You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: framework/commitment-policy.md
+30-11Lines changed: 30 additions & 11 deletions
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,13 @@
5
5
6
6
## Version
7
7
8
-
0.2.0
8
+
0.3.0
9
+
10
+
### Changelog
11
+
12
+
- 0.3.0
13
+
14
+
- Add commitment policy for DBE.
9
15
10
16
## Implementations
11
17
@@ -28,17 +34,17 @@ It is important that all messages that could be sent to a host can be decrypted
28
34
A top level client makes such settings [hard to misuse](https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/tenets.md#hard-to-misuse)
29
35
because anything a client encrypts can be decrypted by the same client.
30
36
31
-
## Supported Library Commitment Policy ENUM
37
+
## Supported Format Commitment Policy ENUM
32
38
33
39
The following tables include the commitment policies
34
40
supported by the Material Providers Library
35
-
for each [supported library](./algorithm-suites.md#supported-libraries).
41
+
for each [supported format](./algorithm-suites.md#supported-formats).
36
42
37
43
The Material Providers Library MUST provide
38
-
a distinct commitment policy ENUM for each library.
39
-
The `Library` Commitment Policy ENUM, where `Library`
40
-
is a value from [supported library short name](./algorithm-suites.md#supported-libraries).
41
-
This ENUM can be used by each library to configured
44
+
a distinct commitment policy ENUM for each format.
45
+
The `Format` Commitment Policy ENUM, where `Format`
46
+
is a value from [supported format short name](./algorithm-suites.md#supported-formats).
47
+
This ENUM can be used to configure
42
48
which Commitment Policies it supports.
43
49
44
50
| ESDK Commitment Policy ENUM |
@@ -47,23 +53,28 @@ which Commitment Policies it supports.
47
53
| REQUIRE_ENCRYPT_ALLOW_DECRYPT |
48
54
| REQUIRE_ENCRYPT_REQUIRE_DECRYPT |
49
55
56
+
| DBE Commitment Policy ENUM |
57
+
| ------------------------------- |
58
+
| REQUIRE_ENCRYPT_REQUIRE_DECRYPT |
59
+
50
60
## Supported Commitment Policy ENUM
51
61
52
62
The Material Providers Library also MUST provide
53
63
a union ENUM for all distinct commitment policy ENUMs
54
64
called the Commitment Policy ENUM.
55
65
In this specification this union Commitment Policy ENUM
56
-
will be denoted as `Library.LibraryENUM`
57
-
to uniquely identify an Commitment Policy ENUM across all supported libraries.
66
+
will be denoted as `Format.FormatENUM`
67
+
to uniquely identify an Commitment Policy ENUM across all supported formats.
58
68
For example `ESDK.FORBID_ENCRYPT_ALLOW_DECRYPT`
59
-
is the Commitment Policy ENUM for the ESDK Commitment Policy ENU`FORBID_ENCRYPT_ALLOW_DECRYPT`.
60
-
This means that different libraries MAY have duplicate Library Commitment Policy ENUM.
69
+
is the Commitment Policy ENUM for the ESDK Commitment Policy ENUM`FORBID_ENCRYPT_ALLOW_DECRYPT`.
70
+
This means that different formats MAY have duplicate Format Commitment Policy ENUM.
61
71
62
72
| Algorithm Suite ENUM |
63
73
| ------------------------------------ |
64
74
| ESDK.FORBID_ENCRYPT_ALLOW_DECRYPT |
65
75
| ESDK.REQUIRE_ENCRYPT_ALLOW_DECRYPT |
66
76
| ESDK.REQUIRE_ENCRYPT_REQUIRE_DECRYPT |
77
+
| DBE.REQUIRE_ENCRYPT_REQUIRE_DECRYPT |
67
78
68
79
#### ESDK.FORBID_ENCRYPT_ALLOW_DECRYPT
69
80
@@ -88,3 +99,11 @@ When the commitment policy `ESDK.REQUIRE_ENCRYPT_REQUIRE_DECRYPT` is configured:
88
99
-`05 78` MUST be the default algorithm suite
89
100
-[Get Encryption Materials](./cmm-interface.md#get-encryption-materials) MUST only support algorithm suites that have a [Key Commitment](./algorithm-suites.md#algorithm-suites-encryption-key-derivation-settings) value of True
90
101
-[Decrypt Materials](./cmm-interface.md#decrypt-materials) MUST only support algorithm suites that have a [Key Commitment](./algorithm-suites.md#algorithm-suites-encryption-key-derivation-settings) value of True
102
+
103
+
#### DBE.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
104
+
105
+
The commitment policy `ESDK.REQUIRE_ENCRYPT_REQUIRE_DECRYPT` is always configured for DBE,
106
+
and results in the following requirements:
107
+
108
+
-[Get Encryption Materials](./cmm-interface.md#get-encryption-materials) MUST only support algorithm suites that have a [Key Commitment](./algorithm-suites.md#algorithm-suites-encryption-key-derivation-settings) value of True
109
+
-[Decrypt Materials](./cmm-interface.md#decrypt-materials) MUST only support algorithm suites that have a [Key Commitment](./algorithm-suites.md#algorithm-suites-encryption-key-derivation-settings) value of True
Copy file name to clipboardExpand all lines: framework/required-encryption-context-cmm.md
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -22,7 +22,7 @@ This set of keys MUST
22
22
23
23
- Exist in the encryption context of all [Encryption Materials Requests](./cmm-interface.md#encryption-materials-request).
24
24
- Exist in the [required encryption context keys](./structures.md#required-encryption-context-keys) for returned [encryption materials](./structures.md#encryption-materials)
25
-
so that [supported libraries](./algorithm-suites.md#supported-libraries) will not serialize these values.
25
+
so that these values will not be serialized into the [supported formats](./algorithm-suites.md#supported-formats).
26
26
- Exist the reproduced encryption context of all [Decrypt Materials Requests](#decrypt-materials-request).
0 commit comments