IETF Logo Mail Archive

Re: [SCITT] Draft WG Charter

Orie Steele <orie@transmute.industries> Tue, 19 July 2022 16:26 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFDBCC14CEFC for <scitt@ietfa.amsl.com>; Tue, 19 Jul 2022 09:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NhollidkmlZB for <scitt@ietfa.amsl.com>; Tue, 19 Jul 2022 09:26:03 -0700 (PDT)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FFBBC14F743 for <scitt@ietf.org>; Tue, 19 Jul 2022 09:26:03 -0700 (PDT)
Received: by mail-pj1-x1032.google.com with SMTP id n4-20020a17090a73c400b001f1e87432c2so3520552pjk.3 for <scitt@ietf.org>; Tue, 19 Jul 2022 09:26:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9dTMamT9bLQZA6dgDuBkq1YwYgnktu+2JF9RtXt7HUI=; b=JjSkIrsJgjIu7+q0HEc57ayud1eCV8UVxNrgnfpb1Jm2uRDppAwti3LL/m1iH45MiB ytROaPWnC9x3kVHtD0Z/KpHCrm3Ox6b4ANFpREY4FhG0iog9K9WTt7ty4pqnSx+j2zFU mCM84Eaxdxx1wIwGgGQ/QfdAUpAXzdGgn2kjR0ZyCGzcrT0iGWaxPqMME8k4yuTduD2Q We6FFwRZDaOEaKl1ekK/2oZL9cpGr7A4NnCqpPxIDP168ALpYesVGZUscmHpfc8dHtxh rKxMLcDuoC5bpakPCVLEyJ2VCAuKn1jOll0sNzfB0ZyQq0b36GWimF7W61n/4uOaEOD+ /gIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9dTMamT9bLQZA6dgDuBkq1YwYgnktu+2JF9RtXt7HUI=; b=fsPuFe6rshknqyzA+BGsw1DzOgD80iCGc46nlAPbOo/jpvGaOvoEw2I+lLYlLyF/F2 GJrC4pufXRoKpQGoaYa/pL9LL6n1GHUgukOWSRDKxdeBuUGkyyFFJSLrcPj428s+Da+5 fJKQrMK9peeofFSnk/oU0F6N34gaVL3MSMjFIueOfsavkp7N9/zVD2wp8O+a5taA3mpO id2Ht2YH0vZGm4JzAnS6yoYj2CwesZTzsPyi1tz9jGoAQpGHz8sXRTZBQ1Lv05zZTnLg pYpAddIqQbw3wr6aOWaTBZ7gTZRtMTyAifn/6iB3BZS1jlVBXoZdF+wPis3SIKtQCuyV QgEQ==
X-Gm-Message-State: AJIora88E5yGh1u1N1NbwbnyenKiChHhnX3NCoYPxXm00GjsGGGlDSB+ V8c9lsZAVzrVzwPDUmjP8PSXsil36NliCRYeg1DE5Q==
X-Google-Smtp-Source: AGRyM1snXkfKoQVXc1+Eiqc18+dEdhulB4LSOXfXxx3ZCPOKzYPD4WzKDP9Z0uPlCRcjDDLfmVXicudJDqpNkDV2TWE=
X-Received: by 2002:a17:902:f805:b0:16b:e0d6:b474 with SMTP id ix5-20020a170902f80500b0016be0d6b474mr34461281plb.165.1658247963043; Tue, 19 Jul 2022 09:26:03 -0700 (PDT)
MIME-Version: 1.0
References: <AM6PR08MB432599AC5D4E75B1708A94DC8EBD9@AM6PR08MB4325.eurprd08.prod.outlook.com> <a14bdad6-0044-ed19-e4d6-7c1aa80d787f@lear.ch> <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net> <CAN8C-_+PyTE2JL3k-F=VXCGHztpcxYMCRH=_hUO=X3bQaawwPQ@mail.gmail.com> <296a878f-ee1f-4d29-b109-c452517f28a7@www.fastmail.com>
In-Reply-To: <296a878f-ee1f-4d29-b109-c452517f28a7@www.fastmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 19 Jul 2022 11:25:52 -0500
Message-ID: <CAN8C-_KDAT7runxbd5bHz8Hom4HHw60xrWMgC_RnxhPSRxoM2w@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Eliot Lear <lear@lear.ch>, Yogesh Deshpande <Yogesh.Deshpande@arm.com>, scitt@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c97dcc05e42af0c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/1GA3JylEfMHodBIJNHNFZxoLP7Y>
Subject: Re: [SCITT] Draft WG Charter
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 16:26:07 -0000

I think I agree with your intention.

On Tue, Jul 19, 2022 at 10:31 AM Christopher Wood <caw@heapingbits.net>
wrote:

> Hi Orie,
>
> Apologies for the delayed response. Please see inline below.
>
> On Wed, Jul 13, 2022, at 7:42 PM, Orie Steele wrote:
> >> I think we should strive to punt on all identity-related issues and
> simply pick an abstraction that is extensible for different use cases.
> >
> > DIDs are one such abstraction, x509 is another... In the threads
> > regarding COSE envelopes, I've endeavored to support your proposed
> > approach by focusing on COSE, keys and signatures instead of DIDs, keys
> > and signatures... But I wonder, if you have any concrete proposals for
> > this extensible abstraction?
>
> Sure -- I propose we approach this exactly the same way that MLS did. That
> means two things:
>
> 1. Update the charter text to be clear on how we'll treat identity, e.g.:
>
>    While authentication is a key goal of this working group, it is not
> the objective of this working group to develop new authentication
> technologies. Rather, the security protocol developed by this
> group will provide a way to leverage existing authentication
> technologies to associate identities with keys used in the protocol,
> just as TLS does with X.509.
>
> 2. In the protocol, adopt something that lets us slot in new formats as
> needed, e.g., as was done in
> https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-16#section-6.3
> .
>
> Does this clarify?
>

yes.


>
> > Given establishing the identity of software components, authors and
> > CVEs is fundamental to all existing SBOM formats I am aware of, I don't
> > see how we can punt on "all identity-related issues".
> >
> > When you have signatures or authentication, you have identity, and
> > likely an identity related abstraction with baggage such as x509, JWT,
> > CWT or DID.
> >
> > I'm not sure limiting this field via the charter, before the WG is
> > formed is strategic.
>
> I think it's important to focus the efforts of this group on work that can
> be feasibly accomplished. To that end, I think we ought to make sure that
> we shape the protocol and architecture to work with different identity
> formats (as needed for different deployments), but not discuss anything
> else about how those identities are obtained, validated, etc. As a point of
> comparison, TLS basically punts on how X.509 certificates are
> authenticated, and I think we ought to do the same thing here.
>

Yes, IMO this aligns with the threads on applying COSE to envelopes.

The question is whether it works for the other sections that are not
specific to the envelope format... Such as querying / auditing, etc...

Thats the area where I feel we should refine further ( in your CR, you also
noted this:
https://github.com/ietf-scitt/draft-birkholz-scitt-architecture/pull/15/files#diff-1812d688e87fa061cf31763fd9aa9d2426e327c292d4b3f03d604f7975220b79R88
 )

Thanks for your comments on this!

OS


> Best,
> Chris
>
> >
> > Regards,
> >
> > OS
> >
> > On Wed, Jul 13, 2022, 4:48 PM Christopher Wood <caw@heapingbits.net>
> wrote:
> >> I took a look at the charter. Beyond the problem statement refinement
> happening in another thread, I wanted to comment on the proposed work
> items. My feedback is below. I’m happy to turn some of this into one or
> more PRs against the charter text if that’s helpful.
> >>
> >> ---
> >>
> >> 1. The WG will select (and potentially profile or augment) acceptable
> common identity format/formats that shall be used in the SCITT ecosystem.
> This will enable interoperability across geographical regions and also
> trace the identity chain seamlessly when a product comprises of multiple
> sub-products from multiple issuers. This includes a model of essential
> actors, such as the supply chain "issuer" (one which generates supply chain
> artifacts), and their duties in the ecosystem.
> >>
> >> I think we should strive to punt on all identity-related issues and
> simply pick an abstraction that is extensible for different use cases. MLS
> has some useful text in their charter on this point that we might want to
> repurpose accoringly:
> >>
> >>    While authentication is a key goal of this working group, it is not
> >>    the objective of this working group to develop new authentication
> >>    technologies. Rather, the security protocol developed by this
> >>    group will provide a way to leverage existing authentication
> >>    technologies to associate identities with keys used in the protocol,
> >>    just as TLS does with X.509.
> >>
> >> That would de-emphasize DID — and the baggage it carries — and allow us
> to keep issues of identity separate from the rest of the work.
> >>
> >> 2. The WG will define the envelope and common schema for carrying
> supply chain claims/endorsements.
> >>
> >> This is a fine work item.
> >>
> >> 3. The WG will standardize the Transparent Registry requirements to
> generate homogeneity across multiple supply chains.
> >>
> >> This doesn't seem like something the IETF can do since it ultimately
> boils down to policy. For example, some deployments of SCITT might choose
> to only require that a transparent registry produce countersignatures over
> claims without any historical data, whereas other deployments might want
> full the transparency service to provide a complete (global?) view of all
> claims registered with the service. There's definitely a spectrum of
> options here, and the choice of what requirements make sense depend on a
> particular deployment's threat model.
> >>
> >> I might rephrase this particular work item to something like the
> following:
> >>
> >>    The WG will standardize profiles of Transparent Registry services
> and document their requirements and security properties.
> >>
> >> 4. A standard format for authenticity data returned from the
> transparent registry, such as proof, etc. The standard will enable
> independent verification of supply chain claims at a (much) later point on
> multiple platforms across multiple geographical locations.
> >>
> >> This is a fine work item, but I would drop "on multiple platforms
> across multiple geographical locations".
> >>
> >> 5. The WG will develop standards for auditing the supply chain claims
> that are introduced in the transparent registry. This will, in turn,
> generate audit claims (results of the audit) which can be introduced in the
> same registry. Audit information can be queried by supply chain consumers
> (end customers) before making critical business decisions.
> >>
> >> I don't understand why it's necessary for audit claims (what is an
> audit claim?) to end up in the registry. This again seems like a deployment
> specific requirement. Instead, I might rephrase this to something like the
> following:
> >>
> >>    The WG will document ways in which Transparent Registry services can
> be audited for correctness against registered claims.
> >>
> >> ... or something. The intent here is to say "we'll describe how to
> audit, where auditing varies based on the service you're interacting with."
> >>
> >> 6. The WG will develop standards that define the notarization process
> and outline the core functions/actions that a notary will perform in the
> supply chain ecosystem.
> >>
> >> Notary isn't a concept or role in the architecture document, so it's
> not clear to me what this work item intends to document. Can someone please
> clarify?
> >>
> >> 7. Standardize request-response interactions ("external API") and
> potentially other interaction models provided to various actors to interact
> with the supply chain ecosystem. This includes standardizing
> inter-component messages between supply chain building blocks to support
> easy reference implementations of SCITT building blocks by various
> organizations and easy industry-wide adaptation.
> >>
> >> This seems pretty vague right now, so I suggest we punt this issue out
> of scope for now. To that end, I might rephrase this to something like the
> following:
> >>
> >>    The WG will discuss extensions to the protocol that can assist other
> interaction models provided to various actors to interact with the supply
> chain ecosystem. Where such mechanisms appear sufficiently useful, the WG
> will re-charter to add relevant new work items.
> >>
> >> ---
> >>
> >> Best,
> >> Chris
> >>
> >>
> >> > On Jul 2, 2022, at 12:18 PM, Eliot Lear <lear@lear.ch> wrote:
> >> >
> >> > Yogesh,
> >> >
> >> > This is a very good starting point.  I will have a few suggestions in
> a PR in the coming week.  I would ask that people take a look.  Things to
> do at this point:
> >> >
> >> >       • Confirm that the problem statement reflects the results of
> our last BoF,
> >> >       • Review the goals, non-goals, and work program
> >> > Things not to do, at least on list:
> >> >
> >> >       • Pick at spelling or grammar, or nitpick wording.
> >> > Eliot
> >> >
> >> > On 01.07.22 11:29, Yogesh Deshpande wrote:
> >> >> Hi all,
> >> >>
> >> >> SCITT BoF proponents have prepared a WG charter draft based on the
> comments
> >> >> since the last BoF (problem statement) and the discussions on list.
> >> >> This preliminary charter draft is intended as a basis for discussion
> and as
> >> >> a preparation for the upcoming SCITT BoF at IETF 114 (preliminary
> meeting details:
> >> >> https://datatracker.ietf.org/meeting/114/session/scitt
> >> >> ).
> >> >>
> >> >> The charter draft lives on github:
> >> >>
> >> >>
> >> >>
> https://github.com/ietf-scitt/charter/blob/master/ietf-scitt-charter.md
> >> >>
> >> >>
> >> >> Feel free to chime in via comments or suggestions for further
> improvement
> >> >> by creating github issues or PRs on this repository.
> >> >>
> >> >> Regards,
> >> >> Yogesh
> >> >> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> >> >>
> >> >>
> >> > --
> >> > SCITT mailing list
> >> > SCITT@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/scitt
> >>
> >> --
> >> SCITT mailing list
> >> SCITT@ietf.org
> >> https://www.ietf.org/mailman/listinfo/scitt
>


-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

v2.23.0 | Report a Bug | By Email