IETF Logo Mail Archive

Re: [SCITT] Draft WG Charter

Orie Steele <orie@transmute.industries> Wed, 13 July 2022 23:58 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AAC5C14CF05 for <scitt@ietfa.amsl.com>; Wed, 13 Jul 2022 16:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62zgLKW2JDrN for <scitt@ietfa.amsl.com>; Wed, 13 Jul 2022 16:58:26 -0700 (PDT)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D41B0C14CF01 for <scitt@ietf.org>; Wed, 13 Jul 2022 16:58:21 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id g126so392524pfb.3 for <scitt@ietf.org>; Wed, 13 Jul 2022 16:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RMQbMazbevMfYNCUDh9ZPDxlxOdOa6/kt3uUAITzSNc=; b=GmUjeXjpWf8aEeKUfGjXDuj1Fr9FIQnekUgLlcjNQZTZELGbFWdkrIOCCb1Htf8gRX iKJSyTECIOKwKnELU9DUn/2Ow7ydzd6B0BWRZntOdUS7eYm2HTAMZbO+fJ2pdnk6Ttpo d/31gvGDQzsoihGhBiMwrMS1Kf7J5xIlja9BC5sJz2Aw3tvGMz1LNU1YMYZ1fAUDsOfj 4GIErhbcVCDrHZzQOLgUDHIMBb5Fx5EAY2lYyDhIO3073Qbc7/rYWG4K9I0u3rZ5xTW2 R4f/E3mFrpRe6Qodow/FM6YvPOZzdRCW7jv++jACESyFTqKw2NHEOYw/A8BEAJv3bWcz jokQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RMQbMazbevMfYNCUDh9ZPDxlxOdOa6/kt3uUAITzSNc=; b=zv+RZ0jihX2bGumBnJthkLLbnku+rJPW+IGDUX48TsQVCbRsRQkhfxM3RtiFVLRE6X VzraE9A4kS3g//c/OEbIb3Zk/3WXvITrNd7TvnulrAuhTWVVz6OfXuVhKiTG3kQofcM5 F11JzpLMf3Oe/YE6XCLlmwA6hmUnJQOIwkB/8RPFZPlpsRGFqwYQr2Y1ETqx+tzHo4IW 4HpYE5Ty9WMaYUe5w7ZS+oRljJw5q5wgtgwRljN/RTwHijRO2X0MIx2+GZ5tAs8C0QdD ZhD00Rvb+qzIbm6aVpvPSx8j4/N7IOU0TFTTCf7ebZqnNC3k9PEXL3PDtlzJ4RzFur1N a78w==
X-Gm-Message-State: AJIora8buIVxp3xdPhupgXHXE68k/O+ikM8VUbRwHlLzdf3I97ksGb02 2dA8U1IBqQ2e0+VRyqlc4TFJ78xGZkUUFVcBMprLqwWE9J8=
X-Google-Smtp-Source: AGRyM1tTPVXeCcJ7zQaP77RdoleyRg4oX2ei5NFIscqOg8Sfzd5mmngbJQz5gOppRIPHMRaFwNgd4y/iLI2tvvp8NKg=
X-Received: by 2002:aa7:954a:0:b0:52a:bd44:d15a with SMTP id w10-20020aa7954a000000b0052abd44d15amr5547778pfq.35.1657756700755; Wed, 13 Jul 2022 16:58:20 -0700 (PDT)
MIME-Version: 1.0
References: <AM6PR08MB432599AC5D4E75B1708A94DC8EBD9@AM6PR08MB4325.eurprd08.prod.outlook.com> <a14bdad6-0044-ed19-e4d6-7c1aa80d787f@lear.ch> <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net>
In-Reply-To: <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 13 Jul 2022 18:58:08 -0500
Message-ID: <CAN8C-_LMS0=3yq3Frt7byPvXhX_Xu6c+fvyNGxxU3SX3utnKbQ@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Eliot Lear <lear@lear.ch>, Yogesh Deshpande <Yogesh.Deshpande@arm.com>, scitt@ietf.org
Content-Type: multipart/alternative; boundary="00000000000045db8705e3b88f80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/EHXL9TYss0hf7PpHq5uhRtEd0zA>
Subject: Re: [SCITT] Draft WG Charter
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 23:58:30 -0000

> The WG will standardize profiles of Transparent Registry services and
document their requirements and security properties.

...

> This is a fine work item, but I would drop "on multiple platforms across
multiple geographical locations".

...

> The WG will document ways in which Transparent Registry services can be
audited for correctness against registered claims.

I agree with this framing.

And welcome PRs on these.

Regards,

OS

On Wed, Jul 13, 2022, 4:48 PM Christopher Wood <caw@heapingbits.net> wrote:

> I took a look at the charter. Beyond the problem statement refinement
> happening in another thread, I wanted to comment on the proposed work
> items. My feedback is below. I’m happy to turn some of this into one or
> more PRs against the charter text if that’s helpful.
>
> ---
>
> 1. The WG will select (and potentially profile or augment) acceptable
> common identity format/formats that shall be used in the SCITT ecosystem.
> This will enable interoperability across geographical regions and also
> trace the identity chain seamlessly when a product comprises of multiple
> sub-products from multiple issuers. This includes a model of essential
> actors, such as the supply chain "issuer" (one which generates supply chain
> artifacts), and their duties in the ecosystem.
>
> I think we should strive to punt on all identity-related issues and simply
> pick an abstraction that is extensible for different use cases. MLS has
> some useful text in their charter on this point that we might want to
> repurpose accoringly:
>
>    While authentication is a key goal of this working group, it is not
>    the objective of this working group to develop new authentication
>    technologies. Rather, the security protocol developed by this
>    group will provide a way to leverage existing authentication
>    technologies to associate identities with keys used in the protocol,
>    just as TLS does with X.509.
>
> That would de-emphasize DID — and the baggage it carries — and allow us to
> keep issues of identity separate from the rest of the work.
>
> 2. The WG will define the envelope and common schema for carrying supply
> chain claims/endorsements.
>
> This is a fine work item.
>
> 3. The WG will standardize the Transparent Registry requirements to
> generate homogeneity across multiple supply chains.
>
> This doesn't seem like something the IETF can do since it ultimately boils
> down to policy. For example, some deployments of SCITT might choose to only
> require that a transparent registry produce countersignatures over claims
> without any historical data, whereas other deployments might want full the
> transparency service to provide a complete (global?) view of all claims
> registered with the service. There's definitely a spectrum of options here,
> and the choice of what requirements make sense depend on a particular
> deployment's threat model.
>
> I might rephrase this particular work item to something like the following:
>
>    The WG will standardize profiles of Transparent Registry services and
> document their requirements and security properties.
>
> 4. A standard format for authenticity data returned from the transparent
> registry, such as proof, etc. The standard will enable independent
> verification of supply chain claims at a (much) later point on multiple
> platforms across multiple geographical locations.
>
> This is a fine work item, but I would drop "on multiple platforms across
> multiple geographical locations".
>
> 5. The WG will develop standards for auditing the supply chain claims that
> are introduced in the transparent registry. This will, in turn, generate
> audit claims (results of the audit) which can be introduced in the same
> registry. Audit information can be queried by supply chain consumers (end
> customers) before making critical business decisions.
>
> I don't understand why it's necessary for audit claims (what is an audit
> claim?) to end up in the registry. This again seems like a deployment
> specific requirement. Instead, I might rephrase this to something like the
> following:
>
>    The WG will document ways in which Transparent Registry services can be
> audited for correctness against registered claims.
>
> ... or something. The intent here is to say "we'll describe how to audit,
> where auditing varies based on the service you're interacting with."
>
> 6. The WG will develop standards that define the notarization process and
> outline the core functions/actions that a notary will perform in the supply
> chain ecosystem.
>
> Notary isn't a concept or role in the architecture document, so it's not
> clear to me what this work item intends to document. Can someone please
> clarify?
>
> 7. Standardize request-response interactions ("external API") and
> potentially other interaction models provided to various actors to interact
> with the supply chain ecosystem. This includes standardizing
> inter-component messages between supply chain building blocks to support
> easy reference implementations of SCITT building blocks by various
> organizations and easy industry-wide adaptation.
>
> This seems pretty vague right now, so I suggest we punt this issue out of
> scope for now. To that end, I might rephrase this to something like the
> following:
>
>    The WG will discuss extensions to the protocol that can assist other
> interaction models provided to various actors to interact with the supply
> chain ecosystem. Where such mechanisms appear sufficiently useful, the WG
> will re-charter to add relevant new work items.
>
> ---
>
> Best,
> Chris
>
>
> > On Jul 2, 2022, at 12:18 PM, Eliot Lear <lear@lear.ch> wrote:
> >
> > Yogesh,
> >
> > This is a very good starting point.  I will have a few suggestions in a
> PR in the coming week.  I would ask that people take a look.  Things to do
> at this point:
> >
> >       • Confirm that the problem statement reflects the results of our
> last BoF,
> >       • Review the goals, non-goals, and work program
> > Things not to do, at least on list:
> >
> >       • Pick at spelling or grammar, or nitpick wording.
> > Eliot
> >
> > On 01.07.22 11:29, Yogesh Deshpande wrote:
> >> Hi all,
> >>
> >> SCITT BoF proponents have prepared a WG charter draft based on the
> comments
> >> since the last BoF (problem statement) and the discussions on list.
> >> This preliminary charter draft is intended as a basis for discussion
> and as
> >> a preparation for the upcoming SCITT BoF at IETF 114 (preliminary
> meeting details:
> >> https://datatracker.ietf.org/meeting/114/session/scitt
> >> ).
> >>
> >> The charter draft lives on github:
> >>
> >>
> >> https://github.com/ietf-scitt/charter/blob/master/ietf-scitt-charter.md
> >>
> >>
> >> Feel free to chime in via comments or suggestions for further
> improvement
> >> by creating github issues or PRs on this repository.
> >>
> >> Regards,
> >> Yogesh
> >> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> >>
> >>
> > --
> > SCITT mailing list
> > SCITT@ietf.org
> > https://www.ietf.org/mailman/listinfo/scitt
>
> --
> SCITT mailing list
> SCITT@ietf.org
> https://www.ietf.org/mailman/listinfo/scitt
>

v2.23.0 | Report a Bug | By Email