Re: [SCITT] Question regarding changes to the Vendor Response File format (now IETF property)

Dick Brooks <dick@reliableenergyanalytics.com> Sun, 14 April 2024 13:26 UTC

Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Jon Geater' <jon.geater@datatrails.ai>, scitt@ietf.org
References: <1792a01da8e63$24605350$6d20f9f0$@reliableenergyanalytics.com> <CWXP265MB576637898D18130868458E90980A2@CWXP265MB5766.GBRP265.PROD.OUTLOOK.COM>
In-Reply-To: <CWXP265MB576637898D18130868458E90980A2@CWXP265MB5766.GBRP265.PROD.OUTLOOK.COM>
Date: Sun, 14 Apr 2024 09:26:07 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <17eb301da8e6f$51936860$f4ba3920$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/c2rN9FaPISKEjDenWfS1tjCgII8>
Subject: Re: [SCITT] Question regarding changes to the Vendor Response File format (now IETF property)
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>

Thanks for clarifying, Jon.

I'll go forward and make this change given the VRF's "not official" status
within the IETF.

Thanks for the quick response.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788


From: Jon Geater <jon.geater@datatrails.ai>
Sent: Sunday, April 14, 2024 9:23 AM
To: dick@reliableenergyanalytics.com; scitt@ietf.org
Subject: Re: [SCITT] Question regarding changes to the Vendor Response File format (now IETF property)


Hi Dick,

Thanks for your continued efforts in testing and promoting SCITT in these
very practical arenas. Good luck with your presentation.

With respect to the VRF, since it's not an officially adopted work item there's
no very formal change control in place or necessary. Much like the emulator
code that was developed at the same time, it provides a good example artifact,
and the demo we did was great proof of SCITT, but all of that is strictly in
service of getting the 3 official pieces of work right: the use cases; the
architecture; and SCRAPI.

All of which is to say I think your suggestion sounds sensible and you should
make the change if you want to. If it materially affects the demo from 117
then it probably would be good to raise a PR against the emulator repo to
commit the new version.

Jon

Jon Geater
Chief Product & Technology Officer, DataTrails


From: SCITT <scitt-bounces@ietf.org> on behalf of Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Sunday, April 14, 2024 1:58:57 PM
To: scitt@ietf.org
Subject: [SCITT] Question regarding changes to the Vendor Response File format (now IETF property)

Hello Everyone,

I will be presenting to a US Government Agency tomorrow showing how a
software supplier can satisfy the new US Government secure software
attestation requirements using CISA's RSAA repository and the "Secure
Software Attestation Form". The process I will demonstrate includes the
uploading of the attestation form along with other artifacts including
SBOMs, VDRs, and a Vendor Response File, like the one we demo'd in SF at
IETF 117.

I will share my slides after the presentation on 4/15; if anyone is
interested, please email me directly. I will not post the slides on the
IETF list.

One item that appears to be missing from the VRF, under the "Product"
section (see the XML schema for the VRF structure), is a "DescriptionURL",
which contains a link to a product description.

Would there be any objection to adding a "DescriptionURL" to the VRF Schema
within the Product structure?

Thanks,

Dick Brooks

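The schema change proposed in the original message, as an added example that is not part of this thread or of the VRF emulator code: a constructed XSD fragment that adds DescriptionURL to Product as an optional xs:anyURI element (minOccurs="0", so existing VRFs stay valid), plus a checker that audits a constructed VRF instance against that fragment and applies the URL policy a consumer would want before following the link (https only, a host present, no embedded credentials). Only "Product" and "DescriptionURL" come from the thread; the "Name" element, the VendorResponseFile root and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed XSD stand-in for the VRF Product type. Only "Product" and the
# proposed "DescriptionURL" come from the thread; "Name" and the root element
# in the sample below are assumptions. minOccurs="0" keeps existing VRFs valid.
PRODUCT_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Product"><xs:complexType><xs:sequence>
    <xs:element name="Name" type="xs:string"/>
    <xs:element name="DescriptionURL" type="xs:anyURI" minOccurs="0"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

SAMPLE_VRF = """<VendorResponseFile>
  <Product><Name>Alpha</Name><DescriptionURL>https://vendor.example/alpha</DescriptionURL></Product>
  <Product><Name>Beta</Name></Product>
  <Product><Name>Gamma</Name><DescriptionURL>http://user:secret@vendor.example/gamma</DescriptionURL></Product>
</VendorResponseFile>"""

def declared_children(xsd_text):
    """Return {child element name: required?} for Product as declared in the XSD."""
    product = ET.fromstring(xsd_text).find(f".//{XS}element[@name='Product']")
    seq = product.find(f".//{XS}sequence")
    return {e.get("name"): e.get("minOccurs", "1") != "0" for e in seq.findall(f"{XS}element")}

def check_url(url):
    """Consumer-side policy for a DescriptionURL: https only, a host, no credentials."""
    parts = urlsplit(url.strip())
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        findings.append("missing host")
    if parts.username or parts.password:
        findings.append("userinfo present")
    return findings

def audit_vrf(vrf_text, xsd_text=PRODUCT_XSD):
    """Map each Product name to its findings; an empty list means it conforms."""
    rules = declared_children(xsd_text)
    results = {}
    for product in ET.fromstring(vrf_text).iter("Product"):
        findings = [f"undeclared element {c.tag}" for c in product if c.tag not in rules]
        findings += [f"missing required {n}" for n, req in rules.items() if req and product.find(n) is None]
        url = product.findtext("DescriptionURL")
        if url is not None:
            findings += check_url(url)
        results[product.findtext("Name", "<unnamed>")] = findings
    return results
```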