IETF Logo Mail Archive

Re: [SCITT] Draft WG Charter

Christopher Wood <caw@heapingbits.net> Wed, 13 July 2022 21:48 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4D1BC15790C for <scitt@ietfa.amsl.com>; Wed, 13 Jul 2022 14:48:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.127
X-Spam-Level:
X-Spam-Status: No, score=-7.127 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=gkT5SnmS; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=QBe8Elk6
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KlpVXPjA1RUx for <scitt@ietfa.amsl.com>; Wed, 13 Jul 2022 14:48:40 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40035C14F747 for <scitt@ietf.org>; Wed, 13 Jul 2022 14:48:40 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 76FB75C00FE; Wed, 13 Jul 2022 17:48:39 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Wed, 13 Jul 2022 17:48:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1657748919; x= 1657835319; bh=XKVCfCjABSL91lNnAQQUx/7xF2HeDcVq3Tfgu6kPNzM=; b=g kT5SnmSTuWt+TCRYd537x/EsJyWSJyxKfY+cDVOix3iu1LUb0+H2n8bZio3EBesF FVqDAjB0qghYha4gtn4VmOUhIKUXbr8aNsEEuMCjDA5kdkyk6UarzB7jRrqTgY/g xUAAb5qqVukSsuWgD3l4IaOhjpMvUH9qFmOUeLlHriUVoK387+3M4jibcg5I5UNO IZhhiap7djNaxkJ0QmL171li+HbB8XIyboLmJ1QtcqvFo1flzmNWD0U4h1NaQ6IZ pV1v0kC8WbbzJDXSid20mXBtqhXPImmH0DDIgnaVVTsIi0u80+NlRv85HQLIkhaY VB9G3VMETSM2cQ5jCEK9Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1657748919; x= 1657835319; bh=XKVCfCjABSL91lNnAQQUx/7xF2HeDcVq3Tfgu6kPNzM=; b=Q Be8Elk6uTjUVKe+ggwOeppTgtsjgBHhjh9uYCZV3M8+pe+FWEXj8iDcjqOkgSxct Xz4KJ6IWGLizaOara/stKBAqI9Cil/nHra5ZlxfVCJ0V8QgVARxbKKO5mzykTqnx ofZbDypPF6oXxbHdFqhWNO1P5rNO6shG0309f3QWQw8FFmjlW67O10yV91HzWuux Dxlyogtkkt8/kDzyN1qV8riwy4Eiux9nctpiOMbu8rlsfh2i13Nbzy1hZ05/U74I UuDPqDJIF+Jztmv2PgMAxvk7ZgV3Y+K7uDlCoYJuNTn8EtyZHW9qtX5wCXPFr8ha NFPp9EGf2l7u+IP/W1ikw==
X-ME-Sender: <xms:tz3PYgxoaw6il7hcW73LdhmxqA450V2T-vEXWN_hGhY-0XgfrprMRg> <xme:tz3PYkQxPD77k0vf-_8Pt5vp3sqoGhVMfdzUmRFmj136LlwRUPCQJX7XsGyomk9Tj lEw4gb4177gJQAjl6k>
X-ME-Received: <xmr:tz3PYiVq9O2wuUyMS0_eU2FbQCAr9skBg4uZDAk5KhvHkhY15DuuykPI51rzqufL1SwGCMbiGsCpDUJytcdHTWY04wbClPzFBEA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudejkedgtddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpeevhhhr ihhsthhophhhvghrucghohhougcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucggtffrrghtthgvrhhnpeffkeeuheegueehfeeijefgueehhfdtvdekuefghfekveev udefteefgeehleetvdenucffohhmrghinhepihgvthhfrdhorhhgpdhgihhthhhusgdrtg homhdpihgvthhfqdhstghithhtqdgthhgrrhhtvghrrdhmugenucevlhhushhtvghrufhi iigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghith hsrdhnvght
X-ME-Proxy: <xmx:tz3PYujbbR3pGHpYYecjyJAADiKi7feJBS9xTGtJ79ZdLBkTQY08AQ> <xmx:tz3PYiDWfGE8D2oTvfYiDn6k0RCh9Gqo-7K4ARGATxctEDsadMexMg> <xmx:tz3PYvKH7lBtrycS35QvsKKM2_jOVJjIGFPz1korLhMhw9x0eaJoeg> <xmx:tz3PYj58nQLkXJTOzjf7E-j3PjH62uQBSnTIM_JwqmM8RPp2BaRNTg>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 13 Jul 2022 17:48:38 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <a14bdad6-0044-ed19-e4d6-7c1aa80d787f@lear.ch>
Date: Wed, 13 Jul 2022 17:48:36 -0400
Cc: Yogesh Deshpande <Yogesh.Deshpande@arm.com>, "scitt@ietf.org" <scitt@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F808130-3A18-4468-BCB9-968329B7DBEA@heapingbits.net>
References: <AM6PR08MB432599AC5D4E75B1708A94DC8EBD9@AM6PR08MB4325.eurprd08.prod.outlook.com> <a14bdad6-0044-ed19-e4d6-7c1aa80d787f@lear.ch>
To: Eliot Lear <lear@lear.ch>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/EfJVCOOK0I7JMMI4Hv7iOVLxCKU>
Subject: Re: [SCITT] Draft WG Charter
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 21:48:44 -0000

I took a look at the charter. Beyond the problem statement refinement happening in another thread, I wanted to comment on the proposed work items. My feedback is below. I’m happy to turn some of this into one or more PRs against the charter text if that’s helpful.

---

1. The WG will select (and potentially profile or augment) acceptable common identity format/formats that shall be used in the SCITT ecosystem. This will enable interoperability across geographical regions and also trace the identity chain seamlessly when a product comprises of multiple sub-products from multiple issuers. This includes a model of essential actors, such as the supply chain "issuer" (one which generates supply chain artifacts), and their duties in the ecosystem.

I think we should strive to punt on all identity-related issues and simply pick an abstraction that is extensible for different use cases. MLS has some useful text in their charter on this point that we might want to repurpose accoringly:

   While authentication is a key goal of this working group, it is not
   the objective of this working group to develop new authentication
   technologies. Rather, the security protocol developed by this
   group will provide a way to leverage existing authentication
   technologies to associate identities with keys used in the protocol,
   just as TLS does with X.509.

That would de-emphasize DID — and the baggage it carries — and allow us to keep issues of identity separate from the rest of the work.

2. The WG will define the envelope and common schema for carrying supply chain claims/endorsements.

This is a fine work item.

3. The WG will standardize the Transparent Registry requirements to generate homogeneity across multiple supply chains.

This doesn't seem like something the IETF can do since it ultimately boils down to policy. For example, some deployments of SCITT might choose to only require that a transparent registry produce countersignatures over claims without any historical data, whereas other deployments might want full the transparency service to provide a complete (global?) view of all claims registered with the service. There's definitely a spectrum of options here, and the choice of what requirements make sense depend on a particular deployment's threat model. 

I might rephrase this particular work item to something like the following:

   The WG will standardize profiles of Transparent Registry services and document their requirements and security properties.

4. A standard format for authenticity data returned from the transparent registry, such as proof, etc. The standard will enable independent verification of supply chain claims at a (much) later point on multiple platforms across multiple geographical locations.

This is a fine work item, but I would drop "on multiple platforms across multiple geographical locations".

5. The WG will develop standards for auditing the supply chain claims that are introduced in the transparent registry. This will, in turn, generate audit claims (results of the audit) which can be introduced in the same registry. Audit information can be queried by supply chain consumers (end customers) before making critical business decisions.

I don't understand why it's necessary for audit claims (what is an audit claim?) to end up in the registry. This again seems like a deployment specific requirement. Instead, I might rephrase this to something like the following:

   The WG will document ways in which Transparent Registry services can be audited for correctness against registered claims.

... or something. The intent here is to say "we'll describe how to audit, where auditing varies based on the service you're interacting with."

6. The WG will develop standards that define the notarization process and outline the core functions/actions that a notary will perform in the supply chain ecosystem.

Notary isn't a concept or role in the architecture document, so it's not clear to me what this work item intends to document. Can someone please clarify?

7. Standardize request-response interactions ("external API") and potentially other interaction models provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages between supply chain building blocks to support easy reference implementations of SCITT building blocks by various organizations and easy industry-wide adaptation.

This seems pretty vague right now, so I suggest we punt this issue out of scope for now. To that end, I might rephrase this to something like the following:

   The WG will discuss extensions to the protocol that can assist other interaction models provided to various actors to interact with the supply chain ecosystem. Where such mechanisms appear sufficiently useful, the WG will re-charter to add relevant new work items.

---

Best,
Chris


> On Jul 2, 2022, at 12:18 PM, Eliot Lear <lear@lear.ch> wrote:
> 
> Yogesh,
> 
> This is a very good starting point.  I will have a few suggestions in a PR in the coming week.  I would ask that people take a look.  Things to do at this point:
> 
> 	• Confirm that the problem statement reflects the results of our last BoF,
> 	• Review the goals, non-goals, and work program
> Things not to do, at least on list:
> 
> 	• Pick at spelling or grammar, or nitpick wording.
> Eliot
> 
> On 01.07.22 11:29, Yogesh Deshpande wrote:
>> Hi all,
>> 
>> SCITT BoF proponents have prepared a WG charter draft based on the comments
>> since the last BoF (problem statement) and the discussions on list.
>> This preliminary charter draft is intended as a basis for discussion and as
>> a preparation for the upcoming SCITT BoF at IETF 114 (preliminary meeting details: 
>> https://datatracker.ietf.org/meeting/114/session/scitt
>> ).
>> 
>> The charter draft lives on github:
>> 
>> 
>> https://github.com/ietf-scitt/charter/blob/master/ietf-scitt-charter.md
>> 
>> 
>> Feel free to chime in via comments or suggestions for further improvement
>> by creating github issues or PRs on this repository.
>> 
>> Regards,
>> Yogesh
>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>> 
>> 
> -- 
> SCITT mailing list
> SCITT@ietf.org
> https://www.ietf.org/mailman/listinfo/scitt

v2.23.0 | Report a Bug | By Email