support for composite attesters #10

Closed
thomas-fossati opened this issue Jan 12, 2023 · 3 comments

Comments


thomas-fossati commented Jan 12, 2023

In a composite device evidence is assembled from multiple independent sources.

An example is the Arm CCA attestation token, which consists of separate (and separately signed) pieces of evidence glued together in an EAT collection.

A use case that we want to support is that of a verifier which will not be able to single-handedly appraise the whole thing and will instead carry out a partial appraisal and pass what it's done to the relying party with a clear indication of what remains to be done. This is not unusual in confidential computing scenarios where the platform verifier can be separate from the workload verifier and they need to be part of a coordinated verification process.

The current structure does not cope well with that situation

```cddl
EAR = {
  ear.status => $ar4si.trust-tier
  eat_profile => "tag:github.com,2022:veraison/ear"
  ? ear.trustworthiness-vector => ar4si.trustworthiness-vector
  ? ear.raw-evidence => ear-bytes
  iat => int
  ? ear.appraisal-policy-id => text
  * $$ear-extension
}
```

because there's only one "global" trustworthiness vector.

One way to address the issue is to split the EAR into two: a "core" object harbouring the trustworthiness vector associated to a specific piece of evidence (alongside other contextual stuff that makes sense on a per-evidence basis), and an outer container that will group the information with "global" scope:

```cddl
EAR-core = {
  ear.status => $ar4si.trust-tier
  ? ear.trustworthiness-vector => ar4si.trustworthiness-vector
  ? ear.appraisal-policy-id => text
  * $$ear-core-extension
}
```

and

```cddl
EAR = {
  eat_profile => "tag:github.com,2022:veraison/ear"
  iat => int
  ? eat_nonce => nonce-type
  ear.verifier-id => ear-verifier-id
  ? ear.raw-evidence => ear-bytes ; the complete composite evidence (outer scope)
  submods-label => {
    + text => EAR-core ; the submod name is an identifier for the portion of appraised evidence
  }
  * $$ear-extension
}
```
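A sketch, added here and not part of the veraison/ear project, of how a platform verifier could emit the split EAR above and how a relying party could read back which submods were appraised and which remain to be done. The `submods` key name, the tier ordering, the use of the `none` tier to mark a not-yet-appraised submod, and every name and value in the sample are assumptions made for this example.

```python
import time

EAR_PROFILE = "tag:github.com,2022:veraison/ear"
# Assumed tier ordering, best to worst; the worst tier wins when combining.
TIER_RANK = {"none": 0, "affirming": 1, "warning": 2, "contraindicated": 3}

def ear_core(status, tv=None, policy_id=None):
    """EAR-core: per-evidence status, trustworthiness vector, policy id."""
    core = {"ear.status": status}
    if tv is not None:
        core["ear.trustworthiness-vector"] = tv
    if policy_id is not None:
        core["ear.appraisal-policy-id"] = policy_id
    return core

def composite_ear(verifier_id, submods, nonce=None, raw_evidence=None):
    """Outer EAR: global-scope claims plus one EAR-core per submod."""
    ear = {"eat_profile": EAR_PROFILE, "iat": int(time.time()),
           "ear.verifier-id": verifier_id, "submods": submods}
    if nonce is not None:
        ear["eat_nonce"] = nonce
    if raw_evidence is not None:  # whole composite evidence, outer scope
        ear["ear.raw-evidence"] = raw_evidence
    return ear

def summarise(ear):
    """Relying-party view: worst tier over appraised submods, plus the
    submods still at 'none', i.e. left for another verifier to appraise."""
    if ear.get("eat_profile") != EAR_PROFILE:
        raise ValueError("not a veraison EAR")
    overall, pending = "none", []
    for name, core in ear["submods"].items():
        status = core["ear.status"]
        if status == "none":
            pending.append(name)
        elif TIER_RANK[status] > TIER_RANK[overall]:
            overall = status
    return overall, sorted(pending)

# Constructed sample: the platform verifier appraised the platform part of a
# CCA-style token and left the realm part for the workload verifier.
SAMPLE = composite_ear(
    "platform-verifier.example",
    {"CCA_SSD_PLATFORM": ear_core("affirming", {"hardware": 2, "executables": 2},
                                  "policy://example/cca-platform"),
     "CCA_REALM": ear_core("none")},
    nonce="constructed-nonce", raw_evidence="<base64 of the whole token>")

print(summarise(SAMPLE))  # ('affirming', ['CCA_REALM'])
```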


@yogeshbdeshpande
Collaborator

This is very much in line with what we discussed today (12/01). One thing though: I think it still has value if, in the outer EAR Wrapper, we relay the complete raw evidence as is, in line with the current design of relaying the raw evidence.

Please note it is quite different from inner raw-evidence which pertains to individual (core) sub-attester evidence.

@thomas-fossati
Owner Author

> This is very much in line with what we discussed today (12/01). One thing though: I think it still has value if, in the outer EAR Wrapper, we relay the complete raw evidence as is, in line with the current design of relaying the raw evidence.

Thanks for checking if my memory dump effectively matched the whiteboard :-)

You are right, raw-evidence pertains to the outer scope. I'll update the data model sketch above.

@ericvoit
Copy link
Collaborator

ericvoit commented Feb 3, 2023

Adding text from email. We should track what is below.

we have a predefined/standardized system-wide tag so that a Relying Party doesn’t have to guess that the appraisal spans the whole system?

Sounds good to me. Do you have a proposal?

And if I read this right, we likely should be tracking an issue which talks about the relationship between the system-wide appraisals, and the appraisals for any actual subsystems.
