Eliot Lear <[email protected]> wrote: > This having been said, I think you may be applying the right policy at > the wrong time. It may make more sense to first establish trust, but > limit access to the device until you have the SBOM. In fact you want > to do it that way, because at any time the posture of a device can be > found to be wanting.
No, it's the right time. We specifically designed the voucher flow such that it could contain attestation artifacts (evidence). Max was quite articulate about that! The evidence is communicated through the registrar to the MASA. This is identically the background check flow from the RATS architecture. The MASA is the Verifier. The Verifier is who needs access to the SBOM, and conveniently, that's also the manufacturer. The Registrar is the Relying Party. What we didn't document is how we do freshness for the evidence. There are a number of choices. -- Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
