ev-coswid-triple-record undefined in CoRIM draft? #190

Open
deeglaze opened this issue Jan 5, 2024 · 2 comments
Labels
For-next-release WIll only be addressed after first publish of CoRIM

Comments

@deeglaze
Collaborator

deeglaze commented Jan 5, 2024

The accepted claims set type description uses the variable ev-coswid-triple-record without definition. I noticed this is also used in the Intel Profile for CoRIM, but there it references the TCG specification for concise evidence for DICE (https://trustedcomputinggroup.org/wp-content/uploads/TCG-DICE-Concise-Evidence-Binding-for-SPDM-Version-1.0-Revision-53_1August2023.pdf). Given the specificity to DICE, this seems overly specific for the CoRIM specification given that evidence is expected to be profile-specific, so I wonder what this hanging reference is meant to mean.

@nedmsmith
Collaborator

accepted-claims-set technically is mythical as it intends to describe the Verifier's "internal representation" which is out of scope for this specification. We discussed whether or not using CDDL to describe an internal representation would be confusing. We also defined abstract terminology for the verifier in section 5.1 which is used to describe an "internal representation".

There are times when the prose needs to be specific about certain compare operations where having accepted-claims-set CDDL is a helpful abstraction. Other prose seems appropriate for more conceptual explanations.

I'm not convinced the accepted-claims-set CDDL is entirely correct; I think we're in a mode of working through use cases and identifying gaps in accepted-claims-set.

One challenge with using the same CDDL as is used to describe Verifier inputs, to describe Verifier outputs (or nearly Verifier outputs) is that it assumes the Verifier's other inputs, such as Appraisal Policy for Evidence and RP context, aren't additive.

Specifically, in the case of coswid, the coswid tags are additional inputs beyond the core comid schema. As such, you might expect these inputs should affect Verifier output. ev-coswid-triple-record is an example. Nevertheless, it models a Verifier output using an Evidence schema input.

Since it is a non-goal of CoRIM to define an Attestation Result format, it seems using CDDL to define accepted-claims-set implies an alternative to other drafts that do this. Technically, it isn't part of the CoRIM schema.

If there is a way to document the "internal representation" with as much precision as CDDL, but without using CDDL (or something similar) then that would be interesting prose to read.

@nedmsmith
Collaborator

The TCG has published [https://trustedcomputinggroup.org/wp-content/uploads/TCG-DICE-Concise-Evidence-Binding-for-SPDM-Version-1.0-Revision-54_pub.pdf] which is the most recent publication of concise-evidence. The CoRIM spec, Section 5.5, contains subsections that describe mapping of evidence formats to an internal representation (aka ACS). Possibly, it makes sense to include a sub-section for concise-evidence that details the mapping semantics?

@yogeshbdeshpande yogeshbdeshpande added the For-next-release WIll only be addressed after first publish of CoRIM label May 7, 2024