IETF Logo Mail Archive

Re: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials

Carl Wallace <carl@redhoundsoftware.com> Thu, 11 August 2022 11:22 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D488AC14F73B for <scitt@ietfa.amsl.com>; Thu, 11 Aug 2022 04:22:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yU499eSk12dx for <scitt@ietfa.amsl.com>; Thu, 11 Aug 2022 04:22:10 -0700 (PDT)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 099BFC14CF10 for <scitt@ietf.org>; Thu, 11 Aug 2022 04:22:10 -0700 (PDT)
Received: by mail-qv1-xf2c.google.com with SMTP id mk9so13043485qvb.11 for <scitt@ietf.org>; Thu, 11 Aug 2022 04:22:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=mime-version:in-reply-to:references:thread-topic:message-id:cc:to :from:subject:date:user-agent:from:to:cc; bh=V+OdE9auhDs7Dw5rDoVMrJcx7f9wPBg/qTVa9IoKPt0=; b=QLobd6jr05yfOJuYISRwHyAAMjqoC95Ejgmu9hgIIU6klcp57r+qwHaWpXiM/VnnTY f+ZkyJFNrB7kNEx6d/DbaDY2dOk0XhcroknfhRMO2JaoBXmIlkfFElQk2JrFlKOYouqQ b2hht7uTzskT0jROjc6JrA0pR0saD0nAFdfaw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:in-reply-to:references:thread-topic:message-id:cc:to :from:subject:date:user-agent:x-gm-message-state:from:to:cc; bh=V+OdE9auhDs7Dw5rDoVMrJcx7f9wPBg/qTVa9IoKPt0=; b=a3+HqxYNdHffL5UUx/1/fO/bwxTtPIFpKXvR1SMwz/rbdRrdjiEpsU6YfOBDb+x0aO TXG1mOKK04HtZS1Mbaqa9e2KGshNDBuY6WFTSLyluC1mY0WLmQ597aGVMLSSUbJcsfXR kS6rkWvX4TqgF5w2ipcWgM1+eUCK4OOI+xsQnHIGb4dFMxBcQeiukTORcge8wXutt8KS WWP4FlxtV2mAULg+kY0EPo+MFLzLDCZNbLKyOMpXrn3FI8Lnm3n+lqQGJ9H7jP7Q1fTU jqOVoGDurPpD6m2U1FKsrI3W4vcIVaUVOXlI0rOb4XFjvUqYljG5qsTTJpmmomUOwGlO u8Ig==
X-Gm-Message-State: ACgBeo1IT/uWnQWJlbW62HP2uOtYMMhmZGI40zSwxlXVizwVuoah4GFO sPHVu+GtD40RvDdPgS7NCKerew==
X-Google-Smtp-Source: AA6agR7YvB15FxCq7WKbRFAGYhz/1YHDf8Z2IPbDiSExUs1MYvdkJ4Eko5cWUjuQYbUqJ5nkbe2ZMQ==
X-Received: by 2002:ad4:5c85:0:b0:474:7ce3:5fb with SMTP id o5-20020ad45c85000000b004747ce305fbmr27220882qvh.76.1660216928321; Thu, 11 Aug 2022 04:22:08 -0700 (PDT)
Received: from [192.168.2.16] (pool-173-66-83-240.washdc.fios.verizon.net. [173.66.83.240]) by smtp.gmail.com with ESMTPSA id m17-20020a05620a24d100b006b893d135basm1988696qkn.86.2022.08.11.04.22.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Aug 2022 04:22:07 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.63.22070801
Date: Thu, 11 Aug 2022 07:22:06 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Orie Steele <orie@transmute.industries>, Steve Lasker <Steve.Lasker@microsoft.com>
CC: "scitt@ietf.org" <scitt@ietf.org>, Steve Lasker <Steve.Lasker=40microsoft.com@dmarc.ietf.org>, "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>
Message-ID: <1B9FF775-B7AF-41F6-B8BE-A6783B0C5452@redhoundsoftware.com>
Thread-Topic: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials
References: <CAN8C-_K-w5QQqrZDS9VH2-gzOO9e+HS8b9nGvG+ZBjJ-PM-MCw@mail.gmail.com> <LV2PR21MB3350154C13FA8A6F9D940FA79C9C9@LV2PR21MB3350.namprd21.prod.outlook.com> <13e501d8a738$1b277ed0$51767c70$@reliableenergyanalytics.com> <CAN8C-_JvDwS4CTBJMm9YN8jdXnLATPg0j3xO5BFs+yraWZc2Yg@mail.gmail.com> <144801d8a73c$adb8dec0$092a9c40$@reliableenergyanalytics.com> <OS3PR01MB75270FA0BFF65C76B2AD2D58D19C9@OS3PR01MB7527.jpnprd01.prod.outlook.com> <OS3PR01MB75272702BC43C5DA50A57081D19C9@OS3PR01MB7527.jpnprd01.prod.outlook.com> <170b01d8a766$6cf8b110$46ea1330$@reliableenergyanalytics.com> <DS7PR21MB33410F208AF17F985E9D7F609C659@DS7PR21MB3341.namprd21.prod.outlook.com> <CAN8C-_+f5rvhSDKxGCJ_SxBuhO4HwONx7ZkRSV2qnhpYvH1_uQ@mail.gmail.com>
In-Reply-To: <CAN8C-_+f5rvhSDKxGCJ_SxBuhO4HwONx7ZkRSV2qnhpYvH1_uQ@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/mixed; boundary="B_3743047327_2202297157"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/jVe8ZzGIe6we9wPGyawUdfdQ_f0>
Subject: Re: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2022 11:22:14 -0000

A single “trust store” may or may not suffice, but we likely want to put some fences around each trust anchor to limit what the trust anchor may be used to verify.

 

The FIDO metadata alliance has method of organizing trust anchors based on authenticator type: https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html.

 

I briefed this new spec to the RATS working group last month: https://datatracker.ietf.org/doc/html/draft-wallace-rats-concise-ta-stores-00. There’s a fork of the Veraison project’s Corim repo with support for the -00 draft added here: https://github.com/carl-wallace/corim. I’d imagine the environment and constraints parts move a bit still, but the rough idea may be what you are getting at below.

 

 

From: SCITT <scitt-bounces@ietf.org> on behalf of Orie Steele <orie@transmute.industries>
Date: Wednesday, August 10, 2022 at 2:30 PM
To: Steve Lasker <Steve.Lasker@microsoft.com>
Cc: "scitt@ietf.org" <scitt@ietf.org>, Steve Lasker <Steve.Lasker=40microsoft.com@dmarc.ietf.org>, "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>
Subject: Re: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials

 

> This just points to the value of having personal, company, industry policy based trust stores

+1 to this, here are a few examples of how groups have formed their own trust systems:

- https://www.iata.org/en/pressroom/pr/2020-12-16-01/ (aviation / travel)
- https://vci.org/issuers (healthcare)
- https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac (personal)

You can imagine scenarios where a more limited set of issuers  might be required, or cases where you really want to be very open.

Regards,

OS

 

On Wed, Aug 10, 2022 at 1:21 PM Steve Lasker <Steve.Lasker@microsoft.com> wrote:

It’s an interesting example of whether a single root trust store is the best solution. 

Just because the browser trusts a root certificate, doesn’t mean it’s something we individually, or as a company believe is appropriate. We’ll just leave the specifics for obvious conclusion. 

This just points to the value of having personal, company, industry policy based trust stores

 

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Dick Brooks
Sent: Wednesday, August 3, 2022 11:26 AM
To: 'Hart, Charlie' <charlie.hart@hal.hitachi.com>; Orie Steele <orie@transmute.industries>
Cc: 'Steve Lasker' <Steve.Lasker=40microsoft.com@dmarc.ietf.org>; scitt@ietf.org
Subject: Re: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials

 

That’s correct, Charlie. OATI’s root cert is not included in the browser trusted certificate store. 

 

I’m not sure why they chose to do this. 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™

http://www.reliableenergyanalytics.com

Email: dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

From: Hart, Charlie <charlie.hart@hal.hitachi.com> 
Sent: Wednesday, August 3, 2022 12:00 PM
To: 'Orie Steele' <orie@transmute.industries>; dick@reliableenergyanalytics.com
Cc: 'Steve Lasker' <Steve.Lasker=40microsoft.com@dmarc.ietf.org>; scitt@ietf.org
Subject: Re: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials

 

(Side comment: I see that OATI is not a recognized root certificate authority by Mozilla or Apple - didn't check others - so the website is therefore inaccessible without relaxing security.)

 

From: SCITT <scitt-bounces@ietf.org> on behalf of Hart, Charlie <charlie.hart@hal.hitachi.com>
Sent: Wednesday, August 3, 2022 11:48 AM
To: 'Orie Steele' <orie@transmute.industries>; dick@reliableenergyanalytics.com <dick@reliableenergyanalytics.com>
Cc: 'Steve Lasker' <Steve.Lasker=40microsoft.com@dmarc.ietf.org>; scitt@ietf.org <scitt@ietf.org>
Subject: Re: [SCITT] [EXT]Re: Endor: A SCITT PoC for W3C Verifiable Credentials 

 

Thanks Dick. That is really helpful for SCITT a lot of related projects I am working on.

 

Charlie

From: SCITT <scitt-bounces@ietf.org> on behalf of Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Wednesday, August 3, 2022 9:26 AM
To: 'Orie Steele' <orie@transmute.industries>
Cc: 'Steve Lasker' <Steve.Lasker=40microsoft.com@dmarc.ietf.org>; scitt@ietf.org <scitt@ietf.org>
Subject: [EXT]Re: [SCITT] Endor: A SCITT PoC for W3C Verifiable Credentials 

 

Orie,

 

Here is a high-level overview of the authentication mechanism and tracking used today for OASIS, inter-tie electricity scheduling.

 

Everything starts with the NAESB registry (EIR); https://www.naesb.org/pdf4/webregistry_mo_registration_quick_ref_guide_v1.0_0417.pdf 

 

Entities involved in inter-tie electricity transactions must register with NAESB’s EIR, see link above.

The registration process requires a party to obtain a NAESB compliant X.509 certificate from an accredited certificate authority (ACA); https://www.naesb.org/pdf4/ac_authorities_2022.pdf

 

Entities use their digital certificates for identification in OASIS; https://www.naesbwry.oati.com/NAESBWRY/sys-index.wml 

 

Inter-tie transactions are scheduled and tracked, using an E-TAG; https://en.wikipedia.org/wiki/NERC_Tag 

 

E-TAG’s are used to “connect the dots” and settle transactions that flow across Balancing Authroities.

 

Hope this helps.

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™

http://www.reliableenergyanalytics.com

Email: dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

From: Orie Steele <orie@transmute.industries> 
Sent: Wednesday, August 3, 2022 9:09 AM
To: dick <dick@reliableenergyanalytics.com>
Cc: Steve Lasker <Steve.Lasker=40microsoft.com@dmarc.ietf.org>; scitt@ietf.org
Subject: Re: [SCITT] Endor: A SCITT PoC for W3C Verifiable Credentials

 

Thanks! 

 

I am interested in applying Verifiable Credentials to energy use cases, even if we don't have customers in that sector today.

The calls are open (https://github.com/w3c-ccg/traceability-vocab#meetings), but fair warning that most of the work happens on github async, and we usually just process issues and PRs during call time.

There are also aspects of Verifiable Credentials that I believe are relevant to the structure of endorsements / receipts:

The concept of "evidence":

- https://www.w3.org/TR/vc-data-model/#evidence
- https://datatracker.ietf.org/doc/html/draft-ietf-cose-countersign#section-3.1
- https://datatracker.ietf.org/doc/html/rfc4998

 

As one example.

I am hopeful that the next version of the Verifiable Credentials specification can point more directly to IETF RFCs to make its arguments, 
even if the json data model can't be updated to support CBOR / COSE as a first class citizen this round.
Perhaps the next charter for that WG might support this better, if we pave the way with examples.

Regards,

OS

 

On Wed, Aug 3, 2022, 7:54 AM Dick Brooks <dick@reliableenergyanalytics.com> wrote:

I agree. This paper by Orie, Michael, Brian and Mahmoud is very useful as guide for terminology and semantics.

 

I can provide the authors with a description of how we track electricity transactions for inter-tie scheduling, called OASIS a NAESB standard, if interested.

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™

http://www.reliableenergyanalytics.com

Email: dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Steve Lasker
Sent: Tuesday, August 2, 2022 8:21 PM
To: Orie Steele <orie@transmute.industries>; scitt@ietf.org
Subject: Re: [SCITT] Endor: A SCITT PoC for W3C Verifiable Credentials

 

Very cool, Orie. 

Love the sandbox experiments

 

 

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Orie Steele
Sent: Saturday, July 30, 2022 2:08 PM
To: scitt@ietf.org
Subject: [SCITT] Endor: A SCITT PoC for W3C Verifiable Credentials

 

I made this today:

https://github.com/OR13/endor

As it says in the readme, this is just a toy example I made up to experiment with.

The nice thing about endorsing W3C Verifiable Credentials is that they are already an abstraction that applies to "non software supply chain" use cases... 

For example, we model cyber physical supply chain flows using them:

https://w3id.org/eability

There are a number of organizations looking at oil and gas, steel, ecommerce, and agriculture supply chains.

Often they will share some common trade documents such as Bills of Lading or Commercial Invoices.

These are examples of "SCITT Artifact Types" which you might expect to see across various distinct supply chain use cases.

However, as is the case with Oil and Gas needing to account for fluid dynamics, and software needing to account for compilers, build servers and various source files, there are cases where you may need to model components of a supply chain with Verifiable Credentials that are highly specific to the use case.

If you can tolerate modeling in RDF, W3C Verifiable Credentials come with a built in abstract data model that integrates well with existing industry ontologies such as:

- https://www.ebi.ac.uk/chebi/
- https://qudt.org/

My main complaint against W3C Verifiable Credentials is the limitation to JSON representations, if we could represent RDF in CBOR, we would have the best of both worlds with the main remaining disadvantage being the namespace overhead inherent in RDF.

If you drop that, you will likely need some registry or algorithm process for handling collisions and interoperability, but there are various solutions to those problems.

If you feel I butchered any of the concepts or terminology, feel free to yell at me here or on github issues, as I said, I made this today, it's not reflective of actual SCITT architecture, it was just to explore the space.

Regards,

OS

 

-- 

ORIE STEELE

Chief Technical Officer

www.transmute.industries

 


 

-- 

ORIE STEELE

Chief Technical Officer

www.transmute.industries

 

-- SCITT mailing list SCITT@ietf.org https://www.ietf.org/mailman/listinfo/scitt

v2.23.0 | Report a Bug | By Email