On 28.05.21 17:31, Toerless Eckert wrote:
> On Fri, May 28, 2021 at 07:24:45AM +0200, Eliot Lear wrote:
>
> Explain to me how this work flow would allow for the registrar to
> decide whether to and/or what certificate to give to the pledge via EST based
> on SBOM information.

Well, in that case, if the registrar has the IDevID of the pledge, it can retrieve the MUD file, which points to an SBOM.  My guess is that such an SBOM would have to live off device, because there is no trust yet between pledge and registrar.  And so if trust is required to retrieve the SBOM, then it has to be between the registrar and the manufacturer.

This having been said, I think you may be applying the right policy at the wrong time.  It may make more sense to first establish trust, but limit access to the device until you have the SBOM.  In fact you want to do it that way, because at any time the posture of a device can be found to be wanting.

Eliot



_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
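The lookup chain and the two policies discussed above (decide before issuing the certificate, versus enroll first and keep the device quarantined until the SBOM has been fetched and checked), as an added example that is not part of the thread and not code from any IETF draft or implementation. It assumes the IDevID's extensions have already been decoded into an OID-to-value map (X.509 parsing is left out; the id-pe-mud-url OID itself is the one RFC 8520 assigns), a `fetch` callable standing in for the registrar's trusted HTTPS retrieval from the manufacturer, and a made-up MUD extension (`"sbom"` with an `"sbom-url"` leaf) for the pointer from MUD file to SBOM. The MUD file, SBOM and operator blocklist are constructed sample data, not real manufacturer files or vulnerability findings.

```python
"""Registrar-side lookup chain: IDevID -> MUD URL -> MUD file -> SBOM -> posture."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# OID of the MUD URL certificate extension, id-pe-mud-url (RFC 8520, section 11).
MUD_URL_OID = "1.3.6.1.5.5.7.1.25"

# --- Constructed sample data (not real manufacturer files) -------------------
SAMPLE_MUD_URL = "https://manufacturer.example/mud/sensor-v2.json"
SAMPLE_SBOM_URL = "https://manufacturer.example/sbom/sensor-v2.json"
SAMPLE_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": SAMPLE_MUD_URL,
        "last-update": "2021-05-28T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example sensor, firmware 2.0",
        # The "sbom" extension name and its "sbom-url" leaf are assumptions made
        # for this example, not keys from a published MUD extension.
        "extensions": ["sbom"],
        "sbom": {"sbom-url": SAMPLE_SBOM_URL},
    }
}
SAMPLE_SBOM = {"components": [{"name": "libexample", "version": "2.1"},
                              {"name": "httpd-lite", "version": "1.4"}]}
MANUFACTURER_STORE: Dict[str, bytes] = {
    SAMPLE_MUD_URL: json.dumps(SAMPLE_MUD).encode(),
    SAMPLE_SBOM_URL: json.dumps(SAMPLE_SBOM).encode(),
}
# Constructed operator policy: component versions the operator will not admit.
# Example data only, not real vulnerability findings.
BLOCKED_COMPONENTS = {("httpd-lite", "0.9")}

Fetcher = Callable[[str], Optional[bytes]]


def store_fetch(url: str) -> Optional[bytes]:
    """Stand-in for the registrar's trusted HTTPS fetch from the manufacturer."""
    return MANUFACTURER_STORE.get(url)


def mud_url_from_idevid(extensions: Dict[str, str]) -> Optional[str]:
    """Take the MUD URL from an IDevID's decoded extensions (OID -> value).

    X.509 parsing itself is left out; feed in the already-decoded extensions.
    """
    return extensions.get(MUD_URL_OID)


def sbom_url_from_mud(mud_bytes: bytes, expected_mud_url: str) -> Optional[str]:
    """Return the SBOM pointer carried by a MUD file, or None if it has none.

    Raises ValueError when the file's own mud-url disagrees with the URL the
    certificate named; RFC 8520 requires the two to match.
    """
    mud = json.loads(mud_bytes)["ietf-mud:mud"]
    if mud.get("mud-url") != expected_mud_url:
        raise ValueError("mud-url in file differs from the certificate's MUD URL")
    if "sbom" not in mud.get("extensions", []):
        return None
    return mud.get("sbom", {}).get("sbom-url")


def evaluate_sbom(sbom_bytes: bytes) -> Optional[str]:
    """Return a reason if the SBOM lists a blocked component, else None."""
    for comp in json.loads(sbom_bytes).get("components", []):
        if (comp.get("name"), comp.get("version")) in BLOCKED_COMPONENTS:
            return f"blocked component {comp['name']} {comp['version']}"
    return None


@dataclass(frozen=True)
class Decision:
    issue_certificate: bool  # let EST enrollment proceed?
    network_access: str      # "full", "quarantine", or "none"
    reason: str


def decide(cert_extensions: Dict[str, str], fetch: Fetcher,
           gate_enrollment: bool) -> Decision:
    """Registrar decision for one pledge.

    gate_enrollment=True : decide *before* trust exists; refuse the certificate
                           unless the SBOM was fetched and is clean.
    gate_enrollment=False: establish trust first (enroll), then keep the device
                           quarantined until the SBOM is fetched and clean.
    """
    mud_url = mud_url_from_idevid(cert_extensions)
    if mud_url is None:
        problem: Optional[str] = "no MUD URL in IDevID"
    elif (mud_bytes := fetch(mud_url)) is None:
        problem = "MUD file not retrievable"
    elif (sbom_url := sbom_url_from_mud(mud_bytes, mud_url)) is None:
        problem = "MUD file carries no SBOM pointer"
    elif (sbom_bytes := fetch(sbom_url)) is None:
        problem = "SBOM not retrievable"
    else:
        problem = evaluate_sbom(sbom_bytes)
    if problem is None:
        return Decision(True, "full", "SBOM retrieved and clean")
    if gate_enrollment:
        return Decision(False, "none", problem)
    return Decision(True, "quarantine", problem)
```

Because `decide` only reads the certificate's MUD URL and the fetch results, the same call can be repeated after enrollment (a fresh SBOM, a changed blocklist) to move an already-enrolled device back into quarantine, which is the "posture found wanting at any time" case; under the gating policy the only lever is the initial refusal.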
