Added a hint to the RP. closes #70

lamps-wg · Jan 11, 2024 · 78f438d · 78f438d
1 parent b9ecfed
commit 78f438d
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/CSR-ATTESTATION-2023.asn b/CSR-ATTESTATION-2023.asn
@@ -23,6 +23,11 @@ id-aa
 FROM SecureMimeMessageV3dot1
     { iso(1) member-body(2) us(840) rsadsi(113549)
         pkcs(1) pkcs-9(9) smime(16) modules(0) msg-v3dot1(21) }
+
+GeneralName
+  FROM PKIX1Implicit-2009
+      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
   ;
 
 
@@ -66,7 +71,8 @@ EvidenceStatements ::= SEQUENCE OF EvidenceStatement
 
 EvidenceStatement ::= SEQUENCE {
    type   EVIDENCE-STATEMENT.&id({EvidenceStatementSet}),
-   stmt   EVIDENCE-STATEMENT.&Type({EvidenceStatementSet}{@type})
+   stmt   EVIDENCE-STATEMENT.&Type({EvidenceStatementSet}{@type}),
+   hint   GeneralName OPTIONAL
 }
 
 id-aa-evidenceStatement OBJECT IDENTIFIER ::= { id-aa TBDAA }

diff --git a/draft-ietf-lamps-csr-attestation.md b/draft-ietf-lamps-csr-attestation.md
@@ -243,9 +243,22 @@ EvidenceStatements ::= SEQUENCE OF EvidenceStatement
 
 EvidenceStatement ::= SEQUENCE {
    type   EVIDENCE-STATEMENT.&id({EvidenceStatementSet}),
-   stmt   EVIDENCE-STATEMENT.&Type({EvidenceStatementSet}{@type})
+   stmt   EVIDENCE-STATEMENT.&Type({EvidenceStatementSet}{@type}),
+   hint   GeneralName OPTIONAL
 }
+~~~
+
+The type is on OID indicating the format of the data contained in stmt.
 
+The hint is intended for an Attester to indicate to the Relying Party
+which Verifier should be invoked to parse this statement. In many cases,
+the type OID will already uniquely indicate which Verifier to invoke, but
+in some cases it may still be ambiguous, or the type may indicate
+another layer of conceptual message wrapping in which case it is helpful
+to the RP to bring this hint outside of the statement. The contents of
+the hint are out of scope for this document.
+
+~~~
 EvidenceBundles ::= SEQUENCE OF EvidenceBundle
 
 EvidenceBundle ::= SEQUENCE
@@ -269,7 +282,7 @@ ext-evidence EXTENSION ::= {
 }
 ~~~
 
-The Extension version is intended only for use within CRMF CSRs and MUST NOT be used within X.509 certificates due to the privacy implications of publishing Evidence about the end entity's hardware environment. See {{security-considerations}} for more discussion.
+The Extension variant is intended only for use within CRMF CSRs and MUST NOT be used within X.509 certificates due to the privacy implications of publishing Evidence about the end entity's hardware environment. See {{security-considerations}} for more discussion.
 
 The `certs` contains a set of certificates that
 may be needed to validate the contents of an Evidence statement