coswid appraisal conventions

[nedmsmith]

Coswid triple is separate from reference / endorsement triples. Coswid triple can describe evidence state natively using evidence-entry. Reference values are contained in payload-entry. The remaining values in the coswid tag can be treated as endorsed values. That is, the rest of the coswid tag values (not in payoad-entry) are accepted on the condition that the payload-entry values match evidence-entry values.

Once processed (via appraisal), these claims are added to the ACS. They can be added to the ACS logically under the measurement-values-map by extension. However, if the external representation of ACS follows the measurement-values-map structure, there needs to be code points that don't conflict with other measurement-values-map code points.

This suggests the need to identify a code point range for measurement-values-map that is dedicated to coswid claims. Alternatively, the ACS models ARs using the coswid triple and Relying Parties map the AR format to an internal format.

The coswid-triple-record doesn't include and authorized-by field. Given the current default authority is the RIM signer, and that satisfies known use cases, then the authorized-by field in the ACS schema can be used to track authorization.

However, if the default authority is insufficient. There are a couple of possible ways to model authority.

1. update coswid-triple-record to include 'authorized-by'
2. allow signed coswids in the corim schema

Option 2 is reasonable since RFC9393 defines signed-coswid which could be a $concise-tag-type-choice. If so, a signed coswid tag could provide authority that differs (or is in addition to) the RIM signer authority.

Authority delegation may not be achieved using option 2 unless the counter-signature from the RIM signature over the signed-coswid signature is interpreted as delegation.