Re: [SCITT] Question regarding changes to the Vendor Response File format (now IETF property)

Jon Geater <jon.geater@datatrails.ai> Sun, 14 April 2024 13:23 UTC

To: "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>, "scitt@ietf.org" <scitt@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/iA79ywRADEj8Hk27q1GArEiAp0E>

Hi Dick,

Thanks for your continued efforts in testing and promoting SCITT in these very practical arenas. Good luck with your presentation.

With respect to the VRF, since it’s not an officially adopted work item there’s no very formal change control in place or necessary. Much like the emulator code that was developed at the same time it provides a good example artifact and the demo we did was great proof of SCITT, but all of that is strictly in service of getting the 3 official pieces of work right: the use cases; the architecture; and SCRAPI.

All of which is to say I think your suggestion sounds sensible and you should make the change if you want to. If it materially affects the demo from 117 then it probably would be good to raise a PR against the emulator repo to commit the new version.

Jon



—
Jon Geater
Chief Product & Technology Officer, DataTrails
________________________________
From: SCITT <scitt-bounces@ietf.org> on behalf of Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Sunday, April 14, 2024 1:58:57 PM
To: scitt@ietf.org <scitt@ietf.org>
Subject: [SCITT] Question regarding changes to the Vendor Response File format (now IETF property)


Hello Everyone,



I will be presenting to a US Government Agency tomorrow showing how a software supplier can satisfy the new US Government secure software attestation requirements using CISA’s RSAA repository and the “Secure Software Attestation Form”. The process I will demonstrate includes the uploading of the attestation form along with other artifacts including SBOMs, VDRs and a Vendor Response File, like the one we demo’d in SF at IETF 117.

I will share my slides after the presentation on 4/15, if anyone is interested, please email me directly – I will not post the slides on the IETF list.



One item that appears to be missing from the VRF, under the “Product” section (see XML schema for VRF structure) is a “DescriptionURL”, which contains a link to a product description.



Would there be any objection to adding a “DescriptionURL” to the VRF Schema within the Product structure?





Thanks,



Dick Brooks


Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership



Never trust software, always verify and report! <https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: dick@reliableenergyanalytics.com

Tel: +1 978-696-1788