From f6cd1c3523f202408cbf8ba5dab59ae5b8906ba5 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Fri, 15 Mar 2024 14:37:42 -0400 Subject: [PATCH 1/3] Add missing anchor for IANA considerations section --- draft-moriarty-attestationsets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-moriarty-attestationsets.md b/draft-moriarty-attestationsets.md index 5145fcd..54d5c94 100644 --- a/draft-moriarty-attestationsets.md +++ b/draft-moriarty-attestationsets.md 
@@ -108,7 +108,7 @@ Examples of measurement and policy sets that could be defined in EAT profiles in Scale, ease of use, full automation, and consistency for customer consumption of a remote attestation function or service are essential toward the goal of consistently securing systems against known threats and vulnerabilities. Mitigations may be baked into policy. Claim sets of measurements and policy verified to meet or not meet Endorsed values [I-D.ietf-rats-eat] are conveyed in an Entity Attestation Token made available to a RESTful -interface in aggregate for the systems managed. The Measurement or Policy Set may be registered in the IANA registry [created in this document], detailing the specific configuration policies and measurements required to adhere or prove compliance to the associated document. Levels (e.g. high, medium, low, 1, 2, 3) or vendor specific instances of the policy defined in code required to verify the policy and measurements would be registered using a name for the policy set, that would also be used in the reporting EAT that includes the MPS along with other artifacts to prove compliance. +interface in aggregate for the systems managed. The Measurement or Policy Set may be registered in the IANA registry [created in this document](#iana), detailing the specific configuration policies and measurements required to adhere or prove compliance to the associated document. Levels (e.g. high, medium, low, 1, 2, 3) or vendor specific instances of the policy defined in code required to verify the policy and measurements would be registered using a name for the policy set, that would also be used in the reporting EAT that includes the MPS along with other artifacts to prove compliance. # Conventions and Definitions 
@@ -169,7 +169,7 @@ The contents of the benchmarks and controls are out of scope for this document. This establishes an architectural pattern whereby a remote attestation could be issued for a complete set of benchmarks or controls as defined and grouped by external entities, preventing the need to send over individual attestations for each item within a benchmark or control framework. This document does not add security consideration over what has been described in the EAT, JWT, or CWT specifications. -# IANA Considerations +# IANA Considerations {#iana} Draft section - authors know more work is needed to properly define the registry and claims. This section is here now to assist in understandign the concepts. From 14f3dc39022f0706a7fd3df899d3e886315b8dbc Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Fri, 15 Mar 2024 14:40:21 -0400 Subject: [PATCH 2/3] Correct spelling typos --- draft-moriarty-attestationsets.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-moriarty-attestationsets.md b/draft-moriarty-attestationsets.md index 54d5c94..8867bd9 100644 --- a/draft-moriarty-attestationsets.md +++ b/draft-moriarty-attestationsets.md 
@@ -117,7 +117,7 @@ interface in aggregate for the systems managed. The Measurement or Policy Set ma # Policy and Measurement Set Definitions This document defines EAT claims in the JWT [RFC7519] and CWT [RFC8392] registries to provide attestation to a set of verified claims within a defined grouping. -The trustworthiness will be conveyed on original verified evidence as well as the attestation on the grouping. The claims provide the additional information needed for an EAT to convey complaince to a defined policy or measurement set to a system or application collecting evidence on policy and measurement assurance, for instance a governance, risk, and complaince (GRC) system. +The trustworthiness will be conveyed on original verified evidence as well as the attestation on the grouping. The claims provide the additional information needed for an EAT to convey compliance to a defined policy or measurement set to a system or application collecting evidence on policy and measurement assurance, for instance a governance, risk, and compliance (GRC) system. | Claim | Long Name | Claim Description | Format | |-------|----------------------------|----------------------------------|--------| 
@@ -171,9 +171,9 @@ This document does not add security consideration over what has been described i # IANA Considerations {#iana} -Draft section - authors know more work is needed to properly define the registry and claims. This section is here now to assist in understandign the concepts. +Draft section - authors know more work is needed to properly define the registry and claims. This section is here now to assist in understanding the concepts. -This document requests the creation of a Measurement and Policy Set (MPS) registry. The MPS registry will contain the names of the Benchmarks, Policy sets, DISA STIGS, controls, or other groupings as a policy and measurement set that MAY correlate to standards documents containing assurance guidelines, compliance requireemnts, or other defined claim sets for verification of posture assessment to that MPS. The MPS registry will include the policy definition for specific levels of MPS assurance to enable interoperability between assertions of compliance (or lack thereof) and reporting systems. +This document requests the creation of a Measurement and Policy Set (MPS) registry. The MPS registry will contain the names of the Benchmarks, Policy sets, DISA STIGS, controls, or other groupings as a policy and measurement set that MAY correlate to standards documents containing assurance guidelines, compliance requirements, or other defined claim sets for verification of posture assessment to that MPS. The MPS registry will include the policy definition for specific levels of MPS assurance to enable interoperability between assertions of compliance (or lack thereof) and reporting systems. | MPS Name | MPS Description | File with MPS definition | |---------------|-----------------------------------------|------------------------------| From 7520d6ef8d016cc93d6d46e5741e3a0928c91176 Mon Sep 17 00:00:00 2001 
From: "A.J. Stein" Date: Fri, 15 Mar 2024 14:42:03 -0400 Subject: [PATCH 3/3] Use `make fix-lint` and correct whitespacing --- draft-moriarty-attestationsets.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-moriarty-attestationsets.md b/draft-moriarty-attestationsets.md index 8867bd9..bb26e41 100644 --- a/draft-moriarty-attestationsets.md +++ b/draft-moriarty-attestationsets.md @@ -185,13 +185,13 @@ The MPS name includes versions or level information, allowing for distinct polic This document requests the following JWT claims per the specification requirement required for the JSON Web Token (JWT) registry defined in RFC7519. -| Claim | Long Name | Claim Description | +| Claim | Long Name | Claim Description | |-------|----------------------------|----------------------------------| | MPS | Measurement or Policy Set | Name for the MPS | -| LEM | Log Evidence of MPS | Log File or URI | -| PCR | TPM PCR Values | URI | -| FMA | Format of MPS Attestations | Format of included attestations | -| HSH | Hash Value/Message Digest | Hash value of claim-set | +| LEM | Log Evidence of MPS | Log File or URI | +| PCR | TPM PCR Values | URI | +| FMA | Format of MPS Attestations | Format of included attestations | +| HSH | Hash Value/Message Digest | Hash value of claim-set | ## MPS (Measurement or Policy Set) Claim
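Review bot: in the `@@ -108,7 +108,7 @@` hunk the new link `[created in this document](#iana)` hangs the cross-reference on a bracketed aside instead of on the thing it points to; `the IANA registry (see [IANA Considerations](#iana))`, or a `{{iana}}` cross-reference if the draft is built with kramdown-rfc, reads more naturally and does not depend on the renderer turning a `(#anchor)` link into an xref. Because the whole paragraph is a single source line, the diff also cannot show which words changed; one sentence per line is the usual convention for these drafts and keeps later reviews of this paragraph readable.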
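Review bot: the `{#iana}` anchor added in the `@@ -169,7 +169,7 @@` hunk is correct, but the unchanged context line just above it, `This document does not add security consideration over what has been described in the EAT, JWT, or CWT specifications.`, no longer holds once this section creates a registry whose entries point at files with MPS definitions: those entries and files are new inputs a Verifier or GRC system acts on. Suggest a follow-up that says who may add or change registry entries and how a token pins the specific MPS definition (name plus version or level) it was issued against, rather than deferring entirely to the EAT/JWT/CWT considerations.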
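Review bot: the `complaince` to `compliance` fixes in the `@@ -117,7 +117,7 @@` hunk are correct; note that the table header in its trailing context, `| Claim | Long Name | Claim Description | Format |`, carries a `Format` column while the JWT claims table in the `@@ -185,13 +185,13 @@` hunk of the third patch lists the same five claims without one. Suggest either giving both tables the same columns or stating which table is the definition and which is the registration template, so the two do not drift apart.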
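Review bot: in the `@@ -171,9 +171,9 @@` hunk the spelling fixes are fine, but the rewritten sentence keeps `MAY` as a capitalised RFC 2119 keyword in a purely descriptive clause (`groupings ... that MAY correlate to standards documents`); a lowercase `may` avoids implying a conformance requirement on registry entries. Two smaller points on the same lines: `DISA STIGS` should be `DISA STIGs` (plural of STIG), and the `Draft section - authors know more work is needed ...` sentence is an editorial note that will otherwise be published with the document, so it is better placed in a comment or an explicit note to be removed before publication.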
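Review bot: the whitespace alignment in the `@@ -185,13 +185,13 @@` hunk is fine, but the rows it touches describe `LEM` as `Log File or URI` and `PCR` as `URI` without saying what binds the referenced content to the signed token: a bare URI is outside the token's signature, so a Verifier or reporting system that fetches it later cannot tell whether it received the log or PCR data the token was actually issued over. Suggest stating that `HSH` (or a per-claim digest) covers the referenced material and how the hash algorithm is identified, or requiring the values to be carried inline. Separately, the registered claim names in RFC 7519 are short lowercase strings (`iss`, `sub`, `jti`); uppercase `MPS`, `LEM`, `PCR`, `FMA`, `HSH` would be unusual in that registry and should be a deliberate choice, with the JWT and CWT (integer key) forms both given.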