IETF Logo Mail Archive

Re: [SCITT] [Secdispatch] Request for session at IETF 113

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 22 March 2022 13:21 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 375AF3A12B8; Tue, 22 Mar 2022 06:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqW-vUvCWJmq; Tue, 22 Mar 2022 06:21:37 -0700 (PDT)
Received: from mail-vk1-xa2a.google.com (mail-vk1-xa2a.google.com [IPv6:2607:f8b0:4864:20::a2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7EA3A12D5; Tue, 22 Mar 2022 06:21:35 -0700 (PDT)
Received: by mail-vk1-xa2a.google.com with SMTP id 188so6020869vku.5; Tue, 22 Mar 2022 06:21:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GS+Aemus5tk+4YW1JocTwVIrJVZUNk5FHmYM2lqVxcM=; b=ns430hsnwwi02o4X3s7c7aeMCFpiTt5SkJ4yDtCT6h+HlvAFF5mQ0oWJ49IVvKgBTj CAqcOMGWn+/6eUXoTZNna0i7bdmgRWH7SsU979ThS9D4dUUYBOBiex/f29p7LmDwWp9I pr9N3bXPzmJzK8zNOiMGWJZXJUkdHtT/3iwCsR+fAfDzPuLkTCjB31zPy5frm3A3XdX2 MozO3wfj6ZG0aoZ/jmmHhcLvboKY2dpsBTqlZeKVItwSqjUmroY48xtqK0OHccokGm4E pywqUDfltrlp/pQ6ocH+ahVnSqyM8F+HEhMZxcfXd19H92bAppttdi3J8+KCBpQRjgRT CSLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GS+Aemus5tk+4YW1JocTwVIrJVZUNk5FHmYM2lqVxcM=; b=ZrsCLugfbk/4lbz+jimbRvxrrUOviP2pDN5zsyjKNfGBmmkhWvHIrRKzyUuhBdxyzi grHe0dxAunzreu/JV2csYDeyMUL5zTG8BmtvgXqhNVottPUPZZ8da5sK6yk8YjTILKIk Qo7aw9dWmTL3L4Z/XttGnz4uMWrKALidDgZkblJja4Qbry09OSdQ0eaLOMz6tjnpzVLk Mes/Owi9ctxWUV+aWe4LXF30o7nMRFyodEEQMhnA/Yq0GIYhJ0RqDUaQQ6+nxrBvGe+T 0W4QqEWoqFVDVlNH8qlgDrGghdWsQ0RpelQzVr3TMkQptB4vGBwSuOt2R7Tnf2gtb5G4 vgyA==
X-Gm-Message-State: AOAM531d1QPnie+EjeCn7J/XtS29ftb8Nsmd9zdGY/wVQDSvCmAwB52d afyJaDhszlzK1bB6Woy6KRK/62UpE2rfpxU4pqyaN0CGsIA=
X-Google-Smtp-Source: ABdhPJw3lYZSKaLvmHHkijwtvPJj1D97quI+I/UPu8btekWUKmPmh1iyvnQcctNwOgN0c+cwIEcfheqIVU+D0jDMEaI=
X-Received: by 2002:a1f:ac04:0:b0:32d:710:5930 with SMTP id v4-20020a1fac04000000b0032d07105930mr9726350vke.6.1647955294340; Tue, 22 Mar 2022 06:21:34 -0700 (PDT)
MIME-Version: 1.0
References: <164583895227.24617.1939040203283436909@ietfa.amsl.com> <5b97a678-eba1-09c3-7e70-c71dd98db8a9@sit.fraunhofer.de> <CAL02cgT7cRXsM7qNtMarcxcLd0fdSCtj_dM+79=DbnMWyikdhQ@mail.gmail.com>
In-Reply-To: <CAL02cgT7cRXsM7qNtMarcxcLd0fdSCtj_dM+79=DbnMWyikdhQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 22 Mar 2022 09:20:58 -0400
Message-ID: <CAHbuEH6mrun0dF_zMTWUtG3zex3NjHhijYrcPpKOYxdkx=B3Kw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, scitt@ietf.org, IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ecccdb05dace7de9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/kTCHXC5CNGG_3oiRVanJbo9JSRY>
Subject: Re: [SCITT] [Secdispatch] Request for session at IETF 113
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 13:21:45 -0000

Greetings,

I have some similar questions, and question the hard requirement for a DID.
It seems that there will be many use cases that would want a traditional
PKI like is used with SigStore for a higher level of assurance. Both a
traditional PKI and a distributed can use the distributed ledger.

I am aware of vendors looking at this solution, so there's support behind
it. They also want to make sure the right thing is done, hence it coming to
the IETF to get broad review.

I think on the signature part, it would be useful to also support PKI with
ACME and to see the client authentication methods supported as sigStore
uses a certificate (their flow is a little different from ACME at the
moment).

I also support this being developed in the IETF as it's an important
problem set and now has vendor traction due to requirements. I'd just like
to see support for traditional PKI and ACME for the certificates/keys.

I have to go through the document more closely as the problem set needs to
consider organizations and individuals in terms of scale as well. How will
this be managed? Will it be manageable and can it be architected to reduce
the distributed burden so that security just works (as opposed to needing
another million jobs to be filled that can't be filled).

It's an important problem and would benefit from the IETF review process
and openness to bring more vendors together than those who are already
participating.

Best regards,
Kathleen

On Tue, Mar 22, 2022 at 7:31 AM Richard Barnes <rlb@ipv.sx> wrote:

> Hi folks,
>
> It looks like at a high level, the approach here is along the same lines
> as what has been discussed as "Binary Transparency" elsewhere.  There have
> been several stabs taken at this before.  See, for example:
>
> https://www.sigstore.dev/
> https://unmitigatedrisk.com/?tag=binary-transparency
>
> https://github.com/FreeBSDFoundation/binary-transparency-notes/blob/master/debian.txt
> https://wiki.mozilla.org/Security/Binary_Transparency
>
> While these existing approaches do help validate that there is some
> interest in the field for what SCITT does, it's not clear how SCITT is
> different from / better than this prior art.
>
> --RLB
>
>
> On Wed, Mar 9, 2022 at 5:40 PM Henk Birkholz <
> henk.birkholz@sit.fraunhofer.de> wrote:
>
>> Hi secdispatch,
>> (hi scitt),
>>
>> emerging work on the topic of Supply Chain Integrity, Transparency,
>> Trust has taken some shape recently.
>>
>> The work combines existing IETF building blocks to facilitate useful
>> Internet-based support of global supply chain interoperability.
>>
>> Current contributions focus on the definition of Transparency Services
>> based on Internet technology (using CBOR/CDDL/COSE) to achieve
>> unambiguous, scaleable, and resilient integration with common devops and
>> secops requirements.
>>
>> I'd like to request secdispatch agenda time for two documents that are
>> currently submitted:
>>   > https://datatracker.ietf.org/doc/draft-birkholz-scitt-architecture/
>>
>> and
>>
>> > https://datatracker.ietf.org/doc/draft-birkholz-scitt-receipts/
>>
>> These two contributions are in -00 state. Yet, they already address
>> essential requirements, such as, air-gapped validation when being
>> offline, integration of remote attestation, efficient and crypto-agile
>> signing prescriptions for out-of-the-box interoperability, and - in
>> essence - long-long-term guarantees in support of various types of
>> supply chains requirements.
>>
>> We’d be happy to present this emerging work in secdispatch with the goal
>> of discussing whether it might fit into the IETF space and how to
>> progress it together.
>>
>> Viele Grüße,
>>
>> Henk
>>
>>
>>
>> On 26.02.22 02:29, "IETF Secretariat" wrote:
>> > Dear Mohit Sethi,
>> >
>> > The session(s) that you have requested have been scheduled.
>> > Below is the scheduled session information followed by
>> > the original request.
>> >
>> >
>> >      secdispatch Session 1 (2:00 requested)
>> >      Tuesday, 22 March 2022, Afternoon Session II 1430-1630
>> >      Room Name: Grand Park Hall 3 size: 250
>> >      ---------------------------------------------
>> >
>> >
>> > iCalendar:
>> https://datatracker.ietf.org/meeting/113/sessions/secdispatch.ics
>> >
>> > Request Information:
>> >
>> >
>> > ---------------------------------------------------------
>> > Working Group Name: Security Dispatch
>> > Area Name: Security Area
>> > Session Requester: Mohit Sethi
>> >
>> >
>> > Number of Sessions: 1
>> > Length of Session(s):
>> > Number of Attendees: 200
>> > Conflicts to Avoid:
>> >
>> >
>> >
>> >
>> > People who must be present:
>> >    Benjamin Kaduk
>> >    Kathleen Moriarty
>> >    Mohit Sethi
>> >    Paul Wouters
>> >    Richard Barnes
>> >    Roman Danyliw
>> >
>> > Resources Requested:
>> >
>> > Special Requests:
>> >    Please avoid conflict with any Security related BoF.
>> > ---------------------------------------------------------
>> >
>> >
>> > _______________________________________________
>> > Secdispatch mailing list
>> > Secdispatch@ietf.org
>> > https://www.ietf.org/mailman/listinfo/secdispatch
>>
>> _______________________________________________
>> Secdispatch mailing list
>> Secdispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdispatch
>>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>


-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email