Comments (7)
Relates to issue #32
from architecture.
Updated architecture doc section for the definition of "Trust Anchor" to reflect the following.
- Trust Anchor fingerprint can be stored as part of Trust Anchor for unique identification
- It should be checked and used in Trust Anchor management to uniquely identify the right one.
See draft update on this.
Note a reference that RFC6024 talks about "Trust Anchor Management". It defines a Trust Anchor Format about what it should contain.
from architecture.
Addressed with pull request #40 - #40
from architecture.
Quoted the updated definition of Trust Anchor here.
"Trust Anchor: A public key in a device whose corresponding private
key is held by an entity implicitly trusted by the device. The
Trust Anchor may be a certificate or it may be a raw public key
along with additional data if necessary such as its public key
algorithm and parameters.
The Trust Anchor is normally stored in a location that resists
unauthorized modification, insertion, or replacement. The digital
fingerprint of a Trust Anchor may be stored along with the Trust
Anchor certificate or public key. The Trust Anchor fingerprint
can be part of Trust Anchor format. A device can use the
fingerprint to uniquely identify a Trust Anchor.
The Trust Anchor private key owner can sign certificates of other
public keys, which conveys trust about those keys to the device.
A certificate signed by the Trust Anchor communicates that the
private key holder of the signed certificate is trusted by the
Trust Anchor holder, and can therefore be trusted by the device.
Trust Anchors in a device may be updated by an authorized party
when a Trust Anchor should be deprecated or a new Trust Anchor
should be added."
from architecture.
All good except one sentence is confusing:
"The Trust Anchor fingerprint can be part of Trust Anchor format."
What is "Trust Anchor format"?
from architecture.
If it is a fingerprint, shall we define what fingerprint it should be and how it is represented (SHA1 or SHA2 hash of a certificate or some more)? When it is a public key, what structure should a TEE support? A Trust Anchor can consist of a public key and fingerprint (of the certificate). I was thinking of a structure we may cite from others. RFC6024 describes requirement for a Trust Anchor Format. Maybe we loosely leave the trust anchor content structure to TEE about how it will interpret a "fingerprint", a "public key", and their combined use?
By this, I will just remove that line "The Trust Anchor fingerprint can be part of Trust Anchor format.". The prior sentence has described it will be stored along with other data. The interpretation and content of a fingerprint, e.g. fingerprint algorithm, will be left to TEE.
from architecture.
Verified fixed in draft -02 and later
from architecture.
Related Issues (20)
- [Hackathon] How does Agent get unneeded TA list HOT 2
- Obsolete paragraph in intro HOT 1
- Do we want an "applicability statement"? HOT 1
- TEE OS HOT 2
- Indicate the possibility to terminate TLS in the TEE HOT 2
- Figure 4 - Improve readability HOT 1
- Clarification regarding Data Protection HOT 4
- wordsmithing on description of protections for personalization data HOT 4
- Insufficient description for compromised TAM HOT 1
- Intdir review comment: device user in complete sentence
- intdir review comment: TEEP diagram label consistency HOT 1
- Intdir comments: TAM trust by public key elaboration with constraints HOT 1
- Intdir Review comments: TEEP broker triggering and frequency to TAM calls
- Paul Kyzivat GENART review HOT 1
- Russ Housley ARTART review HOT 1
- Ines Robles IOTDIR review HOT 5
- Benjamin M. Schwartz SECDIR review HOT 7
- Lars Eggert GEN-AD Review HOT 4
- Robert Wilton Review Comments HOT 5
- Roman Danyliw Review Comments HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from architecture.