IETF Logo Mail Archive

Re: [SCITT] Draft WG Charter

Christopher Wood <caw@heapingbits.net> Tue, 19 July 2022 15:31 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52A5EC18872E for <scitt@ietfa.amsl.com>; Tue, 19 Jul 2022 08:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.83
X-Spam-Level:
X-Spam-Status: No, score=-2.83 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=KTdTTIko; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=vE3xmgR3
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7PUmzVieAEA for <scitt@ietfa.amsl.com>; Tue, 19 Jul 2022 08:31:27 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77234C13C51F for <scitt@ietf.org>; Tue, 19 Jul 2022 08:31:27 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 513C85C00FB; Tue, 19 Jul 2022 11:31:24 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute2.internal (MEProxy); Tue, 19 Jul 2022 11:31:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1658244684; x= 1658331084; bh=kwuq6kAzpnLLc0uAHcZ8ra4KY0xICpH5HYMPOUfiS7Y=; b=K TdTTIkoRDVmZxcQp1bfboWCAXhj97GKR1f3Q3zF0MDiv8i7q2/Tf298wn6CLF3g0 gHhHy8ODzHlZcmrE4fM/G6rQXK53VjrJbkb2GokRs2N7fC0I6Z8aczERzpuCyydS EuydFeHW3Oht262vhVSkBnnkiuH0qweopSQXW/RwIAufH0VP5cmNFZms1qalFnsy m/+NW2007U8GqQReL88tulFJwpStHRZUQYcHK7ZPZA2BlCk7wTtrgZGfPWDUA80e Xj5TYzUTvEy5Lb8XI3BcqQsAyuYF3p9KjWP3ep57r6rL6pnRQBey3h1ebOfbb135 X7A7WQyqlx5nqI6IGq/bg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1658244684; x= 1658331084; bh=kwuq6kAzpnLLc0uAHcZ8ra4KY0xICpH5HYMPOUfiS7Y=; b=v E3xmgR3v1c/zrPQrEsnPrI1Fgh75EEkl+UTNpWz4gEfoSQkdKDpgymRsB1gSnOzP zEE6ycMkdRc6BhFV+BZpE6JSGE8blNtD3UgfsqLqSilwVmBfQPDHWghI8buDVGFl 04RJSFYEARIOi/tkxrYLpeEnmiNP1L6/mc+FMteW1sfSX45+WWzXsZPaOA5nz5SF /EjioVhGdeLnDtYWEb9G3wbbeiCR+MZemJs3V5NqLH37VEYYRrQDMQmU8Tu6oRH/ xeVP/wvqlk0Yi88RCPGM9tw0gY+JriUi9sZD8iSmAZDfEKleDBhzY1ptTcuKGyy9 ly+FOfAiHFx5FTwv/hTRg==
X-ME-Sender: <xms:S87WYkuNbsfzK_CJq471Ugutiu4Puy4LYD-LC-J1ijf1dBjcwxOhEw> <xme:S87WYhenHdCNoprTpGBmlENztDoSPlKdGgeAZa70e16tgLu-91TrkswNR642qsFnu SWbuXmnHdoYrT9V_4M>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudeltddgkeelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtgfesthhqredtreerjeenucfhrhhomhepfdev hhhrihhsthhophhhvghrucghohhougdfuceotggrfieshhgvrghpihhnghgsihhtshdrnh gvtheqnecuggftrfgrthhtvghrnhepleevleefueetieeuffetffejgfevvdehueehhfeg ffduudeuhfekvdevlefgtdeknecuffhomhgrihhnpehivghtfhdrohhrghdpghhithhhuh gsrdgtohhmpdhivghtfhdqshgtihhtthdqtghhrghrthgvrhdrmhgunecuvehluhhsthgv rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhngh gsihhtshdrnhgvth
X-ME-Proxy: <xmx:S87WYvwmUzMKGFnrzTj0LTg4LV2GbRaO_2liNAETsaGboqfuV2kDGw> <xmx:S87WYnNtoUxW6jZgpJHp3s2l558I_hy_RqELr4rPKyMKWwNjR-wtDQ> <xmx:S87WYk-wWIXsP3CTCf5Xc2ofNsxTP7v8KEiMawG0Q273eFuE8CBqcQ> <xmx:TM7WYimUv31cky0gNVqGKsFcR0FM-zbvNTikaamPNTMs1ZNPDncxMg>
Feedback-ID: i2f494406:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 5F3F22340077; Tue, 19 Jul 2022 11:31:23 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-755-g3e1da8b93f-fm-20220708.002-g3e1da8b9
Mime-Version: 1.0
Message-Id: <296a878f-ee1f-4d29-b109-c452517f28a7@www.fastmail.com>
In-Reply-To: <CAN8C-_+PyTE2JL3k-F=VXCGHztpcxYMCRH=_hUO=X3bQaawwPQ@mail.gmail.com>
References: <AM6PR08MB432599AC5D4E75B1708A94DC8EBD9@AM6PR08MB4325.eurprd08.prod.outlook.com> <a14bdad6-0044-ed19-e4d6-7c1aa80d787f@lear.ch> <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net> <CAN8C-_+PyTE2JL3k-F=VXCGHztpcxYMCRH=_hUO=X3bQaawwPQ@mail.gmail.com>
Date: Tue, 19 Jul 2022 11:30:59 -0400
From: Christopher Wood <caw@heapingbits.net>
To: Orie Steele <orie@transmute.industries>
Cc: Eliot Lear <lear@lear.ch>, Yogesh Deshpande <Yogesh.Deshpande@arm.com>, scitt@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/EPz6i2X84TSKkwehRVq6mUpWeaU>
Subject: Re: [SCITT] Draft WG Charter
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 15:31:32 -0000

Hi Orie,

Apologies for the delayed response. Please see inline below.

On Wed, Jul 13, 2022, at 7:42 PM, Orie Steele wrote:
>> I think we should strive to punt on all identity-related issues and simply pick an abstraction that is extensible for different use cases.
>
> DIDs are one such abstraction, x509 is another... In the threads 
> regarding COSE envelopes, I've endeavored to support your proposed 
> approach by focusing on COSE, keys and signatures instead of DIDs, keys 
> and signatures... But I wonder, if you have any concrete proposals for 
> this extensible abstraction?

Sure -- I propose we approach this exactly the same way that MLS did. That means two things:

1. Update the charter text to be clear on how we'll treat identity, e.g.:

   While authentication is a key goal of this working group, it is not
the objective of this working group to develop new authentication
technologies. Rather, the security protocol developed by this
group will provide a way to leverage existing authentication
technologies to associate identities with keys used in the protocol,
just as TLS does with X.509.

2. In the protocol, adopt something that lets us slot in new formats as needed, e.g., as was done in https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-16#section-6.3.

Does this clarify?

> Given establishing the identity of software components, authors and 
> CVEs is fundamental to all existing SBOM formats I am aware of, I don't 
> see how we can punt on "all identity-related issues".
>
> When you have signatures or authentication, you have identity, and 
> likely an identity related abstraction with baggage such as x509, JWT, 
> CWT or DID.
>
> I'm not sure limiting this field via the charter, before the WG is 
> formed is strategic.

I think it's important to focus the efforts of this group on work that can be feasibly accomplished. To that end, I think we ought to make sure that we shape the protocol and architecture to work with different identity formats (as needed for different deployments), but not discuss anything else about how those identities are obtained, validated, etc. As a point of comparison, TLS basically punts on how X.509 certificates are authenticated, and I think we ought to do the same thing here.

Best,
Chris

>
> Regards, 
>
> OS
>
> On Wed, Jul 13, 2022, 4:48 PM Christopher Wood <caw@heapingbits.net> wrote:
>> I took a look at the charter. Beyond the problem statement refinement happening in another thread, I wanted to comment on the proposed work items. My feedback is below. I’m happy to turn some of this into one or more PRs against the charter text if that’s helpful.
>> 
>> ---
>> 
>> 1. The WG will select (and potentially profile or augment) acceptable common identity format/formats that shall be used in the SCITT ecosystem. This will enable interoperability across geographical regions and also trace the identity chain seamlessly when a product comprises of multiple sub-products from multiple issuers. This includes a model of essential actors, such as the supply chain "issuer" (one which generates supply chain artifacts), and their duties in the ecosystem.
>> 
>> I think we should strive to punt on all identity-related issues and simply pick an abstraction that is extensible for different use cases. MLS has some useful text in their charter on this point that we might want to repurpose accoringly:
>> 
>>    While authentication is a key goal of this working group, it is not
>>    the objective of this working group to develop new authentication
>>    technologies. Rather, the security protocol developed by this
>>    group will provide a way to leverage existing authentication
>>    technologies to associate identities with keys used in the protocol,
>>    just as TLS does with X.509.
>> 
>> That would de-emphasize DID — and the baggage it carries — and allow us to keep issues of identity separate from the rest of the work.
>> 
>> 2. The WG will define the envelope and common schema for carrying supply chain claims/endorsements.
>> 
>> This is a fine work item.
>> 
>> 3. The WG will standardize the Transparent Registry requirements to generate homogeneity across multiple supply chains.
>> 
>> This doesn't seem like something the IETF can do since it ultimately boils down to policy. For example, some deployments of SCITT might choose to only require that a transparent registry produce countersignatures over claims without any historical data, whereas other deployments might want full the transparency service to provide a complete (global?) view of all claims registered with the service. There's definitely a spectrum of options here, and the choice of what requirements make sense depend on a particular deployment's threat model. 
>> 
>> I might rephrase this particular work item to something like the following:
>> 
>>    The WG will standardize profiles of Transparent Registry services and document their requirements and security properties.
>> 
>> 4. A standard format for authenticity data returned from the transparent registry, such as proof, etc. The standard will enable independent verification of supply chain claims at a (much) later point on multiple platforms across multiple geographical locations.
>> 
>> This is a fine work item, but I would drop "on multiple platforms across multiple geographical locations".
>> 
>> 5. The WG will develop standards for auditing the supply chain claims that are introduced in the transparent registry. This will, in turn, generate audit claims (results of the audit) which can be introduced in the same registry. Audit information can be queried by supply chain consumers (end customers) before making critical business decisions.
>> 
>> I don't understand why it's necessary for audit claims (what is an audit claim?) to end up in the registry. This again seems like a deployment specific requirement. Instead, I might rephrase this to something like the following:
>> 
>>    The WG will document ways in which Transparent Registry services can be audited for correctness against registered claims.
>> 
>> ... or something. The intent here is to say "we'll describe how to audit, where auditing varies based on the service you're interacting with."
>> 
>> 6. The WG will develop standards that define the notarization process and outline the core functions/actions that a notary will perform in the supply chain ecosystem.
>> 
>> Notary isn't a concept or role in the architecture document, so it's not clear to me what this work item intends to document. Can someone please clarify?
>> 
>> 7. Standardize request-response interactions ("external API") and potentially other interaction models provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages between supply chain building blocks to support easy reference implementations of SCITT building blocks by various organizations and easy industry-wide adaptation.
>> 
>> This seems pretty vague right now, so I suggest we punt this issue out of scope for now. To that end, I might rephrase this to something like the following:
>> 
>>    The WG will discuss extensions to the protocol that can assist other interaction models provided to various actors to interact with the supply chain ecosystem. Where such mechanisms appear sufficiently useful, the WG will re-charter to add relevant new work items.
>> 
>> ---
>> 
>> Best,
>> Chris
>> 
>> 
>> > On Jul 2, 2022, at 12:18 PM, Eliot Lear <lear@lear.ch> wrote:
>> > 
>> > Yogesh,
>> > 
>> > This is a very good starting point.  I will have a few suggestions in a PR in the coming week.  I would ask that people take a look.  Things to do at this point:
>> > 
>> >       • Confirm that the problem statement reflects the results of our last BoF,
>> >       • Review the goals, non-goals, and work program
>> > Things not to do, at least on list:
>> > 
>> >       • Pick at spelling or grammar, or nitpick wording.
>> > Eliot
>> > 
>> > On 01.07.22 11:29, Yogesh Deshpande wrote:
>> >> Hi all,
>> >> 
>> >> SCITT BoF proponents have prepared a WG charter draft based on the comments
>> >> since the last BoF (problem statement) and the discussions on list.
>> >> This preliminary charter draft is intended as a basis for discussion and as
>> >> a preparation for the upcoming SCITT BoF at IETF 114 (preliminary meeting details: 
>> >> https://datatracker.ietf.org/meeting/114/session/scitt
>> >> ).
>> >> 
>> >> The charter draft lives on github:
>> >> 
>> >> 
>> >> https://github.com/ietf-scitt/charter/blob/master/ietf-scitt-charter.md
>> >> 
>> >> 
>> >> Feel free to chime in via comments or suggestions for further improvement
>> >> by creating github issues or PRs on this repository.
>> >> 
>> >> Regards,
>> >> Yogesh
>> >> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>> >> 
>> >> 
>> > -- 
>> > SCITT mailing list
>> > SCITT@ietf.org
>> > https://www.ietf.org/mailman/listinfo/scitt
>> 
>> -- 
>> SCITT mailing list
>> SCITT@ietf.org
>> https://www.ietf.org/mailman/listinfo/scitt

v2.23.0 | Report a Bug | By Email