draft-ietf-sacm-coswid-06.txt vs. draft-ietf-sacm-coswid-07.txt (rfcdiff)

SACM Working Group                                           H. Birkholz
Internet-Draft                                            Fraunhofer SIT
Intended status: Standards Track                    J. Fitzgerald-McKay
Expires: January 4, 2019 (-06) / April 26, 2019 (-07)  Department of Defense
                                                              C. Schmidt
                                                   The MITRE Corporation
                                                           D. Waltermire
                                                                    NIST
                                July 03, 2018 (-06) / October 23, 2018 (-07)

                      Concise Software Identifiers
           draft-ietf-sacm-coswid-06 / draft-ietf-sacm-coswid-07
Abstract

   This document defines a concise representation of ISO/IEC
   19770-2:2015 Software Identification (SWID) tags that are
   interoperable with the XML schema definition of ISO/IEC 19770-2:2015
   and augmented for application in Constrained-Node Networks. Next to
   the inherent capability of SWID tags to express arbitrary context
   information, Concise SWID (CoSWID) tags support the definition of
   additional semantics via well-defined data definitions incorporated

   [skipping to change at page 1, line 42]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2019 (-06) /
   April 26, 2019 (-07).

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents

   [skipping to change at page 2, line 42]
   (Table of contents as in -07; -06 page numbers given where they differ.)

     2.7.2.  The resource-collection Group  . . . . . . . . . . . .  20
     2.7.3.  The payload Object . . . . . . . . . . . . . . . . . .  22
     2.7.4.  The evidence Object  . . . . . . . . . . . . . . . . .  23
     2.8.  Full CDDL Definition . . . . . . . . . . . . . . . . . .  24
   3.  CoSWID Indexed Label Values  . . . . . . . . . . . . . . . .  29
     3.1.  Version Scheme . . . . . . . . . . . . . . . . . . . . .  29
     3.2.  Entity Role Values . . . . . . . . . . . . . . . . . . .  29
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  30
     4.1.  SWID/CoSWID Version Schema Values Registry . . . . . . .  30
     4.2.  SWID/CoSWID Entity Role Values Registry  . . . . . . . .  31
     4.3.  Media Type Registration  . . . . . . . . . . . . . . . .  32  (new in -07)
       4.3.1.  swid+cbor Media Type Registration  . . . . . . . . .  32  (new in -07)
     4.4.  CoAP Content-Format Registration . . . . . . . . . . . .  33  (new in -07)
     4.5.  CBOR Tag Registration  . . . . . . . . . . . . . . . . .  34  (new in -07)
   5.  Security Considerations  . . . . . . . . . . . . . . . . . .  34  (-06: 32)
   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .  36  (-06: 34)
   7.  Change Log . . . . . . . . . . . . . . . . . . . . . . . . .  36  (-06: 34)
   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . .  38  (-06: 36)
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . .  38  (-06: 36)
     9.1.  Normative References . . . . . . . . . . . . . . . . . .  39  (-06: 36)
     9.2.  Informative References . . . . . . . . . . . . . . . . .  40  (-06: 37)
   Appendix A.  CoSWID Attributes for Firmware (label 60)  . . . . .  41  (-06: 38)
   Appendix B.  Signed Concise SWID Tags using COSE  . . . . . . . .  44
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  45

   Listed in -06 only (removed in -07):
   Appendix C.  CoSWID used as Reference Integrity Measurements
                (CoSWID RIM)  . . . . . . . . . . . . . . . . . . .  45
   Appendix D.  CBOR Web Token for Concise SWID Tags  . . . . . . .  45
1.  Introduction

   SWID tags have several use-applications including but not limited to:

   o  Software Inventory Management, a part of the Software Asset
      Management [SAM] process, which requires an accurate list of
      discernible deployed software components.

   [skipping to change at page 24, line 26]
     ? patch,
     ? supplemental,
     swid-name,
     ? software-version,
     ? version-scheme,
     ? media,
     ? software-meta-entry,
     entity-entry,
     ? link-entry,
     ? ( payload-entry // evidence-entry ),
     * $$coswid-extension             ; -06: ? any-element-entry,
   }

   any-uri = text

   label = text / int

   any-attribute = (
     label => text / int / [ 2* text ] / [ 2* int ]
   )

   ; -06 only (removed in -07):
   ; any-element-map = {
   ;   global-attributes,
   ;   * label => any-element-map / [ 2* any-element-map ],
   ; }

   global-attributes = (
     ? lang,
     * any-attribute,
   )

   resource-collection = (
     ? directory-entry,
     ? file-entry,
     ? process-entry,
     ? resource-entry

   [skipping to change at page 25, line 41 (-06) / line 37 (-07)]
     global-attributes,
     type,
   }

   entity = {
     global-attributes,
     entity-name,
     ? reg-id,
     role,
     ? thumbprint,
     * $$entity-extension,            ; -06: extended-data,
   }

   evidence = {
     global-attributes,
     resource-collection,
     ? date,
     ? device-id,
     * $$evidence-extension
   }

   link = {
     global-attributes,
     ? artifact,
     href,
     ? media,                         ; comma missing in both drafts; added here
     ? ownership,
     rel,
     ? media-type,
     ? use,
   }

   [skipping to change at page 26, line 47 (-06) / line 42 (-07)]
     * $$payload-extension
   }

   tag-id = (0: text)
   swid-name = (1: text)
   entity-entry = (2: entity / [ 2* entity ])
   evidence-entry = (3: evidence)
   link-entry = (4: link / [ 2* link ])
   software-meta-entry = (5: software-meta / [ 2* software-meta ])
   payload-entry = (6: payload)
   ; -06 only (removed in -07):
   ; any-element-entry = (7: any-element-map / [ 2* any-element-map ])
   corpus = (8: bool)
   patch = (9: bool)
   media = (10: [ + [ media-expression,
                      ? [ media-operation,
                          media-expression,
                        ]
                    ]
                ])
   media-operation = text
   media-expression = media-environment / [ media-prefix,
   ; [skipping to change at page 27, line 21 (-06) / line 15 (-07)]
                                            media-attribute,
                                            media-value,
                                          ]
   media-prefix = text
   media-environment = text
   media-attribute = text
   media-value = text
   supplemental = (11: bool)
   tag-version = (12: integer)
   software-version = (13: text)
   version-scheme = (14: version-schemes / extended-value)   ; -06: (14: text / int)
   ; the following version-schemes definitions are new in -07:
   version-schemes = multipartnumeric / multipartnumeric-suffix / alphanumeric / decimal / semver
   multipartnumeric = 1
   multipartnumeric-suffix = 2
   alphanumeric = 3
   decimal = 4
   semver = 16384
   lang = (15: text)
   directory-entry = (16: directory / [ 2* directory ])
   file-entry = (17: file / [ 2* file ])
   process-entry = (18: process / [ 2* process ])
   resource-entry = (19: resource / [ 2* resource ])
   size = (20: integer)
   file-version = (21: text)
   key = (22: bool)
   location = (23: text)
   fs-name = (24: text)
   root = (25: text)
   path-elements = (26: { * file-entry,
                          * directory-entry,
                        }
                   )
   process-name = (27: text)
   pid = (28: integer)
   type = (29: text)
   ; -06 only (removed in -07):
   ; extended-data = (30: any-element-map / [ 2* any-element-map ])
   entity-name = (31: text)
   reg-id = (32: any-uri)
   role = (33: roles / extended-value / [ 2* roles / extended-value ] )
   ; -06: role = (33: roles / [ 2* roles ] / text / [ 2* text ])
   extended-value = text / uint                              ; new in -07
   roles = aggregator / distributor / licensor / software-creator / tag-creator
   aggregator = 0
   distributor = 1
   licensor = 2
   software-creator = 3
   tag-creator = 4
   thumbprint = (34: [ hash-alg-id: int,
                       hash-value: bstr,
                     ]
                )
   date = (35: time)
   device-id = (36: text)
   artifact = (37: text)
   href = (38: any-uri)
   ownership = (39: shared / private / abandon / extended-value )  ; -06: without extended-value
   shared = 0
   private = 1
   abandon = 2
   rel = (40: rels / extended-value )                              ; -06: (40: rels / [ 2* rels ])
   rels = ancestor / component / feature / installationmedia / packageinstaller / parent / patches / requires / see-also / supersedes / rel-supplemental
   ancestor = 0
   component = 1
   feature = 2
   installationmedia = 3
   packageinstaller = 4
   parent = 5
   patches = 6
   requires = 7
   see-also = 8
   supersedes = 9
   rel-supplemental = 10
   media-type = (41: text)
   use = (42: optional / required / recommended / extended-value )  ; -06: without extended-value
   optional = 0
   required = 1
   recommended = 2
   activation-status = (43: text)
   channel-type = (44: text)
   colloquial-version = (45: text)
   description = (46: text)
   edition = (47: text)
   entitlement-data-required = (48: bool)
   entitlement-key = (49: text)
   [skipping to change at page 32, line 40]

       |         |                          |                 |
       | 5       | licensor                 | See Section 3.2 |
       |         |                          |                 |
       | 6-49    | Unassigned               |                 |
       |         |                          |                 |
       | 50-225  | Unassigned               |                 |
       |         |                          |                 |
       | 225-255 | Reserved for Private Use |                 |
       +---------+--------------------------+-----------------+
4.3. Media Type Registration
4.3.1. swid+cbor Media Type Registration
Type name: application
Subtype name: swid+cbor
Required parameters: none
Optional parameters: none
   Encoding considerations: Must be encoded using CBOR [RFC7049]. See
   RFC-AAAA for details.
Security considerations: See Section 5 of RFC-AAAA.
Interoperability considerations: Applications MAY ignore any key
value pairs that they do not understand. This allows backwards
compatible extensions to this specification.
Published specification: RFC-AAAA
Applications that use this media type: The type is used by Software
asset management systems, Vulnerability assessment systems, and in
applications that use remote integrity verification.
Fragment identifier considerations: Fragment identification for
application/swid+cbor is supported by using fragment identifiers as
specified by RFC-AAAA. [Section to be defined]
Additional information:
Magic number(s): first five bytes in hex: da 53 57 49 44
File extension(s): coswid
Macintosh file type code(s): none
Macintosh Universal Type Identifier code: org.ietf.coswid conforms to
public.data
Person & email address to contact for further information: Henk
Birkholz <henk.birkholz@sit.fraunhofer.de>
Intended usage: COMMON
Restrictions on usage: None
Author: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Change controller: IESG
4.4. CoAP Content-Format Registration
IANA is requested to assign a CoAP Content-Format ID for the CoSWID
media type in the "CoAP Content-Formats" sub-registry, from the "IETF
Review or IESG Approval" space (256..999), within the "CoRE
Parameters" registry [RFC7252]:
+-----------------------+----------+-------+-----------+
| Media type | Encoding | ID | Reference |
+-----------------------+----------+-------+-----------+
| application/swid+cbor | - | TBDcf | RFC-AAAA |
+-----------------------+----------+-------+-----------+
Table 1: CoAP Content-Format IDs
4.5. CBOR Tag Registration
IANA is requested to allocate a tag in the CBOR Tags Registry,
preferably with the specific value requested:
+------------+----------+-------------------------------------------+
| Tag | Data | Semantics |
| | Item | |
+------------+----------+-------------------------------------------+
| 1398229316 | map | Concise Software Identifier (CoSWID) |
| | | [RFC-AAAA] |
+------------+----------+-------------------------------------------+
5.  Security Considerations

   SWID and CoSWID tags contain public information about software
   components and, as such, do not need to be protected against
   disclosure on an endpoint. Similarly, SWID tags are intended to be
   easily discoverable by applications and users on an endpoint in order
   to make it easy to identify and collect all of an endpoint's SWID
   tags. As such, any security considerations regarding SWID tags focus
   on the application of SWID tags to address security challenges, and
   the possible disclosure of the results of those applications.

   [skipping to change at page 34, line 22 (-06) / page 36, line 9 (-07)]

   this, SWID tags can be created by any party and the SWID tags
   collected from an endpoint could contain a mixture of vendor and non-
   vendor created tags. For this reason, tools that consume SWID tags
   ought to treat the tag contents as potentially malicious and should
   employ input sanitizing on the tags they ingest.
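   As an added example (not code from the draft or from any CoSWID
   implementation), the Python below builds a minimal CoSWID from the
   Section 2.8 labels shown above, wraps it in CBOR tag 1398229316 so that
   the document starts with the magic number da 53 57 49 44 from
   Section 4.3.1, and then consumes it the way this section asks: the bytes
   are treated as untrusted, required labels and their types are enforced,
   and unknown labels are reported rather than rejected, as the media type's
   interoperability considerations permit. The sample tag values and the
   size and depth limits are constructed for this example, and the small
   CBOR codec stands in for a library such as cbor2 so the block runs
   stand-alone.

```python
# Integer map labels from the draft-07 CDDL (Section 2.8); only labels shown on the page are used.
TAG_ID, SWID_NAME, ENTITY_ENTRY, SOFTWARE_VERSION, VERSION_SCHEME = 0, 1, 2, 13, 14
ENTITY_NAME, ROLE, MULTIPARTNUMERIC = 31, 33, 1
KNOWN_LABELS = {TAG_ID, SWID_NAME, ENTITY_ENTRY, SOFTWARE_VERSION, VERSION_SCHEME}
ROLES = {0: "aggregator", 1: "distributor", 2: "licensor", 3: "software-creator", 4: "tag-creator"}
COSWID_CBOR_TAG = 1398229316                # 0x53574944, "SWID" in ASCII (Section 4.5)
COSWID_MAGIC = bytes.fromhex("da53574944")  # that tag as a CBOR head: the media type's magic number
MAX_DEPTH, MAX_LEN = 16, 64 * 1024          # bounds for untrusted input (chosen here, not by the draft)

def _head(major, n):
    """CBOR initial byte(s) for major type `major` with unsigned argument `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))    # StopIteration if n >= 2**64
    return bytes([(major << 5) | (24 + size.bit_length() - 1)]) + n.to_bytes(size, "big")

def cbor_encode(v):
    """Encode the CBOR subset CoSWID needs: bool, int, bstr, tstr, array, map."""
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, (bytes, str)):
        data = v if isinstance(v, bytes) else v.encode("utf-8")
        return _head(2 if isinstance(v, bytes) else 3, len(data)) + data
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"cannot encode {type(v).__name__}")

def cbor_decode(buf, pos=0, depth=0):
    """Strict decoder for untrusted input: bounded nesting, definite lengths, unique text / int map labels."""
    if depth > MAX_DEPTH or pos >= len(buf):
        raise ValueError("nesting too deep" if depth > MAX_DEPTH else "truncated")
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    size = 0 if info < 24 else 1 << (info - 24)
    if info > 27 or pos + size > len(buf):
        raise ValueError("indefinite-length item or truncated argument")
    n, pos = (info if info < 24 else int.from_bytes(buf[pos:pos + size], "big")), pos + size
    if major in (0, 1):
        return (n if major == 0 else -1 - n), pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        data = bytes(buf[pos:pos + n])
        return (data if major == 2 else data.decode("utf-8")), pos + n
    if major in (4, 5):                         # array, or map decoded as 2n items then paired
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, pos = cbor_decode(buf, pos, depth + 1)
            items.append(item)
        if major == 4:
            return items, pos
        keys = items[0::2]
        if any(isinstance(k, bool) or not isinstance(k, (int, str)) for k in keys) or len(set(keys)) != len(keys):
            raise ValueError("map labels must be unique text / int")
        return dict(zip(keys, items[1::2])), pos
    if major == 6:                              # tag: returned as (tag number, tagged item)
        inner, pos = cbor_decode(buf, pos, depth + 1)
        return (n, inner), pos
    if major == 7 and info in (20, 21):         # false / true
        return info == 21, pos
    raise ValueError(f"unsupported CBOR item (major {major}, info {info})")

def encode_coswid(tag_id, name, software_version, entities):
    """Minimal CoSWID (tag-id, swid-name, software-version, version-scheme, entity-entry) in tag 1398229316."""
    ents = [{ENTITY_NAME: e["name"], ROLE: e["role"]} for e in entities]
    body = {TAG_ID: tag_id, SWID_NAME: name, SOFTWARE_VERSION: software_version, VERSION_SCHEME: MULTIPARTNUMERIC,
            ENTITY_ENTRY: ents[0] if len(ents) == 1 else ents}     # entity-entry = (2: entity / [ 2* entity ])
    return _head(6, COSWID_CBOR_TAG) + cbor_encode(body)

def parse_coswid(buf):
    """Parse an untrusted CoSWID: check the magic number, enforce required labels and their
    types, and report unknown labels instead of rejecting them (Section 4.3.1)."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    if len(buf) > MAX_LEN or not buf.startswith(COSWID_MAGIC):
        raise ValueError("not a CoSWID document of acceptable size")
    (_, tag), end = cbor_decode(buf)
    if end != len(buf) or not isinstance(tag, dict):
        raise ValueError("trailing bytes, or tagged item is not a map")
    if ENTITY_ENTRY not in tag or not all(isinstance(tag.get(k), str) for k in (TAG_ID, SWID_NAME)):
        raise ValueError("tag-id (text), swid-name (text) and entity-entry are required")
    if not isinstance(tag.get(SOFTWARE_VERSION, ""), str):
        raise ValueError("software-version must be text")
    entities = []
    for e in as_list(tag[ENTITY_ENTRY]):
        if not isinstance(e, dict) or not isinstance(e.get(ENTITY_NAME), str) or ROLE not in e:
            raise ValueError("entity needs entity-name (text) and role")
        roles = as_list(e[ROLE])                # roles 0..4, otherwise extended-value = text / uint
        if any(isinstance(r, bool) or not isinstance(r, (int, str)) or (isinstance(r, int) and r < 0) for r in roles):
            raise ValueError("role must be a roles value or an extended-value")
        entities.append({"name": e[ENTITY_NAME], "roles": [ROLES.get(r, f"extended:{r}") for r in roles]})
    return {"tag_id": tag[TAG_ID], "name": tag[SWID_NAME], "software_version": tag.get(SOFTWARE_VERSION),
            "entities": entities, "unknown_labels": sorted(str(k) for k in tag if k not in KNOWN_LABELS)}

# Constructed sample values, not taken from the draft.
SAMPLE = encode_coswid("example-coswid-tag-0001", "Example Agent", "1.2.3",
                       [{"name": "Example Corp", "role": [3, 4]}])
```

   Truncated input, trailing bytes, indefinite-length items, non-label
   map keys and a missing entity-entry are all rejected with ValueError,
   while a label the parser does not know is only listed under
   "unknown_labels".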
6.  Acknowledgments

7.  Change Log

   Changes from version 06 to version 07:

   o  Added version-scheme definitions

   o  Added stubs for additional extension points

   o  Added value registry request

   o  Added media type registration request

   o  Added content format registration request

   o  Added CBOR tag registration request

   o  Fixed any-element-map

   o  Removed RIM appendix to be addressed in complementary draft

   o  Removed CWT appendix

   o  Flagged firmware resource collection appendix for revision

   Changes from version 05 to version 06:

   o  Improved quantities

   o  Included proposals for implicit enumerations that were NMTOKENS

   o  Added extension points

   o  Improved exemplary firmware-resource extension

   [skipping to change at page 37, line 18 (-06) / page 39, line 29 (-07)]
              <https://www.rfc-editor.org/info/rfc4108>.

   [RFC5646]  Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
              Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
              September 2009, <https://www.rfc-editor.org/info/rfc5646>.

   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
              October 2013, <https://www.rfc-editor.org/info/rfc7049>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014,
              <https://www.rfc-editor.org/info/rfc7252>.  (added in -07)

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
              RFC 8152, DOI 10.17487/RFC8152, July 2017,
              <https://www.rfc-editor.org/info/rfc8152>.

   [SAM]      "Information technology - Software asset management - Part

   [skipping to change at page 38, line 8 (-06) / page 40, line 28 (-07)]

9.2.  Informative References

   [I-D.birkholz-tuda]
              Fuchs, A., Birkholz, H., McDonald, I., and C. Bormann,
              "Time-Based Uni-Directional Attestation", draft-birkholz-
              tuda-04 (work in progress), March 2017.

   [I-D.ietf-cbor-cddl]
              Birkholz, H., Vigano, C., and C. Bormann, "Concise data
              definition language (CDDL): a notational convention to
              express CBOR and JSON data structures", draft-ietf-cbor-
              cddl-05 (work in progress), August 2018.
              (-06 cited draft-ietf-cbor-cddl-02, February 2018, with the
              title "... to express CBOR data structures".)

   [I-D.ietf-sacm-rolie-softwaredescriptor]
              Banghart, S. and D. Waltermire, "Definition of the ROLIE
              Software Descriptor Extension", draft-ietf-sacm-rolie-
              softwaredescriptor-03 (work in progress), July 2018.
              (-06 cited draft-ietf-sacm-rolie-softwaredescriptor-02,
              March 2018, with the authors listed as Waltermire, D. and
              S. Banghart.)

   [I-D.ietf-sacm-terminology]
              Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and
              A. Montville, "Security Automation and Continuous
              Monitoring (SACM) Terminology", draft-ietf-sacm-
              terminology-15 (work in progress), June 2018.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,

   [skipping to change at page 38, line 38 (-06) / page 41, line 12 (-07)]

              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228,
              DOI 10.17487/RFC7228, May 2014,
              <https://www.rfc-editor.org/info/rfc7228>.
Appendix A.  CoSWID Attributes for Firmware (label 60)

   NOTE (added in -07): this appendix is subject to revision based on
   potential convergence of:

   o  draft-moran-suit-manifest, and

   o  draft-birkholz-suit-coswid-manifest

   The ISO-19770-2:2015 specification of SWID tags assumes the existence
   of a file system a software component is installed and stored in. In
   the case of constrained-node networks [RFC7228] or network equipment
   this assumption might not apply. Concise software instances in the
   form of (modular) firmware are often stored directly on a block
   device that is a hardware component of the constrained-node or
   network equipment. Multiple differentiable block devices or
   segmented block devices that contain parts of modular firmware
   components (potentially each with their own instance version) are
   already common at the time of this writing.

   [skipping to change at page 39, line 26 (-06) / page 42, line 8 (-07)]

   To address the specific characteristics of firmware, the extension
   points "$$payload-extension" and "$$evidence-extension" are used to
   allow for an additional type of resource description--firmware-
   entry--thereby increasing the self-descriptiveness and flexibility of
   CoSWID. The optional use of the extension points "$$payload-
   extension" and "$$evidence-extension" in respect to firmware MUST
   adhere to the following CDDL data definition.
   <CODE BEGINS>

   ; ---- -07 definition (SUIT manifest based) ----

   $$payload-extension //= (suit.manifest-entry,)
   $$evidence-extension //= (suit.manifest-entry,)

   suit-manifest = {
     suit.manifest-version,
     suit.digest-info,
     suit.text-reference,
     suit.nonce,
     suit.sequence-number,
     ? suit.pre-condition,
     ? suit.post-condition,
     ? suit.directives,
     ? suit.resources,
     ? suit.processors,
     ? suit.targets,
     ? suit.extensions,
   }

   suit.manifest-entry = (59: suit-manifest / [ 2* suit-manifest ] )
   suit.manifest-version = (60: 1)
   suit.digest-info = (61: [ suit.digest-algorithm,
                             ? suit.digest-parameters,
                           ]
                      )
   suit.digest-algorithm = uint
   suit.digest-parameters = bytes
   suit.text-reference = (62: bytes)
   suit.nonce = (63: bytes)
   suit.sequence-number = (64: uint)
   suit.pre-condition = (suit.id-condition // suit.time-condition // suit.image-condition // suit.custom-condition)
   suit.post-condition = (suit.image-condition // suit.custom-condition)
   suit.id-condition = (65: [ + [ suit.vendor / suit.class / suit.device,
                                  suit.uuid,
                                ]
                            ]
                       )
   suit.vendor = 0
   suit.class = 1
   suit.device = 2
   suit.uuid = bstr .size 16
   suit.time-condition = (66: [ + [ suit.install-after / suit.best-before,
                                    suit.timestamp,
                                  ]
                              ]
                         )
   suit.install-after = 0
   suit.best-before = 1
   suit.timestamp = uint .size 8
   suit.image-condition = (67: [ + [ suit.current-content / suit.not-current-content,
                                     suit.storage-identifier,
                                     ? suit.digest,
                                   ]
                               ]
                          )
   suit.current-content = 0
   suit.not-current-content = 1
   suit.digest = bytes
   suit.storage-identifier = bytes
   suit.custom-condition = (68: [ nint,
                                  suit.condition-parameters,
                                ]
                           )
   suit.condition-parameters = bytes
   suit.directives = (69: { + int => bytes } )
   suit.resources = (70: [ + [ suit.resource-type,
                               suit.uri-list,
                               suit.digest,
                               suit.onode,
                               ? suit.size,
                             ]
                         ]
                    )
   suit.resource-type = suit.payload / suit.dependency / suit.key / suit.alias
   suit.payload = 0
   suit.dependency = 1
   suit.key = 2
   suit.alias = 3
   suit.uri-list = { + int => text }
   suit.size = uint
   suit.onode = bytes
   suit.processors = (71: [ + [ suit.decrypt / suit.decompress / suit.undiff / suit.relocate / suit.unrelocate,
                                suit.parameters,
   ; (the -07 excerpt ends here)

   ; ---- -06 definition (firmware-manifest based; replaced in -07) ----

   $$payload-extension //= (firmware-entry,)
   $$evidence-extension //= (firmware-entry,)

   firmware-manifest = {
     firmware-manifest-id,
     firmware-manifest-creation-timestamp,
     firmware-manifest-version,
     firmware-manifest-description,
     firmware-manifest-nonce,
     ? firmware-manifest-aliases,
     ? firmware-manifest-dependencies,
     firmware-target-device-identifier,
     firmware-payload-entry,
     ? simple-firmware-manifest-extensions,
     $$firmware-manifest-extensions,
   }

   firmware-payload = {
     firmware-payload-id,
     ? firmware-package-identifier,
     firmware-payload-description,
     firmware-payload-format,
     firmware-payload-size,
     ? firmware-payload-simple-version,
     ? firmware-payload-version,
     firmware-payload-digests,
     ? firmware-target-component-index,
     firmware-target-storage-identifier,
     firmware-payload-conditions,
     ? firmware-payload-directives,
     ? firmware-target-dependency,
     ? firmware-target-minimal-version,
     ? firmware-payload-relationships,
     firmware-payload-package,
     ? simple-firmware-payload-extensions,
     $$firmware-payload-extensions,
   }

   firmware-entry = (59: firmware-manifest / [ 2* firmware-manifest ])
   firmware-payload-entry = (60: firmware-payload / [ 2* firmware-payload ])
   firmware-payload-id = (61: bytes / text / uint)
   firmware-package-identifier = (62: text)
   firmware-manifest-id = (63: bytes / text / int)
   firmware-manifest-creation-timestamp = (64: time)
   firmware-manifest-version = (65: uint)
   firmware-manifest-description = (66: text)
   firmware-manifest-nonce = (67: bytes)
   firmware-manifest-dependencies = (68: resource-reference)
   firmware-manifest-aliases = (69: resource-reference)
   resource-reference = [ + [ resource-reference-uri: uri,
                              resource-reference-digest: bytes,
                            ],
                        ]
   firmware-payload-description = (70: text)
   firmware-payload-format = (71: { firmware-payload-format-type,
                                    ? firmware-payload-format-guidance,
                                  }
                             )
   firmware-payload-format-type = (72: int)
   firmware-payload-format-guidance = (73: bytes)
   firmware-payload-size = (74: uint)
   firmware-payload-package = (75: { ? firmware-package-compression-type,
                                     ? firmware-package-compression-guidance,
                                     firmware-package,
                                   }
                              )
   firmware-package-compression-type = (76: text / int)
   firmware-package-compression-guidance = (77: bytes)
   firmware-package = (78: bytes)
   firmware-target-component-index = (79: text)
   firmware-target-storage-identifier = (80: bytes / text / int)
   firmware-target-dependency = (81: [ ? { firmware-target-major-version,
                                           version-comparison,
                                           required-version,
                                         },
                                       ? { firmware-target-minor-version,
                                           version-comparison,
                                           required-version,
                                         },
                                       ? { firmware-target-revision-version,
                                           version-comparison,
                                           required-version,
                                         },
                                       ? { firmware-target-build-version,
                                           version-comparison,
                                           required-version,
                                         },
                                     ]
                                )
   firmware-payload-relationships = (82: [ + { firmware-payload-relationship-type,
                                               firmware-payload-ids,
                                             },
                                         ]
                                    )
   firmware-payload-ids = (83: [ + ( bytes / text / int )])
   firmware-payload-relationship-type = (84: $firmware-payload-relationship-types)
   $firmware-payload-relationship-types /= patches-firmware
   $firmware-payload-relationship-types /= requires-firmware
   $firmware-payload-relationship-types /= supersedes-firmware
   patches-firmware = 1
   requires-firmware = 2
   supersedes-firmware = 3
   firmware-target-device-identifier = (85: { firmware-target-vendor-identifier,
                                              ? firmware-target-type-identifier,
                                              firmware-target-model-identifier,
                                              ? firmware-target-class-identifier,
                                              ? firmware-target-rfc4122-identifier,
                                              ? firmware-target-8021AR-identifier,
                                              $$firmware-target-identifier-extensions,
                                            }
                                       )
   firmware-target-vendor-identifier = (86: text)
   firmware-target-type-identifier = (87: text)
   firmware-target-model-identifier = (88: text)
   firmware-target-class-identifier = (89: text)
   firmware-target-rfc4122-identifier = (90: text)
   firmware-target-8021AR-identifier = (91: bytes)
   firmware-target-minimal-version = (92: { firmware-target-major-version,
                                            firmware-target-minor-version,
                                            ? firmware-target-revision-version,
                                            ? firmware-target-build-version,
                                            ? firmware-target-storage-identifier,
                                          },
                                     )
   firmware-target-major-version = (93: uint)
   firmware-target-minor-version = (94: uint)
   firmware-target-revision-version = (95: uint)
   firmware-target-build-version = (96: uint)
   firmware-payload-digests = (97: [ + { firmware-digest-type,
                                         ? firmware-digest-config-guidance,
                                         firmware-digest,
                                       },
                                   ]
                              )
   firmware-digest-type = (98: $firmware-digest-types)
   $firmware-digest-types /= raw-payload-digest
   $firmware-digest-types /= installed-payload-digest
   $firmware-digest-types /= ciphertext-digest
   $firmware-digest-types /= pre-image-digest
   raw-payload-digest = 1
   installed-payload-digest = 2
   ciphertext-digest = 3
   pre-image-digest = 4
   firmware-digest-config-guidance = (99: bytes)
   firmware-digest = (100: bytes)
   firmware-payload-conditions = (101: [ + { firmware-payload-condition-type,
                                             firmware-payload-condition-parameters,
                                           },
                                       ]
                                  )
   firmware-payload-condition-parameters = (102: bytes)
   firmware-payload-condition-type = (103: $firmware-payload-condition-types)
   $firmware-payload-condition-types /= vendor-id-condition
   $firmware-payload-condition-types /= class-id-condition
   $firmware-payload-condition-types /= device-id-condition
   $firmware-payload-condition-types /= best-before-condition
   vendor-id-condition = 1
   class-id-condition = 2
   device-id-condition = 3
   best-before-condition = 4
   firmware-payload-directives = (104: [ + { firmware-payload-directive-type,
                                             firmware-payload-directive-parameters,
                                           },
   ; (the -06 excerpt ends here)
] suit.inode,
) suit.onode,
firmware-payload-directive-parameters = (105: bytes) ]
firmware-payload-directive-type = (106: $firmware-payload-directive-types) ]
$firmware-payload-directive-types /= apply-immediately-directive )
$firmware-payload-directive-types /= apply-after-directive suit.decrypt = 0
apply-immediately-directive = 1 suit.decompress = 1
apply-after-directive = 2 suit.undiff = 2
firmware-payload-simple-version = (107: uint) suit.relocate = 3
firmware-payload-version = (108: { firmware-payload-major-version, suit.unrelocate = 4
firmware-payload-minor-version, suit.parameters = bytes
? firmware-payload-revision-version, suit.inode = bytes
? firmware-payload-build-version, suit.targets = (72: [ + [ suit.component-id,
} suit.storage-identifier,
) suit.inode,
firmware-payload-major-version = (109: uint) ? suit.encoding,
firmware-payload-minor-version = (110: uint) ]
firmware-payload-revision-version = (111: uint) ]
firmware-payload-build-version = (112: uint) )
version-comparison = (113: eq / ne / lt / le / gt / ge) suit.component-id = [ + bytes ]
required-version = (114: uint) suit.encoding = bytes
simple-firmware-manifest-extensions = (115: { + int => bytes }) suit.extensions = (73: { + int => bytes } )
simple-firmware-payload-extensions = (116: { + int => bytes })
eq = 0
ne = 1
lt = 2
le = 3
gt = 4
ge = 5
<CODE ENDS> <CODE ENDS>
The members of the firmware group, which constitutes the content of the
firmware-entry, are based on the metadata about firmware described in
[RFC4108]. As with every semantic differentiation that is supported
by the resource-collection type, the use of firmware-entry is
optional. It is REQUIRED not to instantiate more than one firmware-
entry, as the firmware group is used in a map and therefore only
allows for unique labels.
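The -06 CDDL above expresses a firmware-target-dependency as a list of per-component entries, each pairing a version-comparison (eq=0 through ge=5) with a required-version, to be evaluated against the target's firmware-target-minimal-version. The following is an added example, not code from the draft, that performs that evaluation. The entry layout it uses, a (component, comparison code, required version) tuple, is an assumed simplification of the CDDL maps rather than the draft's CBOR key layout; the operator codes and component names are the ones defined above. Malformed entries (an unknown component or comparison code) are rejected rather than skipped, so a damaged or crafted manifest cannot pass by omission.

```python
"""Evaluating a firmware-target-dependency against a target's version.

Added example, not code from the CoSWID draft. Uses the version-comparison
codes defined in the CDDL (eq=0, ne=1, lt=2, le=3, gt=4, ge=5) and the four
components of firmware-target-minimal-version (major, minor, revision,
build). The (component, code, required) tuple layout is an assumption made
for this example, not the draft's CBOR key layout.
"""
import operator
from typing import Callable, Dict, List, Tuple

# version-comparison codes, as assigned in the CDDL above
EQ, NE, LT, LE, GT, GE = range(6)

_OPS: Dict[int, Callable[[int, int], bool]] = {
    EQ: operator.eq, NE: operator.ne, LT: operator.lt,
    LE: operator.le, GT: operator.gt, GE: operator.ge,
}

# version components in the order firmware-target-minimal-version lists them
COMPONENTS = ("major", "minor", "revision", "build")

TargetVersion = Dict[str, int]
DependencyEntry = Tuple[str, int, int]  # (component, version-comparison, required-version)


def target_version(major: int, minor: int, revision: int = 0, build: int = 0) -> TargetVersion:
    """Build a firmware-target-minimal-version; revision and build are optional in the CDDL."""
    return {"major": major, "minor": minor, "revision": revision, "build": build}


def entry_is_well_formed(entry: DependencyEntry) -> bool:
    """True if the entry names a known component and a known comparison code."""
    component, code, _ = entry
    return component in COMPONENTS and code in _OPS


def check_entry(target: TargetVersion, entry: DependencyEntry) -> bool:
    """Evaluate one dependency entry; unknown components or codes are rejected, never ignored."""
    if not entry_is_well_formed(entry):
        raise ValueError(f"malformed dependency entry {entry!r}")
    component, code, required = entry
    return _OPS[code](target[component], required)


def unsatisfied(target: TargetVersion, dependency: List[DependencyEntry]) -> List[DependencyEntry]:
    """Return the entries the target version fails; an empty list means the dependency holds."""
    return [e for e in dependency if not check_entry(target, e)]


def dependency_satisfied(target: TargetVersion, dependency: List[DependencyEntry]) -> bool:
    """A dependency holds only when every listed entry holds."""
    return not unsatisfied(target, dependency)


if __name__ == "__main__":
    # Constructed dependency: the payload requires major == 2 and minor >= 3.
    needs = [("major", EQ, 2), ("minor", GE, 3)]
    for tv in (target_version(2, 3, 1), target_version(2, 2), target_version(3, 0)):
        verdict = "ok" if dependency_satisfied(tv, needs) else f"fails {unsatisfied(tv, needs)}"
        print(tv, "->", verdict)
```

Because the dependency list is optional per component, an entry that is absent simply imposes no constraint on that component; only entries that are present are evaluated, and all present entries must hold.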
  * label => values,
}

COSE-Sign1-coswid = [
  protected: bstr .cbor protected-signed-coswid-header,
  unprotected: unprotected-signed-coswid-header,
  payload: bstr .cbor concise-software-identity,
  signature: bstr,
]
<CODE ENDS>
Appendix C. CoSWID used as Reference Integrity Measurements (CoSWID RIM)
A vendor-supplied signed CoSWID tag that includes hash values for the
files that compose a software component can be used as a RIM
(reference integrity measurement). A RIM is a type of declarative
guidance that can be used to assert the compliance of an endpoint by
assessing the installed software. In the context of remote
attestation based on hardware-rooted trust, a verifier can appraise
the integrity of the conveyed measurements of software components
using a CoSWID RIM provided by a source, such as
[I-D.ietf-sacm-rolie-softwaredescriptor].
RIM Manifests (RIMM): A group of SWID tags about the same
(sub-)system, system entity, or (sub-)component (compare
[RFC4949]). A RIMM is a distinct document that is typically
conveyed en bloc and constitutes declarative guidance with respect
to a specific (target) endpoint (compare
[I-D.ietf-sacm-terminology]).
If multiple CoSWID tags compose a RIMM, the following CDDL data
definition SHOULD be used.
RIMM = [ + concise-software-identity / signed-coswid ]
Appendix D. CBOR Web Token for Concise SWID Tags
A typical requirement regarding specific instantiations of endpoints,
and, as a result, specific instantiations of software components, is
a representation of the absolute path of a CoSWID tag document in a
file system, in order to derive the absolute paths of the files
represented in the corresponding CoSWID tag. The absolute path of an
evidence CoSWID tag can be included as a claim in the header of a
CBOR Web Token [I-D.ietf-ace-cbor-web-token]. Depending on the source
of the token, the claim can be in the protected or the unprotected
header portion.
<CODE BEGINS>
CDDL TBD
<CODE ENDS>
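Appendix C describes a verifier appraising measured software against a vendor-signed CoSWID RIM (or a RIMM made of several), and Appendix D explains why the absolute path of the evidence tag is needed to resolve the file paths the tag carries. The following is an added example, not code from the draft, that models both steps: a RIM is represented as (tag-relative path, SHA-256 digest) pairs, a RIMM as a list of such RIMs, the tag's absolute location is used to resolve the relative paths, and the result is compared with digests measured on the endpoint. The file contents, paths and tag location are constructed for the example, and verification of the tag's COSE_Sign1 signature is assumed to have succeeded before appraisal starts.

```python
"""Appraising measured files against a CoSWID RIM / RIMM.

Added example, not code from the CoSWID draft. A RIM is modelled as
tag-relative path -> SHA-256 digest pairs; a RIMM as a list of RIMs.
Signature verification of the tag is assumed to have been done already.
All file contents, paths and the tag location below are constructed.
"""
import hashlib
import posixpath
from enum import Enum
from typing import Dict, Iterable, Mapping


class Verdict(Enum):
    MATCH = "match"            # measured digest equals the reference digest
    MISMATCH = "mismatch"      # file present, content differs from the reference
    MISSING = "missing"        # RIM lists the file, endpoint reported no measurement
    UNEXPECTED = "unexpected"  # endpoint measured a file the RIM does not list


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_rim(files: Mapping[str, bytes]) -> Dict[str, bytes]:
    """What the vendor records: tag-relative path -> digest of the shipped content."""
    return {path: sha256(content) for path, content in files.items()}


def merge_rimm(rims: Iterable[Mapping[str, bytes]]) -> Dict[str, bytes]:
    """Combine the RIMs of a RIMM; two RIMs disagreeing on one path is a guidance error."""
    merged: Dict[str, bytes] = {}
    for rim in rims:
        for path, digest in rim.items():
            if path in merged and merged[path] != digest:
                raise ValueError(f"conflicting reference digests for {path!r}")
            merged[path] = digest
    return merged


def absolute_paths(rim: Mapping[str, bytes], tag_path: str) -> Dict[str, bytes]:
    """Appendix D: resolve tag-relative paths against the directory holding the evidence tag.

    A relative path that resolves outside that directory is rejected, so a
    malformed tag cannot point the reference at an unrelated file.
    """
    base = posixpath.dirname(tag_path)
    prefix = base.rstrip("/") + "/"
    resolved: Dict[str, bytes] = {}
    for rel, digest in rim.items():
        full = posixpath.normpath(posixpath.join(base, rel))
        if not full.startswith(prefix):
            raise ValueError(f"path {rel!r} escapes the tag directory {base!r}")
        resolved[full] = digest
    return resolved


def paths_contained(rim: Mapping[str, bytes], tag_path: str) -> bool:
    """True if every path of the RIM resolves inside the tag's directory."""
    try:
        absolute_paths(rim, tag_path)
        return True
    except ValueError:
        return False


def appraise(reference: Mapping[str, bytes], evidence: Mapping[str, bytes]) -> Dict[str, Verdict]:
    """Compare every reference digest with the measured one; report extra files separately."""
    result: Dict[str, Verdict] = {}
    for path, ref_digest in reference.items():
        if path not in evidence:
            result[path] = Verdict.MISSING
        elif evidence[path] == ref_digest:
            result[path] = Verdict.MATCH
        else:
            result[path] = Verdict.MISMATCH
    for path in evidence:
        if path not in reference:
            result[path] = Verdict.UNEXPECTED
    return result


def compliant(result: Mapping[str, Verdict]) -> bool:
    """Compliant when every file the RIM lists matched; unexpected files are reported, not fatal."""
    return all(v not in (Verdict.MISMATCH, Verdict.MISSING) for v in result.values())


# Constructed vendor content and evidence-tag location.
VENDOR_FILES = {"bin/agent": b"agent build 1.0", "lib/libagent.so": b"libagent build 1.0"}
TAG_PATH = "/opt/example/agent/agent.coswid"


def demo() -> Dict[str, Verdict]:
    """Appraise a constructed endpoint where one library was altered and one extra file exists."""
    reference = absolute_paths(merge_rimm([build_rim(VENDOR_FILES)]), TAG_PATH)
    evidence = dict(reference)  # a clean install measures exactly the reference digests ...
    evidence["/opt/example/agent/lib/libagent.so"] = sha256(b"libagent tampered")  # ... but this one changed
    evidence["/opt/example/agent/bin/extra"] = sha256(b"not shipped by the vendor")
    return appraise(reference, evidence)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict.value:10s} {path}")
    print("compliant:", compliant(demo()))
```

The verdicts are kept per file rather than collapsed into a single boolean so that an incident responder can see which file diverged; whether an UNEXPECTED file should fail the appraisal is a policy decision, and the example leaves it reported but non-fatal.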
Authors' Addresses

Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de

Jessica Fitzgerald-McKay
Department of Defense
9800 Savage Road
Ft. Meade, Maryland
USA
Email: jmfitz2@nsa.gov

Charles Schmidt
The MITRE Corporation
 End of changes. 32 change blocks. 
264 lines changed or deleted 251 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/