[SCITT] My initial thoughts and comments on Use Case Document

Yogesh Deshpande <Yogesh.Deshpande@arm.com> Mon, 16 January 2023 17:57 UTC

From: Yogesh Deshpande <Yogesh.Deshpande@arm.com>
To: "scitt@ietf.org" <scitt@ietf.org>
Date: Mon, 16 Jan 2023 17:57:01 +0000
Message-ID: <AM6PR08MB43254F3F7F978817913895A48EC19@AM6PR08MB4325.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/U44F76_YeVNYeWwlJU5fllNZ59c>
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>

Hi All,
My initial comments looking at the overall state of the Use Case Document:
https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/blob/main/draft-birkholz-scitt-software-use-cases.md

(Please note that I will make these comments on github also).

General Comment:
We need to harmonize the format so that the shape and style of description of each use case looks similar.

Specific Comments:

Use Case 1: Trust Bond between Package Supplier and the Signing Authority

  1.  Missing bits: needs to map the problem to a real use case in hand? The use case starts with a problem rather than describing a proper industry use case.
  2.  Remove the usage of the words Trust and Trustworthiness; instead, describe the lack of information on aspects that can be assertively verified by the end user, so that the trust factor is "implicitly" established.

Use Case 2: Scalable Determination of Trustworthiness in Multi-Stakeholder Ecosystems
(a)   Title is very misleading: there is no scalability, again, in Trustworthiness. There is an incremental mechanism of further, deeper verification that grows the trust.
(b)   Need to rewrite the title with a specific industry and its use case built into it.
(c)   Again, need to highlight a real use case and then come to the problem that the use case exposes.

Use Case 3: I think UC #2 and UC #3 can easily be combined? There is a lot of duplication (the statements and "N" statements); Use Case 3 only adds a factor of time into the multiplicity.

Use Case 4: This use case is not clear to me at all?? Specifically, the comment:
 "Over time, there has been an increasing amount of providers of the same version of the software component source over the Internet" ==> How can the same version of the software component source be produced by multiple vendors?
Need to rewrite the use case completely.

Use Case 5: Checking the History of Statements about Software by Auditors
Again, better to demonstrate a real-world example use case rather than jumping into the problem domain.

I propose that I work with the individual authors who originally proposed these sections to understand the real use case and the problem they see, and tidy up the document.

Please let me know if anyone wants to provide help in this effort. I am more than happy to coordinate.

Regards,
Yogesh