IETF Logo Mail Archive

Re: [SCITT] Intel is taking the lead on a Trust Service Registry

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Tue, 18 July 2023 09:11 UTC

Return-Path: <hannes.tschofenig@siemens.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5910CC151096 for <scitt@ietfa.amsl.com>; Tue, 18 Jul 2023 02:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l7jO2xHroJiS for <scitt@ietfa.amsl.com>; Tue, 18 Jul 2023 02:11:37 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2070.outbound.protection.outlook.com [40.107.7.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E02CC151066 for <scitt@ietf.org>; Tue, 18 Jul 2023 02:11:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GWOy5pEneFQcbjoBydXfgoafVNtvQMgLx+rS7B1tbKoe4ARadj9oxFTvFArynAjQ3AUQlbbaCNvZ3a203OQ22Edp3gYjezl8wmfG18Sxjf91gEMpgkbuGBAR5zydZZ94XGodW+uOsRcgoMhqSjweGQzx6IgEmrD1CEWVSgacrXTBV8z9vsHyMPCPC97WvztLoqt2ffzRjYaCCxNhr8ho7d8PNVjEEXKMX9MzQXXPTI2G2+OjJbQrwxvNNrR6XXYMFiasfpR6ZbPQiJsYKxJ6t7bwm+o43Wzjic6F4QQWvgc1I2Qs2AI0VdsNtusnysyj2vg9hfFz73ChvLmOCbh9sw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9kibWBv+Zu+QqY3DcD8KsBvR2jnR6Vwr4BFc1xpCylE=; b=hl5z19zGkfBUwlGE9vEYcA3ROuzPdV75DCcfn7gtMMsNpYsslKcC4kJGFwKz6qZTFdwX/L+d6jMOwLpVpzXQYPp1x20aTChhqbV6+0UzK4okUNJmBtbhEFkUPsaWl4ynmyOSpV5ieqAxVVx9QJsEJbnigPjxeoyov5yRdWQ6xX/gURLPjQtCLrSnGsVdzIFp/Evy2tzYvY0NJkwglwY7+GDeHyqF+2M88d3VXrN7L3+c/GQedfEOSNcCq33ijEzsECWUn1d4zEBpFkWUu81iMSIst3MYSa98Hklm1X6Bsg2nofH+OYMZ9k4TMydazQvAaruFY/799Wn12/KaRHziaw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9kibWBv+Zu+QqY3DcD8KsBvR2jnR6Vwr4BFc1xpCylE=; b=OLS4tlE3BWooMnH1+3fKTefyhbTPj0q7pNjrbkbKklw6TpAlPui/12yYVXKM1gom1sF+c6ryhL/Acimc3Dq1g1/f9LlEBhrrqYkbl/i/o6RmYBl6LKhTgWPeMQre3zv9hmBol+/KG+4cOFySnC6qZR8LLXTSNDLFwa/E36ek23X//P/8NGFT4uwIEQ6/jvxJV2/kQf7NLGzUYxaUI+NM1lu1WJhxDyBfQLPHvPjI3RGGxcxFf2BPbGTypzis10fAZZp1G0HsMxj+mHjdU2bWFJqs9r0enr1curqiuuXcxkKD2nZiTZlxaecjVpJMUDidbhevrq3uYlCAcxjMltDq5w==
Received: from AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:5ab::22) by DU0PR10MB5897.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3ba::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6588.31; Tue, 18 Jul 2023 09:11:33 +0000
Received: from AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM ([fe80::d2e9:efb4:5e60:2c60]) by AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM ([fe80::d2e9:efb4:5e60:2c60%5]) with mapi id 15.20.6588.031; Tue, 18 Jul 2023 09:11:32 +0000
From: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
To: John Andersen <johnandersenpdx@gmail.com>, "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>
CC: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "scitt@ietf.org" <scitt@ietf.org>
Thread-Topic: [SCITT] Intel is taking the lead on a Trust Service Registry
Thread-Index: AQGtoQ4c+B6TqAZxglWuG/ovVVgzAwJd05bjAr2KISsB5lXH8QKSsrIoAT9qvQMBUTYIGq+unnnggAAKxICAA2BkgIAEOGjw
Date: Tue, 18 Jul 2023 09:11:32 +0000
Message-ID: <AS8PR10MB7427F0FDD8294AFD81E150CAEE38A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com> <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com> <242d01d990bd$f8423ed0$e8c6bc70$@reliableenergyanalytics.com> <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com> <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com> <CAPFAYiX+arF6HMBfkGRAU==NJnK-KrSYqefQKh_wjOUVw9eQ0w@mail.gmail.com> <CAPFAYiXbzyL=+3u_8TV8B7icwFJq1DT5wjqGCbNi10Wa7uNNjw@mail.gmail.com> <012001d9b585$9daae200$d900a600$@gmx.net> <01cc01d9b589$cad87270$60895750$@reliableenergyanalytics.com> <CAPFAYiUAw=gV80rP+1jFSmi6mrsfzgcNL1JLbzBjkQExNw7buQ@mail.gmail.com>
In-Reply-To: <CAPFAYiUAw=gV80rP+1jFSmi6mrsfzgcNL1JLbzBjkQExNw7buQ@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2023-07-18T09:11:32Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=a0f98a81-3693-449b-9451-a95646802738; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0
document_confidentiality: Restricted
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS8PR10MB7427:EE_|DU0PR10MB5897:EE_
x-ms-office365-filtering-correlation-id: ef9cb7ce-37df-460d-4493-08db876efae7
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Qf4r/Qvt8V9D4nJTpya7sYWQfdLfc2ziyAcvHQzbWk486fYlwaeKEMw75ZNWL7m4zizSBrAe+v3ow6gToAxRBDeRjmtk/yigNUxDqI0UOxnhsDO77W0eF/F+dzxaNx/XeBlZm5fEIdkE7B3uFNSRzQHgpp7axGkYuEKxkU1XKoQCe4BQLLEF82802DoWdQgpdoUIhTfyJddEH+WgcGcR1JdMZGguCqABZ5jIetiQ3G4UM54M4eAjMMEpMx7eynNskBmtdNRCz7Tt0l73viX/kaouBcaPkBTaAyiqG8yNpbV8kIprGij2hFEo/hd0i5MaYn1WqrEzTwAKKCJZkZWuBZknlfKYOBIxnQskxhP5xkwfls/LOSV17lW0XFhknZRbbUFTQ0FYZ32HQ9wM4FIjNAzIefiC9TPTHqGxyTG47KypbRphTC9SpmqzJH5rxfrARgI99c8s4ThjLP4yaoWXAawVVLjRYaxyyCXFBnbiLb+AExJMEmsnu82vMtDhcFHyUChzq6+wB3YUOp0YGv4pAk0n9L2DxfxJA1mJxwQuA7PQcti3OIQY84ODYWKa9l+yXnxJvP6ZXz9tIKn6zJiWrkv/AkOoNMHBboVGIDihRiI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(4636009)(396003)(39860400002)(366004)(136003)(346002)(376002)(451199021)(54906003)(478600001)(71200400001)(7696005)(110136005)(966005)(6506007)(53546011)(186003)(99936003)(316002)(2906002)(30864003)(76116006)(9686003)(4326008)(52536014)(66446008)(66946007)(66476007)(41300700001)(5660300002)(8676002)(8936002)(122000001)(82960400001)(64756008)(166002)(38100700002)(26005)(86362001)(38070700005)(83380400001)(55016003)(33656002)(40140700001)(66556008)(559001)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: mLoN21jIDgITY8eTVuAeFu8YHHuzoHFtBGeDT2p/OpFkaqHPZIG483uGJA8jxiq/1aqNyK0zaNWT+DpmIeGRYfEObsW7LESSmWHD5Mo6P53FH0pUDHwziE9aBDzLCj1zwGUQDHnB9+0/zrOvGHQWOOffqGXz//owohJ7KzH/NV/cFT7iB2hlNCParUNWmSHdCHZe8voLR2Xkdaciu+iGUSQ05K4DMzYHMGdsPCrjladHgWS7GSYFTa6GqnAsYLrrLCVJHhMQWiSAk4MALg/P/MtMKOwjlUEXYk+e3+s79evE29N7KVXnbrhgELLEVHUtK3NecdgKIfE5p9dsjD8mOTT2o6rCwvQGR33e2QvYwwnl92BNwwzFok3VVBwrKfowOa6Pog7m5fiOCP0pQKCKWpdN8jM8GgIDUzNaPu5x7vNLFzAXAbOTUG52usUBfPWxLsucV0qOq8/NPeHF7EKfRrVeeTYNaZZ9LtjfwlP3JR590zkYj5TJyTxsuA1T3IlYGJ/jpV+3NVNtDT92dvvVYMAFNJPTCUdOt5Tz+XDHilFxkiMuCaKO5GUj6nxfmcxuJTtEpXLEhtrsxW6ojEb/M/a6nsLPpJ8lpcjVi64miXBxJOxI6yG/iHPAb1WvOkIjh4OdGDmIY5YPi4UXjkKK/2fDNi6W3U6wXt7eeR+F2/1mHcITJOaDs2L347qLB320U2cNgpm8dO6+Ue9cXYK1suXTErGHkCNMVm2bmKOd+YaI5ZmPqgrnoFirU0eA9/55h4j5yEK3Ei+g6lpv8vayn+OCHjrFAc20evmPhXprf0qt07qhbCXFuMOhqmQ2uGza9aULXr74OgsI1VxG7bUaEY6Bne4MMyFMQOnVSXH1TrwMhJzRouOYVbOqKTe7qvgFyMpD+aEC7IUnnNnqprQUs7QK+NwbaZvc0/Btu91A9vv/ae/0fdHNwVhVJU0kpqRF2Ioixya4+jX7uTsN6NCrcPIFzX9M8sratPbJYaUwYfO1qjg+nrjevVsncjWzLW5oBjxPD+PgAfqZ/xx6EenZ4SKjIYvFfniMctVCFHoYJk4zIgqQDnK6q5lN615OhOsyXHGLpWJ0PFz3JuYAlRaIp5pB7lwbsFxwDawXorCcPBD2ui8/E/RIYNpPCCcLWrnt14H7lIN5XvCy48DTLr2iqGlSgRtkINlvJHvagdD/sP4O3oUA78UqFlCZ3TOwJmPwD7Z/H6hHgBVqZQwhTDbxmshhnUW8yjp7SvbKb5gy6CcpAlnkY+REi9O0UNyK69gs5SAvEdzAsJCNghcHTzS+XAGX0M0Zk5BJQXMJ14Zsj9Ms4aQzoAlFkN24JE/fbla1mahRqui/qgxWFl+J17yJqCj/4fNJUoj8t+GtwN2yWyaErzAZY05UQI5rRHydCDtuN9kB9eRJ+0AP7RB/Fuon+Ex9LOgrXLbbJSb2KVj8Z0vLO6pp+HOPWLzf7FaEEHfMzl/ChhEfLkd/enrH7JStpvEw0GbVTkevLS8GnKS83j0kjDD7fw2npvUr6436M9vkD0efxC0PvwZgotmy+GHQSrVx7aJvrSW3YQu9EYkxDFd8iFtRnxq3vlIdH39erlHDelimyMFUBerjLuuADGe5iQ==
Content-Type: multipart/related; boundary="_005_AS8PR10MB7427F0FDD8294AFD81E150CAEE38AAS8PR10MB7427EURP_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ef9cb7ce-37df-460d-4493-08db876efae7
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jul 2023 09:11:32.8384 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DlwHA9/li4rXT/vHODzJW1UGN+A4MnfCVGFQR4jMgxKxvNbt4rTo79EeKcVHu/kjbrXFuXp54VnsmDnZeTi8FRrfsV+4jR3Coehz80ytM/4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR10MB5897
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/LKSJ2LfM8Gs6KXugH6ymQkiVinA>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2023 09:11:42 -0000

Hi John,

do you think your use case is covered in the list of use cases from draft-ietf-scitt-software-use-cases-00:

*             3.1.  Verification that Signing Certificate is Authorized by Supplier
*             3.2.  Multi Stakeholder Evaluation of a Released Software Product
*             3.3.  Security Analysis of a Software Product
*             3.4.  Promotion of a Software Component by multiple entities
*             3.5.  Post-Boot Firmware Provenance
*             3.6.  Auditing of Software Product
*             3.7.  Authentic Software Components in Air-Gapped Infrastructure
*             3.8.  Firmware Delivery to large set of constrained IoT Devices
*             3.9.  Software Integrator assembling a software product for a smart car

If it is not covered in this list, what text would need to be added?

Ciao
Hannes


Von: SCITT <scitt-bounces@ietf.org> Im Auftrag von John Andersen
Gesendet: Samstag, 15. Juli 2023 18:33
An: dick@reliableenergyanalytics.com
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; scitt@ietf.org
Betreff: Re: [SCITT] Intel is taking the lead on a Trust Service Registry

Thanks guys,

We're trying to outline a methodology for securing a rolling release across a poly repo development topology. Amber is a piece which can fit into that methodology. S2C2F recommends rebuilding OSS and mirroring. When pulling directly from upstream without org specific patches, this results in duplication of builds across the industry, lots of wasted compute. By leveraging artifact upload admission control policy engines running in attested environments we can enable trusted cross org data sharing. As build systems build software and store the content addresses of the BOMs and associated metadata in transparency services, they enable downstream users to verify when third parties are running that specific software within attestation enabled environments.

Just as builds of OSS are attested, we can attest to the trust we have in that OSS via the same mechanisms, by running projects like OpenSSF scorecard within the same style of environment we use to build packages.

Federation of built package and trust attestations via transparency services enables peer to peer (or org to org) communication of what we expect software to be when built (SLSA) and if we think one should use the software (Scorecard). This also forms the basis for a sort of review system.

I know this is fairly abstract, but once again, from the definition of the reference entity perspective we can about the methodology for trusting components. Confidential compute and attestations from image builds within those environments are one way we can facilitate decentralization of communication of data related to trustworthiness. This is because we potentially (future looking) can tie attestations back to arbitrary hardware roots of trust. Obviously that's not the current setup, but independent verification leveraging end user defined sets of hardware rooted public keys could potentially facilitate true decentralized communication in a trustworthy manner. That's the hope at least, please shoot holes in that until it's solid or falls over.

Thank you,
John

On Thu, Jul 13, 2023 at 05:59 Dick Brooks <dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>> wrote:
John,

Here's the link to the Project Amber story that Hannes is referring to:
https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html

Thanks,

Dick Brooks
[cid:image001.png@01D9B967.16E840B0]  [cid:image002.png@01D9B967.16E840B0]
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!<https://reliableenergyanalytics.com/products> (tm)
http://www.reliableenergyanalytics.com<http://www.reliableenergyanalytics.com/>
Email: dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Tel: +1 978-696-1788


From: Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>>
Sent: Thursday, July 13, 2023 8:29 AM
To: 'John Andersen' <johnandersenpdx@gmail.com<mailto:johnandersenpdx@gmail.com>>; dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Cc: scitt@ietf.org<mailto:scitt@ietf.org>
Subject: AW: [SCITT] Intel is taking the lead on a Trust Service Registry

Thanks for pointing us to your work, John.

Project Amber, as pointed out by Dick, is an attestation verification service (the verifier in the IETF RATS terminology). Intel has ben operating such a service in the past for prior Intel attestation technologies.

How is your project on "Rolling Alice" related to Project Amber?

Ciao
Hannes

Von: SCITT <scitt-bounces@ietf.org<mailto:scitt-bounces@ietf.org>> Im Auftrag von John Andersen
Gesendet: Samstag, 27. Mai 2023 20:36
An: dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Cc: John Whiteman <john.whiteman@owasp.org<mailto:john.whiteman@owasp.org>>; ofcio@omb.eop.gov<mailto:ofcio@omb.eop.gov>; scitt@ietf.org<mailto:scitt@ietf.org>; scrm-nist <scrm-nist@nist.gov<mailto:scrm-nist@nist.gov>>; swsupplychain-eo <swsupplychain-eo@nist.gov<mailto:swsupplychain-eo@nist.gov>>
Betreff: Re: [SCITT] Intel is taking the lead on a Trust Service Registry

This talk is the foundation for this work:
https://gist.github.com/07b8c7b4a9e05579921aa3cc8aed4866#file-rolling_alice_progress_report_0003_down_the_dependency_rabbit_hole_bsides_portland_2019-md

Progress is slow but steady. The goal is to bake as much of the methology's risk analysis and reaction capabilities into existing tooling, processes, formats, and infrastructure as possible.

Thank you,
John

On Sat, May 27, 2023 at 11:19 John Andersen <johnandersenpdx@gmail.com<mailto:johnandersenpdx@gmail.com>> wrote:
I wholeheartedly agree with you!!!

Hence the pursuit of Alice Intelligence (AI, John W gets credit for that acronym)
https://mailarchive.ietf.org/arch/msg/scitt/iEAhuuicVxgoXJiAZIGmpZOctcc/

Thank you,
John

On Sat, May 27, 2023 at 10:49 Dick Brooks <dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>> wrote:
Thanks, John.

I'm doubtful that open source, volunteer, software maintainers will want to invest their energies doing the tedious work of analyzing software supply chain risk assessment data and preserve tamper-proof evidence that can be presented in a lawsuit or audit, and support/operate an online, reliable service to answer consumer queries like "Is this software product vulnerable as of right now?". It's a lot of tedious work, that must be done in order to operate a credible, legitimate "Trust Registry" Service, that also costs money to operate.

But I've been wrong before, I never thought anyone would buy a "pet rock" but some did.
https://en.wikipedia.org/wiki/Pet_Rock

Thanks,

Dick Brooks
[cid:image001.png@01D9B967.16E840B0]  [cid:image002.png@01D9B967.16E840B0]
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!<https://reliableenergyanalytics.com/products> (tm)
http://www.reliableenergyanalytics.com<http://www.reliableenergyanalytics.com/>
Email: dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Tel: +1 978-696-1788


From: John Andersen <johnandersenpdx@gmail.com<mailto:johnandersenpdx@gmail.com>>
Sent: Saturday, May 27, 2023 1:32 PM
To: John Whiteman <john.whiteman@owasp.org<mailto:john.whiteman@owasp.org>>; dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Cc: ofcio@omb.eop.gov<mailto:ofcio@omb.eop.gov>; scitt@ietf.org<mailto:scitt@ietf.org>; scrm-nist <scrm-nist@nist.gov<mailto:scrm-nist@nist.gov>>; swsupplychain-eo <swsupplychain-eo@nist.gov<mailto:swsupplychain-eo@nist.gov>>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry

Hi Dick,

Thanks for sending those and looping them into this discussion. Sections 2.1.1 and 3.2 respectively look related to the high level goals of the use case doc. We plan to leverage threat models heavily (https://m.youtube.com/watch?v=TMlC_iAK3Rg) to assist with risk determination and further sharing of vuln details including how much data to share about the architecture of the system context in question for the triggering event.

We want to enable OSS maintainers, and the secure software forges to have these same capabilities.

Thank you,
John

On Sat, May 27, 2023 at 10:09 Dick Brooks <dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>> wrote:
Thanks, John.

I'm not familiar with the vuln sharing goals of OpenSSF stream 8, but I am familiar with the NIST Vulnerability Disclosure concepts in SP 800-216 and C-SCRM SP 800-161:
https://csrc.nist.gov/publications/detail/sp/800-216/final

This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.

The SP 800-216 framework is also in harmony with SP 800-161 RA-5 Vulnerability Disclosure Reports, where software suppliers provide consumers with software product vulnerability disclosures, at the SBOM component level:
https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final


Thanks,

Dick Brooks
[cid:image001.png@01D9B967.16E840B0]  [cid:image002.png@01D9B967.16E840B0]
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!<https://reliableenergyanalytics.com/products> (tm)
http://www.reliableenergyanalytics.com<http://www.reliableenergyanalytics.com/>
Email: dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Tel: +1 978-696-1788


From: John Andersen <johnandersenpdx@gmail.com<mailto:johnandersenpdx@gmail.com>>
Sent: Saturday, May 27, 2023 12:58 PM
To: dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Cc: ofcio@omb.eop.gov<mailto:ofcio@omb.eop.gov>; scitt@ietf.org<mailto:scitt@ietf.org>; scrm-nist <scrm-nist@nist.gov<mailto:scrm-nist@nist.gov>>; swsupplychain-eo <swsupplychain-eo@nist.gov<mailto:swsupplychain-eo@nist.gov>>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry

WIP but related:
https://github.com/ietf-scitt/use-cases/pull/18

Have been mocking up how we can run SCITT within TEEs which leverage the Amber attestation environment to attest to validity of insert policy run (https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552
) within hermetic builds. This facilitates a recursive trust relationship which enables dependency review (trust propagation) of OSS. Results are federated across the decentralized network of software forges.

This work is in pursuit of the vuln sharing goals of OpenSSF stream 8.

Thank you,
John

On Sat, May 27, 2023 at 08:11 Dick Brooks <dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>> wrote:
Hello Everyone,

This announcement from Intel is further proof that a "Trust Service" is becoming a foundational requirement for trustworthy computing.
A Trust Service Startup Inside the Chip Company
https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html

Amen to this: ""Attestation is the ability for you to prove that something is what it says it is," Yeluri explains. "And that is really the ground truth in confidential computing. If you can't attest and say it is truly what it is, confidential computing is immaterial."

"Before taking that big step, Yeluri and team checked with a couple dozen customers - banks, manufacturers, telecommunications services - and received votes of support."

The following observation is "spot on" based on REA's experience operating the SAG Community Trust Registry (tm) (SAG-CTR (tm)):

"A few suggested Intel just build it as open source. But Yeluri and team believed that while the core attestation primitives can be open sourced, a solution could only succeed "as a turnkey service. That means somebody has to operate it at scale," he says, "and we think we can do that."

REA agrees with the above statement, operating a reliable, trustworthy "trust service" at scale, like REA's SAG-CTR, is a lot of work that requires the analysis, storage and maintenance of evidence that is trustworthy and can be presented during a lawsuit or audit, that cannot be properly operated by open source volunteers.

https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software

Thanks,

Dick Brooks
[cid:image001.png@01D9B967.16E840B0]  [cid:image002.png@01D9B967.16E840B0]
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!<https://reliableenergyanalytics.com/products> (tm)
http://www.reliableenergyanalytics.com<http://www.reliableenergyanalytics.com/>
Email: dick@reliableenergyanalytics.com<mailto:dick@reliableenergyanalytics.com>
Tel: +1 978-696-1788


--
SCITT mailing list
SCITT@ietf.org<mailto:SCITT@ietf.org>
https://www.ietf.org/mailman/listinfo/scitt

v2.23.0 | Report a Bug | By Email