DIP: Self-Describing Hash Format for Intel DCAP reportdata

[h4x3rotab]

We propose a new standard format for encoding hashes in Intel DCAP attestation reportdata, which is limited to 64 bytes. The format is:

<purpose>:<algo>:<base64url-hash>

• Purpose: short human-readable identifier (≤10 chars).
• Algo: algorithm name (e.g., sha-256).
• Digest: Base64url-encoded hash, without padding.

This format is inspired by existing practices (ni://, SRI, Docker digests), but tailored for the strict 64-byte size constraint. It is primarily intended for SHA-256, since longer digests would overflow.

Advantages:

• Self-describing (algorithm embedded).
• Compact (Base64url shorter than hex).
• Domain separation via purpose prefix.
• Reusable tooling: can leverage existing ni:// and SRI libraries for serialization/parsing.

PR: #331

[kvinwang]

I recommend naming it as dip-1.

To avoid potential collisions with other project-defined formats, we could consider adding a scope prefix like dip1:. For example:

dip1:ra-pk:sha256:FPBeUtMvvR54kqX8DSmVNzKiaLvtGPpqna9xvv6l6ws

However, to make better use of the available space (since it's less than 8 bytes for app-defined purpose name), we could move the purpose (content-type) into the payload, like so

Report Data:

dip1:sha256:FPBeUtMvvR54kqX8DSmVNzKiaLvtGPpqna9xvv6l6ws

Payload:

ratls-pubkey:ee218f44a5f0a9c3233f9cc09f0cd41518f376478127feb989d5cf1292c56a01

For applications with shorter payloads, an inline algorithm could be used to embed the payload in the report_data:

dip1:inline:ra-pk:LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ