Re: [SCITT] Intel is taking the lead on a Trust Service Registry
John Andersen <johnandersenpdx@gmail.com> Fri, 21 July 2023 01:35 UTC
Return-Path: <johnandersenpdx@gmail.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76037C151546 for <scitt@ietfa.amsl.com>; Thu, 20 Jul 2023 18:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qCo8fiSg1dJI for <scitt@ietfa.amsl.com>; Thu, 20 Jul 2023 18:35:03 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5A0C151543 for <scitt@ietf.org>; Thu, 20 Jul 2023 18:35:02 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-52173d4e9f9so1749153a12.0 for <scitt@ietf.org>; Thu, 20 Jul 2023 18:35:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689903301; x=1690508101; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ovQSXXp9viSH8chJAMJwqXN0qgaAa0mViYzrP9rstO4=; b=c4UoXRJ0EiZLSFAXOr3Fau+Y9G5f0qI77cGhnZOuc4ddORRv+QuZkJlnro5Tv3UHGx oZcvVyBhW7xKtKUQlOShQ02CgvQmYOJ14oPYbbhSv2nQ3yux4f6tFL4exCg15trf33nU Z8OqrHbaXeAcx21meaGsVUGHfpCvXzxGnB/A1vgE0q5YMVrAD20JU9Pxw/umTchpCJVt ItXLi/g4noSriFztsj/bHqmEr4wIcj8hI0KNNidkeMVQOHZ3L8LF3MVuov1UqHWHT6UK U/CPJQJ+q4EC4jjLmEpGLKNwU2J4jVDuuExbCfMajO+jbsou9y6id/B/njmjiXxhqNwV zt1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689903301; x=1690508101; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ovQSXXp9viSH8chJAMJwqXN0qgaAa0mViYzrP9rstO4=; b=hHPBJqXbrIQwijkZd24sf3LeEulYJN0yc0+PAfyPWIA9nh20dtFRIQP0x1S8XWKR7x FbF1hvinhwBROITjBSCe7B3Ve5qCRVMzoSL/XhezHQ6aM/juwa4JvMRC9/YGMQph+5ZI oneZydnAH06SjBYaBgbvLNLRHD1cLdSuCMwAx+Cy8NKKrdPiNnHRGszwmgFMZr+FOGv0 32daxxayLercQWvBLGJJczXwkc8sjndrjQCIfnpomkm1q4XbComwVi8i2vM0D/AZ6HWB 9cYbQjsXdnERzRcvh0ftOU4f9ab8yQAXjaBAp+cnmd4A052EXgXlIUY7Odn0PNaDpQ90 n/Gg==
X-Gm-Message-State: ABy/qLbHHWMXYgzdK/+9vsVZqaY8VBlRUIx52c/+27JQUssVbCOXOTPp 5ERTd5ieA9kXpD5FQ3ImTU0CmyTYN4aJbc54hvjk4BJS
X-Google-Smtp-Source: APBJJlGME4u5wZFp5C6mCzt7Oe2rmn7Y2Sa9NAsWlg66Yn5S/rFsKlgtZaWdPUrr99Kbdx+yu1OgZ4BNciPMVrXmI0I=
X-Received: by 2002:aa7:d997:0:b0:521:ab99:89f9 with SMTP id u23-20020aa7d997000000b00521ab9989f9mr349458eds.14.1689903300646; Thu, 20 Jul 2023 18:35:00 -0700 (PDT)
MIME-Version: 1.0
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com> <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com> <242d01d990bd$f8423ed0$e8c6bc70$@reliableenergyanalytics.com> <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com> <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com> <CAPFAYiX+arF6HMBfkGRAU==NJnK-KrSYqefQKh_wjOUVw9eQ0w@mail.gmail.com> <CAPFAYiXbzyL=+3u_8TV8B7icwFJq1DT5wjqGCbNi10Wa7uNNjw@mail.gmail.com> <012001d9b585$9daae200$d900a600$@gmx.net> <01cc01d9b589$cad87270$60895750$@reliableenergyanalytics.com> <CAPFAYiUAw=gV80rP+1jFSmi6mrsfzgcNL1JLbzBjkQExNw7buQ@mail.gmail.com> <AS8PR10MB7427F0FDD8294AFD81E150CAEE38A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <AS8PR10MB7427F0FDD8294AFD81E150CAEE38A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
From: John Andersen <johnandersenpdx@gmail.com>
Date: Thu, 20 Jul 2023 18:34:49 -0700
Message-ID: <CAPFAYiVWeZgT+9uHPH1V07qWh9aST6pbif18AP7Cai51qzFjVg@mail.gmail.com>
To: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>, "scitt@ietf.org" <scitt@ietf.org>
Content-Type: multipart/related; boundary="000000000000f0eeb80600f545f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/me2ivRwHGYSOafsAleCNYCOFu5U>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2023 01:35:07 -0000
Hi Hannes,
Yes. This use case is a specialization of (cross between) the following use
cases from the Detailed Software Supply Chain Uses Cases for SCITT
<https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/> doc.
- 3.3: Security Analysis of a Software Product
- We'll cover OpenSSF Scorecard and other analysis mechanisms
including meta static analysis / aggregation (example: GUAC).
- 3.4: Promotion of a Software Component by multiple entities
- We'll cover how these entities can leverage analysis mechanisms to
achieve feature and bugfix equilibrium across the diverged environment.
- Future use cases could explore semantic patching to patch across
functionally similar projects.
Thank you,
John
On Tue, Jul 18, 2023 at 02:11 Tschofenig, Hannes <
hannes.tschofenig@siemens.com> wrote:
> Hi John,
>
>
>
> do you think your use case is covered in the list of use cases from
> draft-ietf-scitt-software-use-cases-00:
>
>
>
> • 3.1. Verification that Signing Certificate is Authorized by
> Supplier
>
> • 3.2. Multi Stakeholder Evaluation of a Released Software
> Product
>
> • 3.3. Security Analysis of a Software Product
>
> • 3.4. Promotion of a Software Component by multiple entities
>
> • 3.5. Post-Boot Firmware Provenance
>
> • 3.6. Auditing of Software Product
>
> • 3.7. Authentic Software Components in Air-Gapped
> Infrastructure
>
> • 3.8. Firmware Delivery to large set of constrained IoT
> Devices
>
> • 3.9. Software Integrator assembling a software product for
> a smart car
>
>
>
> If it is not covered in this list, what text would need to be added?
>
>
>
> Ciao
> Hannes
>
>
>
>
>
> *Von:* SCITT <scitt-bounces@ietf.org> *Im Auftrag von *John Andersen
>
>
> *Gesendet:* Samstag, 15. Juli 2023 18:33
> *An:* dick@reliableenergyanalytics.com
> *Cc:* Hannes Tschofenig <hannes.tschofenig@gmx.net>; scitt@ietf.org
> *Betreff:* Re: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> Thanks guys,
>
>
>
> We’re trying to outline a methodology for securing a rolling release
> across a poly repo development topology. Amber is a piece which can fit
> into that methodology. S2C2F recommends rebuilding OSS and mirroring. When
> pulling directly from upstream without org specific patches, this results
> in duplication of builds across the industry, lots of wasted compute. By
> leveraging artifact upload admission control policy engines running in
> attested environments we can enable trusted cross org data sharing. As
> build systems build software and store the content addresses of the BOMs
> and associated metadata in transparency services, they enable downstream
> users to verify when third parties are running that specific software
> within attestation enabled environments.
>
>
>
> Just as builds of OSS are attested, we can attest to the trust we have in
> that OSS via the same mechanisms, by running projects like OpenSSF
> scorecard within the same style of environment we use to build packages.
>
>
>
> Federation of built package and trust attestations via transparency
> services enables peer to peer (or org to org) communication of what we
> expect software to be when built (SLSA) and if we think one should use the
> software (Scorecard). This also forms the basis for a sort of review system.
>
>
>
> I know this is fairly abstract, but once again, from the definition of the
> reference entity perspective we can about the methodology for trusting
> components. Confidential compute and attestations from image builds within
> those environments are one way we can facilitate decentralization of
> communication of data related to trustworthiness. This is because we
> potentially (future looking) can tie attestations back to arbitrary
> hardware roots of trust. Obviously that’s not the current setup, but
> independent verification leveraging end user defined sets of hardware
> rooted public keys could potentially facilitate true decentralized
> communication in a trustworthy manner. That's the hope at least, please
> shoot holes in that until it’s solid or falls over.
>
>
>
> Thank you,
>
> John
>
>
>
> On Thu, Jul 13, 2023 at 05:59 Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> John,
>
>
>
> Here’s the link to the Project Amber story that Hannes is referring to:
>
>
> https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* Hannes Tschofenig <hannes.tschofenig@gmx.net>
> *Sent:* Thursday, July 13, 2023 8:29 AM
> *To:* 'John Andersen' <johnandersenpdx@gmail.com>;
> dick@reliableenergyanalytics.com
> *Cc:* scitt@ietf.org
> *Subject:* AW: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> Thanks for pointing us to your work, John.
>
>
>
> Project Amber, as pointed out by Dick, is an attestation verification
> service (the verifier in the IETF RATS terminology). Intel has ben
> operating such a service in the past for prior Intel attestation
> technologies.
>
>
>
> How is your project on “Rolling Alice” related to Project Amber?
>
>
>
> Ciao
>
> Hannes
>
>
>
> *Von:* SCITT <scitt-bounces@ietf.org> *Im Auftrag von *John Andersen
> *Gesendet:* Samstag, 27. Mai 2023 20:36
> *An:* dick@reliableenergyanalytics.com
> *Cc:* John Whiteman <john.whiteman@owasp.org>; ofcio@omb.eop.gov;
> scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>; swsupplychain-eo <
> swsupplychain-eo@nist.gov>
> *Betreff:* Re: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> This talk is the foundation for this work:
>
>
> https://gist.github.com/07b8c7b4a9e05579921aa3cc8aed4866#file-rolling_alice_progress_report_0003_down_the_dependency_rabbit_hole_bsides_portland_2019-md
>
>
>
> Progress is slow but steady. The goal is to bake as much of the
> methology’s risk analysis and reaction capabilities into existing tooling,
> processes, formats, and infrastructure as possible.
>
>
>
> Thank you,
>
> John
>
>
>
> On Sat, May 27, 2023 at 11:19 John Andersen <johnandersenpdx@gmail.com>
> wrote:
>
> I wholeheartedly agree with you!!!
>
>
>
> Hence the pursuit of Alice Intelligence (AI, John W gets credit for that
> acronym)
>
> https://mailarchive.ietf.org/arch/msg/scitt/iEAhuuicVxgoXJiAZIGmpZOctcc/
>
>
>
> Thank you,
>
> John
>
>
>
> On Sat, May 27, 2023 at 10:49 Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Thanks, John.
>
>
>
> I’m doubtful that open source, volunteer, software maintainers will want
> to invest their energies doing the tedious work of analyzing software
> supply chain risk assessment data and preserve tamper-proof evidence that
> can be presented in a lawsuit or audit, and support/operate an online,
> reliable service to answer consumer queries like “Is this software product
> vulnerable as of right now?”. It’s a lot of tedious work, that must be done
> in order to operate a credible, legitimate “Trust Registry” Service, that
> also costs money to operate.
>
>
>
> But I’ve been wrong before, I never thought anyone would buy a “pet rock”
> but some did.
>
> https://en.wikipedia.org/wiki/Pet_Rock
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* John Andersen <johnandersenpdx@gmail.com>
> *Sent:* Saturday, May 27, 2023 1:32 PM
> *To:* John Whiteman <john.whiteman@owasp.org>;
> dick@reliableenergyanalytics.com
> *Cc:* ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>;
> swsupplychain-eo <swsupplychain-eo@nist.gov>
> *Subject:* Re: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> Hi Dick,
>
>
>
> Thanks for sending those and looping them into this discussion. Sections
> 2.1.1 and 3.2 respectively look related to the high level goals of the use
> case doc. We plan to leverage threat models heavily (
> https://m.youtube.com/watch?v=TMlC_iAK3Rg) to assist with risk
> determination and further sharing of vuln details including how much data
> to share about the architecture of the system context in question for the
> triggering event.
>
>
>
> We want to enable OSS maintainers, and the secure software forges to have
> these same capabilities.
>
>
>
> Thank you,
>
> John
>
>
>
> On Sat, May 27, 2023 at 10:09 Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Thanks, John.
>
>
>
> I’m not familiar with the vuln sharing goals of OpenSSF stream 8, but I am
> familiar with the NIST Vulnerability Disclosure concepts in SP 800-216 and
> C-SCRM SP 800-161:
>
> https://csrc.nist.gov/publications/detail/sp/800-216/final
>
>
>
> This document recommends *guidance for establishing a federal
> vulnerability disclosure framework, properly handling vulnerability
> reports, and communicating the mitigation and/or remediation of
> vulnerabilities.* The framework allows for local resolution support while
> providing federal oversight and should be applied to all software,
> hardware, and digital services under federal control.
>
>
>
> The SP 800-216 framework is also in harmony with SP 800-161 RA-5
> Vulnerability Disclosure Reports, where software suppliers provide
> consumers with software product vulnerability disclosures, at the SBOM
> component level:
>
> https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
>
>
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* John Andersen <johnandersenpdx@gmail.com>
> *Sent:* Saturday, May 27, 2023 12:58 PM
> *To:* dick@reliableenergyanalytics.com
> *Cc:* ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>;
> swsupplychain-eo <swsupplychain-eo@nist.gov>
> *Subject:* Re: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> WIP but related:
>
> https://github.com/ietf-scitt/use-cases/pull/18
>
>
>
> Have been mocking up how we can run SCITT within TEEs which leverage the
> Amber attestation environment to attest to validity of insert policy run (
> https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552
> ) within hermetic builds. This facilitates a recursive trust relationship
> which enables dependency review (trust propagation) of OSS. Results are
> federated across the decentralized network of software forges.
>
>
>
> This work is in pursuit of the vuln sharing goals of OpenSSF stream 8.
>
>
>
> Thank you,
>
> John
>
>
>
> On Sat, May 27, 2023 at 08:11 Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Hello Everyone,
>
>
>
> This announcement from Intel is further proof that a “Trust Service” is
> becoming a foundational requirement for trustworthy computing.
>
> *A Trust Service Startup Inside the Chip Company*
>
>
> https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html
>
>
>
> Amen to this: ““Attestation is the ability for you to prove that something
> is what it says it is,” Yeluri explains. “And that is really the ground
> truth in confidential computing. *If you can’t attest and say it is truly
> what it is, confidential computing is immaterial.”*
>
>
>
> “Before taking that big step, Yeluri and team *checked with a couple
> dozen customers — banks, manufacturers, telecommunications services — and
> received votes of support*.”
>
>
>
> The following observation is “spot on” *based on REA’s experience
> operating the SAG Community Trust Registry ™ (SAG-CTR ™)*:
>
>
>
> “A few suggested Intel just build it as open source. But Yeluri and team
> believed that while the core attestation primitives can be open sourced, *a
> solution could only succeed “as a turnkey service. That means somebody has
> to operate it at scale,” he says, “and we think we can do that.”*
>
>
>
> REA agrees with the above statement, operating a reliable, trustworthy
> “trust service” at scale, like REA’s SAG-CTR, is a lot of work that
> requires the analysis, storage and maintenance of evidence that is
> trustworthy and can be presented during a lawsuit or audit, that cannot be
> properly operated by open source volunteers.
>
>
>
>
> https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> --
> SCITT mailing list
> SCITT@ietf.org
> https://www.ietf.org/mailman/listinfo/scitt
>
>
- [SCITT] Intel is taking the lead on a Trust Servi… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Hannes Tschofenig
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… Tschofenig, Hannes
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen