[SCITT] Re: Distributing a transparency statement in TEA
Orie Steele <orie@transmute.industries> Tue, 13 August 2024 12:39 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3AF3C17C884 for <scitt@ietfa.amsl.com>; Tue, 13 Aug 2024 05:39:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JRIsY1ddOOFd for <scitt@ietfa.amsl.com>; Tue, 13 Aug 2024 05:39:35 -0700 (PDT)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEF6CC151990 for <scitt@ietf.org>; Tue, 13 Aug 2024 05:39:35 -0700 (PDT)
Received: by mail-pf1-x42f.google.com with SMTP id d2e1a72fcca58-7106e2d0ec1so3777562b3a.2 for <scitt@ietf.org>; Tue, 13 Aug 2024 05:39:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1723552775; x=1724157575; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UqVFLuhaOF7QezGPxnsxujHTfPedYZRYehVURYN/x2s=; b=LpZqPv8vpZUhUVdH+vlfNaCynq9KgMN64gU44xJI2ahw9Mk8sd1/A2j7p2hsd5rB4r rGZ8rF0H0bSJRrLDl/KSxqgvD1kYh2eTrRoeAa+kwjT9tdWVI0pBxSLpNOxTe4FOIXaq 2GbN7qyPBe53fSFT4F5ARwh3Ymam8NJNYWlq/EAbv8c4wuXJABGrF0xJEpD1zXu+zDHl gg4hF+DaYpvHdAuzIbQe1M41Z1NUiaqpNsoPCVeNe0QX4vIymH00l9OEBeix42Rb93Bs aPNuYoPhpHkiYz9uNRDnTNqHxpp4vCnIfg9TFrWTwddolCjqGseQm5NG7TF9lSmyYYvw 4bbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723552775; x=1724157575; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UqVFLuhaOF7QezGPxnsxujHTfPedYZRYehVURYN/x2s=; b=Tx6k30TneNsAYrHz3yHJB3Y2FAllfFstVS0DZFYd/AinPwImLSp+ZRLqH9YIAp1dK1 Gwff9bbEW79Envzr2GflvinLzM4+0E5bCrQwT90yvbi9ryAREYvrBcmVmG90TASguPJ1 CScraXcqqnNOIp2KgbhR+VcOuqjEUF6bSeodlPH2gkILm/r6RF+i4VZQ2kvAHTnKc1aD GCwpaUL3h0Wh6dOGzIxulL38afuzBqhQxMq+8tqmCCEPv/2L5x5susuVJqdqquN9gvbz JrGR3aERgvw1i/wspVaC5bWkZ/NSjf9+cg28iKmMSojHAmcsZhH1d6l++dXjAep5/r5O 2cSA==
X-Gm-Message-State: AOJu0Ywj79axEQPgKmJIiG/pI5t0aNmYVFcVOZW7aNweOMECGJ9uKtaR Ki/5gXvpHlRrQz2mHtEJFcc3BEzGyOpiKrqoD0k9eS2MEFFX9wyxq5E0fmqjAw79PqEM/BVd/ns 3Js1lZ6DsBzWivBCF6CmLJXAIgV34uLB5W5sA/sGe5S1J5KN3
X-Google-Smtp-Source: AGHT+IFLtuV2ZZ/ov4DLnK+Vt2KddN7YsYWMi7+2j6w4LsX8viUt/LuLABH70ETjyyqEN49QfJW/QPmgu7GpyVO8q8Y=
X-Received: by 2002:a05:6a20:9f0a:b0:1c2:8af6:31c2 with SMTP id adf61e73a8af0-1c8d75b3a47mr3954898637.44.1723552775235; Tue, 13 Aug 2024 05:39:35 -0700 (PDT)
MIME-Version: 1.0
References: <684C0632-DB8D-45DE-8DDB-AED6785B9AA3@edvina.net>
In-Reply-To: <684C0632-DB8D-45DE-8DDB-AED6785B9AA3@edvina.net>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 13 Aug 2024 07:39:22 -0500
Message-ID: <CAN8C-_J+Uk9H3fKbPLXM4iaMU1aoK+O=TR+o1NiOvug2MxzwCA@mail.gmail.com>
To: "Olle E. Johansson" <oej@edvina.net>
Content-Type: multipart/alternative; boundary="000000000000eb80b4061f8fe63c"
Message-ID-Hash: H4SXLPFLSPTYIWYLUWWN4MOGC5RM4BSW
X-Message-ID-Hash: H4SXLPFLSPTYIWYLUWWN4MOGC5RM4BSW
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: scitt <scitt@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [SCITT] Re: Distributing a transparency statement in TEA
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/mt9DVhe4leEEZSPXIRGNf9D41pE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Owner: <mailto:scitt-owner@ietf.org>
List-Post: <mailto:scitt@ietf.org>
List-Subscribe: <mailto:scitt-join@ietf.org>
List-Unsubscribe: <mailto:scitt-leave@ietf.org>
I've been exploring putting cose-key and cwt thumbprints in TLSA records. This helps you confirm that a specific domain recognizes a key as confirmation method for credentials. You would probably want a draft that registered the proper bits for recognizing cnf thumbprints, and to update the associated registries. You still need key distribution though, DANE just helps you confirm a thumbprint is bound to a domain. It would still might be an improvement for notaries and code signing services, especially if attackers needed to update the DNS in order to get a new key recognized, or if updates to DNS could be used to revoke compromised keys. OS On Tue, Aug 13, 2024, 6:49 AM Olle E. Johansson <oej@edvina.net> wrote: > Hi! > > Thank you for a good meeting yesterday! > > I’ve tried to read up on the drafts and the presentations available. > > A few issues came up in my head :-) : > > * Relation between a transparency statement and the issuer/signer > > If a SCITT ts is distributed separately and the relaying party wants to > verify with the log - is there any way to discover a path to the > transparency log API from the actual statement? > > * Transparency artefact (“statement”) types > In the use cases you have a non-normative list of various artefacts that > may be used in statements. > We have the same issue in TEA - we don’t want to maintain a specific list. > If I understand it right you simply use media-type in the SCITT statement - > am I right in that or will that list be used in any other way? > > For statements that are more generic, let’s say a PDF file with a > statement of conformity with an EU law - application/PDF will not be very > useful. I think we need some extra attribute or a registry to handle this. > What do you think? > > * Digital signatures on objects > > I strongly think we have to have a PKI discussion. Your trust anchor store > doesn’t scale much. I do think that DANE and DANCE may have a role to play > here to provide more scalabilty. > > To summarize: I think that there are plenty of ways TEA will co-work with > SCITT and there are areas we can work together to use the same terminology > and make sure that there is compatibility. > > Cheers from a sunny Sweden! > > /O > -- > SCITT mailing list -- scitt@ietf.org > To unsubscribe send an email to scitt-leave@ietf.org >
- [SCITT] Distributing a transparency statement in … Olle E. Johansson
- [SCITT] Re: Distributing a transparency statement… Orie Steele
- [SCITT] Re: Distributing a transparency statement… Olle E. Johansson
- [SCITT] Re: Distributing a transparency statement… Steve Lasker