IETF Logo Mail Archive

Re: [SCITT] Intel is taking the lead on a Trust Service Registry

Dick Brooks <dick@reliableenergyanalytics.com> Sat, 27 May 2023 17:49 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4065BC151062 for <scitt@ietfa.amsl.com>; Sat, 27 May 2023 10:49:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.787
X-Spam-Level:
X-Spam-Status: No, score=-2.787 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reliableenergyanalytics.com header.b="DPX3a+yi"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="mSSf5wMV"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WgU2DssX2-ja for <scitt@ietfa.amsl.com>; Sat, 27 May 2023 10:49:44 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42C57C14CE3F for <scitt@ietf.org>; Sat, 27 May 2023 10:49:44 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id A73665C00B5; Sat, 27 May 2023 13:49:41 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Sat, 27 May 2023 13:49:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= reliableenergyanalytics.com; h=cc:cc:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:reply-to:sender:subject :subject:to:to; s=fm2; t=1685209781; x=1685296181; bh=bqZDJxf0Jb DustuOhj0k6JVGWg63niPSSPCH0sTwPZ0=; b=DPX3a+yizcArpfzkY8iMJp6qZo KNtZJav9XD4CrdWBDAO5RLrU+5O/U0gQcHTgNAdbXLa0mDVRvkx1emyz1gXm888J KRxvzb3aERtdDf9cZEwWxb/WqK3x235eWTTVFqRM4QfEMISZYJXwJybkTkGD5rEc 7nTmSijkqpOA+PvbudCYNOf7R3/eNlsscdfThiFW8+vVcCsMEaoLt1ARpp6/7SrH 5JwIdILGI54Emztp6+y1gWHi3h9dZj+kTpXbqdJ+vaIII92sWGFu3B3QBlc3dlmx j6K3tCWKRYkF4Hfebk5TUQB4Wus4HgkLWZvVJCd3mPn3Z50CeDLq/1DRNptA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1685209781; x=1685296181; bh=b qZDJxf0JbDustuOhj0k6JVGWg63niPSSPCH0sTwPZ0=; b=mSSf5wMVTKUBHll74 rMXv4Wy2bkCEf4i9xa0itkVEBvMComIkNBq3Ma56A19SVy7cVZuwXgIf30y3Kz1j vBFwB+WsHVF8qP+WJB2UgHJahs4cdCxzNWdrVMI7UidlgwruUMyq4BeQmHQ9Mlhm tvyGvxGDSLRy4NMTpW7Er50GDcRjvRjV/tSmUWTw2EmlIb5tv4e5sADe6WZg0f7x QpLDYkw/BWqXvqUjJrNsnMKzQtLlME0DeEUtxtJYHxZIk3QMEPa3UWdowvBhUZxS nnHN8Mh3GCYsciBeE5RSin+BzvZ5GJa+gyGx8chpFPIJlvXN1ce9t3iDyp+XTsui R0l0g==
X-ME-Sender: <xms:tUJyZOk5kiMfRRHv0YC5Kgeq4Tc1EB7DuAvkNTb1mvyxqVfg1TvLeA> <xme:tUJyZF0aDD5qJ5MtqMWuECe0R6f7-DaRLSq9ZsNC4yoN-BhFq9OBEULf6PjFPjITF 4vnd6Bkx5uyo0pI6w>
X-ME-Received: <xmr:tUJyZMof8zWWQo3ZQAT57VyiV_b4k0u0zVj9x4rOzx3EwdD79KVJpaw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekuddgudduiecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enfghrlhcuvffnffculddqiedmnecujfgurheprhfhvfevfhgjufffohfkgggtofhtsehr tdhgpedvtdejnecuhfhrohhmpedfffhitghkuceurhhoohhkshdfuceoughitghksehrvg hlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhmqeenucggtffrrghtthgv rhhnpeeljedvjedujeefgfefgeeiffdugfehtefftedutdekvdehkeejhefftdegvdevve enucffohhmrghinhepfihikhhiphgvughirgdrohhrghdprhgvlhhirggslhgvvghnvghr ghihrghnrghlhihtihgtshdrtghomhdphihouhhtuhgsvgdrtghomhdpnhhishhtrdhgoh hvpdhgihhthhhusgdrtghomhdpihhnthgvlhdrtghomhdpvghinhhprhgvshhsfihirhgv rdgtohhmpdhivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpeguihgtkhesrhgvlhhirggslhgvvghnvghrghihrghnrghlhiht ihgtshdrtghomh
X-ME-Proxy: <xmx:tUJyZClxLyalp8aaf4HWW7BAH8YbizW2n0jH5MVLAp2XvXOkZqXiJA> <xmx:tUJyZM3I7f2TYBzLGzJgZLmd2pgcg9hYySSUtToyo4KKuaIrSP_IYg> <xmx:tUJyZJtJiSREB9Oav9EW8D_VgaiiSp9xT-bTClKJveYljVb_xSuu3A> <xmx:tUJyZPSkj9lSDyo9Px1GC9bQnQmB0BZZmT-HrnigffZUHT36fKETWg>
Feedback-ID: i57d944d0:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 27 May 2023 13:49:41 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'John Andersen' <johnandersenpdx@gmail.com>, 'John Whiteman' <john.whiteman@owasp.org>
Cc: ofcio@omb.eop.gov, scitt@ietf.org, 'scrm-nist' <scrm-nist@nist.gov>, 'swsupplychain-eo' <swsupplychain-eo@nist.gov>
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com> <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com> <242d01d990bd$f8423ed0$e8c6bc70$@reliableenergyanalytics.com> <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com>
In-Reply-To: <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com>
Date: Sat, 27 May 2023 13:49:39 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_2466_01D990A2.161077E0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGtoQ4c+B6TqAZxglWuG/ovVVgzAwJd05bjAr2KISsB5lXH8a+OM/rA
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/HMipwkHJRx5DpLBbLT8ai5UEH9Q>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2023 17:49:49 -0000

Thanks, John.

 

I’m doubtful that open source, volunteer, software maintainers will want to invest their energies doing the tedious work of analyzing software supply chain risk assessment data and preserve tamper-proof evidence that can be presented in a lawsuit or audit, and support/operate an online, reliable service to answer consumer queries like “Is this software product vulnerable as of right now?”. It’s a lot of tedious work, that must be done in order to operate a credible, legitimate “Trust Registry” Service, that also costs money to operate. 

 

But I’ve been wrong before, I never thought anyone would buy a “pet rock” but some did.

https://en.wikipedia.org/wiki/Pet_Rock

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™

 <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com

Email:  <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

From: John Andersen <johnandersenpdx@gmail.com> 
Sent: Saturday, May 27, 2023 1:32 PM
To: John Whiteman <john.whiteman@owasp.org>; dick@reliableenergyanalytics.com
Cc: ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>; swsupplychain-eo <swsupplychain-eo@nist.gov>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry

 

Hi Dick,

 

Thanks for sending those and looping them into this discussion. Sections 2.1.1 and 3.2 respectively look related to the high level goals of the use case doc. We plan to leverage threat models heavily (https://m.youtube.com/watch?v=TMlC_iAK3Rg) to assist with risk determination and further sharing of vuln details including how much data to share about the architecture of the system context in question for the triggering event.

 

We want to enable OSS maintainers, and the secure software forges to have these same capabilities.

 

Thank you,

John

 

On Sat, May 27, 2023 at 10:09 Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote:

Thanks, John.

 

I’m not familiar with the vuln sharing goals of OpenSSF stream 8, but I am familiar with the NIST Vulnerability Disclosure concepts in SP 800-216 and C-SCRM SP 800-161:

https://csrc.nist.gov/publications/detail/sp/800-216/final

 

This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control. 

 

The SP 800-216 framework is also in harmony with SP 800-161 RA-5 Vulnerability Disclosure Reports, where software suppliers provide consumers with software product vulnerability disclosures, at the SBOM component level:

https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final 

 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™

 <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com

Email:  <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

From: John Andersen <johnandersenpdx@gmail.com <mailto:johnandersenpdx@gmail.com> > 
Sent: Saturday, May 27, 2023 12:58 PM
To: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> 
Cc: ofcio@omb.eop.gov <mailto:ofcio@omb.eop.gov> ; scitt@ietf.org <mailto:scitt@ietf.org> ; scrm-nist <scrm-nist@nist.gov <mailto:scrm-nist@nist.gov> >; swsupplychain-eo <swsupplychain-eo@nist.gov <mailto:swsupplychain-eo@nist.gov> >
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry

 

WIP but related: 

https://github.com/ietf-scitt/use-cases/pull/18

 

Have been mocking up how we can run SCITT within TEEs which leverage the Amber attestation environment to attest to validity of insert policy run (https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552
) within hermetic builds. This facilitates a recursive trust relationship which enables dependency review (trust propagation) of OSS. Results are federated across the decentralized network of software forges.

 

This work is in pursuit of the vuln sharing goals of OpenSSF stream 8.

 

Thank you,

John

 

On Sat, May 27, 2023 at 08:11 Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote:

Hello Everyone,

 

This announcement from Intel is further proof that a “Trust Service” is becoming a foundational requirement for trustworthy computing.

A Trust Service Startup Inside the Chip Company

https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html

 

Amen to this: ““Attestation is the ability for you to prove that something is what it says it is,” Yeluri explains. “And that is really the ground truth in confidential computing. If you can’t attest and say it is truly what it is, confidential computing is immaterial.”

 

“Before taking that big step, Yeluri and team checked with a couple dozen customers — banks, manufacturers, telecommunications services — and received votes of support.”

 

The following observation is “spot on” based on REA’s experience operating the SAG Community Trust Registry ™ (SAG-CTR ™):

 

“A few suggested Intel just build it as open source. But Yeluri and team believed that while the core attestation primitives can be open sourced, a solution could only succeed “as a turnkey service. That means somebody has to operate it at scale,” he says, “and we think we can do that.”

 

REA agrees with the above statement, operating a reliable, trustworthy “trust service” at scale, like REA’s SAG-CTR, is a lot of work that requires the analysis, storage and maintenance of evidence that is trustworthy and can be presented during a lawsuit or audit, that cannot be properly operated by open source volunteers.

 

https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™

 <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com

Email:  <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

-- 
SCITT mailing list
SCITT@ietf.org <mailto:SCITT@ietf.org> 
https://www.ietf.org/mailman/listinfo/scitt

v2.23.0 | Report a Bug | By Email