[SCITT] Re: some comments on architecture and use case documents
Henk Birkholz <henk.birkholz@ietf.contact> Tue, 02 July 2024 14:44 UTC
Return-Path: <henk.birkholz@ietf.contact>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9100C1519AC for <scitt@ietfa.amsl.com>; Tue, 2 Jul 2024 07:44:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.461
X-Spam-Level:
X-Spam-Status: No, score=-7.461 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.355, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ietf.contact
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k-AxubV0jpS2 for <scitt@ietfa.amsl.com>; Tue, 2 Jul 2024 07:44:43 -0700 (PDT)
Received: from smtp01-ext2.udag.de (smtp01-ext2.udag.de [62.146.106.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FDB1C18DB83 for <scitt@ietf.org>; Tue, 2 Jul 2024 07:44:13 -0700 (PDT)
Received: from [134.102.156.255] (eduroam-pool12-1279.wlan.uni-bremen.de [134.102.156.255]) by smtp01-ext2.udag.de (Postfix) with ESMTPA id 93BB1E02C0; Tue, 2 Jul 2024 16:44:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ietf.contact; s=uddkim-202310; t=1719931451; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ku1rNusGeGUEZaeZtTvACzxn8B+vEhNjMiEQDKyV2KY=; b=P00qXi1zpYUsB9eU+cnNqMGk1lvaTx7wlPpgwfYUlLxmgflyavlNYy0CoQa61qNa1w5AEr LgwZv3jwlMcAl0fUmslcK953I/1ltztx0dQQgoClO+HYyB+ulKIHTlde6Y1RD9tTI31p9q +WnsNWlLRbyszOwWwq5aDqPKxCQ0dZThR6d+R10BMu9zx+ynlORq3iKDGj1duN2Nxnku77 Trs7aCahx0AP+Nw+rqsZKnSwsDBywU0xdKwdbzoMUw9uojJPmDJyd2jG0oFiXE6RJtA85c QJ9eGpgRDwS992iGM+oPjYPndnFp9uIVw9IetsSe/85Cmy2VBQ5aUNlgHgV/kg==
Message-ID: <96eba99e-f711-5db1-c32a-93700a889b4b@ietf.contact>
Date: Tue, 02 Jul 2024 16:44:09 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: "A.J. Stein" <ajstein.standards@gmail.com>, Orie Steele <orie@transmute.industries>
References: <24424.1719432944@obiwan.sandelman.ca> <CAN8C-_+eMmj=o8MoJZMZLoNkBq_8275iGFtftO87x6cpNjg9nQ@mail.gmail.com> <CAMvBLPLM5McPu1Yr3=MYhvfCTffth9XKwrSMGhMG+ZvVzu4iEQ@mail.gmail.com>
From: Henk Birkholz <henk.birkholz@ietf.contact>
In-Reply-To: <CAMvBLPLM5McPu1Yr3=MYhvfCTffth9XKwrSMGhMG+ZvVzu4iEQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: smtp01-ext2.udag.de; auth=pass smtp.auth=henk.birkholz@ietf.contact smtp.mailfrom=henk.birkholz@ietf.contact
Message-ID-Hash: D5GCDKMJ5WHFXZPHPCEJS6NPU4CQXTEN
X-Message-ID-Hash: D5GCDKMJ5WHFXZPHPCEJS6NPU4CQXTEN
X-MailFrom: henk.birkholz@ietf.contact
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Michael Richardson <mcr+ietf@sandelman.ca>, scitt <scitt@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [SCITT] Re: some comments on architecture and use case documents
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/UCi8Ztx7hps-S9VD_eQ56KXepsQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>
Hi all, focusing on "where does the CDDL go". The cddl definitions in the architecture (i.e., how a statement is signed, how a receipt is signed) are limited to the core of interoperability in SCITT. SCRAPI is a reference API (a specific pattern to register a statement and to retrieve the corresponding receipt) that can be used to implement application code that can actually handle Software-Supply-Chain related protocol interactions (w.g., some use case we started from, such as: give me all CVEs you registered about this software component that you registered). I understand the intuitive impulse to move cddl for signed statements and receipts to SCRAPI, as it is about messages and messages are related to APIs. But as these message layouts (the signing of statements and the receipts) are not specific to SCRAPI, as they can be added to, for example, any existing challenge response interaction model. I really think that SCRAPI is a specific pattern used as a reference how to implement scitt and that the cddl in the arch shows the (pretty concise) generic pattern that all "SCITT interoperable" systems have to use. Does that make sense? Viele Grüße, Henk On 29.06.24 18:19, A.J. Stein wrote: > I had started a reply but had not finished and sent it along. Inline > comments tacking on to Orie's reply. > > On Sat, Jun 29, 2024 at 4:45 AM Orie Steele <orie@transmute.industries> > wrote: > > Media type belongs in the SCRAPI document. > > I agree with the comment about CDDL, that could also move to SCRAPI > potentially. > > > I can also agree to its relocation. > > > I made similar comments a while back. > > I think I would slightly prefer to keep the architecture high level, > and move the protocol, data model and interface specification to a > single document like SCRAPI that references the architecture. > > But I don't feel strongly about this. > > > I am also supportive of this and do not feel strongly either. > > Question: if we get consensus on this, does this proposed change mean > that the protocol would only be represented as only a HTTP-based REST > API and additional representations/implementations/what have you could > and should be added later? I do not know if this was discussed by other > prior. > . > > > https://www.ietf.org/archive/id/draft-ietf-scitt-software-use-cases-03.html#lifecycle-threats <https://www.ietf.org/archive/id/draft-ietf-scitt-software-use-cases-03.html#lifecycle-threats> > Is a great diagram. I think that there probably needs to be > more explanation > about what each step is. Probably dumb it down a bit, and then > explain what > failure at each step is being exploited. > > > Agree to this, I have not re-read or reviewed it in a long time. > > Box one shows: > Code -> Compromise source control > > but, really, it's not compromising the source code control, it's > compromising > the source. For instance, an attack here might be via loading a > module into > an IDE that inserts _system("nc localhost 9981 | bash")_ at the > top of main(), > but conceals it from the programmer. The developer's desktop > has been compromised. > > Box two shows: > Commit -> Malicious plug-ins; Malicious commit > > I'm not sure what is being plug-in here, I guess something in > the source code > control system. (i.e. .git/hooks)... I would put that in box one. > A malicious commit is really what I think this box intends, and > that does not > mean compromising a developer's desktop. > > Tampering with the build cache (e.g., "ccache") is a pretty > sophisticated attack. > (it's very subtle, and it's what I'd do!), but the words on > their own > probably do not inform people, it probably needs a reference. > > In general, I'd redo this diagram to have words that explain > what each step > does (when running correctly), and then in text afterwards, > explain the > attacks. > At which point, I think I'd move that *ENTIRE* section to the > Architecture document. > > > This suggestion is interesting. > > I think we have to date tried to keep the architecture use case > agnostic, despite SCITT being only chartered to address software > supply chain use cases. > > Perhaps by keeping the architecture use case agnostic we've weakened > its applicability. > > I wouldn't object if authors decided to internalize more software > use cases, but I don't feel strongly about it. > > > Do we mean hear properly identify misuse cases/attacks that could occur > at one or more resources at different life cycle steps in the diagram? I > too think it could be beneficial. > > > I found section 2.10, about components for a Smart car very > specific, in a > section that was otherwise pretty abstract. Perhaps it's just > the title of > the section which is the problem. Perhaps the example of a > smart-car just > needs to be text that gives the specifics for one case. > My very limited understanding of the Boeing 737MAX stall sensor > failures are > partly the result of poor integration process (each party > thought the other > party would be dealing with failure of a sensor). If someone had > corroborating details and references, that might make a better > example. > (This is an example of provenance failures unrelated to a > malicious act) > > > I wonder if we could generalize this to a use case for consideration. > > I would not put such a physical supply chain scenario in the > architecture. > > Agreed, but when we talk of "physical supply chain scenarios," I often > think SCITT is really about the digitalization of statements in supply > chain(s), whether or not the software is "on the metal" and deployed > with a physical device (autonomous vehicle like in 2.10) or container > for use in a virtualized cloud environment (even if there is hardware > there, we wave our hands and rightfully leave that out of scope in > design and operation of those systems). > > Is there some way to convey that in the architecture and use case > documents, or am I in fact stepping outside the scope of the charter? I > have thought this is the scope, but we do not clarify this sufficiently > but correctly emphasize physical supply chain scenarios are out of scope. >
- [SCITT] some comments on architecture and use cas… Michael Richardson
- [SCITT] Re: some comments on architecture and use… Orie Steele
- [SCITT] Re: some comments on architecture and use… A.J. Stein
- [SCITT] Re: some comments on architecture and use… Dick Brooks
- [SCITT] Re: some comments on architecture and use… Henk Birkholz
- [SCITT] Re: some comments on architecture and use… Dick Brooks
- [SCITT] Re: some comments on architecture and use… A.J. Stein
- [SCITT] Re: some comments on architecture and use… Michael Richardson