Re: [SCITT] [EXTERNAL] RE: SCITT Architecture document

Steve Lasker <StevenLasker@hotmail.com> Fri, 12 April 2024 21:53 UTC

From: Steve Lasker <StevenLasker@hotmail.com>
To: "Roy Williams (E+P)" <roywill@exchange.microsoft.com>, Richard Brooks <dick@reliableenergyanalytics.com>, "scitt@ietf.org" <scitt@ietf.org>
CC: Sylvan Clebsch <Sylvan.Clebsch@microsoft.com>, Cedric Fournet <fournet@microsoft.com>, Antoine Delignat-Lavaud <antdl@microsoft.com>
Date: Fri, 12 Apr 2024 21:53:06 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/lLxUrHcU6FRneccvzvUP3ykXkkM>

Thanks, Roy,
A few PRs and questions on the items below:

1. The introduction discusses distributed, ...  This word should be deleted.
   Tracked at: https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/pull/230
2. Removal of Feeds
   While I could see how feeds could enable federation, or publishing of info for a specific artifact, feeds add value unto themselves as a way to get the related statements to an artifact (subject), or getting all statements from an issuer.
3. ...receipts don't expire...
   Tracked at: https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/232
   We need a proposal for how to address this.
5. In section 4.1.1.2 <https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-06.html#name-auditability-of-registratio> it alludes that an auditor can mine the log to authenticate and retrieve the transparent statement. ...
   Tracked at: https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/pull/233
6. By and large the generic aspect of the document is there but we missed one sentence: "Signed Statements and Artifacts associated with a digital artifact."
   It wasn't clear where you're suggesting this get added or edited. The only place I saw "software package" was section 4.1.4: https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/draft-ietf-scitt-architecture.html#section-4.1.4
   Can you provide a specific recommendation?


From: SCITT <scitt-bounces@ietf.org> On Behalf Of Roy Williams (E+P)
Sent: Wednesday, March 27, 2024 3:29 PM
To: Richard Brooks <dick@reliableenergyanalytics.com>; scitt@ietf.org
Cc: Sylvan Clebsch <Sylvan.Clebsch@microsoft.com>; Cedric Fournet <fournet@microsoft.com>; Antoine Delignat-Lavaud <antdl@microsoft.com>
Subject: Re: [SCITT] [EXTERNAL] RE: SCITT Architecture document

That is acceptable to me.

From: Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Wednesday, March 27, 2024 3:28 PM
To: Roy Williams (E+P) <roywill@exchange.microsoft.com>; scitt@ietf.org
Cc: Sylvan Clebsch <Sylvan.Clebsch@microsoft.com>; Cedric Fournet <fournet@microsoft.com>; Antoine Delignat-Lavaud <antdl@microsoft.com>
Subject: [EXTERNAL] RE: [SCITT] SCITT Architecture document

Roy,

Would "software package" be replaced with something more generic, like "digital artifact"?

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> (tm)
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788


From: SCITT <scitt-bounces@ietf.org> On Behalf Of Roy Williams (E+P)
Sent: Wednesday, March 27, 2024 6:23 PM
To: scitt@ietf.org
Cc: Sylvan Clebsch <Sylvan.Clebsch@microsoft.com>; Cedric Fournet <fournet@microsoft.com>; Antoine Delignat-Lavaud <antdl@microsoft.com>
Subject: [SCITT] SCITT Architecture document

By and large the document is at a point where it can be called on for final reading.  There are some nits or issues that we would like to see done to tighten it up.


  1.  The introduction discusses distributed, but there is no real discussion of how or what that means and it leads readers to set an expectation that is incorrect.  This word should be deleted.
  2.  Removal of the Feeds definition.  This was in the original version, and we have bounced all over the place during the last year to formulate a solution to a problem with Federation.  We have decided collectively to park that and thus the use of feeds is gone.  In a future overarching product or charter it could come back.
  3.  There is a bit of a misunderstanding generated by stating that receipts don't expire, which later on is a line that requests for a refreshed receipt can be supported.  The logical receipt is intended to never expire and based on the protected content in the ledger's log a new receipt can be generated at any time.   This gives us an avenue to bridge a world from today to post quantum cryptography based counter signatures that is important.  We need to clear up these two points.
  4.  What goes into the append only log can vary from implementation to implementation.  It may be that one implementation records the hash of the signed statement, plus evidence of how we proved that it was valid at the time of acceptance (things like records of OCSP response, or CRL lookups).  Another implementation may simply store the signed statement.  This from a generic point of view means that given access to the signed statements you can prove that it is on the append only log always.
  5.  In section 4.1.1.2 it alludes that an auditor can mine the log to authenticate and retrieve the transparent statement.  Based on the last statement this has two problems.  The first it assumes that the signed statement is kept and that it can generate a new receipt (see 3) and produce a transparent statement.  If it could this would be equivalent to the original in intent but not binary equal.   The original receipt (or last created receipt from a refresh) is not required (or intended) to be kept in the ledger.  Generically then this is impossible and may be where we would leverage consistency proofs in a later version.

  6.  By and large the generic aspect of the document is there but we missed one sentence: "Signed Statements and Artifacts associated with a software package." We would suggest removing the "software package".
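
Points 3 to 5 of the list above, as an added sketch that is not code from the draft or from anyone on this thread: a log that records only the hash of each signed statement can issue a fresh receipt at any time, and the refreshed receipt proves the same statement without being byte-equal to the first. It assumes an RFC 6962-style Merkle tree with side-tagged proof paths; the bare root stands in for the signed tree head a real service would issue, and every name and statement here is constructed.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(statement: bytes) -> bytes:
    # The log entry is only the hash of the signed statement (point 4).
    return h(b"\x00" + h(statement))

def split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two < n

def root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = split(len(leaves))
    return h(b"\x01" + root(leaves[:k]) + root(leaves[k:]))

def path(m: int, leaves: list) -> list:
    # Sibling hashes from leaf m up to the root, tagged with the sibling's side.
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if m < k:
        return path(m, leaves[:k]) + [("R", root(leaves[k:]))]
    return path(m - k, leaves[k:]) + [("L", root(leaves[:k]))]

class Log:  # hypothetical append-only log
    def __init__(self):
        self.leaves = []
    def register(self, statement: bytes) -> int:
        self.leaves.append(leaf_hash(statement))
        return len(self.leaves) - 1
    def receipt(self, index: int) -> dict:
        # Built from log content alone; no earlier receipt is stored (points 3, 5).
        return {"tree_size": len(self.leaves), "path": path(index, self.leaves)}

def verify(statement: bytes, receipt: dict, trusted_root: bytes) -> bool:
    node = leaf_hash(statement)  # the verifier must hold the statement itself
    for side, sibling in receipt["path"]:
        pair = sibling + node if side == "L" else node + sibling
        node = h(b"\x01" + pair)
    return node == trusted_root

def demo():
    log, stmt = Log(), b"constructed signed statement for artifact A"
    log.register(b"s0"); log.register(b"s1")
    idx = log.register(stmt)
    r1, root1 = log.receipt(idx), root(log.leaves)
    log.register(b"s3"); log.register(b"s4")        # the log keeps growing
    r2, root2 = log.receipt(idx), root(log.leaves)  # refreshed receipt
    return (verify(stmt, r1, root1), verify(stmt, r2, root2),
            r1 != r2, verify(b"other statement", r2, root2))
```

`demo()` returns `(True, True, True, False)`: both receipts verify the statement, they differ byte-for-byte, and a different statement does not verify.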