Re: [SCITT] Draft WG Charter
Orie Steele <orie@transmute.industries> Wed, 13 July 2022 23:58 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AAC5C14CF05 for <scitt@ietfa.amsl.com>; Wed, 13 Jul 2022 16:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62zgLKW2JDrN for <scitt@ietfa.amsl.com>; Wed, 13 Jul 2022 16:58:26 -0700 (PDT)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D41B0C14CF01 for <scitt@ietf.org>; Wed, 13 Jul 2022 16:58:21 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id g126so392524pfb.3 for <scitt@ietf.org>; Wed, 13 Jul 2022 16:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RMQbMazbevMfYNCUDh9ZPDxlxOdOa6/kt3uUAITzSNc=; b=GmUjeXjpWf8aEeKUfGjXDuj1Fr9FIQnekUgLlcjNQZTZELGbFWdkrIOCCb1Htf8gRX iKJSyTECIOKwKnELU9DUn/2Ow7ydzd6B0BWRZntOdUS7eYm2HTAMZbO+fJ2pdnk6Ttpo d/31gvGDQzsoihGhBiMwrMS1Kf7J5xIlja9BC5sJz2Aw3tvGMz1LNU1YMYZ1fAUDsOfj 4GIErhbcVCDrHZzQOLgUDHIMBb5Fx5EAY2lYyDhIO3073Qbc7/rYWG4K9I0u3rZ5xTW2 R4f/E3mFrpRe6Qodow/FM6YvPOZzdRCW7jv++jACESyFTqKw2NHEOYw/A8BEAJv3bWcz jokQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RMQbMazbevMfYNCUDh9ZPDxlxOdOa6/kt3uUAITzSNc=; b=zv+RZ0jihX2bGumBnJthkLLbnku+rJPW+IGDUX48TsQVCbRsRQkhfxM3RtiFVLRE6X VzraE9A4kS3g//c/OEbIb3Zk/3WXvITrNd7TvnulrAuhTWVVz6OfXuVhKiTG3kQofcM5 F11JzpLMf3Oe/YE6XCLlmwA6hmUnJQOIwkB/8RPFZPlpsRGFqwYQr2Y1ETqx+tzHo4IW 4HpYE5Ty9WMaYUe5w7ZS+oRljJw5q5wgtgwRljN/RTwHijRO2X0MIx2+GZ5tAs8C0QdD ZhD00Rvb+qzIbm6aVpvPSx8j4/N7IOU0TFTTCf7ebZqnNC3k9PEXL3PDtlzJ4RzFur1N a78w==
X-Gm-Message-State: AJIora8buIVxp3xdPhupgXHXE68k/O+ikM8VUbRwHlLzdf3I97ksGb02 2dA8U1IBqQ2e0+VRyqlc4TFJ78xGZkUUFVcBMprLqwWE9J8=
X-Google-Smtp-Source: AGRyM1tTPVXeCcJ7zQaP77RdoleyRg4oX2ei5NFIscqOg8Sfzd5mmngbJQz5gOppRIPHMRaFwNgd4y/iLI2tvvp8NKg=
X-Received: by 2002:aa7:954a:0:b0:52a:bd44:d15a with SMTP id w10-20020aa7954a000000b0052abd44d15amr5547778pfq.35.1657756700755; Wed, 13 Jul 2022 16:58:20 -0700 (PDT)
MIME-Version: 1.0
References: <AM6PR08MB432599AC5D4E75B1708A94DC8EBD9@AM6PR08MB4325.eurprd08.prod.outlook.com> <a14bdad6-0044-ed19-e4d6-7c1aa80d787f@lear.ch> <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net>
In-Reply-To: <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 13 Jul 2022 18:58:08 -0500
Message-ID: <CAN8C-_LMS0=3yq3Frt7byPvXhX_Xu6c+fvyNGxxU3SX3utnKbQ@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Eliot Lear <lear@lear.ch>, Yogesh Deshpande <Yogesh.Deshpande@arm.com>, scitt@ietf.org
Content-Type: multipart/alternative; boundary="00000000000045db8705e3b88f80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/EHXL9TYss0hf7PpHq5uhRtEd0zA>
Subject: Re: [SCITT] Draft WG Charter
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 23:58:30 -0000
> The WG will standardize profiles of Transparent Registry services and document their requirements and security properties. ... > This is a fine work item, but I would drop "on multiple platforms across multiple geographical locations". ... > The WG will document ways in which Transparent Registry services can be audited for correctness against registered claims. I agree with this framing. And welcome PRs on these. Regards, OS On Wed, Jul 13, 2022, 4:48 PM Christopher Wood <caw@heapingbits.net> wrote: > I took a look at the charter. Beyond the problem statement refinement > happening in another thread, I wanted to comment on the proposed work > items. My feedback is below. I’m happy to turn some of this into one or > more PRs against the charter text if that’s helpful. > > --- > > 1. The WG will select (and potentially profile or augment) acceptable > common identity format/formats that shall be used in the SCITT ecosystem. > This will enable interoperability across geographical regions and also > trace the identity chain seamlessly when a product comprises of multiple > sub-products from multiple issuers. This includes a model of essential > actors, such as the supply chain "issuer" (one which generates supply chain > artifacts), and their duties in the ecosystem. > > I think we should strive to punt on all identity-related issues and simply > pick an abstraction that is extensible for different use cases. MLS has > some useful text in their charter on this point that we might want to > repurpose accoringly: > > While authentication is a key goal of this working group, it is not > the objective of this working group to develop new authentication > technologies. Rather, the security protocol developed by this > group will provide a way to leverage existing authentication > technologies to associate identities with keys used in the protocol, > just as TLS does with X.509. > > That would de-emphasize DID — and the baggage it carries — and allow us to > keep issues of identity separate from the rest of the work. > > 2. The WG will define the envelope and common schema for carrying supply > chain claims/endorsements. > > This is a fine work item. > > 3. The WG will standardize the Transparent Registry requirements to > generate homogeneity across multiple supply chains. > > This doesn't seem like something the IETF can do since it ultimately boils > down to policy. For example, some deployments of SCITT might choose to only > require that a transparent registry produce countersignatures over claims > without any historical data, whereas other deployments might want full the > transparency service to provide a complete (global?) view of all claims > registered with the service. There's definitely a spectrum of options here, > and the choice of what requirements make sense depend on a particular > deployment's threat model. > > I might rephrase this particular work item to something like the following: > > The WG will standardize profiles of Transparent Registry services and > document their requirements and security properties. > > 4. A standard format for authenticity data returned from the transparent > registry, such as proof, etc. The standard will enable independent > verification of supply chain claims at a (much) later point on multiple > platforms across multiple geographical locations. > > This is a fine work item, but I would drop "on multiple platforms across > multiple geographical locations". > > 5. The WG will develop standards for auditing the supply chain claims that > are introduced in the transparent registry. This will, in turn, generate > audit claims (results of the audit) which can be introduced in the same > registry. Audit information can be queried by supply chain consumers (end > customers) before making critical business decisions. > > I don't understand why it's necessary for audit claims (what is an audit > claim?) to end up in the registry. This again seems like a deployment > specific requirement. Instead, I might rephrase this to something like the > following: > > The WG will document ways in which Transparent Registry services can be > audited for correctness against registered claims. > > ... or something. The intent here is to say "we'll describe how to audit, > where auditing varies based on the service you're interacting with." > > 6. The WG will develop standards that define the notarization process and > outline the core functions/actions that a notary will perform in the supply > chain ecosystem. > > Notary isn't a concept or role in the architecture document, so it's not > clear to me what this work item intends to document. Can someone please > clarify? > > 7. Standardize request-response interactions ("external API") and > potentially other interaction models provided to various actors to interact > with the supply chain ecosystem. This includes standardizing > inter-component messages between supply chain building blocks to support > easy reference implementations of SCITT building blocks by various > organizations and easy industry-wide adaptation. > > This seems pretty vague right now, so I suggest we punt this issue out of > scope for now. To that end, I might rephrase this to something like the > following: > > The WG will discuss extensions to the protocol that can assist other > interaction models provided to various actors to interact with the supply > chain ecosystem. Where such mechanisms appear sufficiently useful, the WG > will re-charter to add relevant new work items. > > --- > > Best, > Chris > > > > On Jul 2, 2022, at 12:18 PM, Eliot Lear <lear@lear.ch> wrote: > > > > Yogesh, > > > > This is a very good starting point. I will have a few suggestions in a > PR in the coming week. I would ask that people take a look. Things to do > at this point: > > > > • Confirm that the problem statement reflects the results of our > last BoF, > > • Review the goals, non-goals, and work program > > Things not to do, at least on list: > > > > • Pick at spelling or grammar, or nitpick wording. > > Eliot > > > > On 01.07.22 11:29, Yogesh Deshpande wrote: > >> Hi all, > >> > >> SCITT BoF proponents have prepared a WG charter draft based on the > comments > >> since the last BoF (problem statement) and the discussions on list. > >> This preliminary charter draft is intended as a basis for discussion > and as > >> a preparation for the upcoming SCITT BoF at IETF 114 (preliminary > meeting details: > >> https://datatracker.ietf.org/meeting/114/session/scitt > >> ). > >> > >> The charter draft lives on github: > >> > >> > >> https://github.com/ietf-scitt/charter/blob/master/ietf-scitt-charter.md > >> > >> > >> Feel free to chime in via comments or suggestions for further > improvement > >> by creating github issues or PRs on this repository. > >> > >> Regards, > >> Yogesh > >> IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > >> > >> > > -- > > SCITT mailing list > > SCITT@ietf.org > > https://www.ietf.org/mailman/listinfo/scitt > > -- > SCITT mailing list > SCITT@ietf.org > https://www.ietf.org/mailman/listinfo/scitt >
- [SCITT] Draft WG Charter Yogesh Deshpande
- Re: [SCITT] Draft WG Charter Dick Brooks
- Re: [SCITT] Draft WG Charter Eliot Lear
- Re: [SCITT] [EXTERNAL] Re: Draft WG Charter Maik Riechert
- Re: [SCITT] [EXTERNAL] Re: Draft WG Charter Yogesh Deshpande
- Re: [SCITT] Draft WG Charter Yogesh Deshpande
- Re: [SCITT] [EXTERNAL] Re: Draft WG Charter Dick Brooks
- Re: [SCITT] [EXTERNAL] Re: Draft WG Charter Dick Brooks
- Re: [SCITT] [EXTERNAL] Re: Draft WG Charter Maik Riechert
- Re: [SCITT] [EXTERNAL] Re: Draft WG Charter Dick Brooks
- Re: [SCITT] Draft WG Charter Christopher Wood
- Re: [SCITT] Draft WG Charter Orie Steele
- Re: [SCITT] Draft WG Charter Orie Steele
- Re: [SCITT] Draft WG Charter Christopher Wood
- Re: [SCITT] Draft WG Charter Eliot Lear
- Re: [SCITT] [EXT]Re: Draft WG Charter Hart, Charlie
- Re: [SCITT] [EXT]Re: Draft WG Charter Dick Brooks
- Re: [SCITT] [EXTERNAL] Re: [EXT]Re: Draft WG Char… Roy Williams (COSINE)
- Re: [SCITT] [EXT]Re: Draft WG Charter Orie Steele
- Re: [SCITT] Draft WG Charter Orie Steele