Re: [SCITT] Constraints on unprotected data in receipt...
Dick Brooks <dick@reliableenergyanalytics.com> Fri, 12 May 2023 18:03 UTC
Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A5F4C1524DE for <scitt@ietfa.amsl.com>; Fri, 12 May 2023 11:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.093
X-Spam-Level:
X-Spam-Status: No, score=-7.093 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reliableenergyanalytics.com header.b="WvoC8bcC"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="VM0ORwn/"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SF6XxD_WBU4T for <scitt@ietfa.amsl.com>; Fri, 12 May 2023 11:03:45 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2833CC1524DD for <scitt@ietf.org>; Fri, 12 May 2023 11:03:45 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id B81995C04B1; Fri, 12 May 2023 14:03:42 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Fri, 12 May 2023 14:03:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= reliableenergyanalytics.com; h=cc:cc:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:reply-to:sender:subject :subject:to:to; s=fm1; t=1683914622; x=1684001022; bh=AMJn/X+eC+ 1PN5QWbIZ6j0LOq2o8KZ6v15nOzvAMaGk=; b=WvoC8bcCdwiE6nF7vwFg4Lr/do pW+UxjCpdAta4FjPzhQeQBsKL6W6Sgj6dD8FSp4+6YK0fH6lMitzzJEraYXxeFbg kS+jJyl6qhvMNir5Hai0oM00UwXRyZ5VvG9Xfm5EQZz2ggjBbKv4OzN2AxorPWZZ Zsl+0zW5InQE3Y8S98sszF1mObZO2G2AAL92t/CVb9BC24nqkPMwbCtJ8oSHwI7G 5kYvPpKUzSWSihzsiERDbpIavi1EdDgvcRMrCQjvE8Cf96HgEwJkgOwJcmblA8+b Kka2DNxGFiSHO6Qjb0ej4iw85O0iHcLGNxE6jTVjX7vJoA3Zh9QRt0SS3Pfw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1683914622; x=1684001022; bh=A MJn/X+eC+1PN5QWbIZ6j0LOq2o8KZ6v15nOzvAMaGk=; b=VM0ORwn/eB75B85js 88NNRB/NIY/qluwlvSSkYeFSYnKaWH+NAX7YbbC8CZVugVFPNjzILOwaaQEi+5vF yQjtr+iAKDMxCXA56poStJY8gW+hfhvzJ3r0owL594qlczagfYbtt8iE2ATrqL8n B4R4RWitJ2vWWSa/gVJn6H/jrgHeifdhF9XOJr49TBTD64Fot0CuBfSkcCYBsMiG wcIq3bOEYZGjOcyNH7KIjpvOaZvyl5glk3kZsw1sCbxSn5G3MZHOPZPowE1d99jB PTz7kaO48+GSHYPL34wA0humphtWdcOcgWIFqOPMdZQ49jF1vElDo2rcDvi6g8jS JVm0Q==
X-ME-Sender: <xms:fn9eZLeNyrUT8WNhbefOtwIqpwXe1bt7fcl89Lgn1flYu8r-KnQFBw> <xme:fn9eZBPdOgFYCs9YuDnLNLiHizsYbtfnipc50X-GUXPvsvINqh3SPz2kBbtGa7F0l mgSIs_fultt-_23Qw>
X-ME-Received: <xmr:fn9eZEiLk6cw-X6FiT7JgNVAGIWQdlfGY_O3Tp6gZd681JVxitqpRBI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeehtddguddvtdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpehrhffvvehfjgfuffhokfggtgfothesrhdtghepvddtjeenucfhrhhomhep fdffihgtkhcuuehrohhokhhsfdcuoeguihgtkhesrhgvlhhirggslhgvvghnvghrghihrg hnrghlhihtihgtshdrtghomheqnecuggftrfgrthhtvghrnhepgfekvedvudduheelleel tefggfffteekfefgtdfhffehgfekgeeftedtgfetfeelnecuffhomhgrihhnpehgihhthh husgdrtghomhdprhgvlhhirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomhdp thhrrghnshhprghrvghntgihrdguvghvpdgrphhplhgvrdgtohhmpdiguggrqdguvghvvg hlohhpvghrshdrtghomhdpmhhitghrohhsohhfthdrtghomhdprhhftgdqvgguihhtohhr rdhorhhgpdhirghnrgdrohhrghdpihgvthhfrdhorhhgpdhtrhgrnhhsmhhuthgvrdhinh guuhhsthhrihgvshenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhl fhhrohhmpeguihgtkhesrhgvlhhirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtg homh
X-ME-Proxy: <xmx:fn9eZM9pOASPz8YyQS3orHfMPNXxS5u4DGL35QM-RHGJjipqIj4m1w> <xmx:fn9eZHvLLMQRBzwRio4m94uHzL3TBXmCRR6J4Rm7B61dnNuv3v-Gyg> <xmx:fn9eZLHBLYa4fbeP-BKzwNAaub0En055miTgl6T1pU9peGHZ-S1Y2A> <xmx:fn9eZA6tuaYXuGjgH5G6mTiU_GbPFl35V-xa9Quy6yMYPTlq_W7N1Q>
Feedback-ID: i57d944d0:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 12 May 2023 14:03:42 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Orie Steele' <orie@transmute.industries>, 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>
Cc: 'Ray Lutz' <raylutz@citizensoversight.org>, scitt@ietf.org
References: <5b797713-0618-1eb2-1b74-ecee65af423b@citizensoversight.org> <70a90ae7-7460-262b-ec47-9b59fae757c5@gmx.net> <CAN8C-_+0G8N8XdsWUJxV_kX0K=yzHODkt3dDckgksZOFeOrV_A@mail.gmail.com>
In-Reply-To: <CAN8C-_+0G8N8XdsWUJxV_kX0K=yzHODkt3dDckgksZOFeOrV_A@mail.gmail.com>
Date: Fri, 12 May 2023 14:03:39 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <09fb01d984fc$1629e650$427db2f0$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_09FC_01D984DA.8F1957C0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGrduGvj8ngmE/1ScJSZ4SC0ElmTwH5Kc7hAsAzRU2vjT3m8A==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/K-5gc1_IkKgX6PR07TKG130e0Tw>
Subject: Re: [SCITT] Constraints on unprotected data in receipt...
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2023 18:03:50 -0000
Orie nailed it. The CA’s are working on a new revocation process that will revoke a key/certificate if it has been used to sign malware. This is an improvement over today’s process and is covered in our first use case when we say “and is still valid” when referring to the signing key/cert. See section 4.9.1: https://github.com/cabforum/code-signing/pull/17/files#diff-904962f0e52198f4a232d6ef6732d57ccb47433d4bba47b3472d681405360e31 A CA MUST revoke a Code Signing Certificate in any of the four circumstances: (1) the Application Software Supplier requests revocation, (2) the subscriber requests revocation, (3) a third party provides information that leads the CA to believe that the certificate is compromised or is being used for Suspect Code, or (4) the CA otherwise decides that the certificate should be revoked. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: SCITT <scitt-bounces@ietf.org> On Behalf Of Orie Steele Sent: Friday, May 12, 2023 11:10 AM To: Hannes Tschofenig <hannes.tschofenig@gmx.net> Cc: Ray Lutz <raylutz@citizensoversight.org>; scitt@ietf.org Subject: Re: [SCITT] Constraints on unprotected data in receipt... I think Ray is interested in the issuer, not the specific key the issuer is using... But I could be mistaken. How do you know a given key was authoritative for an issuer, when the signature was produced? In OIDC, you can discover current signing keys, but not previous signing keys for the authorization server (unless you make the historic keys for the AS transparent somehow). Same thing is true of certificates, perhaps review https://certificate.transparency.dev <https://certificate.transparency.dev/> The purpose of scitt is to do this for software artifacts, and I think what we are all slowly learning is that software artifacts include identity and key material... - https://www.apple.com/certificateauthority/ - https://www.xda-developers.com/android-14-root-certificates-updatable/ - https://learn.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store The idea behind scitt is that it can be used to secure any opaque content types, by leveraging the `cty` / `content-type` header property of cose sign1 envelopes: https://www.rfc-editor.org/rfc/rfc8152#section-3.1 Here are a few content types related to issuer identity, or establishing it: - https://www.iana.org/assignments/media-types/application/jwk+json - https://www.iana.org/assignments/media-types/application/jwk-set+json - https://www.iana.org/assignments/media-types/application/pem-certificate-chain - https://www.iana.org/assignments/media-types/application/pgp-keys - https://www.iana.org/assignments/media-types/application/pkcs10 Next consider the registration policy for any of these content types might require the signature to come from a previously accepted key, or with a chain of trust that terminates in a previously registered key. The specifics of those policies are out of scope for SCITT, but if your transparency service is managing binaries for mobile apps, it might be managing certificates that are authorized for developers. How you configure your policies, what identity solutions you support, and what content type you accept for registration is all out of scope for scitt. The part that is in scope (currently) is the architecture, the signed statement and transparent statement formats, and the REST API for interoperability. Regards, OS On Fri, May 12, 2023 at 5:38 AM Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> > wrote: Hi Ray, before I share my view I have a few questions > The question is: Should the public key appear in the unprotected portion of the receipt, or can it be an id of the public key. Which public key are we talking about? The receipt is signed by the transparency service. Are you talking about the public key of the transparency service? It could also be the public key of the issuer? Or both? What do you mean by "id of the public key"? Are you trying to stay that there could also be a reference to the public key (in comparison to sending the public key directly)? Why would the public key be included in the receipt? Convenience for the recipient? Does it need to be the public key? Could be the hash of the public key? Could be a certificate or even a certificate chain? Ciao Hannes -- SCITT mailing list SCITT@ietf.org <mailto:SCITT@ietf.org> https://www.ietf.org/mailman/listinfo/scitt -- ORIE STEELE Chief Technical Officer www.transmute.industries <https://www.transmute.industries/>
- [SCITT] Constraints on unprotected data in receip… Ray Lutz
- Re: [SCITT] Constraints on unprotected data in re… Orie Steele
- Re: [SCITT] Constraints on unprotected data in re… Hannes Tschofenig
- Re: [SCITT] Constraints on unprotected data in re… Orie Steele
- Re: [SCITT] Constraints on unprotected data in re… Dick Brooks
- Re: [SCITT] Constraints on unprotected data in re… Ray Lutz
- Re: [SCITT] Constraints on unprotected data in re… Ray Lutz
- [SCITT] Fwd: Constraints on unprotected data in r… Ray Lutz