Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Secure identifiers for hardware and software in vehicles #230

Open
jhdalek55 opened this issue Dec 17, 2021 · 8 comments
Open

Secure identifiers for hardware and software in vehicles #230

jhdalek55 opened this issue Dec 17, 2021 · 8 comments
Milestone

Comments

@jhdalek55
Copy link
Contributor

jhdalek55 commented Dec 17, 2021

There has been considerable efforts over the past few years to develop consistent and appropriate identifiers for both hardware and software components. Traditionally, a supplier-name-prefixed serial numbers, such as a VIN number, has been used to identify ECUs, but this method does not acknowledge the differing nature of ECUs. Given that not all ECUs share the same resources (as @iramcdonald observed, "an ECU that does nothing but adjust the seat belt does not need symmetric cryptography"), what does an identifier actually need to share? In the software realm, the use of IETF Standard for Concise Software Identification Tags that are more secure than current supplier/OEM proprietary software version info is becoming commonplace. Concise SWID (CoSWID) tags, according to IETF's Datatracker (https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/), "supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory efficient format."

This issue does not call for immediate action, but serves as a reminder to stay abreast of emerging standards and regulations looking at the issue of hardware and software identifiers, and to make the appropriate changes to the Standard and or the Deployment pages once a clearer consensus on secure identifiers emerges. (i.e.pending developments in evolving standards).

Note that with opening of this issue, I will be removing Issue #s 86 and 87 on the Deployment pages. The relevant content requested to answer these issues was added to Deployment Best Practices with PR #117.

@jhdalek55
Copy link
Contributor Author

jhdalek55 commented Dec 17, 2021

Can someone give this the milestone label "future"? @mnm678 perhaps?

@mnm678 mnm678 added this to the Future milestone Dec 21, 2021
@tkfu
Copy link
Member

tkfu commented May 10, 2022

As discussed in the 2022/05/10 standards meeting call:

  • ECU serial numbers are definitely a question for deployment considerations. It's not clear, though, what should be added there, or what challenges need to be addressed. This would be a good topic for the USA industry workshop.
  • CoSWID tags, however, are an excellent idea that could easily be included in the standard as a SHOULD. But exactly where and how in the Targets metadata the CoSWID tags are included should be a question for each specific implementation. This could be specified in the implementation's POUF.

@jhdalek55
Copy link
Contributor Author

jhdalek55 commented Oct 11, 2022

This issue was discussed at the 10/11 Uptane meeting. The consensus was we follow the suggestion in the second bullet point of @tkfu comments from 5/10 and make a place in the Standard to discuss the use of CoSWID tags as a SHOULD. The milestone can then be set for this portion of the issue for V. 2.1.0 A Pull Request to make these changes is requested. Can we get a volunteer?

@mnm678 mnm678 modified the milestones: Future, 2.1.0 Oct 11, 2022
@jhdalek55
Copy link
Contributor Author

Still seeking a volunteer to draft a PR for this.

@iramcdonald
Copy link

iramcdonald commented Nov 16, 2022 via email

@jhdalek55
Copy link
Contributor Author

@iramcdonald ...thanks for the input.

@jhdalek55
Copy link
Contributor Author

jhdalek55 commented Jan 31, 2023

At the 1/31/23 Standards meeting, it was agreed that we would set the milestone for 2.2 because the IETF is not immediately publishing a CoSWID RFC. Can someone change this milestone? thanks.

@jhdalek55
Copy link
Contributor Author

Repeating my request from 1/31/23, can someone change the milestone to 2.2.0. We might as well wait till later in the year when we might be able to add the information from IETF about CoSWID RFC.

@mnm678 mnm678 modified the milestones: 2.1.0, 2.2.0 Apr 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants