Remote ATtestation ProcedureS C. Wallace Internet-Draft Red Hound Intended status: Standards Track R. Housley Expires: 24 December 2022 Vigil Security 22 June 2022 Concise TA Stores (CoTS) draft-wallace-rats-concise-ta-stores-00 Abstract Trust anchor (TA) stores may be used for several purposes in the Remote Attestation Procedures (RATS) architecture including verifying endorsements, reference values, digital letters of approval, attestations, or public key certificates. This document describes a Concise Reference Integrity Manifest (CoRIM) extension that may be used to convey optionally constrained trust anchor stores containing optionally constrained trust anchors in support of these purposes. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-wallace-rats-concise-ta- stores/. Discussion of this document takes place on the rats Working Group mailing list (mailto:rats@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/rats/. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 24 December 2022. Wallace & Housley Expires 24 December 2022 [Page 1] Internet-Draft CoTS June 2022 Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Constraints . . . . . . . . . . . . . . . . . . . . . . . 4 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 3. Trust anchor management for RATS . . . . . . . . . . . . . . 5 3.1. TA and CA conveyance . . . . . . . . . . . . . . . . . . 5 3.1.1. The concise-ta-stores Container . . . . . . . . . . . 6 3.1.2. The concise-ta-store-map Container . . . . . . . . . 6 3.1.3. The cas-and-tas-map Container . . . . . . . . . . . . 8 3.2. Environment definition . . . . . . . . . . . . . . . . . 9 3.2.1. The environment-group-list Array . . . . . . . . . . 9 3.2.2. The abbreviated-swid-tag-map Container . . . . . . . 10 3.2.3. The named-ta-store Type . . . . . . . . . . . . . . . 11 3.3. Constraints definition . . . . . . . . . . . . . . . . . 11 3.3.1. The $$tas-list-purpose Type . . . . . . . . . . . . . 11 3.3.2. Claims . . . . . . . . . . . . . . . . . . . . . . . 12 3.4. Processing a concise-ta-stores RIM . . . . . . . . . . . 12 3.5. Verifying a concise-ta-stores RIM . . . . . . . . . . . . 12 4. CDDL definitions . . . . . . . . . . . . . . . . . . . . . . 12 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6. Security Considerations . . . . . . . . . . . . . . . . . . . 23 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 7.1. CoRIM CBOR Tag Registration . . . . . . . . . . . . . . . 23 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 8.1. Normative References . . . . . . . . . . . . . . . . . . 23 8.2. Informative References . . . . . . . . . . . . . . . . . 24 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 Wallace & Housley Expires 24 December 2022 [Page 2] Internet-Draft CoTS June 2022 1. Introduction The RATS architecture [I-D.draft-ietf-rats-architecture] uses the definition of a trust anchor from [RFC6024]: "A trust anchor represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative." In the context of RATS, a trust anchor may be a public key or a symmetric key. This document focuses on trust anchors that are represented as public keys. The Concise Reference Integrity Manifest (CoRIM) [I-D.draft-birkholz-rats-corim] specification defines a binary encoding for reference values using the Concise Binary Object Representation (CBOR) [RFC8949]. Amongst other information, a CoRIM may include key material for use in verifying evidence from an attesting environment (see section 3.11 in [I-D.draft-birkholz-rats-corim]). The extension in this document aims to enable public key material to be decoupled from reference data for several reasons, described below. Trust anchor (TA) and certification authority (CA) public keys may be less dynamic than the reference data that comprises much of a reference integrity manifest (RIM). For example, TA and CA lifetimes are typically fairly long while software versions change frequently. Conveying keys less frequently and indepedent from reference data enables a reduction in size of RIMs used to convey dynamic information and may result in a reduction in the size of aggregated data transferred to a verifier. CoRIMs themselves are signed and some means of conveying CoRIM verification keys is required, though ultimately some out-of-band mechanism is required at least for bootstrapping purposes. Relying parties may verify attestations from both hardware and software sources and some trust anchors may be used to verify attestations from both hardware and software sources, as well. The verification information included in a CoRIM optionally includes a trust anchor, leaving trust anchor management to other mechanisms. Additionally, the CoRIM verification-map structure is tied to CoMIDs, leaving no simple means to convey verification information for CoSWIDs [I-D.draft-ietf-sacm-coswid]. This document defines means to decouple TAs and CAs from reference data and adds support for constraining the use of trust anchors, chiefly by limiting the environments to which a set of trust anchors is applicable. This constraints mechanism is similar to that in [fido-metadata] and [fido-service] and should align with existing attestation verification practices that tend to use per-vendor trust anchors. TA store instances may be further constrained using coarse- grained purpose values or a set of finer-grained permitted or Wallace & Housley Expires 24 December 2022 [Page 3] Internet-Draft CoTS June 2022 excluded claims. The trust anchor formats supported by this draft allow for per-trust anchor constraints, if desired. Conveyance of trust anchors is the primary goal, CA certificates may optionally be included for convenience. 1.1. Constraints This document aims to support different PKI architectures including scenarios with various combinations of the following characteristics: * TA stores that contain a TA or set of TAs from a single organization * TA stores that contain a set of TAs from multiple organizations * TAs that issue certificates to CAs within the same organiation as the TA * TAs that issue certificates to CAs from multiple organizations * CAs that issue certificates that may be used to verify attestations or certificates from the same organization as the TA and CA * CAs that issue certificates that may be used to verify attestations or certificates from multiple organizations Subsequent specifications may define extensions to express constraints as well as processing rules for evaluating constraints expressed in TA stores, TAs, CA certificates and end entity (EE) certificates. Support for constraints is intended to enable misissued certificates to be rejected at verification time. Any public key that can be used to verify a certificate is assumed to also support verification of revocation information, subject to applicable constraints defined by the revocation mechanism. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Wallace & Housley Expires 24 December 2022 [Page 4] Internet-Draft CoTS June 2022 3. Trust anchor management for RATS Within RATS, trust anchors may be used to verify digital signatures for a variety of objects, including entity attestation tokens (EATs), CoRIMs, X.509 CA certificates (possibly containing endorsement information), X.509 EE certificates (possibly containing endorsement or attestation information), other attestation data, digital letters of approval [dloa], revocation information, etc. Depending on context, a raw public key may suffice or additional information may be required, such as subject name or subject public key identifier information found in an X.509 certificate. Trust anchors are usually aggregated into sets that are referred to as "trust anchor stores". Different trust anchor stores may serve different functional purposes. Historically, trust anchors and trust anchor stores are not constrained other than by the context(s) in which a trust anchor store is used. The path validation algorithm in [RFC5280] only lists name, public key, public key algorithm and public key parameters as the elements of "trust anchor information". However, there are environments that do constrain trust anchor usage. The RPKI uses extensions from trust anchor certificates as defined in [RFC3779]. FIDO provides a type of constraint by grouping attestation verification root certificates by authenticator model in [fido-metadata]. This document aims to support each of these types of models by allowing constrained or unconstrained trust anchors to be grouped by abstract purpose, i.e., similar to traditional trust anchor stores, or grouped by a set of constraints, such as vendor name. 3.1. TA and CA conveyance An unsigned concise TA stores object is a list of one or more TA stores, each represented below as a concise-ta-store-map element. concise-ta-stores concise-ta-store-map #1 ... concise-ta-store-map #n Each TA store instance identifies a target environment and features one or more public keys. Optional constraints on usage may be defined as well. Wallace & Housley Expires 24 December 2022 [Page 5] Internet-Draft CoTS June 2022 concise-ta-store-map language store-identity target environment abstract coarse-grained constraints on TA store usage concrete fine-grained constraints on TA store usage public keys (possibly included per-instance constraints) The following sections define the structures to support the concepts shown above. 3.1.1. The concise-ta-stores Container The concise-ta-stores type is the root element for distrbuting sets of trust anchor stores. It contains one or more concise-ta-store-map elements where each element in the list identifies the environments for which a given set of trust anchors is applicable, along with any constraints. concise-ta-stores = [+ concise-ta-store] The $concise-tag-type-choice [I-D.draft-birkholz-rats-corim] is extended to include the concise-ta-stores structure. As shown in Section 4 of [I-D.draft-birkholz-rats-corim], the $concise-tag-type- choice type is used within the unsigned-corim-map structure, which is used within COSE-Sign1-corim structure. The COSE-Sign1-corim provides for integrity of the CoTS data. CoTS structures are not intended for use as stand-alone, unsigned structures. The signature on a CoTS instance SHOULD be verified using a TA associated with the cots purpose (Section 3.3.1). $concise-tag-type-choice /= #6.TBD(bytes .cbor concise-ta-stores) 3.1.2. The concise-ta-store-map Container A concise-ta-store-map is a trust anchor store where the applicability of the store is established by the tastore.environment field with optional constraints on use of trust anchors found in the tastore.keys field defined by the tastore.purpose, tastore.perm_claims and tastore.excl_claims fields. Wallace & Housley Expires 24 December 2022 [Page 6] Internet-Draft CoTS June 2022 concise-ta-store-map = { ? tastore.language => language-type ? tastore.store-identity => tag-identity-map tastore.environments => environment-group-list ? tastore.purposes => [+ $$tas-list-purpose] ? tastore.perm_claims => [+ $$claims-set-claims] ? tastore.excl_claims => [+ $$claims-set-claims] tastore.keys => cas-and-tas-map } ; concise-ta-store-map indices tastore.language = 0 tastore.store-identity = 1 tastore.environment = 2 tastore.purpose = 3 tastore.perm_claims = 4 tastore.excl_claims = 5 tastore.keys = 6 The following describes each member of the concise-ta-store-map. tastore.language: A textual language tag that conforms with the IANA Language Subtag Registry [IANA.language-subtag-registry]. tastore.store-identity: A composite identifier containing identifying attributes that enable global unique identification of a TA store instance across versions and facilitate linking from other artifacts. The tag-identity-map type is defined in [I-D.draft-birkholz-rats-corim]. tastore.environment: A list of environment definitions that limit the contexts for which the tastore.keys list is applicable. If the tastore.environment is empty, TAs in the tastore.keys list may be used for any environment. tastore.purpose: Contains a list of purposes (Section 3.3.1) for which the tastore.keys list may be used. When absent, TAs in the tastore.keys list may be used for any purpose. This field is simliar to the extendedKeyUsage extension defined in [RFC5280]. The initial list of purposes are: cots, corim, comid, coswid, eat, key-attestation, certificate tastore.perm_claims: Contains a list of claim values (Section 3.3.2) [I-D.draft-ietf-rats-eat] for which tastore.keys list MAY be used to verify. When this field is absent, TAs in the tastore.keys list MAY be used to verify any claim subject to other restrictions. Wallace & Housley Expires 24 December 2022 [Page 7] Internet-Draft CoTS June 2022 tastore.excl_claims: Contains a list of claim values (Section 3.3.2) [I-D.draft-ietf-rats-eat] for which tastore.keys list MUST NOT be used to verify. When this field is absent, TAs in the tastore.keys list may be used to verify any claim subject to other restrictions. tastore.keys: Contains a list of one or more TAs and an optional list of one or more CA certificates. The perm_claims and excl_claims constraints MAY alternatively be expressed as extensions in a TA or CA. Inclusion of support here is intended as an aid for environments that find CBOR encoding support more readily available than DER encoding support. 3.1.3. The cas-and-tas-map Container The cas-and-tas-map container provides the means of representing trust anchors and, optionally, CA certificates. trust-anchor = [ format => $pkix-ta-type data => bstr ] cas-and-tas-map = { tastore.tas => [ + trust-anchor ] ? tastore.cas => [ + pkix-cert-data ] } ; cas-and-tas-map indices tastore.tas = 0 tastore.cas = 1 ; format values $pkix-ta-type /= tastore.pkix-cert-type $pkix-ta-type /= tastore.pkix-tainfo-type $pkix-ta-type /= tastore.pkix-spki-type tastore.pkix-cert-type = 0 tastore.pkix-tainfo-type = 1 tastore.pkix-spki-type = 2 ; certificate type pkix-cert-data = bstr The tastore.tas element is used to convey one or more trust anchors and an optional set of one or more CA certificates. TAs are implicitly trusted, i.e., no verification is required prior to use. Wallace & Housley Expires 24 December 2022 [Page 8] Internet-Draft CoTS June 2022 However, limitations on the use of the TA may be asserted in the corresponding concise-ta-store-map or within the TA itself. The tastore.cas field provides certificates that may be useful in the context where the corresponding concise-ta-store-map is used. These certificates are not implicitly trusted and MUST be validated to a trust anchor before use. End entity certificates SHOULD NOT appear in the tastore.cas list. The structure of the data contained in the data field of a trust- anchor is indicated by the format field. The pkix-cert-type is used to represent a binary, DER-encoded X.509 Certificate as defined in section 4.1 of [RFC5280]. The pkix-key-type is used to represent a binary, DER-encoded SubjectPublicKeyInfo as defined in section 4.1 of [RFC5280]. The pkix-tainfo-type is used to represent a binary, DER- encoded TrustAnchorInfo as defined in section 2 of [RFC5914]. The $pkix-ta-type provides an extensible means for representing trust anchor information. It is defined here as supporting the pkix-cert- type, pkix-spki-type or pkix-tainfo-type. The pkix-spki-type may be used where only a raw pubilc key is necessary. The pkix-cert-type may be used for most purposes, including scenarios where a raw public key is sufficient and those where additional information from a certificate is required. The pkix-tainfo-type is included to support scenarios where constraints information is directly associated with a public key or certificate (vs. constraints for a TA set as provided by tastore.purpose, tastore.perm_claims and tastore.excl_claims). The pkix-cert-data type is used to represent a binary, DER-encoded X.509 Certificate. 3.2. Environment definition 3.2.1. The environment-group-list Array In CoRIM, "composite devices or systems are represented by a collection of Concise Module Identifiers (CoMID) and Concise Software Identifiers (CoSWID)". For trust anchor management purposes, targeting specific devices or systems may be too granular. For example, a trust anchor or set of trust anchors may apply to multiple device models or versions. The environment-map definition as used in a CoRIM is tightly bound to a CoMID. To allow for distribution of key material applicable to a specific or range of devices or software, the envrionment-group-list and environment-group-map are defined as below. These aim to enable use of coarse-grained naturally occurring values, like vendor, make, model, etc. to determine if a set of trust anchors is applicable to an environment. Wallace & Housley Expires 24 December 2022 [Page 9] Internet-Draft CoTS June 2022 environment-group-list = [* environment-group-list-map] environment-group-list-map = { ? tastore.environment_map => environment-map, ? tastore.concise_swid_tag => abbreviated-swid-tag, ? tastore.named_ta_store => named-ta-store, } ; environment-group-list-map indices tastore.environment_map = 0 tastore.abbreviated_swid_tag = 1 tastore.named_ta_store = 2 An environment-group-list is a list of one or more environment-group- list-map elements that are used to determine if a given context is applicable. An empty list signifies all contexts SHOULD be considered as applicable. An environment-group-list-map is one of environment- map[I-D.draft-birkholz-rats-corim], abbreviated-swid-tag-map (Section 3.2.2) or named-ta-store (Section 3.2.3). As defined in [I-D.draft-birkholz-rats-corim], an envirionment-map may contain class-map, $instance-id-type-choice, $group-id-type- choice. QUESTION: Should the above dispense with environment_map and concise_swid_tag and use or define some identity-focused structure with information common to both (possibly class-map from [I-D.draft-birkholz-rats-corim])? If not, should a more complete CoMID representation be used (instead of environment_map)? 3.2.2. The abbreviated-swid-tag-map Container The abbreviated-swid-tag-map allows for expression of fields from a concise-swid-tag [I-D.draft-ietf-sacm-coswid] with all fields except entity designated as optional, compared to the concise-swid-tag definition that requires tag-id, tag-version and software-name to be present. Wallace & Housley Expires 24 December 2022 [Page 10] Internet-Draft CoTS June 2022 abbreviated-swid-tag-map = { ? tag-id => text / bstr .size 16, ? tag-version => integer, ? corpus => bool, ? patch => bool, ? supplemental => bool, ? software-name => text, ? software-version => text, ? version-scheme => $version-scheme, ? media => text, ? software-meta => one-or-more, entity => one-or-more, ? link => one-or-more, ? payload-or-evidence, * $$coswid-extension, global-attributes, } 3.2.3. The named-ta-store Type This specification allows for defining sets of trust anchors that are associated with an arbitrary name instead of relative to information typically expressed in a CoMID or CoSWID. Relying parties MUST be configured using the named-ta-store value to select a corresponding concise-ta-store-map for use. named-ta-store = tstr 3.3. Constraints definition 3.3.1. The $$tas-list-purpose Type The $$tas-list-purpose type provides an extensible means of expressions actions for which the corresponding keys are applicable. For example, trust anchors in a concise-ta-store-map with purpose field set to eat may not be used to verification certification paths. Extended key usage values corresponding to each purpose listed below (except for certificate) are defined in a companion specification. $$tas-list-purpose /= "cots" $$tas-list-purpose /= "corim" $$tas-list-purpose /= "coswid" $$tas-list-purpose /= "eat" $$tas-list-purpose /= "key-attestation" $$tas-list-purpose /= "certificate" $$tas-list-purpose /= "dloa" Wallace & Housley Expires 24 December 2022 [Page 11] Internet-Draft CoTS June 2022 TODO - define verification targets for each purpose. QUESTION - should this have a registry? 3.3.2. Claims A concise-ta-store-map may include lists of permitted and/or excluded claims [I-D.draft-ietf-rats-eat] that limit the applicability of trust anchors present in a cas-and-tas-map. A subsequent specification will define processing rules for evaluating constraints expressed in TA stores, TAs, CA certificates and end entity certificates. 3.4. Processing a concise-ta-stores RIM When verifying a signature using a public key that chains back to a concise-ta-stores instance, elements in the concise-ta-stores array are processed beginning with the first element and proceeding until either a matching set is found that serves the desired purpose or no more elements are available. Each element is evaluated relative to the context, i.e., environment, purpose, artifact contents, etc. For example, when verifying a CoRIM, each element in a triples-group MUST have an environment value that matches an environment-group- list-map element associated with the concise-ta-store-map containing the trust anchor used to verify the CoMID. Similarly, when verifying a CoSWID, the values in a abbreviated-swid-tag element from the concise-ta-store-map MUST match the CoSWID tag being verified. When verifying a certificate with DICE attestation extension, the information in each DiceTcbInfo element MUST be consistent with an environment-group-list-map associated with the concise-ta-store-map. 3.5. Verifying a concise-ta-stores RIM [I-D.draft-birkholz-rats-corim] defers verification rules to [RFC8152] and this document follows suit with the additional recommendation that the public key used to verify the RIM SHOULD be present in or chain to a public key present in a concise-ta-store-map with purpose set to cots. 4. CDDL definitions The CDDL definitions present in this document are provided below. Definitions from [I-D.draft-birkholz-rats-corim] are not repeated here. Wallace & Housley Expires 24 December 2022 [Page 12] Internet-Draft CoTS June 2022 concise-ta-stores = [+ concise-ta-store-map] $concise-tag-type-choice /= #6.TBD(bytes .cbor concise-ta-stores) concise-ta-store-map = { ? tastore.language => language-type ? tastore.store-identity => tag-identity-map tastore.environments => environment-group-list ? tastore.purposes => [+ $$tas-list-purpose] ? tastore.perm_claims => [+ $$claims-set-claims] ? tastore.excl_claims => [+ $$claims-set-claims] tastore.keys => cas-and-tas-map } ; concise-ta-store-map indices tastore.language = 0 tastore.store-identity = 1 tastore.environment = 2 tastore.purpose = 3 tastore.perm_claims = 4 tastore.excl_claims = 5 tastore.keys = 6 trust-anchor = [ format => $pkix-ta-type data => bstr ] cas-and-tas-map = { tastore.tas => [ + trust-anchor ] ? tastore.cas => [ + pkix-cert-type ] } ; cas-and-tas-map indices tastore.tas = 0 tastore.cas = 1 ; format values $pkix-ta-type /= tastore.pkix-cert-type $pkix-ta-type /= tastore.pkix-tainfo-type $pkix-ta-type /= tastore.pkix-spki-type tastore.pkix-cert-type = 0 tastore.pkix-tainfo-type = 1 tastore.pkix-spki-type = 2 ; certificate type pkix-cert-data = bstr Wallace & Housley Expires 24 December 2022 [Page 13] Internet-Draft CoTS June 2022 environment-group-list = [* environment-group-list-map] environment-group-list-map = { ? environment-map => environment-map, ? concise-swid-tag => abbreviated-swid-tag, ? named-ta-store => named-ta-store, } abbreviated-swid-tag = { ? tag-version => integer, ? corpus => bool, ? patch => bool, ? supplemental => bool, ? software-name => text, ? software-version => text, ? version-scheme => $version-scheme, ? media => text, ? software-meta => one-or-more, ? entity => one-or-more, ? link => one-or-more, ? payload-or-evidence, * $$coswid-extension, global-attributes, } named-ta-store = tstr $tas-list-purpose /= "cots" $tas-list-purpose /= "corim" $tas-list-purpose /= "comid" $tas-list-purpose /= "coswid" $tas-list-purpose /= "eat" $tas-list-purpose /= "key-attestation" $tas-list-purpose /= "certificate" $tas-list-purpose /= "dloa" 5. Examples The following examples are isolated concise-ta-store-map instances shown as JSON for ease of reading. The final example is an ASCII hex representation of a CBOR-encoded concise-ta-stores instance containing each example below (and using a placeholder value for the concise-ta-stores tag). The TA store below contains a TA from a single organization ("Zesty Hands, Inc,") that is used to verify CoRIMs for that organization. Because this TA does not verify certificates, a bare public key is appropriate. Wallace & Housley Expires 24 December 2022 [Page 14] Internet-Draft CoTS June 2022 { "environments": [ { "environment": { "class": { "vendor": "Worthless Sea, Inc." } } } ], "purposes": [ "corim" ], "keys": { "tas": [ { "format": 2, "data": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErYoMAdqe2gJT3CvCcifZxyE9+ N8T6Jy5zbeo5LYtnOipmi1wXA9/gNtlwAbRCRQitH/GEcvUaGlzPZxIOITV/g==" } ] } } The TA store below features three TAs from different organizations grouped as a TA store with the name "Miscellaneous TA Store". The first TA is an X.509 certificate. The second and third TAs are TrustAnchorInfo objects containing X.509 certificates. Though not shown in this example, constraints could added to the TrustAnchorInfo elements, i.e., to restrict verification to attestations asserting a specific vendor name. { "environments": [ { "namedtastore": "Miscellaneous TA Store" } ], "keys": { "tas": [ { "data": " MIIBvTCCAWSgAwIBAgIVANCdkL89UlzHc9Ui7XfVniK7pFuIMAoGCCqGSM49BAMCMD4 xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIF RydXN0IEFuY2hvcjAeFw0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMD4xCzAJB gNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0 Wallace & Housley Expires 24 December 2022 [Page 15] Internet-Draft CoTS June 2022 IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABONRqhA5JAekvQN8oLwRVND nAfBnTznLLE+SEGks677sHSeXfcVhZXUeDiN7/ fsVNumaiEWRQpZh3zXPwL8rUMyjPzA9MB0GA1UdDgQWBBQBXEXJrLBGKnFd1xCgeMAV SfEBPzALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/ zAKBggqhkjOPQQDAgNHADBEAiALBidABsfpzG0lTL9Eh9b6AUbqnzF+ koEZbgvppvvt9QIgVoE+bhEN0j6wSPzePjLrEdD+PEgyjHJ5rbA11SPq/1M=" }, { "format": 1, "data": " ooICtjCCArIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXz21w12owQAx58euratY WiHEkhxDU9MEgetrvAtGYZxNnkfLCsp9vLcw8ISXC8tL97k9ZCUtnr0MzLw37XKRABB T22tHlEou/DenpU0Ozccb3/+ fibjCCAj0wUjELMAkGA1UEBgwCVVMxGjAYBgNVBAoMEVplc3R5IEhhbmRzLCBJbmMuM ScwJQYDVQQDDB5aZXN0eSBIYW5kcywgSW5jLiBUcnVzdCBBbmNob3KgggHlMIIBi6AD AgECAhQL3EqgUXlQPljyddVSRnNHvK+ 1MzAKBggqhkjOPQQDAjBSMQswCQYDVQQGDAJVUzEaMBgGA1UECgwRWmVzdHkgSGFuZH MsIEluYy4xJzAlBgNVBAMMHlplc3R5IEhhbmRzLCBJbmMuIFRydXN0IEFuY2hvcjAeF w0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMFIxCzAJBgNVBAYMAlVTMRowGAYD VQQKDBFaZXN0eSBIYW5kcywgSW5jLjEnMCUGA1UEAwweWmVzdHkgSGFuZHMsIEluYy4 gVHJ1c3QgQW5jaG9yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl89tcNdqMEAMef Hrq2rWFohxJIcQ1PTBIHra7wLRmGcTZ5HywrKfby3MPCElwvLS/e5PWQlLZ69DMy8N+ 1ykQKM/MD0wHQYDVR0OBBYEFPba0eUSi78N6elTQ7Nxxvf/5+ JuMAsGA1UdDwQEAwIChDAPBgNVHRMBAf8EBTADAQH/ MAoGCCqGSM49BAMCA0gAMEUCIB2li+ f6RCxs2EnvNWciSpIDwiUViWayGv1A8xks80eYAiEAmCez4KGrolFKOZT6bvqf1sYQu JBfvtk/y1JQdUvoqlg=" }, { "format": 1, "data": " ooIC1TCCAtEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATN0f5kzywEzZOYbaV23O3 N8cku39JoLNjlHPwECbXDDWp0LpAO1z248/hoy6UW/TZMTPPR/ 93XwHsG16mSFy8XBBSKhM/ 5gJWjvDbW7qUY1peNm9cfYDCCAlwwXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2 JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluY y4gVHJ1c3QgQW5jaG9yoIIB+jCCAZ+gAwIBAgIUEBuTRGXAEEVEHhu4xafAnqm+ qYgwCgYIKoZIzj0EAwIwXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEF wcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3 QgQW5jaG9yMB4XDTIyMDUxOTE1MTMwOFoXDTMyMDUxNjE1MTMwOFowXDELMAkGA1UEB gwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nu b2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3QgQW5jaG9yMFkwEwYHKoZIzj0CAQYIKoZ Izj0DAQcDQgAEzdH+ZM8sBM2TmG2ldtztzfHJLt/ SaCzY5Rz8BAm1ww1qdC6QDtc9uPP4aMulFv02TEzz0f/d18B7BtepkhcvF6M/ MD0wHQYDVR0OBBYEFIqEz/ mAlaO8NtbupRjWl42b1x9gMAsGA1UdDwQEAwIChDAPBgNVHRMBAf8EBTADAQH/ Wallace & Housley Expires 24 December 2022 [Page 16] Internet-Draft CoTS June 2022 MAoGCCqGSM49BAMCA0kAMEYCIQC2cf43f3PPlCO6/dxv40ftIgxxToKHF72UzENv7+ y4ygIhAIGtC/r6SGaFMaP7zD2EloBuIXTtyWu8Hwl+YGdXRY93" } ] } } The TA Store below features one TA with an environment targeting CoSWIDs with entity named "Zesty Hands, Inc," and one permitted EAT claim for software named "Bitter Paper". Wallace & Housley Expires 24 December 2022 [Page 17] Internet-Draft CoTS June 2022 { "environments": [ { "swidtag": { "entity": [ { "entity-name": "Zesty Hands, Inc.", "role": "softwareCreator" } ] } } ], "permclaims": [ { "swname": "Bitter Paper" } ], "keys": { "tas": [ { "data": " MIIB5TCCAYugAwIBAgIUC9xKoFF5UD5Y8nXVUkZzR7yvtTMwCgYIKoZIzj0EAwI wUjELMAkGA1UEBgwCVVMxGjAYBgNVBAoMEVplc3R5IEhhbmRzLCBJbmMuMScwJQ YDVQQDDB5aZXN0eSBIYW5kcywgSW5jLiBUcnVzdCBBbmNob3IwHhcNMjIwNTE5M TUxMzA3WhcNMzIwNTE2MTUxMzA3WjBSMQswCQYDVQQGDAJVUzEaMBgGA1UECgwR WmVzdHkgSGFuZHMsIEluYy4xJzAlBgNVBAMMHlplc3R5IEhhbmRzLCBJbmMuIFR ydXN0IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJfPbXDXajBADH nx66tq1haIcSSHENT0wSB62u8C0ZhnE2eR8sKyn28tzDwhJcLy0v3uT1kJS2evQ zMvDftcpECjPzA9MB0GA1UdDgQWBBT22tHlEou/DenpU0Ozccb3/+ fibjALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/ zAKBggqhkjOPQQDAgNIADBFAiAdpYvn+ kQsbNhJ7zVnIkqSA8IlFYlmshr9QPMZLPNHmAIhAJgns+Chq6JRSjmU+ m76n9bGELiQX77ZP8tSUHVL6KpY" } ] } } The ASCII hex below represents a signed CoRIM that features a concise-ta-stores containing the three examples shown above. Wallace & Housley Expires 24 December 2022 [Page 18] Internet-Draft CoTS June 2022 D2 84 58 5D A3 01 26 03 74 61 70 70 6C 69 63 61 74 69 6F 6E 2F 72 69 6D 2B 63 62 6F 72 08 58 41 A2 00 A2 00 74 41 43 4D 45 20 4C 74 64 20 73 69 67 6E 69 6E 67 20 6B 65 79 01 D8 20 74 68 74 74 70 73 3A 2F 2F 61 63 6D 65 2E 65 78 61 6D 70 6C 65 01 A2 00 C1 1A 61 CE 48 00 01 C1 1A 69 54 67 80 A0 59 0B 10 A3 00 50 70 2F 47 5D E6 6B 4F 61 A5 8E 3C EF 3C CD 6E 44 01 81 59 0A E8 D9 01 FB 83 A2 01 81 A1 01 A1 00 A1 01 73 57 6F 72 74 68 6C 65 73 73 20 53 65 61 2C 20 49 6E 63 2E 05 A1 00 81 82 02 58 5B 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 AD 8A 0C 01 DA 9E DA 02 53 DC 2B C2 72 27 D9 C7 21 3D F8 DF 13 E8 9C B9 CD B7 A8 E4 B6 2D 9C E8 A9 9A 2D 70 5C 0F 7F 80 DB 65 C0 06 D1 09 14 22 B4 7F C6 11 CB D4 68 69 73 3D 9C 48 38 84 D5 FE A2 01 81 A1 03 76 4D 69 73 63 65 6C 6C 61 6E 65 6F 75 73 20 54 41 20 53 74 6F 72 65 05 A1 00 83 82 01 59 02 7E A2 82 02 7A 30 82 02 76 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 E3 51 AA 10 39 24 07 A4 BD 03 7C A0 BC 11 54 D0 E7 01 F0 67 4F 39 CB 2C 4F 92 10 69 2C EB BE EC 1D 27 97 7D C5 61 65 75 1E 0E 23 7B FD FB 15 36 E9 9A 88 45 91 42 96 61 DF 35 CF C0 BF 2B 50 CC 04 14 01 5C 45 C9 AC B0 46 2A 71 5D D7 10 A0 78 C0 15 49 F1 01 3F 30 82 02 01 30 3E 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 10 30 0E 06 03 55 04 0A 0C 07 45 78 61 6D 70 6C 65 31 1D 30 1B 06 03 55 04 03 0C 14 45 78 61 6D 70 6C 65 20 54 72 75 73 74 20 41 6E 63 68 6F 72 A0 82 01 BD 30 82 01 64 A0 03 02 01 02 02 15 00 D0 9D 90 BF 3D 52 5C C7 73 D5 22 ED 77 D5 9E 22 BB A4 5B 88 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 3E 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 10 30 0E 06 03 55 04 0A 0C 07 45 78 61 6D 70 6C 65 31 1D 30 1B 06 03 55 04 03 0C 14 45 78 61 6D 70 6C 65 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 1E 17 0D 32 32 30 35 31 39 31 35 31 33 30 37 5A 17 0D 33 32 30 35 31 36 31 35 31 33 30 37 5A 30 3E 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 10 30 0E 06 03 55 04 0A 0C 07 45 78 61 6D 70 6C 65 31 1D 30 1B 06 03 55 04 03 0C 14 45 78 61 6D 70 6C 65 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 E3 51 AA 10 39 24 07 A4 BD 03 7C A0 BC 11 54 D0 E7 01 F0 67 4F 39 CB 2C 4F 92 10 69 2C EB BE EC 1D 27 97 7D C5 61 65 75 1E 0E 23 7B FD FB 15 36 E9 9A Wallace & Housley Expires 24 December 2022 [Page 19] Internet-Draft CoTS June 2022 88 45 91 42 96 61 DF 35 CF C0 BF 2B 50 CC A3 3F 30 3D 30 1D 06 03 55 1D 0E 04 16 04 14 01 5C 45 C9 AC B0 46 2A 71 5D D7 10 A0 78 C0 15 49 F1 01 3F 30 0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 47 00 30 44 02 20 0B 06 27 40 06 C7 E9 CC 6D 25 4C BF 44 87 D6 FA 01 46 EA 9F 31 7E 92 81 19 6E 0B E9 A6 FB ED F5 02 20 56 81 3E 6E 11 0D D2 3E B0 48 FC DE 3E 32 EB 11 D0 FE 3C 48 32 8C 72 79 AD B0 35 D5 23 EA FF 53 82 01 59 02 BA A2 82 02 B6 30 82 02 B2 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 97 CF 6D 70 D7 6A 30 40 0C 79 F1 EB AB 6A D6 16 88 71 24 87 10 D4 F4 C1 20 7A DA EF 02 D1 98 67 13 67 91 F2 C2 B2 9F 6F 2D CC 3C 21 25 C2 F2 D2 FD EE 4F 59 09 4B 67 AF 43 33 2F 0D FB 5C A4 40 04 14 F6 DA D1 E5 12 8B BF 0D E9 E9 53 43 B3 71 C6 F7 FF E7 E2 6E 30 82 02 3D 30 52 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A 30 18 06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 A0 82 01 E5 30 82 01 8B A0 03 02 01 02 02 14 0B DC 4A A0 51 79 50 3E 58 F2 75 D5 52 46 73 47 BC AF B5 33 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 52 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A 30 18 06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 1E 17 0D 32 32 30 35 31 39 31 35 31 33 30 37 5A 17 0D 33 32 30 35 31 36 31 35 31 33 30 37 5A 30 52 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A 30 18 06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 97 CF 6D 70 D7 6A 30 40 0C 79 F1 EB AB 6A D6 16 88 71 24 87 10 D4 F4 C1 20 7A DA EF 02 D1 98 67 13 67 91 F2 C2 B2 9F 6F 2D CC 3C 21 25 C2 F2 D2 FD EE 4F 59 09 4B 67 AF 43 33 2F 0D FB 5C A4 40 A3 3F 30 3D 30 1D 06 03 55 1D 0E 04 16 04 14 F6 DA D1 E5 12 8B BF 0D E9 E9 53 43 B3 71 C6 F7 FF E7 E2 6E 30 0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F 06 03 Wallace & Housley Expires 24 December 2022 [Page 20] Internet-Draft CoTS June 2022 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 48 00 30 45 02 20 1D A5 8B E7 FA 44 2C 6C D8 49 EF 35 67 22 4A 92 03 C2 25 15 89 66 B2 1A FD 40 F3 19 2C F3 47 98 02 21 00 98 27 B3 E0 A1 AB A2 51 4A 39 94 FA 6E FA 9F D6 C6 10 B8 90 5F BE D9 3F CB 52 50 75 4B E8 AA 58 82 01 59 02 D9 A2 82 02 D5 30 82 02 D1 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 CD D1 FE 64 CF 2C 04 CD 93 98 6D A5 76 DC ED CD F1 C9 2E DF D2 68 2C D8 E5 1C FC 04 09 B5 C3 0D 6A 74 2E 90 0E D7 3D B8 F3 F8 68 CB A5 16 FD 36 4C 4C F3 D1 FF DD D7 C0 7B 06 D7 A9 92 17 2F 17 04 14 8A 84 CF F9 80 95 A3 BC 36 D6 EE A5 18 D6 97 8D 9B D7 1F 60 30 82 02 5C 30 5C 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1F 30 1D 06 03 55 04 0A 0C 16 53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E 31 2C 30 2A 06 03 55 04 03 0C 23 53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 A0 82 01 FA 30 82 01 9F A0 03 02 01 02 02 14 10 1B 93 44 65 C0 10 45 44 1E 1B B8 C5 A7 C0 9E A9 BE A9 88 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 5C 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1F 30 1D 06 03 55 04 0A 0C 16 53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E 31 2C 30 2A 06 03 55 04 03 0C 23 53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 1E 17 0D 32 32 30 35 31 39 31 35 31 33 30 38 5A 17 0D 33 32 30 35 31 36 31 35 31 33 30 38 5A 30 5C 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1F 30 1D 06 03 55 04 0A 0C 16 53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E 31 2C 30 2A 06 03 55 04 03 0C 23 53 6E 6F 62 62 69 73 68 20 41 70 70 61 72 65 6C 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 CD D1 FE 64 CF 2C 04 CD 93 98 6D A5 76 DC ED CD F1 C9 2E DF D2 68 2C D8 E5 1C FC 04 09 B5 C3 0D 6A 74 2E 90 0E D7 3D B8 F3 F8 68 CB A5 16 FD 36 4C 4C F3 D1 FF DD D7 C0 7B 06 D7 A9 92 17 2F 17 A3 3F 30 3D 30 1D 06 03 55 1D 0E 04 16 04 14 8A 84 CF F9 80 95 A3 BC 36 D6 EE A5 18 D6 97 8D 9B D7 1F 60 30 0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 49 00 30 46 02 21 00 B6 71 Wallace & Housley Expires 24 December 2022 [Page 21] Internet-Draft CoTS June 2022 FE 37 7F 73 CF 94 23 BA FD DC 6F E3 47 ED 22 0C 71 4E 82 87 17 BD 94 CC 43 6F EF EC B8 CA 02 21 00 81 AD 0B FA FA 48 66 85 31 A3 FB CC 3D 84 96 80 6E 21 74 ED C9 6B BC 1F 09 7E 60 67 57 45 8F 77 A3 01 81 A1 02 A1 02 A2 18 1F 71 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 18 21 02 03 81 A1 19 03 E6 6C 42 69 74 74 65 72 20 50 61 70 65 72 05 A1 00 81 82 00 59 01 E9 30 82 01 E5 30 82 01 8B A0 03 02 01 02 02 14 0B DC 4A A0 51 79 50 3E 58 F2 75 D5 52 46 73 47 BC AF B5 33 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 52 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A 30 18 06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 1E 17 0D 32 32 30 35 31 39 31 35 31 33 30 37 5A 17 0D 33 32 30 35 31 36 31 35 31 33 30 37 5A 30 52 31 0B 30 09 06 03 55 04 06 0C 02 55 53 31 1A 30 18 06 03 55 04 0A 0C 11 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 31 27 30 25 06 03 55 04 03 0C 1E 5A 65 73 74 79 20 48 61 6E 64 73 2C 20 49 6E 63 2E 20 54 72 75 73 74 20 41 6E 63 68 6F 72 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 97 CF 6D 70 D7 6A 30 40 0C 79 F1 EB AB 6A D6 16 88 71 24 87 10 D4 F4 C1 20 7A DA EF 02 D1 98 67 13 67 91 F2 C2 B2 9F 6F 2D CC 3C 21 25 C2 F2 D2 FD EE 4F 59 09 4B 67 AF 43 33 2F 0D FB 5C A4 40 A3 3F 30 3D 30 1D 06 03 55 1D 0E 04 16 04 14 F6 DA D1 E5 12 8B BF 0D E9 E9 53 43 B3 71 C6 F7 FF E7 E2 6E 30 0B 06 03 55 1D 0F 04 04 03 02 02 84 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 48 00 30 45 02 20 1D A5 8B E7 FA 44 2C 6C D8 49 EF 35 67 22 4A 92 03 C2 25 15 89 66 B2 1A FD 40 F3 19 2C F3 47 98 02 21 00 98 27 B3 E0 A1 AB A2 51 4A 39 94 FA 6E FA 9F D6 C6 10 B8 90 5F BE D9 3F CB 52 50 75 4B E8 AA 58 04 A2 00 C1 1A 61 CE 48 00 01 C1 1A 69 54 67 80 58 40 84 64 A5 CC 98 98 9E 1F 72 CD 14 97 99 78 47 BE 03 E4 C8 61 34 A5 B4 43 91 AA D7 55 EC 31 3A 2E 15 41 EC E2 E4 58 7F 5A B3 59 C7 F4 FF 0C 27 61 A6 FB 90 75 F9 0E 9C CD 13 9A F1 F9 31 E7 01 06 Wallace & Housley Expires 24 December 2022 [Page 22] Internet-Draft CoTS June 2022 6. Security Considerations As a profile of CoRIM, the security considerations from [I-D.draft-birkholz-rats-corim] apply. As a means of managing trust anchors, the security considerations from [RFC6024] and [RFC5934] apply. a CoTS signer is roughly analogous to a "management trust anchor" as described in [RFC5934]. 7. IANA Considerations 7.1. CoRIM CBOR Tag Registration IANA is requested to allocate tags in the "CBOR Tags" registry [IANA.cbor-tags], preferably with the specific value requested: +=====+==============+====================================+ | Tag | Data Item | Semantics | +=====+==============+====================================+ | 507 | tagged array | Concise Trust Anchor Stores (CoTS) | +-----+--------------+------------------------------------+ Table 1 8. References 8.1. Normative References [I-D.draft-birkholz-rats-corim] Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and W. Pan, "Concise Reference Integrity Manifest", Work in Progress, Internet-Draft, draft-birkholz-rats-corim-02, 26 January 2022, . [I-D.draft-ietf-rats-eat] Lundblade, L., Mandyam, G., and J. O'Donoghue, "The Entity Attestation Token (EAT)", Work in Progress, Internet- Draft, draft-ietf-rats-eat-13, 20 May 2022, . [I-D.draft-ietf-sacm-coswid] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. Waltermire, "Concise Software Identification Tags", Work in Progress, Internet-Draft, draft-ietf-sacm-coswid-21, 7 March 2022, . Wallace & Housley Expires 24 December 2022 [Page 23] Internet-Draft CoTS June 2022 [IANA.cbor-tags] IANA, "Concise Binary Object Representation (CBOR) Tags", . [IANA.language-subtag-registry] IANA, "Language Subtag Registry", . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor Format", RFC 5914, DOI 10.17487/RFC5914, June 2010, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, . 8.2. Informative References [dloa] GlobalPlatform, "GlobalPlatform Card - Digital Letter of Approval Version 1.0", November 2015, . [fido-metadata] FIDO Alliance, "FIDO Metadata Statement", May 2021, . Wallace & Housley Expires 24 December 2022 [Page 24] Internet-Draft CoTS June 2022 [fido-service] FIDO Alliance, "FIDO Metadata Service", May 2021, . [I-D.draft-ietf-rats-architecture] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote Attestation Procedures Architecture", Work in Progress, Internet-Draft, draft-ietf-rats-architecture- 18, 14 June 2022, . [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004, . [RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor Management Protocol (TAMP)", RFC 5934, DOI 10.17487/RFC5934, August 2010, . [RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management Requirements", RFC 6024, DOI 10.17487/RFC6024, October 2010, . [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, July 2017, . Acknowledgments TODO acknowledge. Authors' Addresses Carl Wallace Red Hound Software United States of America Email: carl@redhoundsoftware.com Russ Housley Vigil Security, LLC 516 Dranesville Road Herndon, VA 20170 United States of America Email: housley@vigilsec.com Wallace & Housley Expires 24 December 2022 [Page 25]