Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tasks assigned to Henk and Charles #45

Merged
merged 8 commits into from
Jan 19, 2022
Merged

tasks assigned to Henk and Charles #45

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
539483a
tasks assigned to Henk
henkbirkholz Oct 15, 2021
86c988d
adding Charles' output to this branch
henkbirkholz Oct 15, 2021
179e2c1
fixed author email
henkbirkholz Oct 15, 2021
58c42ea
Update draft-ietf-sacm-coswid.md
henkbirkholz Oct 18, 2021
819952b
Update draft-ietf-sacm-coswid.md
henkbirkholz Oct 18, 2021
74c4f92
addressing tag-id collisions in security considerations
david-waltermire Jan 19, 2022
b3b5e24
fixed the incorrect use of private value ranges in IANA tables
david-waltermire Jan 19, 2022
9f635f4
removed editorial todos
david-waltermire Jan 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion draft-ietf-sacm-coswid.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1639,7 +1639,7 @@ A signed CoSWID tag (see {{coswid-cose}}) whose signature has been validated can

When an authoritative tag is signed, the originator of the signature can be verified. A trustworthy association between the signature and the originator of the signature can be established via trust anchors. A certification path between a trust anchor and a certificate including a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. Verifying that the software provider is the signer is a different matter. This requires an association between the signature and the tag's entity item associated corresponding to the software provider. No mechanism is defined in this draft to make this association; therefore, this association will need to be handled by local policy.

Loss of control of signing credentials used to sign CoSWID tags would create doubt about the authenticity and integrity of any CoSWID tags signed using the compromised keys. In such cases, the legitimate tag signer (namely, the software provider for an authoritative CoSWID tag) can simply employ uncompromised signing credentials to create a new signature on the original tag. The tag version number would not be incremented since the tag itself was not modified. Consumers of CoSWID tags would need to validate the tag using the new credentials and would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them. The process for doing this is beyond the scope of this specification.
Loss of control of signing credentials used to sign CoSWID tags would create doubt about the authenticity and integrity of any CoSWID tags signed using the compromised keys. In such cases, the legitimate tag signer (namely, the software provider for an authoritative CoSWID tag) can employ uncompromised signing credentials to create a new signature on the original tag. The tag version number would not be incremented since the tag itself was not modified. Consumers of CoSWID tags would need to validate the tag using the new credentials and would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them. The process for doing this is beyond the scope of this specification.

CoSWID tags are intended to contain public information about software components and, as
such, the contents of a CoSWID tag does not need to be protected against unintended disclosure on an endpoint.
Expand Down