IETF Logo Mail Archive

[SCITT] Consistency of the registry append-only log.

Ray Lutz <raylutz@citizensoversight.org> Tue, 23 May 2023 05:20 UTC

Return-Path: <raylutz@citizensoversight.org>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B36E7C14CE55 for <scitt@ietfa.amsl.com>; Mon, 22 May 2023 22:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=citizensoversight.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OhPPgbB_8y1K for <scitt@ietfa.amsl.com>; Mon, 22 May 2023 22:19:56 -0700 (PDT)
Received: from vps5.cognisys.com (vps5.cognisys.com [69.73.173.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB7E6C14F748 for <scitt@ietf.org>; Mon, 22 May 2023 22:19:55 -0700 (PDT)
Received: from [192.168.123.225] (ip174-65-13-111.sd.sd.cox.net [174.65.13.111]) by vps5.cognisys.com (Postfix) with ESMTPSA id 47A272590B for <scitt@ietf.org>; Tue, 23 May 2023 01:19:54 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citizensoversight.org; s=default; t=1684819194; bh=xnc0etEzvwZYTPCpZjAvdFKliJwS57ICTIdrhw0bbeU=; l=10620; h=To:From:Subject; b=kZ+FGiooCbIBX4ZWvkLkWY0oLoAwh2TAgt+MPpWXe58gnX2BiVskcmN2KKadRZBXQ AiPxAnUKUNEWPF4m4gaMonFmnec9vgkAkIRzPRcn74q4gC2h0B9EKCrYoLL0WuLIye ecpeaTek4gubLnfcb7mzb3JGemejrWYEWnKuN03Q=
Content-Type: multipart/alternative; boundary="------------0a2diMOUqZcv7LcJD3PNneu0"
Message-ID: <1dfae262-2802-6036-7382-3f5496a3e186@citizensoversight.org>
Date: Mon, 22 May 2023 22:19:52 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: "scitt@ietf.org" <scitt@ietf.org>
From: Ray Lutz <raylutz@citizensoversight.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/_FchWiKI7jmH0fslvEW9L8yemvQ>
Subject: [SCITT] Consistency of the registry append-only log.
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2023 05:20:01 -0000

We were talking today about how to deal with various related records 
that may be submitted at various times in the log.
I will outline some thoughts here with the caveat that I have to spend a 
night thinking about it.

I thought at first that the log could be quite brain-dead about this, 
and just accept a payload and secure it with a receipt. If the user 
wants to group them together, then the submitter can submit additional 
entries that provide the grouping. But I don't think this is good enough 
for most use cases.

First, we must admit that records related to specific supply chain 
products will not all be submitted at the same time. In the SW use case, 
there are various points in the development and release and testing 
cycle when submissions about the same product must be submitted 
separately, but thought of as a set.

For a simple sw product, there may be a release of the source code, and 
also later several related submissions, such as testing results.

For the election use case I am currently working to resolve, there 
appear to be several release stages:
1. Release of a set of all the public keys of the devices that will be 
deployed.
2. Incremental releases of cryptographic evidence related to scanning of 
ballots (without releasing the ballots or the vote).
3. Release of all the evidence for auditing and review.
4. Final release of the result of the election upon certification.
5. Submission of auditing results based on all the evidence found.

There are similar scenarios in the sw space, usually related to critical 
code that must be tested to some agreed criteria. The example I used in 
the call was of say self-driving vehicle software that must be tested to 
a standard test suite or the mfr will be liable for crashes. We can't 
trust them to tell the truth about prior submissions, that is one of the 
great things about the append-only log.

These are all logically all part of the same election, so we need a way 
to submit incrementally.
But one threat scenario is a compromised official or hacker, who may 
want to hope that we will forget about the original public keys, and 
substitute a compromised set so the results can be modified. Thus, we 
can't rely on the submitter to be honest about what was submitted, but 
must build that in.

this is a useful Chat GPT response.

The attribute you are describing is called consistency in the context of 
a registry built on an append-only log. Consistency ensures that the 
registry maintains a reliable and accurate state, where all related 
records are present and there are no additional or missing entries.

In an append-only log, new entries are added to the end of the log, 
preserving the order in which they were appended. To achieve 
consistency, the registry must adhere to certain principles:

 1. Append-only: The registry strictly follows the append-only rule,
    meaning that once a record is appended to the log, it cannot be
    modified or deleted. This ensures that the log maintains a reliable
    and immutable history of all entries.

 2. Atomicity: Operations on the registry should be atomic, meaning they
    are treated as indivisible units of work. This guarantees that each
    operation either succeeds completely or fails, preventing partial
    updates that could compromise consistency.

 3. Strong consistency guarantees: The registry should provide strong
    consistency guarantees to ensure that all related records are found
    and there are no additional or missing entries. This means that
    queries made to the registry will always reflect the most up-to-date
    state of the log, and the registry will not return stale or
    inconsistent results.

 4. Indexing and querying: The registry should support efficient
    indexing and querying mechanisms to allow users to find relevant
    entries quickly and accurately. This can be achieved through various
    techniques, such as maintaining indexes or using data structures
    optimized for querying, like balanced search trees or hash tables.

==========
The other important aspect is that the data can be transparently 
inspected. Others can check that the log isn't lying. So the consistency 
guarantee will be important, esp. bc we need to know for sure that there 
are no forgotten entries related to the product of concern.

Sure, the system could provide completely obscured usage, which would be 
fine if there were no incremental submissions for the same product.

Thus, we will need to also provide some exposed metadata with enough 
structure to at least identify the submitter and the product, when 
consistency attribute is desired.

This is not fully thought through but it is a start.

--Ray





-- 
-------
Ray Lutz
Citizens' Oversight Projects (COPs)
http://www.citizensoversight.org
619-820-5321

v2.23.0 | Report a Bug | By Email