48 CE 3D 03 01 07 03 42 00 04 CD D1 FE 64 CF
2C 04 CD 93 98 6D A5 76 DC ED CD F1 C9 2E DF D2
68 2C D8 E5 1C FC 04 09 B5 C3 0D 6A 74 2E 90 0E
D7 3D B8 F3 F8 68 CB A5 16 FD 36 4C 4C F3 D1 FF
DD D7 C0 7B 06 D7 A9 92 17 2F 17 04 14 8A 84 CF
F9 80 95 A3 BC 36 D6 EE A5 18 D6 97 8D 9B D7 1F
60 30 82 02 5C 30 5C 31 0B 30 09 06 03 55 04 06
0C 02 55 53 31 1F 30 1D 06 03 55 04 0A 0C 16 53
6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C
20 49 6E 63 2E 31 2C 30 2A 06 03 55 04 03 0C 23
53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C
2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63
68 6F 72 A0 82 01 FA 30 82 01 9F A0 03 02 01 02
02 14 10 1B 93 44 65 C0 10 45 44 1E 1B B8 C5 A7
C0 9E A9 BE A9 88 30 0A 06 08 2A 86 48 CE 3D 04
03 02 30 5C 31 0B 30 09 06 03 55 04 06 0C 02 55
53 31 1F 30 1D 06 03 55 04 0A 0C 16 53 6E 6F 62
62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E
63 2E 31 2C 30 2A 06 03 55 04 03 0C 23 53 6E 6F
62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49
6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72
30 1E 17 0D 32 32 30 35 31 39 31 35 31 33 30 38
5A 17 0D 33 32 30 35 31 36 31 35 31 33 30 38 5A
30 5C 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31
1F 30 1D 06 03 55 04 0A 0C 16 53 6E 6F 62 62 69
73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E
31 2C 30 2A 06 03 55 04 03 0C 23 53 6E 6F 62 62
69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63
2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 59
30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48
CE 3D 03 01 07 03 42 00 04 CD D1 FE 64 CF 2C 04
CD 93 98 6D A5 76 DC ED CD F1 C9 2E DF D2 68 2C
D8 E5 1C FC 04 09 B5 C3 0D 6A 74 2E 90 0E D7 3D
B8 F3 F8 68 CB A5 16 FD 36 4C 4C F3 D1 FF DD D7
C0 7B 06 D7 A9 92 17 2F 17 A3 3F 30 3D 30 1D 06
03 55 1D 0E 04 16 04 14 8A 84 CF F9 80 95 A3 BC
36 D6 EE A5 18 D6 97 8D 9B D7 1F 60 30 0B 06 03
55 1D 0F 04 04 03 02 02 84 30 0F 06 03 55 1D 13
01 01 FF 04 05 30 03 01 01 FF 30 0A 06 08 2A 86
48 CE 3D 04 03 02 03 49 00 30 46 02 21 00 B6 71
Wallace & Housley Expires 24 December 2022 [Page 21]
Internet-Draft CoTS June 2022
FE 37 7F 73 CF 94 23 BA FD DC 6F E3 47 ED 22 0C
71 4E 82 87 17 BD 94 CC 43 6F EF EC B8 CA 02 21
00 81 AD 0B FA FA 48 66 85 31 A3 FB CC 3D 84 96
80 6E 21 74 ED C9 6B BC 1F 09 7E 60 67 57 45 8F
77 A3 01 81 A1 02 A1 02 A2 18 1F 71 5A 65 73 74
79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 18 21 02
03 81 A1 19 03 E6 6C 42 69 74 74 65 72 20 50 61
70 65 72 05 A1 00 81 82 00 59 01 E9 30 82 01 E5
30 82 01 8B A0 03 02 01 02 02 14 0B DC 4A A0 51
79 50 3E 58 F2 75 D5 52 46 73 47 BC AF B5 33 30
0A 06 08 2A 86 48 CE 3D 04 03 02 30 52 31 0B 30
09 06 03 55 04 06 0C 02 55 53 31 1A 30 18 06 03
55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73
2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C
1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E
63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30
1E 17 0D 32 32 30 35 31 39 31 35 31 33 30 37 5A
17 0D 33 32 30 35 31 36 31 35 31 33 30 37 5A 30
52 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A
30 18 06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48
61 6E 64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03
55 04 03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73
2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63
68 6F 72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01
06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 97 CF
6D 70 D7 6A 30 40 0C 79 F1 EB AB 6A D6 16 88 71
24 87 10 D4 F4 C1 20 7A DA EF 02 D1 98 67 13 67
91 F2 C2 B2 9F 6F 2D CC 3C 21 25 C2 F2 D2 FD EE
4F 59 09 4B 67 AF 43 33 2F 0D FB 5C A4 40 A3 3F
30 3D 30 1D 06 03 55 1D 0E 04 16 04 14 F6 DA D1
E5 12 8B BF 0D E9 E9 53 43 B3 71 C6 F7 FF E7 E2
6E 30 0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F
06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30
0A 06 08 2A 86 48 CE 3D 04 03 02 03 48 00 30 45
02 20 1D A5 8B E7 FA 44 2C 6C D8 49 EF 35 67 22
4A 92 03 C2 25 15 89 66 B2 1A FD 40 F3 19 2C F3
47 98 02 21 00 98 27 B3 E0 A1 AB A2 51 4A 39 94
FA 6E FA 9F D6 C6 10 B8 90 5F BE D9 3F CB 52 50
75 4B E8 AA 58 04 A2 00 C1 1A 61 CE 48 00 01 C1
1A 69 54 67 80 58 40 84 64 A5 CC 98 98 9E 1F 72
CD 14 97 99 78 47 BE 03 E4 C8 61 34 A5 B4 43 91
AA D7 55 EC 31 3A 2E 15 41 EC E2 E4 58 7F 5A B3
59 C7 F4 FF 0C 27 61 A6 FB 90 75 F9 0E 9C CD 13
9A F1 F9 31 E7 01 06
Wallace & Housley Expires 24 December 2022 [Page 22]
Internet-Draft CoTS June 2022
6. Security Considerations
As a profile of CoRIM, the security considerations from
[I-D.draft-birkholz-rats-corim] apply.
As a means of managing trust anchors, the security considerations
from [RFC6024] and [RFC5934] apply. a CoTS signer is roughly
analogous to a "management trust anchor" as described in [RFC5934].
7. IANA Considerations
7.1. CoRIM CBOR Tag Registration
IANA is requested to allocate tags in the "CBOR Tags" registry
[IANA.cbor-tags], preferably with the specific value requested:
+=====+==============+====================================+
| Tag | Data Item | Semantics |
+=====+==============+====================================+
| 507 | tagged array | Concise Trust Anchor Stores (CoTS) |
+-----+--------------+------------------------------------+
Table 1
8. References
8.1. Normative References
[I-D.draft-birkholz-rats-corim]
Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and
W. Pan, "Concise Reference Integrity Manifest", Work in
Progress, Internet-Draft, draft-birkholz-rats-corim-02, 26
January 2022, <https://datatracker.ietf.org/doc/html/
draft-birkholz-rats-corim-02>.
[I-D.draft-ietf-rats-eat]
Lundblade, L., Mandyam, G., and J. O'Donoghue, "The Entity
Attestation Token (EAT)", Work in Progress, Internet-
Draft, draft-ietf-rats-eat-13, 20 May 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-rats-
eat-13>.
[I-D.draft-ietf-sacm-coswid]
Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
Waltermire, "Concise Software Identification Tags", Work
in Progress, Internet-Draft, draft-ietf-sacm-coswid-21, 7
March 2022, <https://datatracker.ietf.org/doc/html/draft-
ietf-sacm-coswid-21>.
Wallace & Housley Expires 24 December 2022 [Page 23]
Internet-Draft CoTS June 2022
[IANA.cbor-tags]
IANA, "Concise Binary Object Representation (CBOR) Tags",
<https://www.iana.org/assignments/cbor-tags>.
[IANA.language-subtag-registry]
IANA, "Language Subtag Registry",
<https://www.iana.org/assignments/language-subtag-
registry>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/rfc/rfc5280>.
[RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
Format", RFC 5914, DOI 10.17487/RFC5914, June 2010,
<https://www.rfc-editor.org/rfc/rfc5914>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/rfc/rfc8949>.
8.2. Informative References
[dloa] GlobalPlatform, "GlobalPlatform Card - Digital Letter of
Approval Version 1.0", November 2015,
<https://globalplatform.org/wp-content/uploads/2015/12/
GPC_DigitalLetterOfApproval_v1.0.pdf>.
[fido-metadata]
FIDO Alliance, "FIDO Metadata Statement", May 2021,
<https://fidoalliance.org/specs/mds/fido-metadata-
statement-v3.0-ps-20210518.html>.
Wallace & Housley Expires 24 December 2022 [Page 24]
Internet-Draft CoTS June 2022
[fido-service]
FIDO Alliance, "FIDO Metadata Service", May 2021,
<https://fidoalliance.org/specs/mds/fido-metadata-service-
v3.0-ps-20210518.html>.
[I-D.draft-ietf-rats-architecture]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture-
18, 14 June 2022, <https://datatracker.ietf.org/doc/html/
draft-ietf-rats-architecture-18>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779,
DOI 10.17487/RFC3779, June 2004,
<https://www.rfc-editor.org/rfc/rfc3779>.
[RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
Management Protocol (TAMP)", RFC 5934,
DOI 10.17487/RFC5934, August 2010,
<https://www.rfc-editor.org/rfc/rfc5934>.
[RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management
Requirements", RFC 6024, DOI 10.17487/RFC6024, October
2010, <https://www.rfc-editor.org/rfc/rfc6024>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/rfc/rfc8152>.
Acknowledgments
TODO acknowledge.
Authors' Addresses
Carl Wallace
Red Hound Software
United States of America
Email: carl@redhoundsoftware.com
Russ Housley
Vigil Security, LLC
516 Dranesville Road
Herndon, VA 20170
United States of America
Email: housley@vigilsec.com
Wallace & Housley Expires 24 December 2022 [Page 25]