Changes to address full EAT profile requirements #78
+18
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **Mandatory Claims (1-6)**: These claims are **REQUIRED** for all attestations | ||
| and provide the minimum necessary information for verifier appraisal policies: | ||
| and provide the minimum necessary information for verifier appraisal policies. Any attestation that fails | ||
| to include all mandatory claims **MUST** be rejected by the verifier: |
There was a problem hiding this comment.
MUST be rejected by the verifier
Why would the Verifier care? Especially for the non-verifiable claims. I am not sure the production Verifier itself is the right place to (always) check evidence for compliance / conformance to an EAT profile. That could be a separate tool. Maybe @laurencelundblade has an opinion.
There was a problem hiding this comment.
The profile shouldn`t enforce policy for the verifiers, however we can clarify that Mandatory Claim is what the Verifier would expect from a EAT that use this profile
fdamato
approved these changes
Oct 24, 2025
fdamato
reviewed
Oct 24, 2025
| size constraints apply: | ||
|
|
||
| * The complete CWT token (including the certificate chain in the unprotected header) **SHALL NOT** exceed 64kB. This limitation aligns with the SPDM Measurement block size limit, as most OCP Attesters are expected to rely on SPDM for EAT conveyance. | ||
| * The complete CWT token (including the certificate chain in the unprotected header) **SHALL NOT** exceed 64kB (post-encoding). This limitation aligns with the SPDM Measurement block size limit, as most OCP Attesters are expected to rely on SPDM for EAT conveyance. |
There was a problem hiding this comment.
remove this, as it may creates more confusion
fdamato
reviewed
Oct 24, 2025
|
|
||
| Implementations **MUST** account for the following signature size | ||
| implications when calculating total CWT size against the 64kB limit: | ||
| implications when calculating total (post-encoding) CWT size against the 64kB limit: |
gmandyam
force-pushed
the
EAT_full_profile_changes
branch
from
69b3351 to
1acfe25
Compare
Addressing opencomputeproject#64 Signed-off-by: Giridhar Mandyam <[email protected]>
gmandyam
force-pushed
the
EAT_full_profile_changes
branch
from
1acfe25 to
99599a9
Compare
fdamato
approved these changes
Oct 24, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addressing #64