idnits 2.17.1 draft-birkholz-rats-corim-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 10 characters in excess of 72. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (26 January 2022) is 822 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC-AAAA' is mentioned on line 2102, but not defined == Outdated reference: A later version (-22) exists of draft-ietf-rats-architecture-14 ** Downref: Normative reference to an Informational draft: draft-ietf-rats-architecture (ref. 'I-D.ietf-rats-architecture') == Outdated reference: A later version (-24) exists of draft-ietf-sacm-coswid-20 ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 RATS Working Group H. Birkholz 3 Internet-Draft Fraunhofer SIT 4 Intended status: Standards Track T. Fossati 5 Expires: 30 July 2022 Y. Deshpande 6 Arm Limited 7 N. Smith 8 Intel 9 W. Pan 10 Huawei Technologies 11 26 January 2022 13 Concise Reference Integrity Manifest 14 draft-birkholz-rats-corim-02 16 Abstract 18 Remote Attestation Procedures (RATS) enable Relying Parties to put 19 trust in the trustworthiness of a remote Attester and therefore to 20 decide if to engage in secure interactions with it - or not. 21 Evidence about trustworthiness can be rather complex, voluminous or 22 Attester-specific. As it is deemed unrealistic that every Relying 23 Party is capable of the appraisal of Evidence, that burden is taken 24 on by a Verifier. In order to conduct Evidence appraisal procedures, 25 a Verifier requires not only fresh Evidence from an Attester, but 26 also trusted Endorsements and Reference Values from Endorsers, such 27 as manufacturers, distributors, or owners. This document specifies 28 Concise Reference Integrity Manifests (CoRIM) that represent 29 Endorsements and Reference Values in CBOR format. Composite devices 30 or systems are represented by a collection of Concise Module 31 Identifiers (CoMID) and Concise Software Identifiers (CoSWID) bundled 32 in a CoRIM document. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on 30 July 2022. 50 Copyright Notice 52 Copyright (c) 2022 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 57 license-info) in effect on the date of publication of this document. 58 Please review these documents carefully, as they describe your rights 59 and restrictions with respect to this document. Code Components 60 extracted from this document must include Revised BSD License text as 61 described in Section 4.e of the Trust Legal Provisions and are 62 provided without warranty as described in the Revised BSD License. 64 Table of Contents 66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 67 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4 68 2. Concise Reference Integrity Manifests . . . . . . . . . . . . 4 69 2.1. Typographical Conventions . . . . . . . . . . . . . . . . 5 70 2.2. Prefixes and Namespaces . . . . . . . . . . . . . . . . . 6 71 2.3. Extensibility . . . . . . . . . . . . . . . . . . . . . . 7 72 2.4. Concise RIM Extension Points . . . . . . . . . . . . . . 7 73 2.5. CDDL Generic Types . . . . . . . . . . . . . . . . . . . 8 74 2.5.1. Non-Empty . . . . . . . . . . . . . . . . . . . . . . 8 75 2.5.2. One-Or-More . . . . . . . . . . . . . . . . . . . . . 8 76 3. Concise RIM Data Definition . . . . . . . . . . . . . . . . . 9 77 3.1. The signed-corim Container . . . . . . . . . . . . . . . 9 78 3.1.1. The corim-meta-map Container . . . . . . . . . . . . 9 79 3.1.2. The corim-signer-map Container . . . . . . . . . . . 10 80 3.1.3. The validity-map Container . . . . . . . . . . . . . 10 81 3.2. The corim-map Container . . . . . . . . . . . . . . . . . 11 82 3.2.1. The corim-entity-map Container . . . . . . . . . . . 12 83 3.2.2. The corim-locator-map Container . . . . . . . . . . . 12 84 3.3. The concise-mid-tag Container . . . . . . . . . . . . . . 13 85 3.4. The tag-identity-map Container . . . . . . . . . . . . . 13 86 3.5. The entity-map Container . . . . . . . . . . . . . . . . 14 87 3.6. The linked-tag-map Container . . . . . . . . . . . . . . 15 88 3.7. The triples-map Container . . . . . . . . . . . . . . . . 15 89 3.8. The environment-map Container . . . . . . . . . . . . . . 16 90 3.9. The class-map Container . . . . . . . . . . . . . . . . . 17 91 3.10. The measurement-map and measurement-values-map 92 Containers . . . . . . . . . . . . . . . . . . . . . . . 17 93 3.10.1. The version-map Container . . . . . . . . . . . . . 19 94 3.10.2. The svn-type-choice Enumeration . . . . . . . . . . 20 95 3.10.3. The raw-value-group Container . . . . . . . . . . . 20 96 3.10.4. The ip-addr-type-choice Enumeration . . . . . . . . 21 97 3.10.5. The mac-addr-type-choice Enumeration . . . . . . . . 21 98 3.11. The verification-key-map Container . . . . . . . . . . . 21 99 4. Full CDDL Definition . . . . . . . . . . . . . . . . . . . . 22 100 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 35 101 6. Security Considerations . . . . . . . . . . . . . . . . . . . 35 102 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 103 7.1. COSE Header Parameters Registry . . . . . . . . . . . . . 35 104 7.2. CoRIM Map Items Registry . . . . . . . . . . . . . . . . 36 105 7.3. CoRIM Entity-Map Items Registry . . . . . . . . . . . . . 36 106 7.4. CoRIM Entity-Types Registry . . . . . . . . . . . . . . . 37 107 7.5. CoMID Map Items Registry . . . . . . . . . . . . . . . . 38 108 7.6. CoMID Entity-Map Items Registry . . . . . . . . . . . . . 39 109 7.7. CoMID Triples-Map Items Registry . . . . . . . . . . . . 40 110 7.8. CoMID Measurement-Values-Map Items Registry . . . . . . . 41 111 7.9. CoMID Tag-Relationship-Types Registry . . . . . . . . . . 42 112 7.10. CoMID Role-Types Registry . . . . . . . . . . . . . . . . 43 113 7.11. rim+cbor Media Type Registration . . . . . . . . . . . . 44 114 7.12. CoAP Content-Format Registration . . . . . . . . . . . . 45 115 7.13. CoRIM CBOR Tag Registration . . . . . . . . . . . . . . . 46 116 7.14. CoMID CBOR Tag Registration . . . . . . . . . . . . . . . 46 117 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 47 118 8.1. Normative References . . . . . . . . . . . . . . . . . . 47 119 8.2. Informative References . . . . . . . . . . . . . . . . . 48 120 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 122 1. Introduction 124 The Remote Attestation Procedures (RATS) architecture 125 [I-D.ietf-rats-architecture] describes appraisal procedures for 126 attestation Evidence and Attestation Results. Appraisal procedures 127 for Evidence are conducted by Verifiers and are intended to assess 128 the trustworthiness of a remote peer. Appraisal procedures for 129 Attestation Results are conducted by Relying Parties and are intended 130 to operationalize the assessment about a remote peer and to act 131 appropriately based on the assessment. In order to enable their 132 intent, appraisal procedures consume Appraisal Policies, Reference 133 Values, and Endorsements. 135 This documents specifies a binary encoding for Reference Values using 136 the Concise Binary Object Representation (CBOR). The encoding is 137 based on three parts that are defined using the Concise Data 138 Definition Language (CDDL): 140 * Concise Reference Integrity Manifests (CoRIM), 142 * Concise Module Identifiers (CoMID), and 143 * Concise Software Identifier (CoSWID). 145 CoRIM and CoMID tags are defined in this document, CoSWID tags are 146 defined in [I-D.ietf-sacm-coswid]. CoRIM provide a wrapper 147 structure, in which CoMID tags, CoSWID tags, as well as corresponding 148 metadata can be bundled and signed as a whole. CoMID tags represent 149 hardware components and provide a counterpart to CoSWID tags, which 150 represent software components. 152 In accordance to [RFC4949], software components that are stored in 153 hardware modules are referred to as firmware. While firmware can be 154 represented as a software component, it is also very hardware- 155 specific and often resides directly on block devices instead of a 156 file system. In this specification, firmware and their Reference 157 Values are represented via CoMID tags. Reference Values for any 158 other software components stored on a file system are represented via 159 CoSWID tags. 161 In addition to CoRIM - and respective CoMID tags - this specification 162 defines a Concise Manifest Revocation that represents a list of 163 reference to CoRIM that are actively marked as invalid before their 164 expiration time. 166 1.1. Requirements Notation 168 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 169 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 170 "OPTIONAL" in this document are to be interpreted as described in 171 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 172 capitals, as shown here. 174 2. Concise Reference Integrity Manifests 176 This section specifies the Concise RIM (CoRIM) format, the Concise 177 MID format (CoMID), and the extension to the CoSWID specification 178 that augments CoSWID tags to express specific relationships to CoMID 179 tags. 181 While each specification defines its own start rule, only CoMID and 182 CoSWID are stand-alone specifications. The CoRIM specification - as 183 the bundling format - has a dependency on CoMID and CoSWID and is not 184 a stand-alone specification. 186 While stand-alone CoSWID tags may be signed [I-D.ietf-sacm-coswid], 187 CoMID tags are not intended to be stand-alone and are always part of 188 a CoRIM that must be signed. [I-D.ietf-sacm-coswid] specifies the 189 use of COSE [RFC7231] for signing. This specification defines how to 190 generate singed CoRIM tags with COSE to enable proof of authenticity 191 and temper-evidence. 193 This document uses the Concise Data Definition Language (CDDL 194 [RFC8610]) to define the data structure of CoRIM and CoMID tags, as 195 well as the extensions to CoSWID. The CDDL definitions provided 196 define nested containers. Typically, the CDDL types used for nested 197 containers are maps. Every key used in the maps is a named type that 198 is associated with an corresponding uint via a block of rules 199 appended at the end of the CDDL definition. 201 Every set of uint keys that is used in the context of the "collision 202 domain" of map is intended to be collision-free (each key is intended 203 to be unique in the scope of a map, not a multimap). To accomplish 204 that, for each map there is an IANA registry for the map members of 205 maps. 207 2.1. Typographical Conventions 209 Type names in the following CDDL definitions follow the naming 210 convention illustrated in table Table 1. 212 +========================+==================+=====================+ 213 | type trait | example | typo convention | 214 +========================+==================+=====================+ 215 | extensible type choice | int / text / ... | $NAME-type-choice | 216 +------------------------+------------------+---------------------+ 217 | closed type choice | int / text | NAME-type-choice | 218 +------------------------+------------------+---------------------+ 219 | group choice | ( 1 => int // 2 | $$NAME-group-choice | 220 | | => text ) | | 221 +------------------------+------------------+---------------------+ 222 | group | ( 1 => int, 2 => | NAME-group | 223 | | text ) | | 224 +------------------------+------------------+---------------------+ 225 | type | int | NAME-type | 226 +------------------------+------------------+---------------------+ 227 | tagged type | #6.123(int) | tagged-NAME-type | 228 +------------------------+------------------+---------------------+ 229 | map | { 1 => int, 2 => | NAME-map | 230 | | text } | | 231 +------------------------+------------------+---------------------+ 232 | flags | &( a: 1, b: 2 ) | NAME-flags | 233 +------------------------+------------------+---------------------+ 235 Table 1: Type Traits & Typographical Convention 237 2.2. Prefixes and Namespaces 239 The semantics of the information elements (attributes) defined for 240 CoRIM, CoMID tags, and CoSWID tags are sometimes very similar, but 241 often do not share the same scope or are actually quite different. 242 In order to not overload the already existing semantics of the 243 software-centric IANA registries of CoSWID tags with, for example, 244 hardware-centric semantics of CoMID tags, new type names are 245 introduced. For example: both CoSWID tags and CoMID tags define a 246 tag-id. As CoSWID already specifies tag-id, the tag-id in CoMID tags 247 is prefixed with comid. to disambiguate the context, resulting in 248 comid.tag-id. This prefixing provides a well-defined scope for the 249 use of the types defined in this document and guarantees 250 interoperability (no type name collisions) with the CoSWID CDDL 251 definition. Effectively, the prefixes used in this specification 252 enable simple hierarchical namespaces. The prefixing introduced is 253 also based on the anticipated namespace features for CDDL. 255 2.3. Extensibility 257 Both the CoRIM and the CoMID tag specification include extension 258 points using CDDL sockets (see [RFC8610] Section 3.9). The use of 259 CDDL sockets allows for well-formed extensions to be defined in 260 supplementary CDDL definitions that support additional uses of CoRIM 261 and CoMID tags. 263 There are two types of extensibility supported via the extension 264 points defined in this document. Both types allow for the addition 265 of keys in the scope of a map. 267 Custom Keys: The CDDL definition allows for the use of negative 268 integers as keys. These keys cannot take on a well-defined global 269 semantic. They can take on custom-defined semantics in a limited 270 or local scope, e.g. vendor-defined scope. 272 Registered Keys: Additional keys can be registered at IANA via 273 separate specifications. 275 Both types of extensibility also allow for the definition of new 276 nested maps that again can include additional defined keys. 278 2.4. Concise RIM Extension Points 280 The following CDDL sockets (extension points) are defined in the 281 CoRIM specification, which allow the addition of new information 282 structures to their respective CDDL groups. 284 +======================+====================================+=======+ 285 |Map Name | CDDL Socket |Defined| 286 | | |in | 287 +======================+====================================+=======+ 288 |corim-entity-map | $$corim-entity-map-extension |Section| 289 | | |3.2.1 | 290 +----------------------+------------------------------------+-------+ 291 |unsigned-corim-map | $$unsigned-corim-map-extension |Section| 292 | | |3.2 | 293 +----------------------+------------------------------------+-------+ 294 |concise-mid-tag | $$comid-extension |Section| 295 | | |3.3 | 296 +----------------------+------------------------------------+-------+ 297 |tag-identity-map | $$tag-identity-map-extension |Section| 298 | | |3.4 | 299 +----------------------+------------------------------------+-------+ 300 |entity-map | $$entity-map-extension |Section| 301 | | |3.5 | 302 +----------------------+------------------------------------+-------+ 303 |triples-map | $$triples-map-extension |Section| 304 | | |3.7 | 305 +----------------------+------------------------------------+-------+ 306 |measurement-values-map| $$measurement-values-map-extension |Section| 307 | | |3.10 | 308 +----------------------+------------------------------------+-------+ 310 Table 2: CoMID CDDL Group Extension Points 312 2.5. CDDL Generic Types 314 The CDDL definitions for CoRIM and CoMID tags use the two following 315 generic types. 317 2.5.1. Non-Empty 319 The non-empty generic type is used to express that a map with only 320 optional members MUST at least include one of the optional members. 322 non-empty = (M) .within ({ + any => any }) 324 2.5.2. One-Or-More 326 The one-or-more generic type allows to omit an encapsulating array, 327 if only one member would be present. 329 one-or-more = T / [ 2* T ] ; 2* 331 3. Concise RIM Data Definition 333 A CoRIM is a bundle of CoMID tags and/or CoSWID tags that can 334 reference each other and that includes additional metadata about that 335 bundle. 337 The root of the CDDL specification provided for CoRIM is the rule 338 corim : 340 start = corim 342 3.1. The signed-corim Container 344 A CoRIM is signed using [RFC7231]. The additional CoRIM-specific 345 COSE header member label corim-meta is defined as well as the 346 corresponding type corim-meta-map as its value. This rule and its 347 constraints MUST be followed when generating or validating a signed 348 CoRIM tag. 350 signed-corim = #6.18(COSE-Sign1-corim) 352 protected-corim-header-map = { 353 corim.alg-id => int 354 corim.content-type => "application/corim-unsigned+cbor" 355 corim.issuer-key-id => bstr 356 corim.meta => bstr .cbor corim-meta-map 357 * cose-label => cose-values 358 } 360 unprotected-corim-header-map = { 361 * cose-label => cose-values 362 } 364 COSE-Sign1-corim = [ 365 protected: bstr .cbor protected-corim-header-map 366 unprotected: unprotected-corim-header-map 367 payload: bstr .cbor tagged-corim-map 368 signature: bstr 369 ] 371 3.1.1. The corim-meta-map Container 373 This map contains the two additionally defined attributes corim- 374 signer-map and validity-map that are used to annotate a CoRIM with 375 metadata. 377 corim-meta-map = { 378 corim.signer => corim-signer-map 379 ? corim.signature-validity => validity-map 380 } 382 corim.signer: One or more entities that created and/or signed the 383 issued CoRIM. 385 corim.signature-validity: A time period defining the validity span 386 of the signature over the CoRIM. 388 3.1.2. The corim-signer-map Container 390 This map is used to identify the signer of a CoRIM via a name and an 391 optional URI. 393 corim-signer-map = { 394 corim.signer-name => $entity-name-type-choice 395 ? corim.signer-uri => uri 396 * $$corim-signer-map-extension 397 } 399 $entity-name-type-choice /= text 401 corim.signer-name: The name of the organization that signs this 402 CoRIM 404 corim.signer-uri: An URI uniquely linked to the organization that 405 signs this CoRIM 407 $$corim-signer-map-extension: This CDDL socket is used to add new 408 information elements to the corim-signer-map container. See 409 FIXME. 411 3.1.3. The validity-map Container 413 The members of this map indicate the life-span or period of validity 414 of a CoRIM that is baked into the protected header at the time of 415 signing. 417 validity-map = { 418 ? corim.not-before => time 419 corim.not-after => time 420 } 422 corim.not-before: The timestamp indicating the CoRIM's begin of its 423 validity period. 425 corim.not-after: The timestamp indicating the CoRIM's end of its 426 validity period. 428 3.2. The corim-map Container 430 This map contains the payload of the COSE envelope that is used to 431 sign the CoRIM. This rule and its constraints MUST be followed when 432 generating or validating an unsigned Concise RIM. 434 corim-map = { 435 corim.id => $corim-id-type-choice 436 corim.tags => [ + $concise-tag-type-choice ] 437 ? corim.dependent-rims => [ + corim-locator-map ] 438 ? corim.profile => [ + profile-type-choice ] 439 ? corim.rim-validity => validity-map 440 ? corim.entities => [ + corim-entity-map ] 441 * $$corim-map-extension 442 } 444 $corim-id-type-choice /= tstr 445 $corim-id-type-choice /= uuid-type 447 profile-type-choice = uri / tagged-oid-type 449 $concise-tag-type-choice /= #6.505(bytes .cbor concise-swid-tag) 450 $concise-tag-type-choice /= #6.506(bytes .cbor concise-mid-tag) 452 corim.id: Typically a UUID or a text string that MUST uniquely 453 identify a CoRIM in a given scope. 455 corim.tags: A collection of one or more CoMID tags and/or CoSWID 456 tags. 458 corim.dependent-rims: One or more services available via the 459 Internet that can supply additional, possibly dependent manifests 460 (or other associated resources). 462 corim.profile: One or more profiles that define the domain of 463 interpretation of the CoMID and/or CoSWID tags. 465 corim.rim-validity: The validity of the CoRIM expressed as a 466 validity-map. 468 corim.entities: One or more entities involved in the creation of 469 this CoRIM. 471 $$corim-map-extension: This CDDL socket is used to add new 472 information elements to the corim-map container. See FIXME. 474 3.2.1. The corim-entity-map Container 476 This Container contains qualifying attributes that provide more 477 context information about the RIM as well its origin and purpose. 478 This rule and its constraints MUST be followed when generating or 479 validating a CoRIM tag 481 corim-entity-map = { 482 corim.entity-name => $entity-name-type-choice 483 ? corim.reg-id => uri 484 corim.role => $corim-role-type-choice 485 * $$corim-entity-map-extension 486 } 488 $corim-role-type-choice /= corim.manifest-creator 490 corim.entity-name: The name of an organization that performs the 491 roles as indicated by comid.role. 493 corim.reg-id: The registration identifier of the organization that 494 has authority over the namespace for comid.entity-name. 496 corim.role: The list of roles the entity is associated with. The 497 entity that generates the CoRIM SHOULD include a $comid-role-type- 498 choice value of corim.manifest-creator. 500 $$corim-entity-map-extension: This CDDL socket is used to add new 501 information elements to the corim-entity-map container. See 502 FIXME. 504 3.2.2. The corim-locator-map Container 506 This map is used to locate and verify the integrity of resources 507 provided by external services, e.g. the CoRIM provider. 509 corim-locator-map = { 510 corim.href => uri 511 ? corim.thumbprint => hash-entry 512 } 514 corim.href: A pointer to a services that supplies dependent files or 515 records. 517 corim.thumbprint: A digest of the reference resource. 519 3.3. The concise-mid-tag Container 521 The CDDL specification for the root concise-mid-tag map is as 522 follows. This rule and its constraints MUST be followed when 523 generating or validating a CoMID tag. 525 concise-mid-tag = { 526 ? comid.language => language-type 527 comid.tag-identity => tag-identity-map 528 ? comid.entities => [ + entity-map ] 529 ? comid.linked-tags => [ + linked-tag-map ] 530 comid.triples => triples-map 531 * $$concise-mid-tag-extension 532 } 534 The following describes each member of the concise-mid-tag root map. 536 comid.language: A textual language tag that conforms with the IANA 537 Language Subtag Registry [IANA.language-subtag-registry]. 539 comid.tag-identity: A composite identifier containing identifying 540 attributes that enable global unique identification of a CoMID tag 541 across versions. 543 comid.entity: A list of entities that contributed to the CoMID tag. 545 comid.linked-tags: A lost of tags that are linked to this CoMID tag. 547 comid.triples: A set of relationships in the form of triples, 548 representing a graph-like and semantic reference structure between 549 tags. 551 $$comid-mid-tag-extension: This CDDL socket is used to add new 552 information elements to the concise-mid-tag root container. See 553 FIXME. 555 3.4. The tag-identity-map Container 557 The CDDL specification for the tag-identity-map includes all 558 identifying attributes that enable a consumer of information to 559 anticipate required capabilities to process the corresponding tag 560 that map is included in. This rule and its constraints MUST be 561 followed when generating or validating a CoMID tag. 563 tag-identity-map = { 564 comid.tag-id => $tag-id-type-choice 565 comid.tag-version => tag-version-type 566 } 568 $tag-id-type-choice /= tstr 569 $tag-id-type-choice /= uuid-type 571 tag-version-type = uint .default 0 573 The following describes each member of the tag-identity-map 574 container. 576 comid.tag-id: An identifier for a CoMID that MUST be globally 577 unique. 579 comid.tag-version: An unsigned integer used as a version identifier. 581 $$tag-identity-map-extension: This CDDL socket is used to add new 582 information elements to the tag-identity-map container. See 583 FIXME. 585 3.5. The entity-map Container 587 This Container provides qualifying attributes that provide more 588 context information describing the module as well its origin and 589 purpose. This rule and its constraints MUST be followed when 590 generating or validating a CoMID tag. 592 entity-map = { 593 comid.entity-name => $entity-name-type-choice 594 ? comid.reg-id => uri 595 comid.role => one-or-more<$comid-role-type-choice> 596 * $$entity-map-extension 597 } 599 $comid-role-type-choice /= comid.tag-creator 600 $comid-role-type-choice /= comid.creator 601 $comid-role-type-choice /= comid.maintainer 603 The following describes each member of the tag-identity-map 604 container. 606 comid.entity-name: The name of an organization that performs the 607 roles as indicated by comid.role. 609 comid.reg-id: The registration identifier of the organization that 610 has authority over the namespace for comid.entity-name. 612 comid.role: The list of roles a CoMID entity is associated with. 613 The entity that generates the concise-mid-tag SHOULD include a 614 $comid-role-type-choice value of comid.tag-creator. 616 $$entity-map-extension: This CDDL socket is used to add new 617 information elements to the entity-map container. See FIXME. 619 3.6. The linked-tag-map Container 621 A list of tags that are linked to this CoMID tag. 623 linked-tag-map = { 624 comid.linked-tag-id => $tag-id-type-choice 625 comid.tag-rel => $tag-rel-type-choice 626 } 628 $tag-rel-type-choice /= comid.supplements 629 $tag-rel-type-choice /= comid.replaces 631 The following describes each member of the linked-tag-map container. 633 comid.linked-tag-id: The tag-id of the linked tag. A linked tag MAY 634 be a CoMID tag or a CoSWID tag. 636 comid.tag-rel: The relationship type with the linked tag. The 637 relationship type MAY be supplements or replaces, as well as other 638 types well-defined by additional specifications. 640 3.7. The triples-map Container 642 A set of directed properties that associate sets of data to provide 643 reference values, endorsed values, verification key material or 644 identifying key material for a specific hardware module that is a 645 component of a composite device. The map provides the core element 646 of CoMID tags that associate remote attestation relevant data with a 647 distinct hardware component that runs an execution environment (a 648 module that is either a Target Environment and/or an Attesting 649 Environment). This rule and its constraints MUST be followed when 650 generating or validating a CoMID tag. 652 triples-map = non-empty<{ 653 ? comid.reference-triples => one-or-more 654 ? comid.endorsed-triples => one-or-more 655 ? comid.attest-key-triples => one-or-more 656 ? comid.identity-triples => one-or-more 657 * $$triples-map-extension 658 }> 659 The following describes each member of the triple-map container. 661 comid.reference-triples: A directed property that associates 662 reference measurements with a module that is a Target Environment. 664 comid.endorsed-triples: A directed property that associates endorsed 665 measurements with a module that is a Target Environment or 666 Attesting Environment. 668 comid.attest-key-triples: A directed property that associates key 669 material used to verify evidence generated from a module that is 670 an attesting environment. 672 comid.identity-triples: A directed property that associates key 673 material used to identify a module instance or a module class that 674 is an identifying part of a device(-set). 676 $$triples-map-extension: This CDDL socket is used to add new 677 information elements to the triples-map container. See FIXME. 679 3.8. The environment-map Container 681 This map represents the module(s) that a triple-map can point 682 directed properties (relationships) from in order to associate them 683 with external information for remote attestation, such as reference 684 values, endorsement and endorsed values, verification key material 685 for evidence, or identifying key material for module 686 (re-)identification. This map can identify a single module instance 687 via comid.instance or groups of modules via comid.group. Referencing 688 classes of modules requires the use of the more complex class-map 689 container. This rule and its constraints MUST be followed when 690 generating or validating a CoMID tag. 692 environment-map = non-empty<{ 693 ? comid.class => class-map 694 ? comid.instance => $instance-id-type-choice 695 ? comid.group => $group-id-type-choice 696 }> 698 $instance-id-type-choice /= tagged-ueid-type 699 $instance-id-type-choice /= tagged-uuid-type 701 $group-id-type-choice /= tagged-uuid-type 703 The following describes each member of the environment-map container. 705 comid-class: A composite identifier for classes of environments/ 706 modules. 708 comid.instance: An identifier for distinct instances of 709 environments/modules that is either a UEID or a UUID. 711 comid.group: An identifier for a group of environments/modules that 712 is a UUID. 714 3.9. The class-map Container 716 This map enables a composite identifier intended to uniquely identify 717 modules that are of a distinct class of devices. Effectively, all 718 provided members in combination are a composite module class 719 identifier. This rule and its constraints MUST be followed when 720 generating or validating a CoMID tag. This rule and its constraints 721 MUST be followed when generating or validating a CoMID tag. 723 class-map = non-empty<{ 724 ? comid.class-id => $class-id-type-choice 725 ? comid.vendor => tstr 726 ? comid.model => tstr 727 ? comid.layer => uint 728 ? comid.index => uint 729 }> 731 $class-id-type-choice /= tagged-oid-type 732 $class-id-type-choice /= tagged-uuid-type 733 $class-id-type-choice /= tagged-int-type 735 The following describes each member of the class-map container. 737 comid.class-id: TODO 739 comid.vendor TODO 741 comid.model TODO 743 comid.layer TODO 745 comid.index TODO 747 3.10. The measurement-map and measurement-values-map Containers 749 One of the targets (range) that a triple-map can point to in order to 750 associate it with a module (domain) is the measurement-map. This map 751 is used to provide reference measurements values that can be compared 752 with Evidence Claim values or Endorsements and endorsed values from 753 other sources than the corresponding CoRIM. measurement-map comes 754 with a measurement key that identifies the measured element with via 755 a OID reference or a UUID. measurement-values-map contains the actual 756 measurements associated with the module(s). Byte strings with 757 corresponding bit masks that highlights which bits in the byte string 758 are used as reference measurements or endorsement are located in raw- 759 value-group. The members of measurement-values-map provide well- 760 defined and well-scoped semantics for reference measurement or 761 endorsements with respect to a given module instance, class, or 762 group. This rule and its constraints MUST be followed when 763 generating or validating a CoMID tag. 765 measurement-map = { 766 ? comid.mkey => $measured-element-type-choice 767 comid.mval => measurement-values-map 768 } 770 $measured-element-type-choice /= tagged-oid-type 771 $measured-element-type-choice /= tagged-uuid-type 772 $measured-element-type-choice /= uint 774 measurement-values-map = non-empty<{ 775 ? comid.ver => version-map 776 ? comid.svn => svn-type-choice 777 ? comid.digests => digests-type 778 ? comid.flags => flags-type 779 ? raw-value-group 780 ? comid.mac-addr => mac-addr-type-choice 781 ? comid.ip-addr => ip-addr-type-choice 782 ? comid.serial-number => serial-number-type 783 ? comid.ueid => ueid-type 784 ? comid.uuid => uuid-type 785 ? comid.name => tstr 786 * $$measurement-values-map-extension 787 }> 789 flags-type = bytes .bits operational-flags 791 $operational-flags /= &( not-configured: 0 ) 792 $operational-flags /= &( not-secure: 1 ) 793 $operational-flags /= &( recovery: 2 ) 794 $operational-flags /= &( debug: 3 ) 795 $operational-flags /= &( not-replay-protected: 4 ) 796 $operational-flags /= &( not-integrity-protected: 5 ) 798 serial-number-type = text 800 digests-type = [ + hash-entry ] 802 The following describes each member of the measurement-map and the 803 measurement-values-map container. 805 comid.mkey: An identifier for the set of measurements expressed in 806 measurement-values-map that is either an OID or a UUID. 808 comid.ver: A version number measurement. 810 comid.svn: A security related version number measurement. 812 comid.digests: A digest (typically a hash value) measurement. 814 comid.flags: Measurements that reflect operational modes that are 815 made permanent at manufacturing time such that they are not 816 expected to change during normal operation of the Attester. 818 raw-value-group: A measurement in the form of a byte string that can 819 come with a corresponding bit mask defining the relevance of each 820 bit in the byte string as a measurement. 822 comid.mac-addr: An EUI-48 or EUI-64 MAC address measurement. 824 comid.ip-addr: An Ipv4 or Ipv6 address measurement. 826 comid.serial-number: A measurement of a serial number in text. 828 comid.ueid: A measurement of a Unique Enough Identifier (UEID). 830 comid.uuid: A measurement of a Universally Unique Identifier (UUID). 832 comid.name: TODO 834 $$measurement-values-map-extension: This CDDL socket is used to add 835 new information elements to the measurement-values-map container. 836 See FIXME. 838 3.10.1. The version-map Container 840 This map expresses reference values about version information. 842 version-map = { 843 comid.version => version-type 844 ? comid.version-scheme => $version-scheme 845 } 847 version-type = text .default '0.0.0' 849 The following describes each member of the version-map container. 851 comid.version: The version in the form of a text string. 853 comid-version-scheme: The version-scheme of the text string value as 854 defined in [I-D.ietf-sacm-coswid] 856 3.10.2. The svn-type-choice Enumeration 858 This choice defines the CBOR tagged Security Version Numbers (SVN) 859 that can be used as reference values for Evidence and Endorsements. 861 svn-type = uint 862 svn = svn-type 863 min-svn = svn-type 864 tagged-svn = #6.552(svn) 865 tagged-min-svn = #6.553(min-svn) 866 svn-type-choice = tagged-svn / tagged-min-svn 868 The following describes the types in the svn-type-choice enumeration. 870 tagged-svn: A specific SVN. 872 tagged-min-svn: A lower bound for allowed SVN. 874 3.10.3. The raw-value-group Container 876 FIXME This group can express a single raw byte value and can come 877 with an optional bit mask that defines which bits in the byte string 878 is used as a reference value, by setting corresponding position in 879 the bit mask to 1. 881 raw-value-group = ( 882 comid.raw-value => $raw-value-type-choice 883 ? comid.raw-value-mask => raw-value-mask-type 884 ) 886 $raw-value-type-choice /= #6.560(bytes) 888 raw-value-mask-type = bytes 890 The following describes the types in the raw-value-group Container. 892 comid.raw-value: FIXME Bit positions in raw-value-type that 893 correspond to bit positions in raw-value-mask-type. 895 comid.raw-value-mask: A raw-value-mask-type bit corresponding to a 896 bit in raw-value-type MUST be 1 to evaluate the corresponding raw- 897 value-type bit. 899 3.10.4. The ip-addr-type-choice Enumeration 901 This type choice expresses IP addresses as reference values. 903 ip-addr-type-choice = ip4-addr-type / ip6-addr-type 904 ip4-addr-type = bytes .size 4 905 ip6-addr-type = bytes .size 16 907 3.10.5. The mac-addr-type-choice Enumeration 909 This type choice expresses MAC addresses as reference values. 911 mac-addr-type-choice = eui48-addr-type / eui64-addr-type 912 eui48-addr-type = bytes .size 6 913 eui64-addr-type = bytes .size 8 915 3.11. The verification-key-map Container 917 One of the targets (range) that a triple-map can point to in order to 918 associate it with a module (domain). This map is used to provide the 919 key material for evidence verification (effectively signature 920 checking or a lightweight proof-of-possession of private signing key 921 material) or for identity assertion/check (where a proof-of- 922 possession implies a certain device identity). In support of 923 informed trust decisions, an optional trust anchor in the form a PKIX 924 certification path that is associated with the provided key material 925 can be included. This rule and its constraints MUST be followed when 926 generating or validating a CoMID tag. 928 verification-key-map = { 929 comid.key => pkix-base64-key-type 930 ? comid.keychain => [ + pkix-base64-cert-type ] 931 } 933 pkix-base64-key-type = tstr 934 pkix-base64-cert-type = tstr 936 The following describes each member of the verification-key-map 937 container. 939 comid.key: Verification key material in DER format base64 encoded. 940 Typically, but not necessarily, a public key. 942 comid.keychain: One or more base64 encoded PKIX certificates. The 943 certificate containing the public key in comid.key MUST be the 944 first certificate. Additional certificates MAY follow. Each 945 subsequent certificate SHOULD certify the previous certificate. 947 4. Full CDDL Definition 949 This section aggregates the CDDL definitions specified in this 950 document in a full CDDL definitions including: 952 * the COSE envelope for CoRIM: signed-corim 954 * the CoRIM document: unsigned-corim 956 * the CoMID document: concise-mid-tag 958 Not included in the full CDDL definition are CDDL dependencies to 959 CoSWID. The following CDDL definitions can be found in 960 [I-D.ietf-sacm-coswid]: 962 * the COSE envelope for CoRIM: signed-coswid 964 * the CoSWID document: concise-swid-tag 966 967 corim = #6.500($concise-reference-integrity-manifest-type-choice) 969 $concise-reference-integrity-manifest-type-choice /= #6.501(unsigned-corim-map) 970 $concise-reference-integrity-manifest-type-choice /= #6.502(signed-corim) 972 signed-corim = #6.18(COSE-Sign1-corim) 974 protected-signed-corim-header-map = { 975 corim.alg-id => int 976 corim.content-type => "application/rim+cbor" 977 corim.issuer-key-id => bstr 978 corim.meta => corim-meta-map 979 * cose-label => cose-values 980 } 982 corim-meta-map = { 983 corim.signer => [ + corim-entity-map ] 984 ? corim.validity => validity-map 985 } 987 corim-entity-map = { 988 corim.entity-name => $entity-name-type-choice 989 ? corim.reg-id => uri 990 corim.role => $corim-role-type-choice 991 * $$corim-entity-map-extension 992 } 993 $corim-role-type-choice /= corim.manifest-creator 994 $corim-role-type-choice /= corim.manifest-signer 996 validity-map = { 997 ? corim.not-before => time 998 corim.not-after => time 999 } 1001 unprotected-signed-corim-header-map = { 1002 * cose-label => cose-values 1003 } 1005 COSE-Sign1-corim = [ 1006 protected: bstr .cbor protected-signed-corim-header-map 1007 unprotected: unprotected-signed-corim-header-map 1008 payload: bstr .cbor unsigned-corim-map 1009 signature: bstr 1010 ] 1012 unsigned-corim-map = { 1013 corim.id => $corim-id-type-choice 1014 corim.tags => [ + $concise-tag-type-choice ] 1015 ? corim.dependent-rims => [ + corim-locator-map ] 1016 ? corim.profile => [ + profile-type-choice ] 1017 * $$unsigned-corim-map-extension 1018 } 1020 profile-type-choice = uri / tagged-oid-type 1022 corim-locator-map = { 1023 corim.href => uri 1024 ? corim.thumbprint => hash-entry 1025 } 1027 $concise-tag-type-choice /= #6.505(bytes .cbor concise-swid-tag) 1028 $concise-tag-type-choice /= #6.506(bytes .cbor concise-mid-tag) 1030 concise-mid-tag = { 1031 ? comid.language => language-type 1032 comid.tag-identity => tag-identity-map 1033 ? comid.entity => [ + entity-map ] 1034 ? comid.linked-tags => [ + linked-tag-map ] 1035 comid.triples => triples-map 1036 * $$concise-mid-tag-extension 1037 } 1038 language-type = text 1040 tag-identity-map = { 1041 comid.tag-id => $tag-id-type-choice 1042 ? comid.tag-version => tag-version-type 1043 } 1045 $tag-id-type-choice /= tstr 1046 $tag-id-type-choice /= uuid-type 1048 tag-version-type = uint .default 0 1050 entity-map = { 1051 comid.entity-name => $entity-name-type-choice 1052 ? comid.reg-id => uri 1053 comid.role => [ + $comid-role-type-choice ] 1054 * $$entity-map-extension 1055 } 1057 $comid-role-type-choice /= comid.tag-creator 1058 $comid-role-type-choice /= comid.creator 1059 $comid-role-type-choice /= comid.maintainer 1061 linked-tag-map = { 1062 comid.linked-tag-id => $tag-id-type-choice 1063 comid.tag-rel => $tag-rel-type-choice 1064 } 1066 $tag-rel-type-choice /= comid.supplements 1067 $tag-rel-type-choice /= comid.replaces 1069 triples-map = non-empty<{ 1070 ? comid.reference-triples => [ + reference-triple-record ] 1071 ? comid.endorsed-triples => [ + endorsed-triple-record ] 1072 ? comid.attest-key-triples => [ + attest-key-triple-record ] 1073 ? comid.identity-triples => [ + identity-triple-record ] 1074 * $$triples-map-extension 1075 }> 1077 reference-triple-record = [ 1078 environment-map ; target environment 1079 [ + measurement-map ] ; reference measurements 1080 ] 1082 endorsed-triple-record = [ 1083 environment-map ; (target or attesting) environment 1084 [ + measurement-map ] ; endorsed measurements 1085 ] 1086 attest-key-triple-record = [ 1087 environment-map ; attesting environment 1088 [ + verification-key-map ] ; attestation verification key(s) 1089 ] 1091 identity-triple-record = [ 1092 environment-map ; device identifier (instance or class) 1093 [ + verification-key-map ] ; DevID, or semantically equivalent 1094 ] 1096 pkix-base64-key-type = tstr 1097 pkix-base64-cert-type = tstr 1099 verification-key-map = { 1100 ; Verification key in DER format base64-encoded. 1101 ; Typically, but not necessarily a public key. 1102 comid.key => pkix-base64-key-type 1103 ; Optional X.509 certificate chain corresponding to the public key 1104 ; in comid.key, encoded as an array of one or more base64-encoded 1105 ; DER PKIX certificates. The certificate containing the public key 1106 ; in comid.key MUST be the first certificate. This MAY be followed 1107 ; by additional certificates, with each subsequent certificate 1108 ; being the one used to certify the previous one. 1109 ? comid.keychain => [ + pkix-base64-cert-type ] 1110 } 1112 environment-map = non-empty<{ 1113 ? comid.class => class-map 1114 ? comid.instance => $instance-id-type-choice 1115 ? comid.group => $group-id-type-choice 1116 }> 1118 class-map = non-empty<{ 1119 ? comid.class-id => $class-id-type-choice 1120 ? comid.vendor => tstr 1121 ? comid.model => tstr 1122 ? comid.layer => uint 1123 ? comid.index => uint 1124 }> 1126 $class-id-type-choice /= tagged-oid-type 1127 $class-id-type-choice /= tagged-uuid-type 1129 $instance-id-type-choice /= tagged-ueid-type 1130 $instance-id-type-choice /= tagged-uuid-type 1132 $group-id-type-choice /= tagged-uuid-type 1133 oid-type = bytes 1134 tagged-oid-type = #6.111(oid-type) 1136 tagged-uuid-type = #6.37(uuid-type) 1138 ueid-type = bytes .size 33 1139 tagged-ueid-type = #6.550(ueid-type) 1141 $measured-element-type-choice /= tagged-oid-type 1142 $measured-element-type-choice /= tagged-uuid-type 1144 measurement-map = { 1145 ? comid.mkey => $measured-element-type-choice 1146 comid.mval => measurement-values-map 1147 } 1149 measurement-values-map = non-empty<{ 1150 ? comid.ver => version-map 1151 ? comid.svn => svn-type-choice 1152 ? comid.digests => digests-type 1153 ? comid.flags => flags-type 1154 ? raw-value-group 1155 ? comid.mac-addr => mac-addr-type-choice 1156 ? comid.ip-addr => ip-addr-type-choice 1157 ? comid.serial-number => serial-number-type 1158 ? comid.ueid => ueid-type 1159 ? comid.uuid => uuid-type 1160 * $$measurement-values-map-extension 1161 }> 1163 version-map = { 1164 comid.version => version-type 1165 ? comid.version-scheme => $version-scheme 1166 } 1167 version-type = text .default '0.0.0' 1169 svn = int 1170 min-svn = int 1171 tagged-svn = #6.552(svn) 1172 tagged-min-svn = #6.553(min-svn) 1173 svn-type-choice = tagged-svn / tagged-min-svn 1175 flags-type = bytes .bits operational-flags 1177 operational-flags = &( 1178 not-configured: 0 1179 not-secure: 1 1180 recovery: 2 1181 debug: 3 1182 ) 1184 raw-value-group = ( 1185 comid.raw-value => raw-value-type 1186 ? comid.raw-value-mask => raw-value-mask-type 1187 ) 1189 raw-value-type = bytes 1190 raw-value-mask-type = bytes 1192 ip-addr-type-choice = ip4-addr-type / ip6-addr-type 1193 ip4-addr-type = bytes .size 4 1194 ip6-addr-type = bytes .size 16 1196 mac-addr-type-choice = eui48-addr-type / eui64-addr-type 1197 eui48-addr-type = bytes .size 6 1198 eui64-addr-type = bytes .size 8 1200 serial-number-type = text 1202 digests-type = [ + hash-entry ] 1204 concise-swid-tag = { 1205 tag-id => text / bstr .size 16, 1206 tag-version => integer, 1207 ? corpus => bool, 1208 ? patch => bool, 1209 ? supplemental => bool, 1210 software-name => text, 1211 ? software-version => text, 1212 ? version-scheme => $version-scheme, 1213 ? media => text, 1214 ? software-meta => one-or-more, 1215 entity => one-or-more, 1216 ? link => one-or-more, 1217 ? payload-or-evidence, 1218 * $$coswid-extension, 1219 global-attributes, 1220 } 1222 payload-or-evidence //= ( payload => payload-entry ) 1223 payload-or-evidence //= ( evidence => evidence-entry ) 1225 any-uri = uri 1226 label = text / int 1227 $version-scheme /= multipartnumeric 1228 $version-scheme /= multipartnumeric-suffix 1229 $version-scheme /= alphanumeric 1230 $version-scheme /= decimal 1231 $version-scheme /= semver 1232 $version-scheme /= int / text 1234 any-attribute = ( 1235 label => one-or-more / one-or-more 1236 ) 1238 one-or-more = T / [ 2* T ] 1240 global-attributes = ( 1241 ? lang => text, 1242 * any-attribute, 1243 ) 1245 hash-entry = [ 1246 hash-alg-id: int, 1247 hash-value: bytes, 1248 ] 1250 entity-entry = { 1251 entity-name => text, 1252 ? reg-id => any-uri, 1253 role => one-or-more<$role>, 1254 ? thumbprint => hash-entry, 1255 * $$entity-extension, 1256 global-attributes, 1257 } 1259 $role /= tag-creator 1260 $role /= software-creator 1261 $role /= aggregator 1262 $role /= distributor 1263 $role /= licensor 1264 $role /= maintainer 1265 $role /= int / text 1267 link-entry = { 1268 ? artifact => text, 1269 href => any-uri, 1270 ? media => text, 1271 ? ownership => $ownership, 1272 rel => $rel, 1273 ? media-type => text, 1274 ? use => $use, 1275 * $$link-extension, 1276 global-attributes, 1277 } 1279 $ownership /= shared 1280 $ownership /= private 1281 $ownership /= abandon 1282 $ownership /= int / text 1284 $rel /= ancestor 1285 $rel /= component 1286 $rel /= feature 1287 $rel /= installationmedia 1288 $rel /= packageinstaller 1289 $rel /= parent 1290 $rel /= patches 1291 $rel /= requires 1292 $rel /= see-also 1293 $rel /= supersedes 1294 $rel /= supplemental 1295 $rel /= -256..64436 / text 1297 $use /= optional 1298 $use /= required 1299 $use /= recommended 1300 $use /= int / text 1302 software-meta-entry = { 1303 ? activation-status => text, 1304 ? channel-type => text, 1305 ? colloquial-version => text, 1306 ? description => text, 1307 ? edition => text, 1308 ? entitlement-data-required => bool, 1309 ? entitlement-key => text, 1310 ? generator => text, 1311 ? persistent-id => text, 1312 ? product => text, 1313 ? product-family => text, 1314 ? revision => text, 1315 ? summary => text, 1316 ? unspsc-code => text, 1317 ? unspsc-version => text, 1318 * $$software-meta-extension, 1319 global-attributes, 1320 } 1322 path-elements-group = ( ? directory => one-or-more, 1323 ? file => one-or-more, 1324 ) 1326 resource-collection = ( 1327 path-elements-group, 1328 ? process => one-or-more, 1329 ? resource => one-or-more, 1330 * $$resource-collection-extension, 1331 ) 1333 file-entry = { 1334 filesystem-item, 1335 ? size => uint, 1336 ? file-version => text, 1337 ? hash => hash-entry, 1338 * $$file-extension, 1339 global-attributes, 1340 } 1342 directory-entry = { 1343 filesystem-item, 1344 ? path-elements => { path-elements-group }, 1345 * $$directory-extension, 1346 global-attributes, 1347 } 1349 process-entry = { 1350 process-name => text, 1351 ? pid => integer, 1352 * $$process-extension, 1353 global-attributes, 1354 } 1356 resource-entry = { 1357 type => text, 1358 * $$resource-extension, 1359 global-attributes, 1360 } 1362 filesystem-item = ( 1363 ? key => bool, 1364 ? location => text, 1365 fs-name => text, 1366 ? root => text, 1367 ) 1369 payload-entry = { 1370 resource-collection, 1371 * $$payload-extension, 1372 global-attributes, 1373 } 1375 evidence-entry = { 1376 resource-collection, 1377 ? date => integer-time, 1378 ? device-id => text, 1379 * $$evidence-extension, 1380 global-attributes, 1381 } 1383 integer-time = #6.1(int) 1385 tag-id = 0 1386 software-name = 1 1387 entity = 2 1388 evidence = 3 1389 link = 4 1390 software-meta = 5 1391 payload = 6 1392 hash = 7 1393 corpus = 8 1394 patch = 9 1395 media = 10 1396 supplemental = 11 1397 tag-version = 12 1398 software-version = 13 1399 version-scheme = 14 1400 lang = 15 1401 directory = 16 1402 file = 17 1403 process = 18 1404 resource = 19 1405 size = 20 1406 file-version = 21 1407 key = 22 1408 location = 23 1409 fs-name = 24 1410 root = 25 1411 path-elements = 26 1412 process-name = 27 1413 pid = 28 1414 type = 29 1415 entity-name = 31 1416 reg-id = 32 1417 role = 33 1418 thumbprint = 34 1419 date = 35 1420 device-id = 36 1421 artifact = 37 1422 href = 38 1423 ownership = 39 1424 rel = 40 1425 media-type = 41 1426 use = 42 1427 activation-status = 43 1428 channel-type = 44 1429 colloquial-version = 45 1430 description = 46 1431 edition = 47 1432 entitlement-data-required = 48 1433 entitlement-key = 49 1434 generator = 50 1435 persistent-id = 51 1436 product = 52 1437 product-family = 53 1438 revision = 54 1439 summary = 55 1440 unspsc-code = 56 1441 unspsc-version = 57 1443 multipartnumeric = 1 1444 multipartnumeric-suffix = 2 1445 alphanumeric = 3 1446 decimal = 4 1447 semver = 16384 1449 tag-creator=1 1450 software-creator=2 1451 aggregator=3 1452 distributor=4 1453 licensor=5 1454 maintainer=6 1456 shared=1 1457 private=2 1458 abandon=3 1460 ancestor=1 1461 component=2 1462 feature=3 1463 installationmedia=4 1464 packageinstaller=5 1465 parent=6 1466 patches=7 1467 requires=8 1468 see-also=9 1469 supersedes=10 1471 optional=1 1472 required=2 1473 recommended=3 1475 comid.language = 0 1476 comid.tag-identity = 1 1477 comid.entity = 2 1478 comid.linked-tags = 3 1479 comid.triples = 4 1481 comid.tag-id = 0 1482 comid.tag-version = 1 1484 comid.entity-name = 0 1485 comid.reg-id = 1 1486 comid.role = 2 1488 comid.linked-tag-id = 0 1489 comid.tag-rel = 1 1491 comid.reference-triples = 0 1492 comid.endorsed-triples = 1 1493 comid.identity-triples = 2 1494 comid.attest-key-triples = 3 1496 comid.class = 0 1497 comid.instance = 1 1498 comid.group = 2 1500 comid.class-id = 0 1501 comid.vendor = 1 1502 comid.model = 2 1503 comid.layer = 3 1504 comid.index = 4 1506 comid.mkey = 0 1507 comid.mval = 1 1509 comid.ver = 0 1510 comid.svn = 1 1511 comid.digests = 2 1512 comid.flags = 3 1513 comid.raw-value = 4 1514 comid.raw-value-mask = 5 1515 comid.mac-addr = 6 1516 comid.ip-addr = 7 1517 comid.serial-number = 8 1518 comid.ueid = 9 1519 comid.uuid = 10 1521 comid.key = 0 1522 comid.keychain = 1 1524 comid.version = 0 1525 comid.version-scheme = 1 1527 comid.supplements = 0 1529 comid.replaces = 1 1531 comid.tag-creator = 0 1532 comid.creator = 1 1533 comid.maintainer = 2 1535 corim.id = 0 1536 corim.tags = 1 1537 corim.dependent-rims = 2 1538 corim.profile = 3 1540 corim.href = 0 1541 corim.thumbprint = 1 1543 corim.alg-id = 1 1544 corim.content-type = 3 1545 corim.issuer-key-id = 4 1546 corim.meta = 8 1548 corim.not-before = 0 1549 corim.not-after = 1 1551 corim.signer = 0 1552 corim.validity = 1 1554 corim.entity-name = 0 1555 corim.reg-id = 1 1556 corim.role = 2 1558 corim.manifest-creator = 1 1560 corim.manifest-signer = 2 1561 non-empty = (M) .within ({ + any => any }) 1563 cose-label = int / tstr 1564 cose-values = any 1566 $entity-name-type-choice /= text 1568 $corim-id-type-choice /= tstr 1569 $corim-id-type-choice /= uuid-type 1571 uuid-type = bytes .size 16 1573 1575 5. Privacy Considerations 1577 Privacy Considerations 1579 6. Security Considerations 1581 Security Considerations 1583 7. IANA Considerations 1585 This document has a number of IANA considerations, as described in 1586 the following subsections. In summary, 6 new registries are 1587 established with this request, with initial entries provided for each 1588 registry. New values for 5 other registries are also requested. 1590 7.1. COSE Header Parameters Registry 1592 The 'corim metadata' parameter has been added to the "COSE Header 1593 Parameters" registry: 1595 * Name: 'corim metadata' 1597 * Label: 11 1599 * Value: corim-meta-map 1601 * Description: Provides a map of additional metadata for a CoRIM 1602 payload composed of (1) one or more entities that created or 1603 signed the corresponding CoRIM and (2) its period of validity 1605 * Reference: 'corim-meta-map' in {model-corim-meta-map} of this 1606 document 1608 7.2. CoRIM Map Items Registry 1610 This document defines a new registry titled "CoRIM Map". The 1611 registry uses integer values as index values for items in 'unsigned- 1612 corim-map' CBOR maps. 1614 Future registrations for this registry are to be made based on 1615 [RFC8126] as follows: 1617 +=========+=========================+ 1618 | Range | Registration Procedures | 1619 +=========+=========================+ 1620 | 0-127 | Standards Action | 1621 +---------+-------------------------+ 1622 | 128-255 | Specification Required | 1623 +---------+-------------------------+ 1625 Table 3: CoRIM Map Items 1626 Registration Procedures 1628 All negative values are reserved for Private Use. 1630 Initial registrations for the "CoRIM Map" registry are provided 1631 below. Assignments consist of an integer index value, the item name, 1632 and a reference to the defining specification. 1634 +=======+======================+===============+ 1635 | Index | Item Name | Specification | 1636 +=======+======================+===============+ 1637 | 0 | corim.id | RFC-AAAA | 1638 +-------+----------------------+---------------+ 1639 | 1 | corim.tags | RFC-AAAA | 1640 +-------+----------------------+---------------+ 1641 | 2 | corim.dependent-rims | RFC-AAAA | 1642 +-------+----------------------+---------------+ 1643 | 3-255 | Unassigned | | 1644 +-------+----------------------+---------------+ 1646 Table 4: CoRIM Map Items Initial Registrations 1648 7.3. CoRIM Entity-Map Items Registry 1650 This document defines a new registry titled "CoRIM Entity Map". The 1651 registry uses integer values as index values for items in 'corim- 1652 enentity-map' CBOR maps. 1654 Future registrations for this registry are to be made based on 1655 [RFC8126] as follows: 1657 +=========+=========================+ 1658 | Range | Registration Procedures | 1659 +=========+=========================+ 1660 | 0-127 | Standards Action | 1661 +---------+-------------------------+ 1662 | 128-255 | Specification Required | 1663 +---------+-------------------------+ 1665 Table 5: CoRIM Entity Map Items 1666 Registration Procedures 1668 All negative values are reserved for Private Use. 1670 Initial registrations for the "CoRIM Entity Map" registry are 1671 provided below. Assignments consist of an integer index value, the 1672 item name, and a reference to the defining specification. 1674 +=======+===================+===============+ 1675 | Index | Item Name | Specification | 1676 +=======+===================+===============+ 1677 | 0 | corim.entity-name | RFC-AAAA | 1678 +-------+-------------------+---------------+ 1679 | 1 | corim.reg-id | RFC-AAAA | 1680 +-------+-------------------+---------------+ 1681 | 2 | corim.role | RFC-AAAA | 1682 +-------+-------------------+---------------+ 1683 | 3-255 | Unassigned | | 1684 +-------+-------------------+---------------+ 1686 Table 6: CoRIM Enity Map Items Initial 1687 Registrations 1689 7.4. CoRIM Entity-Types Registry 1691 This document defines a new registry titled "CoRIM Entity Types". 1692 The registry maintains well-defined integer values as choices for 1693 '$entity-name-type-choice' CBOR uints. 1695 Future registrations for this registry are to be made based on 1696 [RFC8126] as follows: 1698 +=========+=========================+ 1699 | Range | Registration Procedures | 1700 +=========+=========================+ 1701 | 0-127 | Standards Action | 1702 +---------+-------------------------+ 1703 | 128-255 | Specification Required | 1704 +---------+-------------------------+ 1706 Table 7: CoRIM Entity Types 1707 Registration Procedures 1709 All negative values are reserved for Private Use. 1711 Initial registrations for the "CoRIM Entity Types" registry are 1712 provided below. Assignments consist of an integer value, the item 1713 name, and a reference to the defining specification. 1715 +=======+========================+===============+ 1716 | Index | Item Name | Specification | 1717 +=======+========================+===============+ 1718 | 0 | corim.manifest-creator | RFC-AAAA | 1719 +-------+------------------------+---------------+ 1720 | 1 | corim.manifest-signer | RFC-AAAA | 1721 +-------+------------------------+---------------+ 1722 | 2-255 | Unassigned | | 1723 +-------+------------------------+---------------+ 1725 Table 8: CoRIM Entity Types Initial Registrations 1727 7.5. CoMID Map Items Registry 1729 This document defines a new registry titled "CoMID Map". The 1730 registry uses integer values as index values for items in 'concise- 1731 mid-tag' CBOR maps. 1733 Future registrations for this registry are to be made based on 1734 [RFC8126] as follows: 1736 +=========+=========================+ 1737 | Range | Registration Procedures | 1738 +=========+=========================+ 1739 | 0-127 | Standards Action | 1740 +---------+-------------------------+ 1741 | 128-255 | Specification Required | 1742 +---------+-------------------------+ 1744 Table 9: CoMID Map Items 1745 Registration Procedures 1747 All negative values are reserved for Private Use. 1749 Initial registrations for the "CoMID Map" registry are provided 1750 below. Assignments consist of an integer index value, the item name, 1751 and a reference to the defining specification. 1753 +=======+====================+===============+ 1754 | Index | Item Name | Specification | 1755 +=======+====================+===============+ 1756 | 0 | comid.language | RFC-AAAA | 1757 +-------+--------------------+---------------+ 1758 | 1 | comid.tag-identity | RFC-AAAA | 1759 +-------+--------------------+---------------+ 1760 | 2 | comid.entity | RFC-AAAA | 1761 +-------+--------------------+---------------+ 1762 | 3 | comid.linked-tags | RFC-AAAA | 1763 +-------+--------------------+---------------+ 1764 | 4 | comid.triples | RFC-AAAA | 1765 +-------+--------------------+---------------+ 1766 | 5-255 | Unassigned | | 1767 +-------+--------------------+---------------+ 1769 Table 10: CoMID Map Items Initial 1770 Registrations 1772 7.6. CoMID Entity-Map Items Registry 1774 This document defines a new registry titled "CoMID Entity Map". The 1775 registry uses integer values as index values for items in 'comid- 1776 entity-map' CBOR maps. 1778 Future registrations for this registry are to be made based on 1779 [RFC8126] as follows: 1781 +=========+=========================+ 1782 | Range | Registration Procedures | 1783 +=========+=========================+ 1784 | 0-127 | Standards Action | 1785 +---------+-------------------------+ 1786 | 128-255 | Specification Required | 1787 +---------+-------------------------+ 1789 Table 11: CoMID Entity Map Items 1790 Registration Procedures 1792 All negative values are reserved for Private Use. 1794 Initial registrations for the "CoMID Entity Map" registry are 1795 provided below. Assignments consist of an integer index value, the 1796 item name, and a reference to the defining specification. 1798 +=======+===================+===============+ 1799 | Index | Item Name | Specification | 1800 +=======+===================+===============+ 1801 | 0 | comid.entity-name | RFC-AAAA | 1802 +-------+-------------------+---------------+ 1803 | 1 | comid.reg-id | RFC-AAAA | 1804 +-------+-------------------+---------------+ 1805 | 2 | comid.role | RFC-AAAA | 1806 +-------+-------------------+---------------+ 1807 | 3-255 | Unassigned | | 1808 +-------+-------------------+---------------+ 1810 Table 12: CoMID Entity Map Items Initial 1811 Registrations 1813 7.7. CoMID Triples-Map Items Registry 1815 This document defines a new registry titled "CoMID Triples Map". The 1816 registry uses integer values as index values for items in 'comid- 1817 triples-map' CBOR maps. 1819 Future registrations for this registry are to be made based on 1820 [RFC8126] as follows: 1822 +=========+=========================+ 1823 | Range | Registration Procedures | 1824 +=========+=========================+ 1825 | 0-127 | Standards Action | 1826 +---------+-------------------------+ 1827 | 128-255 | Specification Required | 1828 +---------+-------------------------+ 1830 Table 13: CoMID triples Map Items 1831 Registration Procedures 1833 All negative values are reserved for Private Use. 1835 Initial registrations for the "CoMID Triples Map" registry are 1836 provided below. Assignments consist of an integer index value, the 1837 item name, and a reference to the defining specification. 1839 +=======+==========================+===============+ 1840 | Index | Item Name | Specification | 1841 +=======+==========================+===============+ 1842 | 0 | comid.reference-triples | RFC-AAAA | 1843 +-------+--------------------------+---------------+ 1844 | 1 | comid.endorsed-triples | RFC-AAAA | 1845 +-------+--------------------------+---------------+ 1846 | 2 | comid.identity-triples | RFC-AAAA | 1847 +-------+--------------------------+---------------+ 1848 | 3 | comid.attest-key-triples | RFC-AAAA | 1849 +-------+--------------------------+---------------+ 1850 | 4-255 | Unassigned | | 1851 +-------+--------------------------+---------------+ 1853 Table 14: CoMID Triples Map Items Initial 1854 Registrations 1856 7.8. CoMID Measurement-Values-Map Items Registry 1858 This document defines a new registry titled "CoMID Measurement-Values 1859 Map". The registry uses integer values as index values for items in 1860 'comid-measurement-values-map' CBOR maps. 1862 Future registrations for this registry are to be made based on 1863 [RFC8126] as follows: 1865 +=========+=========================+ 1866 | Range | Registration Procedures | 1867 +=========+=========================+ 1868 | 0-127 | Standards Action | 1869 +---------+-------------------------+ 1870 | 128-255 | Specification Required | 1871 +---------+-------------------------+ 1873 Table 15: CoMID Measurement- 1874 Values Map Items Registration 1875 Procedures 1877 All negative values are reserved for Private Use. 1879 Initial registrations for the "CoMID Measurement-Values Map" registry 1880 are provided below. Assignments consist of an integer index value, 1881 the item name, and a reference to the defining specification. 1883 +========+======================+===============+ 1884 | Index | Item Name | Specification | 1885 +========+======================+===============+ 1886 | 0 | comid.ver | RFC-AAAA | 1887 +--------+----------------------+---------------+ 1888 | 1 | comid.svn | RFC-AAAA | 1889 +--------+----------------------+---------------+ 1890 | 2 | comid.digests | RFC-AAAA | 1891 +--------+----------------------+---------------+ 1892 | 3 | comid.flags | RFC-AAAA | 1893 +--------+----------------------+---------------+ 1894 | 4 | comid.raw-value | RFC-AAAA | 1895 +--------+----------------------+---------------+ 1896 | 5 | comid.raw-value-mask | RFC-AAAA | 1897 +--------+----------------------+---------------+ 1898 | 6 | comid.mac-addr | RFC-AAAA | 1899 +--------+----------------------+---------------+ 1900 | 7 | comid.ip-addr | RFC-AAAA | 1901 +--------+----------------------+---------------+ 1902 | 8 | comid.serial-number | RFC-AAAA | 1903 +--------+----------------------+---------------+ 1904 | 9 | comid.ueid | RFC-AAAA | 1905 +--------+----------------------+---------------+ 1906 | 10 | comid.uuid | RFC-AAAA | 1907 +--------+----------------------+---------------+ 1908 | 11-255 | Unassigned | | 1909 +--------+----------------------+---------------+ 1911 Table 16: CoMID Measurement-Values Map Items 1912 Initial Registrations 1914 7.9. CoMID Tag-Relationship-Types Registry 1916 This document defines a new registry titled "CoMID Tag-Relationship 1917 Types". The registry maintains well-defined integer values as 1918 choices for '$tag-rel-type-choice' CBOR uints. 1920 Future registrations for this registry are to be made based on 1921 [RFC8126] as follows: 1923 +=========+=========================+ 1924 | Range | Registration Procedures | 1925 +=========+=========================+ 1926 | 0-127 | Standards Action | 1927 +---------+-------------------------+ 1928 | 128-255 | Specification Required | 1929 +---------+-------------------------+ 1931 Table 17: CoMID Tag-Relationship 1932 Types Registration Procedures 1934 All negative values are reserved for Private Use. 1936 Initial registrations for the "CoMID Tag-Relationship Types" registry 1937 are provided below. Assignments consist of an integer value, the 1938 item name, and a reference to the defining specification. 1940 +=======+===================+===============+ 1941 | Index | Item Name | Specification | 1942 +=======+===================+===============+ 1943 | 0 | comid.supplements | RFC-AAAA | 1944 +-------+-------------------+---------------+ 1945 | 1 | comid.replaces | RFC-AAAA | 1946 +-------+-------------------+---------------+ 1947 | 2-255 | Unassigned | | 1948 +-------+-------------------+---------------+ 1950 Table 18: CoMID Tag-Relationship Types 1951 Initial Registrations 1953 7.10. CoMID Role-Types Registry 1955 This document defines a new registry titled "CoMID Role Types". The 1956 registry maintains well-defined integer values as choices for 1957 '$comid-role-type-choice' CBOR uints. 1959 Future registrations for this registry are to be made based on 1960 [RFC8126] as follows: 1962 +=========+=========================+ 1963 | Range | Registration Procedures | 1964 +=========+=========================+ 1965 | 0-127 | Standards Action | 1966 +---------+-------------------------+ 1967 | 128-255 | Specification Required | 1968 +---------+-------------------------+ 1970 Table 19: CoMID Role Types 1971 Registration Procedures 1973 All negative values are reserved for Private Use. 1975 Initial registrations for the "CoMID Role Types" registry are 1976 provided below. Assignments consist of an integer value, the item 1977 name, and a reference to the defining specification. 1979 +=======+===================+===============+ 1980 | Index | Item Name | Specification | 1981 +=======+===================+===============+ 1982 | 0 | comid.tag-creator | RFC-AAAA | 1983 +-------+-------------------+---------------+ 1984 | 1 | comid.creator | RFC-AAAA | 1985 +-------+-------------------+---------------+ 1986 | 2 | comid.maintainer | RFC-AAAA | 1987 +-------+-------------------+---------------+ 1988 | 3-255 | Unassigned | | 1989 +-------+-------------------+---------------+ 1991 Table 20: CoMID Role Types Initial 1992 Registrations 1994 7.11. rim+cbor Media Type Registration 1996 IANA is requested to add the following to the IANA "Media Types" 1997 registry [IANA.media-types]. 1999 Type name: application 2001 Subtype name: rim+cbor 2003 Required parameters: none 2005 Optional parameters: none 2007 Encoding considerations: Must be encoded as using [RFC8949]. See 2008 RFC-AAAA for details. 2010 Security considerations: See Section 6 of RFC-AAAA. 2012 Interoperability considerations: Applications MAY ignore any key 2013 value pairs that they do not understand. This allows backwards 2014 compatible extensions to this specification. 2016 Published specification: RFC-AAAA 2018 Applications that use this media type: The type is used by remote 2019 attestation procedures, supply chain integrity management systems, 2020 vulnerability assessment systems, and in applications that rely on 2021 trustworthy endorsements and reference values describing the intended 2022 operational state of a system. 2024 Fragment identifier considerations: Fragment identification for 2025 application/rim+cbor is supported by using fragment identifiers as 2026 specified by Section 9.5 of [RFC8949]. 2028 Additional information: 2030 Magic number(s): first five bytes in hex: 43 4f 52 49 4d 2032 File extension(s): corim 2034 Macintosh file type code(s): none 2036 Macintosh Universal Type Identifier code: org.ietf.corim conforms to 2037 public.data 2039 Person & email address to contact for further information: Henk 2040 Birkholz 2042 Intended usage: COMMON 2044 Restrictions on usage: None 2046 Author: Henk Birkholz 2048 Change controller: IESG 2050 7.12. CoAP Content-Format Registration 2052 IANA is requested to assign a CoAP Content-Format ID for the CoRIM 2053 media type in the "CoAP Content-Formats" sub-registry, from the "IETF 2054 Review or IESG Approval" space (256..999), within the "CoRE 2055 Parameters" registry [RFC7252] [IANA.core-parameters]: 2057 +======================+==========+======+===========+ 2058 | Media type | Encoding | ID | Reference | 2059 +======================+==========+======+===========+ 2060 | application/rim+cbor | - | TBD1 | RFC-AAAA | 2061 +----------------------+----------+------+-----------+ 2063 Table 21: CoAP Content-Format IDs 2065 7.13. CoRIM CBOR Tag Registration 2067 IANA is requested to allocate tags in the "CBOR Tags" registry 2068 [IANA.cbor-tags], preferably with the specific value requested: 2070 +=====+============================+===============================+ 2071 | Tag | Data Item | Semantics | 2072 +=====+============================+===============================+ 2073 | 500 | tagged array or tagged map | Concise Reference Integrity | 2074 | | | Manifest (CoRIM) [RFC-AAAA] | 2075 +-----+----------------------------+-------------------------------+ 2076 | 501 | map | unsigned CoRIM [RFC-AAAA] | 2077 +-----+----------------------------+-------------------------------+ 2078 | 502 | array | signed CoRIM [RFC-AAAA] | 2079 +-----+----------------------------+-------------------------------+ 2080 | 505 | bstr | byte string with CBOR-encoded | 2081 | | | Concise SWID tag [RFC-AAAA] | 2082 +-----+----------------------------+-------------------------------+ 2083 | 506 | bstr | byte string with CBOR-encoded | 2084 | | | Concise MID tag [RFC-AAAA] | 2085 +-----+----------------------------+-------------------------------+ 2087 Table 22: CoRIM CBOR Tags 2089 7.14. CoMID CBOR Tag Registration 2091 IANA is requested to allocate tags in the "CBOR Tags" registry 2092 [IANA.cbor-tags], preferably with the specific value requested: 2094 +=====+===========+===========================================+ 2095 | Tag | Data Item | Semantics | 2096 +=====+===========+===========================================+ 2097 | 550 | bstr | UEID with max size of 33 bytes [RFC-AAAA] | 2098 +-----+-----------+-------------------------------------------+ 2099 | 551 | int | Security Version Number [RFC-AAAA] | 2100 +-----+-----------+-------------------------------------------+ 2101 | 552 | int | lower bound of allowed Security Version | 2102 | | | Number [RFC-AAAA] | 2103 +-----+-----------+-------------------------------------------+ 2105 Table 23: CoMID CBOR Tags 2107 8. References 2109 8.1. Normative References 2111 [I-D.ietf-rats-architecture] 2112 Birkholz, H., Thaler, D., Richardson, M., Smith, N., and 2113 W. Pan, "Remote Attestation Procedures Architecture", Work 2114 in Progress, Internet-Draft, draft-ietf-rats-architecture- 2115 14, 9 December 2021, . 2118 [I-D.ietf-sacm-coswid] 2119 Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. 2120 Waltermire, "Concise Software Identification Tags", Work 2121 in Progress, Internet-Draft, draft-ietf-sacm-coswid-20, 26 2122 January 2022, . 2125 [IANA.cbor-tags] 2126 IANA, "Concise Binary Object Representation (CBOR) Tags", 2127 . 2129 [IANA.core-parameters] 2130 IANA, "Constrained RESTful Environments (CoRE) 2131 Parameters", 2132 . 2134 [IANA.language-subtag-registry] 2135 IANA, "Language Subtag Registry", 2136 . 2139 [IANA.media-types] 2140 IANA, "Media Types", 2141 . 2143 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2144 Requirement Levels", BCP 14, RFC 2119, 2145 DOI 10.17487/RFC2119, March 1997, 2146 . 2148 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 2149 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 2150 DOI 10.17487/RFC7231, June 2014, 2151 . 2153 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 2154 Application Protocol (CoAP)", RFC 7252, 2155 DOI 10.17487/RFC7252, June 2014, 2156 . 2158 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 2159 Writing an IANA Considerations Section in RFCs", BCP 26, 2160 RFC 8126, DOI 10.17487/RFC8126, June 2017, 2161 . 2163 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2164 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2165 May 2017, . 2167 [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data 2168 Definition Language (CDDL): A Notational Convention to 2169 Express Concise Binary Object Representation (CBOR) and 2170 JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, 2171 June 2019, . 2173 [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object 2174 Representation (CBOR)", STD 94, RFC 8949, 2175 DOI 10.17487/RFC8949, December 2020, 2176 . 2178 8.2. Informative References 2180 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 2181 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, 2182 . 2184 Authors' Addresses 2185 Henk Birkholz 2186 Fraunhofer SIT 2187 Rheinstrasse 75 2188 64295 Darmstadt 2189 Germany 2191 Email: henk.birkholz@sit.fraunhofer.de 2193 Thomas Fossati 2194 Arm Limited 2195 United Kingdom 2197 Email: Thomas.Fossati@arm.com 2199 Yogesh Deshpande 2200 Arm Limited 2201 United Kingdom 2203 Email: yogesh.deshpande@arm.com 2205 Ned Smith 2206 Intel Corporation 2207 United States of America 2209 Email: ned.smith@intel.com 2211 Wei Pan 2212 Huawei Technologies 2214 Email: william.panwei@huawei.com