
CoRIM

The IETF sponsors the Remote ATtestation ProcedureS (RATS) Working Group [1], which standardizes formats that support attestation. A Concise RIM [2] (CoRIM), as defined by the IETF RATS WG, is a device Reference Integrity Manifest (RIM) to be published by a device vendor.

Details

A CoRIM comprises metadata that establishes information about the CoRIM itself and various attributes (including creator, signer, etc.), in addition to a list of tags.

As shown in a diagram [3] of a CoRIM produced by the RATS WG, a CoRIM tag list can contain one or more CoSWID, Concise Module Identifier (CoMID), or Concise Tag List (CoTL) tags. For the RIM Tool's create command, the --rim-type parameter denotes which CoRIM tag option is used.

Note

Currently, the RIM Tool only supports CoSWID (corim_coswid) and CoMID (corim_comid) options for CoRIMs.

Signing

CoRIMs are signed using COSE [4] digital signatures, requiring specific fields in the COSE protected header.

Of interest is the context parameter, which is defined as "application/rim+cbor" for CoRIMs (as opposed to "application/swid+cbor" when signing a standalone CoSWID tag). This helps the parser determine the type of data found in the payload.
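
The following is an added illustration of that parsing decision, not code from the RIM Tool or from the CoRIM specification. It assumes the parameter described above is the COSE content type header (label 3 in RFC 9052) inside a COSE_Sign1 message, reads it only from the protected header because that is the part covered by the signature, and does not verify the signature itself. The names `decode`, `payload_kind` and `sample` are hypothetical, and the sample messages are constructed.

```python
# Added example, not RIM Tool code. Assumes COSE "content type" is header label 3 (RFC 9052).
KINDS = {"application/rim+cbor": "CoRIM", "application/swid+cbor": "CoSWID"}

def decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, arg, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if arg >= 28:
        raise ValueError("indefinite or reserved length not supported")
    if arg >= 24:  # argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:  # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):  # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):  # array / map (a map holds arg key-value pairs)
        items = []
        for _ in range(arg * (major - 3)):
            item, pos = decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    if major == 6:  # tag wrapping one item
        inner, pos = decode(buf, pos)
        return ("tag", arg, inner), pos
    raise ValueError("simple values and floats not supported")

def payload_kind(cose):
    """Classify a COSE_Sign1 payload from its signed (protected) content type."""
    item, end = decode(cose)
    if end != len(cose):
        raise ValueError("trailing bytes after COSE message")
    if isinstance(item, tuple) and item[1] == 18:  # COSE_Sign1 tag
        item = item[2]
    if not (isinstance(item, list) and len(item) == 4 and isinstance(item[0], bytes)):
        raise ValueError("not a COSE_Sign1 array")
    protected = decode(item[0])[0] if item[0] else {}
    ctype = protected.get(3) if isinstance(protected, dict) else None
    if not isinstance(ctype, str) or ctype not in KINDS:  # item[1] (unprotected) is ignored
        raise ValueError("missing or unexpected protected content type")
    return KINDS[ctype]

def sample(ctype):  # constructed COSE_Sign1 with dummy payload and signature
    prot = b"\xa2\x01\x26\x03" + bytes([0x60 + len(ctype)]) + ctype.encode()
    return b"\xd2\x84\x58" + bytes([len(prot)]) + prot + b"\xa0\x41\x00\x41\x00"
```

A content type that appears only in the unprotected header is rejected, since that header is not authenticated by the signature.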


  1. See IETF RATS WG charter here

  2. See IETF CoRIM specification here

  3. See CoRIM text diagram on ietf-rats-wg GitHub here

  4. Stands for CBOR Object Signing and Encryption, defined in RFC 9052