On Sat, May 29, 2021 at 04:06:29PM +0200, Eliot Lear wrote:
> So this raises an interesting question, which is probably more appropriate
> for RATS. What information should be shared with whom and how? The voucher
> is shipped in the clear without much prompting. There are different views
> about how sensitive software inventory is. This is why the draft doesn't
> take a position on the subject, other than to allow for the notion that some
> requests *may* need to be authenticated.

SBOM or anything else carried in a voucher can of course be encrypted, for example with the public key of the registrar. I can also imagine vouchers or bearer tokens where SBOM would be unencrypted as a statement from the manufacturer "this is the software the device had when it left the manufacturing floor". Implying "if you see any other software on it, someone else had hands on it, ... warranty void... ?" ;-)

Toerless

> Eliot
>
> On 29.05.21 00:12, Michael Richardson wrote:
> > Eliot Lear <[email protected]> wrote:
> >     > This having been said, I think you may be applying the right policy at
> >     > the wrong time. It may make more sense to first establish trust, but
> >     > limit access to the device until you have the SBOM. In fact you want
> >     > to do it that way, because at any time the posture of a device can be
> >     > found to be wanting.
> >
> > No, it's the right time.
> >
> > We specifically designed the voucher flow such that it could contain
> > attestation artifacts (evidence). Max was quite articulate about that!
> >
> > The evidence is communicated through the registrar to the MASA. This is
> > identically the background check flow from the RATS architecture.
> > The MASA is the Verifier. The Verifier is who needs access to the SBOM, and
> > conveniently, that's also the manufacturer.
> >
> > The Registrar is the Relying Party.
> >
> > What we didn't document is how we do freshness for the evidence.
> > There are a number of choices.
> >
> > --
> > Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
> > Sandelman Software Works Inc, Ottawa and Worldwide

--
---
[email protected]
