Re: [SCITT] CISA: Repository for Software Attestations and Artifacts (RSAA)

Alexander Stein <ajstein.standards@gmail.com> Fri, 05 April 2024 23:05 UTC

To: Steve Lasker <StevenLasker@hotmail.com>, Ray Lutz <raylutz@citizensoversight.org>, "scitt@ietf.org" <scitt@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/gH3sy018gfPdHq5NO-V5_2XWIQk>

On 4/5/24 6:37 PM, Steve Lasker wrote:
>
> Good timing, Ray,
>
> A.J. was going to facilitate the SCITT Community Meeting next week, 
> and the Software Attestations was his first topic.
>
> Reminder: Community meetings restart on April 8th 4 PM UTC (groups.io) 
> <https://groups.io/g/scitt-community/message/73>
>
> --> Does this actually do anything to improve software by having 
> producers say they do everything right?
>
Steve speaks the truth. Just a reminder: the SCITT Community group site, 
content, and meetings are necessarily related to the IETF specs, but they 
are where I have intended (for a while) to discuss SCITT implementations and 
related technology. I hope others, not just me, can discuss their 
answers to this question, and their perspectives on all kinds of related 
questions. They are very much outside the scope of the Architecture and 
SCRAPI docs though, hence I try to keep it separate.

So on that note, I am happy to see compare-and-contrast points about the spec 
here, but for all other details less interesting to IETF spec authors, 
see you over there on the mailing list, in the meetings, and in the community 
repos linked above. :-)