Re: [SCITT] Intel is taking the lead on a Trust Service Registry
John Andersen <johnandersenpdx@gmail.com> Fri, 21 July 2023 01:35 UTC
Return-Path: <johnandersenpdx@gmail.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76037C151546 for <scitt@ietfa.amsl.com>; Thu, 20 Jul 2023 18:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qCo8fiSg1dJI for <scitt@ietfa.amsl.com>; Thu, 20 Jul 2023 18:35:03 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5A0C151543 for <scitt@ietf.org>; Thu, 20 Jul 2023 18:35:02 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-52173d4e9f9so1749153a12.0 for <scitt@ietf.org>; Thu, 20 Jul 2023 18:35:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689903301; x=1690508101; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ovQSXXp9viSH8chJAMJwqXN0qgaAa0mViYzrP9rstO4=; b=c4UoXRJ0EiZLSFAXOr3Fau+Y9G5f0qI77cGhnZOuc4ddORRv+QuZkJlnro5Tv3UHGx oZcvVyBhW7xKtKUQlOShQ02CgvQmYOJ14oPYbbhSv2nQ3yux4f6tFL4exCg15trf33nU Z8OqrHbaXeAcx21meaGsVUGHfpCvXzxGnB/A1vgE0q5YMVrAD20JU9Pxw/umTchpCJVt ItXLi/g4noSriFztsj/bHqmEr4wIcj8hI0KNNidkeMVQOHZ3L8LF3MVuov1UqHWHT6UK U/CPJQJ+q4EC4jjLmEpGLKNwU2J4jVDuuExbCfMajO+jbsou9y6id/B/njmjiXxhqNwV zt1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689903301; x=1690508101; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ovQSXXp9viSH8chJAMJwqXN0qgaAa0mViYzrP9rstO4=; b=hHPBJqXbrIQwijkZd24sf3LeEulYJN0yc0+PAfyPWIA9nh20dtFRIQP0x1S8XWKR7x FbF1hvinhwBROITjBSCe7B3Ve5qCRVMzoSL/XhezHQ6aM/juwa4JvMRC9/YGMQph+5ZI oneZydnAH06SjBYaBgbvLNLRHD1cLdSuCMwAx+Cy8NKKrdPiNnHRGszwmgFMZr+FOGv0 32daxxayLercQWvBLGJJczXwkc8sjndrjQCIfnpomkm1q4XbComwVi8i2vM0D/AZ6HWB 9cYbQjsXdnERzRcvh0ftOU4f9ab8yQAXjaBAp+cnmd4A052EXgXlIUY7Odn0PNaDpQ90 n/Gg==
X-Gm-Message-State: ABy/qLbHHWMXYgzdK/+9vsVZqaY8VBlRUIx52c/+27JQUssVbCOXOTPp 5ERTd5ieA9kXpD5FQ3ImTU0CmyTYN4aJbc54hvjk4BJS
X-Google-Smtp-Source: APBJJlGME4u5wZFp5C6mCzt7Oe2rmn7Y2Sa9NAsWlg66Yn5S/rFsKlgtZaWdPUrr99Kbdx+yu1OgZ4BNciPMVrXmI0I=
X-Received: by 2002:aa7:d997:0:b0:521:ab99:89f9 with SMTP id u23-20020aa7d997000000b00521ab9989f9mr349458eds.14.1689903300646; Thu, 20 Jul 2023 18:35:00 -0700 (PDT)
MIME-Version: 1.0
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com> <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com> <242d01d990bd$f8423ed0$e8c6bc70$@reliableenergyanalytics.com> <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com> <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com> <CAPFAYiX+arF6HMBfkGRAU==NJnK-KrSYqefQKh_wjOUVw9eQ0w@mail.gmail.com> <CAPFAYiXbzyL=+3u_8TV8B7icwFJq1DT5wjqGCbNi10Wa7uNNjw@mail.gmail.com> <012001d9b585$9daae200$d900a600$@gmx.net> <01cc01d9b589$cad87270$60895750$@reliableenergyanalytics.com> <CAPFAYiUAw=gV80rP+1jFSmi6mrsfzgcNL1JLbzBjkQExNw7buQ@mail.gmail.com> <AS8PR10MB7427F0FDD8294AFD81E150CAEE38A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <AS8PR10MB7427F0FDD8294AFD81E150CAEE38A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
From: John Andersen <johnandersenpdx@gmail.com>
Date: Thu, 20 Jul 2023 18:34:49 -0700
Message-ID: <CAPFAYiVWeZgT+9uHPH1V07qWh9aST6pbif18AP7Cai51qzFjVg@mail.gmail.com>
To: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>, "scitt@ietf.org" <scitt@ietf.org>
Content-Type: multipart/related; boundary="000000000000f0eeb80600f545f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/me2ivRwHGYSOafsAleCNYCOFu5U>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2023 01:35:07 -0000
Hi Hannes, Yes. This use case is a specialization of (cross between) the following use cases from the Detailed Software Supply Chain Uses Cases for SCITT <https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/> doc. - 3.3: Security Analysis of a Software Product - We'll cover OpenSSF Scorecard and other analysis mechanisms including meta static analysis / aggregation (example: GUAC). - 3.4: Promotion of a Software Component by multiple entities - We'll cover how these entities can leverage analysis mechanisms to achieve feature and bugfix equilibrium across the diverged environment. - Future use cases could explore semantic patching to patch across functionally similar projects. Thank you, John On Tue, Jul 18, 2023 at 02:11 Tschofenig, Hannes < hannes.tschofenig@siemens.com> wrote: > Hi John, > > > > do you think your use case is covered in the list of use cases from > draft-ietf-scitt-software-use-cases-00: > > > > • 3.1. Verification that Signing Certificate is Authorized by > Supplier > > • 3.2. Multi Stakeholder Evaluation of a Released Software > Product > > • 3.3. Security Analysis of a Software Product > > • 3.4. Promotion of a Software Component by multiple entities > > • 3.5. Post-Boot Firmware Provenance > > • 3.6. Auditing of Software Product > > • 3.7. Authentic Software Components in Air-Gapped > Infrastructure > > • 3.8. Firmware Delivery to large set of constrained IoT > Devices > > • 3.9. Software Integrator assembling a software product for > a smart car > > > > If it is not covered in this list, what text would need to be added? > > > > Ciao > Hannes > > > > > > *Von:* SCITT <scitt-bounces@ietf.org> *Im Auftrag von *John Andersen > > > *Gesendet:* Samstag, 15. Juli 2023 18:33 > *An:* dick@reliableenergyanalytics.com > *Cc:* Hannes Tschofenig <hannes.tschofenig@gmx.net>; scitt@ietf.org > *Betreff:* Re: [SCITT] Intel is taking the lead on a Trust Service > Registry > > > > Thanks guys, > > > > We’re trying to outline a methodology for securing a rolling release > across a poly repo development topology. Amber is a piece which can fit > into that methodology. S2C2F recommends rebuilding OSS and mirroring. When > pulling directly from upstream without org specific patches, this results > in duplication of builds across the industry, lots of wasted compute. By > leveraging artifact upload admission control policy engines running in > attested environments we can enable trusted cross org data sharing. As > build systems build software and store the content addresses of the BOMs > and associated metadata in transparency services, they enable downstream > users to verify when third parties are running that specific software > within attestation enabled environments. > > > > Just as builds of OSS are attested, we can attest to the trust we have in > that OSS via the same mechanisms, by running projects like OpenSSF > scorecard within the same style of environment we use to build packages. > > > > Federation of built package and trust attestations via transparency > services enables peer to peer (or org to org) communication of what we > expect software to be when built (SLSA) and if we think one should use the > software (Scorecard). This also forms the basis for a sort of review system. > > > > I know this is fairly abstract, but once again, from the definition of the > reference entity perspective we can about the methodology for trusting > components. Confidential compute and attestations from image builds within > those environments are one way we can facilitate decentralization of > communication of data related to trustworthiness. This is because we > potentially (future looking) can tie attestations back to arbitrary > hardware roots of trust. Obviously that’s not the current setup, but > independent verification leveraging end user defined sets of hardware > rooted public keys could potentially facilitate true decentralized > communication in a trustworthy manner. That's the hope at least, please > shoot holes in that until it’s solid or falls over. > > > > Thank you, > > John > > > > On Thu, Jul 13, 2023 at 05:59 Dick Brooks < > dick@reliableenergyanalytics.com> wrote: > > John, > > > > Here’s the link to the Project Amber story that Hannes is referring to: > > > https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > *From:* Hannes Tschofenig <hannes.tschofenig@gmx.net> > *Sent:* Thursday, July 13, 2023 8:29 AM > *To:* 'John Andersen' <johnandersenpdx@gmail.com>; > dick@reliableenergyanalytics.com > *Cc:* scitt@ietf.org > *Subject:* AW: [SCITT] Intel is taking the lead on a Trust Service > Registry > > > > Thanks for pointing us to your work, John. > > > > Project Amber, as pointed out by Dick, is an attestation verification > service (the verifier in the IETF RATS terminology). Intel has ben > operating such a service in the past for prior Intel attestation > technologies. > > > > How is your project on “Rolling Alice” related to Project Amber? > > > > Ciao > > Hannes > > > > *Von:* SCITT <scitt-bounces@ietf.org> *Im Auftrag von *John Andersen > *Gesendet:* Samstag, 27. Mai 2023 20:36 > *An:* dick@reliableenergyanalytics.com > *Cc:* John Whiteman <john.whiteman@owasp.org>; ofcio@omb.eop.gov; > scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>; swsupplychain-eo < > swsupplychain-eo@nist.gov> > *Betreff:* Re: [SCITT] Intel is taking the lead on a Trust Service > Registry > > > > This talk is the foundation for this work: > > > https://gist.github.com/07b8c7b4a9e05579921aa3cc8aed4866#file-rolling_alice_progress_report_0003_down_the_dependency_rabbit_hole_bsides_portland_2019-md > > > > Progress is slow but steady. The goal is to bake as much of the > methology’s risk analysis and reaction capabilities into existing tooling, > processes, formats, and infrastructure as possible. > > > > Thank you, > > John > > > > On Sat, May 27, 2023 at 11:19 John Andersen <johnandersenpdx@gmail.com> > wrote: > > I wholeheartedly agree with you!!! > > > > Hence the pursuit of Alice Intelligence (AI, John W gets credit for that > acronym) > > https://mailarchive.ietf.org/arch/msg/scitt/iEAhuuicVxgoXJiAZIGmpZOctcc/ > > > > Thank you, > > John > > > > On Sat, May 27, 2023 at 10:49 Dick Brooks < > dick@reliableenergyanalytics.com> wrote: > > Thanks, John. > > > > I’m doubtful that open source, volunteer, software maintainers will want > to invest their energies doing the tedious work of analyzing software > supply chain risk assessment data and preserve tamper-proof evidence that > can be presented in a lawsuit or audit, and support/operate an online, > reliable service to answer consumer queries like “Is this software product > vulnerable as of right now?”. It’s a lot of tedious work, that must be done > in order to operate a credible, legitimate “Trust Registry” Service, that > also costs money to operate. > > > > But I’ve been wrong before, I never thought anyone would buy a “pet rock” > but some did. > > https://en.wikipedia.org/wiki/Pet_Rock > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > *From:* John Andersen <johnandersenpdx@gmail.com> > *Sent:* Saturday, May 27, 2023 1:32 PM > *To:* John Whiteman <john.whiteman@owasp.org>; > dick@reliableenergyanalytics.com > *Cc:* ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>; > swsupplychain-eo <swsupplychain-eo@nist.gov> > *Subject:* Re: [SCITT] Intel is taking the lead on a Trust Service > Registry > > > > Hi Dick, > > > > Thanks for sending those and looping them into this discussion. Sections > 2.1.1 and 3.2 respectively look related to the high level goals of the use > case doc. We plan to leverage threat models heavily ( > https://m.youtube.com/watch?v=TMlC_iAK3Rg) to assist with risk > determination and further sharing of vuln details including how much data > to share about the architecture of the system context in question for the > triggering event. > > > > We want to enable OSS maintainers, and the secure software forges to have > these same capabilities. > > > > Thank you, > > John > > > > On Sat, May 27, 2023 at 10:09 Dick Brooks < > dick@reliableenergyanalytics.com> wrote: > > Thanks, John. > > > > I’m not familiar with the vuln sharing goals of OpenSSF stream 8, but I am > familiar with the NIST Vulnerability Disclosure concepts in SP 800-216 and > C-SCRM SP 800-161: > > https://csrc.nist.gov/publications/detail/sp/800-216/final > > > > This document recommends *guidance for establishing a federal > vulnerability disclosure framework, properly handling vulnerability > reports, and communicating the mitigation and/or remediation of > vulnerabilities.* The framework allows for local resolution support while > providing federal oversight and should be applied to all software, > hardware, and digital services under federal control. > > > > The SP 800-216 framework is also in harmony with SP 800-161 RA-5 > Vulnerability Disclosure Reports, where software suppliers provide > consumers with software product vulnerability disclosures, at the SBOM > component level: > > https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final > > > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > *From:* John Andersen <johnandersenpdx@gmail.com> > *Sent:* Saturday, May 27, 2023 12:58 PM > *To:* dick@reliableenergyanalytics.com > *Cc:* ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>; > swsupplychain-eo <swsupplychain-eo@nist.gov> > *Subject:* Re: [SCITT] Intel is taking the lead on a Trust Service > Registry > > > > WIP but related: > > https://github.com/ietf-scitt/use-cases/pull/18 > > > > Have been mocking up how we can run SCITT within TEEs which leverage the > Amber attestation environment to attest to validity of insert policy run ( > https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552 > ) within hermetic builds. This facilitates a recursive trust relationship > which enables dependency review (trust propagation) of OSS. Results are > federated across the decentralized network of software forges. > > > > This work is in pursuit of the vuln sharing goals of OpenSSF stream 8. > > > > Thank you, > > John > > > > On Sat, May 27, 2023 at 08:11 Dick Brooks < > dick@reliableenergyanalytics.com> wrote: > > Hello Everyone, > > > > This announcement from Intel is further proof that a “Trust Service” is > becoming a foundational requirement for trustworthy computing. > > *A Trust Service Startup Inside the Chip Company* > > > https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html > > > > Amen to this: ““Attestation is the ability for you to prove that something > is what it says it is,” Yeluri explains. “And that is really the ground > truth in confidential computing. *If you can’t attest and say it is truly > what it is, confidential computing is immaterial.”* > > > > “Before taking that big step, Yeluri and team *checked with a couple > dozen customers — banks, manufacturers, telecommunications services — and > received votes of support*.” > > > > The following observation is “spot on” *based on REA’s experience > operating the SAG Community Trust Registry ™ (SAG-CTR ™)*: > > > > “A few suggested Intel just build it as open source. But Yeluri and team > believed that while the core attestation primitives can be open sourced, *a > solution could only succeed “as a turnkey service. That means somebody has > to operate it at scale,” he says, “and we think we can do that.”* > > > > REA agrees with the above statement, operating a reliable, trustworthy > “trust service” at scale, like REA’s SAG-CTR, is a lot of work that > requires the analysis, storage and maintenance of evidence that is > trustworthy and can be presented during a lawsuit or audit, that cannot be > properly operated by open source volunteers. > > > > > https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > -- > SCITT mailing list > SCITT@ietf.org > https://www.ietf.org/mailman/listinfo/scitt > >
- [SCITT] Intel is taking the lead on a Trust Servi… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Hannes Tschofenig
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… Tschofenig, Hannes
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen