CoRIM SFR Profile and Example #49

Open
attzonko wants to merge 12 commits into opencomputeproject:main from attzonko:corim

@attzonko attzonko commented Aug 7, 2025

No description provided.

@thomas-fossati thomas-fossati left a comment

I have checked the extension CDDL and the associated example: LGTM!

A couple of suggestions:

  1. Having both checked for correctness automatically by the CI would make it more robust in the face of change, especially if the change is accidental.

  2. The CoRIM CDDL is released as an artefact of the CoRIM pipeline at each version drop (e.g.: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/releases/tag/cddl-draft-ietf-rats-corim-08). While it’s under development, you might want to simplify tracking the alignment somewhat automatically (see for example what we do in CoSERV: https://github.com/rats-endorsements-distribution/draft-howard-rats-coserv/tree/main/cddl/comid.mk)

BTW, it’s great to see CoRIM being used more widely 👍

@thomas-fossati thomas-fossati left a comment

nice!

I left a couple of (FYI) comments. Feel free to ignore them.

@attzonko
Collaborator Author

> I have checked the extension CDDL and the associated example: LGTM!
>
> A couple of suggestions:
>
>   1. Having both checked for correctness automatically by the CI would make it more robust in the face of change, especially if the change is accidental.
>   2. The CoRIM CDDL is released as an artefact of the CoRIM pipeline at each version drop (e.g.: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/releases/tag/cddl-draft-ietf-rats-corim-08). While it’s under development, you might want to simplify tracking the alignment somewhat automatically (see for example what we do in CoSERV: https://github.com/rats-endorsements-distribution/draft-howard-rats-coserv/tree/main/cddl/comid.mk)
>
> BTW, it’s great to see CoRIM being used more widely 👍

Thanks for looking this over, @thomas-fossati. I have addressed your two points by adding a simple workflow; once the repo admins enable GitHub Actions with some Runners... we should be able to test it out. In the meantime, could you take a quick look and sanity check the workflow?

@attzonko attzonko requested a review from amd-isaac September 17, 2025 21:04

fdamato commented Oct 2, 2025

  • We evaluated the need for IANA registration of the CoRIM SFR extension and determined it is not required if the extension is only used within our specific CoRIM profile.

  • We confirmed that, similar to EAT, we can register an OID profile for CORIM SAFE through OCP and use a private (negative) number for the SFR extension, scoped to our SFR CoRIM profile.

  • We can control the OCP registry for our profile and update the extension value accordingly. @ericeilertson @attzonko

This commit squashes all the intermediate commits from PR opencomputeproject#49

Signed-off-by: Alex Tzonkov <[email protected]>
@attzonko
Collaborator Author

@ericeilertson @nickhummel from my side this is ready to get squashed and merged. If we need additional work on the CoRIM profile specification we can open a new PR for that.

Thank you all for the help getting this done!

Contributor

@rob-tetrel rob-tetrel left a comment

+1


thomas-fossati commented Oct 13, 2025

Great stuff!

It’d be super if someone could provide the SFR serialisation/deserialisation code for veraison/corim (and/or veraison/corim-rs). Then, one could use the stock cocli to parse SFR CoRIMs, which would be awesome! 😄

- Enhancing the human readable script to handle signed CBOR and display
  all fields in human readable form.
- Addressing fix from Rob

Signed-off-by: Alex Tzonkov <[email protected]>
@attzonko
Collaborator Author

attzonko commented Nov 7, 2025

Here is one possible schema for JIL; can we get some JIL experts' input?

```cddl
jil-scheme = {
  ; --- Identification Phase Factors ---
  ; (Effort to create the attack and demonstrate it)
  &(elapsed-time-id: 0) => tstr
  &(expertise-id: 1) => tstr
  &(knowledge-toe-id: 2) => tstr
  &(access-toe-id: 3) => tstr
  &(equipment-id: 4) => tstr
  &(open-samples-id: 5) => tstr

  ; --- Exploitation Phase Factors ---
  ; (Effort to achieve the attack on another TOE instance)
  &(elapsed-time-ex: 6) => tstr
  &(expertise-ex: 7) => tstr
  &(knowledge-toe-ex: 8) => tstr
  &(access-toe-ex: 9) => tstr
  &(equipment-ex: 10) => tstr

  ; --- Optional Factor Adjustments ---
  ; (Extra points for package removal effort, added to Access to TOE)
  ? &(package-removal-id: 11) => tstr
  ? &(package-removal-ex: 12) => tstr
  ; (Extra point for Multiple Specialized equipment)
  ? &(multiple-specialized-id: 13) => tstr
  ? &(multiple-specialized-ex: 14) => tstr

  ; --- Calculated Results ---
  &(identification-subtotal: 15) => tstr
  &(exploitation-subtotal: 16) => tstr
  ; (Final score = identification + exploitation)
  &(attack-potential-total: 17) => tstr
  ; (e.g., "Basic", "Moderate", "High")
  &(resistance-rating: 18) => tstr

  ; --- Metadata ---
  ; (e.g., "3.2.1")
  ? &(jil-version: 19) => tstr
}
```
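
An added example, not part of the comment above or of the project's code: a Python check of an already CBOR-decoded map against the proposed jil-scheme (required and optional integer keys, tstr values, closed map) plus the stated rule that the final score is identification plus exploitation. The function name, the sample values, and the assumption that keys 15 to 17 carry decimal-integer strings are not from the proposal.

```python
import re

# Key numbers and names are taken from the proposed jil-scheme.
REQUIRED = {
    0: "elapsed-time-id", 1: "expertise-id", 2: "knowledge-toe-id",
    3: "access-toe-id", 4: "equipment-id", 5: "open-samples-id",
    6: "elapsed-time-ex", 7: "expertise-ex", 8: "knowledge-toe-ex",
    9: "access-toe-ex", 10: "equipment-ex",
    15: "identification-subtotal", 16: "exploitation-subtotal",
    17: "attack-potential-total", 18: "resistance-rating",
}
OPTIONAL = {
    11: "package-removal-id", 12: "package-removal-ex",
    13: "multiple-specialized-id", 14: "multiple-specialized-ex",
    19: "jil-version",
}


def check_jil_map(m):
    """Return a list of problems; an empty list means the map conforms."""
    if not isinstance(m, dict):
        return ["not a map"]
    problems = []
    known = {**REQUIRED, **OPTIONAL}
    for key, name in REQUIRED.items():
        if key not in m:
            problems.append(f"missing required key {key} ({name})")
    for key, value in m.items():
        # Exact int only: True and 1.0 compare equal to 1 in Python.
        if type(key) is not int or key not in known:
            problems.append(f"unknown key {key!r}")
        elif not isinstance(value, str):
            problems.append(f"key {key} ({known[key]}) is not a tstr")
    if problems:
        return problems
    # Assumption (not in the proposal): keys 15-17 hold decimal integers.
    if not all(re.fullmatch(r"[0-9]+", m[k]) for k in (15, 16, 17)):
        return ["keys 15-17 are not decimal integers"]
    ident, expl, total = (int(m[k]) for k in (15, 16, 17))
    if ident + expl != total:
        problems.append(f"total {total} != {ident} + {expl}")
    return problems


# Constructed sample; the rating string is not derived from the score.
SAMPLE = {k: "0" for k in REQUIRED}
SAMPLE.update({15: "11", 16: "9", 17: "20", 18: "Moderate", 19: "3.2.1"})
```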

Removed device-category from the CDDL schema, addressed review comments,
and fixed test failures. Updated docs and examples to match.

Signed-off-by: Alex Tzonkov <[email protected]>
@attzonko
Collaborator Author

@ericeilertson @nickhummel I propose we go forward with the current latest version of the profile without adding the JIL assessment; if we need to add it later, we can mint a new OID to be able to easily distinguish the profiles.

@fdamato fdamato left a comment

LGTM
