IETF Logo Mail Archive

[SCITT] Fwd: Constraints on unprotected data in receipt... [PLEASE DISREGARD THIS ONE ]

Ray Lutz <raylutz@citizensoversight.org> Mon, 15 May 2023 14:51 UTC

Return-Path: <raylutz@citizensoversight.org>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17DC8C16B5B1 for <scitt@ietfa.amsl.com>; Mon, 15 May 2023 07:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=citizensoversight.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GZxwmdtc-ohf for <scitt@ietfa.amsl.com>; Mon, 15 May 2023 07:51:24 -0700 (PDT)
Received: from vps5.cognisys.com (vps5.cognisys.com [69.73.173.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFFAFC169535 for <scitt@ietf.org>; Mon, 15 May 2023 07:51:23 -0700 (PDT)
Received: from [192.168.123.225] (ip174-65-13-111.sd.sd.cox.net [174.65.13.111]) by vps5.cognisys.com (Postfix) with ESMTPSA id CD60724ADD for <scitt@ietf.org>; Mon, 15 May 2023 10:51:22 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citizensoversight.org; s=default; t=1684162283; bh=7pdDBQazz1Ds5gmbtbuCyZSXGEWnyx8zZB4XZxAjDS8=; l=7017; h=Subject:To:From; b=vkMEGQV0LAByHzTZtlDU7i6hoswfPr0DLCqx3tFBxlf8W8oJ7/g+TKjwDybFfQD6l F49AlOlO/I+gOspnQkXV0VHyABLbv4LI5NT5zURXqwffujt0g6ofJpE0nLZSmWoGF2 lBULz1oKTTPKI6henO/0Kn+uSSbdEgzkCIfq0h7I=
Content-Type: multipart/alternative; boundary="------------KmoSomAn60CjeeUmAAUluWIq"
Message-ID: <f9b2aa40-0ba0-c5c5-d4cc-f3766b71af62@citizensoversight.org>
Date: Mon, 15 May 2023 07:51:21 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.10.1
Content-Language: en-US
References: <a79e8107-3655-771b-c9fd-da1aad62d946@citizensoversight.org>
To: "scitt@ietf.org" <scitt@ietf.org>
From: Ray Lutz <raylutz@citizensoversight.org>
In-Reply-To: <a79e8107-3655-771b-c9fd-da1aad62d946@citizensoversight.org>
X-Forwarded-Message-Id: <a79e8107-3655-771b-c9fd-da1aad62d946@citizensoversight.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/A1eqnO__GsuFIrW5FzhTMPE4E8I>
Subject: [SCITT] Fwd: Constraints on unprotected data in receipt... [PLEASE DISREGARD THIS ONE ]
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2023 14:51:28 -0000

Please disregard this email. It was an earlier draft, and then
I mistakenly thought it was my response that I forgot to send.
LOL. So this one dated 15 May you can just delete.

-------- Forwarded Message --------
Subject: 	Re: [SCITT] Constraints on unprotected data in receipt...
Date: 	Mon, 15 May 2023 07:48:31 -0700
From: 	Ray Lutz <raylutz@citizensoversight.org>
To: 	scitt@ietf.org



Sorry for my delay to answer this:

I was responding the best I could to the question posed by Henk. I could 
have not understood it.

Let me explain my simplistic understanding due to the fact that I am 
still learning a lot about a tremendous amount of good work.
But I assume that there will be a SCITT user that wishes to submit 
something to the SCITT append-only log.
This artifact may have a ton of hashes and signatures inside the 
artifact, which may or may not be included in a payload in the scitt log.
And this artifact can eventually be resolved to a single hash which 
likely is a merkle root of the data in the artifact, or the hash of the
artifact. Then, the submitter needs to submit this to the log, and in 
that transaction, use their private key to sign the submission.
Now, there is one detail here I stumble on, because this signature could 
be considered a "wet" signature if the scitt protocol includes
a nonce that must be included in the signature. Or as I have seen 
written by Orie, the signature could be "dry" and no random nonce used.

But let's put that issue aside. The scitt registry must have a set of 
policies which will screen submissions from hackers and the like.
Once the submission is accepted, then it is appended to the log.

On 5/12/2023 3:38 AM, Hannes Tschofenig wrote:
> Hi Ray,
>
>
> before I share my view I have a few questions
>
> > The question is: Should the public key appear in the unprotected
> portion of the receipt, or can it be an id of the public key.
>
>
> Which public key are we talking about? The receipt is signed by the
> transparency service. Are you talking about the public key of the
> transparency service? It could also be the public key of the issuer? Or
> both?
>
>
> What do you mean by "id of the public key"? Are you trying to stay that
> there could also be a reference to the public key (in comparison to
> sending the public key directly)?
>
>
> Why would the public key be included in the receipt? Convenience for the
> recipient? Does it need to be the public key? Could be the hash of the
> public key? Could be a certificate or even a certificate chain?
>
>
> Ciao
>
> Hannes
>
>

-- 
-------
Ray Lutz
Citizens' Oversight Projects (COPs)
http://www.citizensoversight.org
619-820-5321

v2.23.0 | Report a Bug | By Email