[SCITT] Intel Corporation pursuing SCITT interoperability via Open Architecture / Alice
John Andersen <johnandersenpdx@gmail.com> Mon, 22 August 2022 16:54 UTC
From: John Andersen <johnandersenpdx@gmail.com>
Date: Mon, 22 Aug 2022 09:54:02 -0700
Message-ID: <CAPFAYiVhcDyoSLxbwo976ddN2XMcsF_Eedy9mBH7OzUaVA2SCQ@mail.gmail.com>
To: scitt@ietf.org
Cc: John Andersen <john.s.andersen@intel.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/iEAhuuicVxgoXJiAZIGmpZOctcc>

Hi all,

I am on vacation but can’t help myself as SCITT is very exciting. I was watching the BoF presentation recently linked on the mailing list, which mentioned folks will be doing implementations in one of the first slides. We are not so much doing an implementation as seeking to be interoperable with other implementations so as to feed and consume data. Maybe that makes it an implementation; just wanted to put it out there that this is what we're working on. I believe I mentioned in the last meeting of July that we were working on this and aligning with the OpenSSF as well (Identifying Security Threats, Metrics, and Alpha-Omega).

The code is in very early stages, but we are going to be analyzing software supply chains and serializing them to a format known as the Open Architecture, or Alice. Then we stumbled across SCITT and found it seems to be most of the same stuff (we have some additions for risk management which I’m not clear if they are covered by SCITT yet or if they will be layered on top). We’ll probably do SCITT plus some extra stuff as linked DIDs.

Just posting as an FYI as I see others must have mentioned their intent to implement.

References:

- Rolling Alice - https://github.com/intel/dffml/blob/alice/docs/tutorials/rolling_alice/
- 2022-07-25 Supply Chain Integrity, Transparency and Trust (SCITT) - https://github.com/intel/dffml/discussions/1406#discussioncomment-3223361
- 2022-07-20 Identifying Security Threats WG - https://github.com/intel/dffml/discussions/1406#discussioncomment-3191292

Thanks,
John