Re: [SCITT] Question regarding Transparency Service query results and registration policy
Dick Brooks <dick@reliableenergyanalytics.com> Mon, 19 February 2024 18:32 UTC
Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47409C14F73E for <scitt@ietfa.amsl.com>; Mon, 19 Feb 2024 10:32:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reliableenergyanalytics.com header.b="hE7avKxR"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="M/iW9jcd"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JVOjZDmPVqnz for <scitt@ietfa.amsl.com>; Mon, 19 Feb 2024 10:32:40 -0800 (PST)
Received: from wfout5-smtp.messagingengine.com (wfout5-smtp.messagingengine.com [64.147.123.148]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD8EFC14F736 for <scitt@ietf.org>; Mon, 19 Feb 2024 10:32:40 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfout.west.internal (Postfix) with ESMTP id 7866C1C000AB; Mon, 19 Feb 2024 13:32:37 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Mon, 19 Feb 2024 13:32:37 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= reliableenergyanalytics.com; h=cc:cc:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:reply-to:subject:subject:to :to; s=fm1; t=1708367556; x=1708453956; bh=TgMPHT6pqjvB/PohV3Cx0 giOSz2wHpzzhDcTcW7Qz+Q=; b=hE7avKxRBoZOd9gObzx1wtnEquQGnJZ7yZFHx dhpckDyO+I8+MkzJ7mOirVVTNSc5nbcr0CGOPR2EUJV8qxfv6vdTU/jsWGo92WSw 9JVRTJYYKWLZ31q1KZiKkkeWakyJK44BdTHEyMpNzAApj/iPW5oZ6ECqjz33O6A+ 5RroyRBq3OhLSAaMsmv+pnmusHzSq9anskpBQBOt01F2tYJIjOMyAi212bjvj3h8 1HIKMaGigkiAUmjJL5eK7Xqxts6k6g6X3i9X0Fb4e/ge4xyidPxkg6fyJWsSdvLB YsLiMh+zwBQ+hZXrD2aBN8SziDYBZA5evrFXy7goPm0pV/3yQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:reply-to:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1708367556; x=1708453956; bh=TgMPHT6pqjvB/ PohV3Cx0giOSz2wHpzzhDcTcW7Qz+Q=; b=M/iW9jcdkqfDK0FoseiQfc7+FrOaI vzKexbGXOlB+c1S/uIDzHc3jSt88TMOOJmTWFHpKDOAOdGAuJVfJeXA8Z+n0jGCR A8l2K7lHB33tujoj1R9ZLdD3dZi4p4OxSgRq1B/JIPZK5pkuJU0PCmmqUqgsq4e6 c1LUD4PJ97FB+0Ok6VzOAYnfreUAs/8gC1xCtV1z4ZiiE8OxH20jA5rCj5F8lECN Lo+QKcNPSXt2Pgq2Z1FyuWY51Swws0XlRZPVOtcNpYrPNCYHiclTd07BYrsWnZYr aCgD3XGfpbY1QtNg6p9KyBXu0ynO6R12diR7EOgszP6eZJpZ3okTALhxQ==
X-ME-Sender: <xms:xJ7TZZNEMiMC67LCF-ZrD0YBbyMYCrcm-WF5O5BuZVzKj3G6za-HUQ> <xme:xJ7TZb9gfR9FAaS7AobVdaa-43XobLhpCAYEaNKTMCDK1wPxjzth9lyZ-NvIFu7ce VyKRlQF2AnrKgT53g>
X-ME-Received: <xmr:xJ7TZYQjwtbKdQget0IyY_hyNznIpbJ2X6gHG8rm6I1FRgcLzwsoX9k>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdekgdduuddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheprhfhvfevfhgjufffohfkgggtofhtsehrtderpedvtdejnecuhfhrohhmpedf ffhitghkuceurhhoohhkshdfuceoughitghksehrvghlihgrsghlvggvnhgvrhhghigrnh grlhihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpedtveevgeefvefhjeehhedt ffffgeehleduvdfgiefhueegteeuhfduieevudevffenucffohhmrghinheprhgvlhhirg gslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomhdpihgvthhfrdhorhhgpdgrrdgv gigrmhhplhgvpdhsohhfthifrghrvggrshhsuhhrrghntggvghhurghrughirghnrdgtoh hmpdhtrhgrnhhsmhhuthgvrdhinhguuhhsthhrihgvshdphhhtthhprghpihdrihgunecu vehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepughitghkse hrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhm
X-ME-Proxy: <xmx:xJ7TZVsjJVclPrMPnZndJYUK3z0hdoEK_gj8Ba9d1SBt98BaazHI6g> <xmx:xJ7TZReUuzbRZmdscol5oxjRRt_LhceSL3aJvYiESAgXXb7V41wiXQ> <xmx:xJ7TZR1UBc3ALUTDjJiofpHYFqWuyJryaitoIal4BmVoTEAWhjtflg> <xmx:xJ7TZSptRvwINpD2lv7SzoQMvOXzgGuIadv9cXs23hol1fmitiS6vkp-37A>
Feedback-ID: i57d944d0:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 19 Feb 2024 13:32:36 -0500 (EST)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Orie Steele' <orie@transmute.industries>
Cc: scitt@ietf.org
References: <1196501da634f$be7c6300$3b752900$@reliableenergyanalytics.com> <CAN8C-_+VpiPcJvPBvT-Xud=pk08pcyboDnsyYjy_-PyNCcMksw@mail.gmail.com> <1230f01da6353$86924820$93b6d860$@reliableenergyanalytics.com> <CAN8C-_LCcTJ8W+LC4aFCmbVijw6hiYYBwwK_gV8CMYo-TDwzRA@mail.gmail.com> <12c4f01da635a$6c793460$456b9d20$@reliableenergyanalytics.com> <CAN8C-_+Y-tYAmRY0EhuWidYys21hi0NRUkC6dYsYFN6Y8=Xi=A@mail.gmail.com> <12d9f01da635e$72878290$579687b0$@reliableenergyanalytics.com> <CAN8C-_JsfVLvU9rKDXkQxmLxWRqTyRUsGZWE0jDG-ESXizbS9A@mail.gmail.com>
In-Reply-To: <CAN8C-_JsfVLvU9rKDXkQxmLxWRqTyRUsGZWE0jDG-ESXizbS9A@mail.gmail.com>
Date: Mon, 19 Feb 2024 13:32:33 -0500
Organization: Reliable Energy Analytics LLC
Message-ID: <12fbf01da6362$02995900$07cc0b00$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_12FC0_01DA6338.19C748A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKHMN+KBwBLXc0WkMzR9cT4RtGe9gFZBnmXAdLQaJUClc420AGXXlkkAIfqZ0EA5cUp2QIwhMFfr2CobkA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/-G_uak0yz5UocdRrzc-K9Wzbv3Q>
Subject: Re: [SCITT] Question regarding Transparency Service query results and registration policy
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 18:32:45 -0000
Orie, Thanks for clarifying. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: Orie Steele <orie@transmute.industries> Sent: Monday, February 19, 2024 1:30 PM To: dick@reliableenergyanalytics.com Cc: scitt@ietf.org Subject: Re: [SCITT] Question regarding Transparency Service query results and registration policy A "registration policy" is the policy a vendor sets for deciding what criteria a "signed statement" must meet, in order for the vendor to provide a receipt. For example, a vendor might require the COSE Sign1 to be signed by issuers or certificates that are in a specific PKI (Public, Private), or that are about a specific subject, such as a product identified by a PURL, or any other product identifier. A registration policy is not a place to "define APIs". The registration policy is expected to be applied to every message that is sent to a SCITT API Endpoint that "accepts signed statements and produces receipts". However, the provisioning, maintenance and definition of the policy is out of scope for SCITT. AFAIK, the current SCITT API endpoints are not mandatory to implement at all, meaning there is no assurance of interoperability or conformance to a specific set of HTTP endpoints for SCITT. Some vendors might choose to never implement any of these SCITT HTTP APIs and instead expose the "scitt registration apis" over gRPC, Kafka, or some other transport. If vendors do advertise compatibility with https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/ Then the normative requirements of that document apply, and those requirements are what enable interoperability over that specific HTTP API. I'd stress that SCRAPI is just "one HTTP" API, and since it's not mandatory to implement, it may provide little to no interoperability. OS On Mon, Feb 19, 2024 at 12:07 PM Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: I am not suggesting that every vendor produce a trust score. I’m asking a question “Should SCITT vendors be expected to define their API’s in a Registration Policy” OR will the SCITT API define the specific API’s that need to be supported by each vendor? Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: Orie Steele <orie@transmute.industries> Sent: Monday, February 19, 2024 12:50 PM To: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> Cc: scitt@ietf.org <mailto:scitt@ietf.org> Subject: Re: [SCITT] Question regarding Transparency Service query results and registration policy Are you suggesting that some vendors who build products on SCITT, might require a "trust score" as part of their registration policy? Seems like they are allowed to do that today. If you are asserting that all registration policies should mandate such a check, I can imagine that might produce objections. As a general rule, vendor or domain specific registration policies seem to be out of scope for SCITT, although there is still debate about what is "in scope" for "mandatory to implement" registration policies. OS On Mon, Feb 19, 2024 at 11:38 AM Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: Orie, I agree: Seems to me that something *like* this might be a better fit for the current SCITT APIs: My question is: Will SCITT define the API interfaces and return results of will this be a matter for the “Registration Policy” to address? I’m not proposing any interface standards, just trying to understand how this functionality will be accommodated by SCITT; in the spec or in the registration policy, or some other method?. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: Orie Steele <orie@transmute.industries> Sent: Monday, February 19, 2024 12:30 PM To: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> Cc: scitt@ietf.org <mailto:scitt@ietf.org> Subject: Re: [SCITT] Question regarding Transparency Service query results and registration policy I don't see APIs like this in any of the IETF documents. Do you feel this API is essential to SCITT protocol interoperability? Can you explain why it would help Vendors A and B to agree to host such API endpoints, and how they might be used in a "federation" use case? Seems to me that something *like* this might be a better fit for the current SCITT APIs: GET https://vendor.a.example/receipts/urn:...ietf:scitt:signed-statement:sha256:base64url:<hash of signed statement> ~> proof that a vendor recorded a signed statement regarding a "trust score for a product" in their log. The "signed statement part", would be a COSE Sign1 over the JSON payload your current API is returning as a result. The use case for this would be, in the event of an incident, the response team could forward the receipt to the vendor who issues the receipt, when asserting that a product was "known to have a low score", and that its potentially the entry point of an exploit chain. OS On Mon, Feb 19, 2024 at 10:48 AM Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: Thanks Orie. Here is an example of a “Transparency Service” query, that I’m thinking of for scrapi: I’m thinking a “Transparency Service” will need to describe it’s API service interfaces and results returned, including errors. Query API: https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=48E0EEB4C538BCD65514D68DDA5E1B41BE9F38AAB3A9B4108F056A27BE1F379A JSON Results Returned: [{"SAGScore": 88.65, "current_date": "2024-02-19", "SourceSupplierName": "Reliable Energy Analytics LLC", "ProductName": "SAG-PM (TM)", "ProductVersion": "1.2.2", "Label Type": "SAG Trusted Software", "Product Category": "Desktop Software Application"}] Here is an example of an error result: https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash= JSON Results Returned: {"SAGresult":"Invalid Request"} Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: Orie Steele <orie@transmute.industries> Sent: Monday, February 19, 2024 11:41 AM To: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> Cc: scitt@ietf.org <mailto:scitt@ietf.org> Subject: Re: [SCITT] Question regarding Transparency Service query results and registration policy https://datatracker.ietf.org/wg/scitt/documents/ ^ unless it's in one of these documents, or an issue in one of the repositories for working on them, or a thread on this list that is clearly showing consensus to do something. It's not a thing the IETF WG is developing. I think the answer to your question is "No", but having the IETF documents not define this, does not preclude vendors from developing products that build on SCITT that do this. One way to think about what should be done in the IETF documents vs in products build on the IETF documents is to answer this question: Is interoperability at this layer essential to solving the problem we are chartered to solve. Some examples of what you mean by "API Query Results" might make it easier for the list to answer this question. Regards, OS On Mon, Feb 19, 2024 at 10:22 AM Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: Will a Transparency Service specify it’s “API query results” within the registration policy OR will SCITT require a Transparency Service to provide a catalog of supported API’s and their interface definitions? Or both? Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 -- SCITT mailing list SCITT@ietf.org <mailto:SCITT@ietf.org> https://www.ietf.org/mailman/listinfo/scitt -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries/> -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries/> -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries/> -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries/>
- Re: [SCITT] Question regarding Transparency Servi… Dick Brooks
- [SCITT] Question regarding Transparency Service q… Dick Brooks
- Re: [SCITT] Question regarding Transparency Servi… Orie Steele
- Re: [SCITT] Question regarding Transparency Servi… Orie Steele
- Re: [SCITT] Question regarding Transparency Servi… Dick Brooks
- Re: [SCITT] Question regarding Transparency Servi… Orie Steele
- Re: [SCITT] Question regarding Transparency Servi… Dick Brooks
- Re: [SCITT] Question regarding Transparency Servi… Orie Steele
- Re: [SCITT] Question regarding Transparency Servi… Dick Brooks