IETF Logo Mail Archive

Re: [SCITT] Question regarding Transparency Service query results and registration policy

Orie Steele <orie@transmute.industries> Mon, 19 February 2024 18:30 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC038C14F747 for <scitt@ietfa.amsl.com>; Mon, 19 Feb 2024 10:30:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfYca02CdYQT for <scitt@ietfa.amsl.com>; Mon, 19 Feb 2024 10:30:14 -0800 (PST)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C5ABC14F713 for <scitt@ietf.org>; Mon, 19 Feb 2024 10:30:14 -0800 (PST)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1d953fa3286so28081205ad.2 for <scitt@ietf.org>; Mon, 19 Feb 2024 10:30:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1708367413; x=1708972213; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+2T6dOcVe41IxhJcgeTUI/2eBFUNilqeowNc0ilvRwo=; b=FVeVr+8hiLHA8LE/zhMe8HxAZj90uddwq2S+3/p2unpOmA/aC65BM6YUDl8GhFTn99 bw6i7ZiucEANvaDfxJna8uKEopaQeDosIU/X9nK4jurYO8xWBCxXk30H6Ys5G/vJdKed 1r0LozhH/0p5rEIGEqa9bVMZljtD6IwlhYn10MLewxRvSua2xSZ9TYVKXN6jD1MFeRRC 3qNebndcWEg1F/d5p71oEDNtLZt9/GXcsS12dY76e/DlR02DViUm633fDh/txCpQtzPv sEe2L51K8GrcR0YfD5W4Jxnsr4sqqOZVcyEzM4zpnY36felsl8yIlXCxBsuBGWqK/JCL WiwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708367413; x=1708972213; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+2T6dOcVe41IxhJcgeTUI/2eBFUNilqeowNc0ilvRwo=; b=UuTDrcQVU19fKvhwzh1CBksijMUMA6fJQ3deMw3wwEPmiypCC3BBCFEPCmZLUEQCbh gHyYFJLEaXSTlUyFZGO2gcpcFox8srfGxXP0L/yt4q43ztVnDv8hdoxXTcCpLdvm19ip VAc+KA+xiINZy3pO4x82S7M6r0Glh/CLQmbJzHKXPFYfgy8UXwlNaIVyPyATasQCuk3x u306QEWniwwVAmveFvUZIXHCflg4rgEGle6m9EzWBFDcqwIySX/52ikN7jKSwpJnagYo 1SJVT1f8y2wK325DJmrofkcKEwjFEUg5vnT/fViE0EaYv2byPRDx4EYkrDwwfRMQve2F O7ww==
X-Gm-Message-State: AOJu0Yyt2JQvzsbFJCPt+AWHqxHTiHuMbhkEXcMNymOv78hlmUaMyIqh brLy8uxR+IRYKPuSXoAZVVDmgS9Ox8aRn1ygwtZBRUNkJKZkY8R+Us8Epj4xGYXPPqO/go0QemN KK4aoFgCWZrYmLALGfBMmCYPUEj6G1CwI1BE76g==
X-Google-Smtp-Source: AGHT+IGCQSzJH8X1BRtZtlUojfPUdbR+QQr2YicxrJycmUrGpiV398BCenBcNQqcThR3Nb0/m5+uisYCBrrLOnVsj5Y=
X-Received: by 2002:a17:902:e882:b0:1db:faa6:d4b3 with SMTP id w2-20020a170902e88200b001dbfaa6d4b3mr3500197plg.11.1708367413118; Mon, 19 Feb 2024 10:30:13 -0800 (PST)
MIME-Version: 1.0
References: <1196501da634f$be7c6300$3b752900$@reliableenergyanalytics.com> <CAN8C-_+VpiPcJvPBvT-Xud=pk08pcyboDnsyYjy_-PyNCcMksw@mail.gmail.com> <1230f01da6353$86924820$93b6d860$@reliableenergyanalytics.com> <CAN8C-_LCcTJ8W+LC4aFCmbVijw6hiYYBwwK_gV8CMYo-TDwzRA@mail.gmail.com> <12c4f01da635a$6c793460$456b9d20$@reliableenergyanalytics.com> <CAN8C-_+Y-tYAmRY0EhuWidYys21hi0NRUkC6dYsYFN6Y8=Xi=A@mail.gmail.com> <12d9f01da635e$72878290$579687b0$@reliableenergyanalytics.com>
In-Reply-To: <12d9f01da635e$72878290$579687b0$@reliableenergyanalytics.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 19 Feb 2024 12:30:01 -0600
Message-ID: <CAN8C-_JsfVLvU9rKDXkQxmLxWRqTyRUsGZWE0jDG-ESXizbS9A@mail.gmail.com>
To: dick@reliableenergyanalytics.com
Cc: scitt@ietf.org
Content-Type: multipart/related; boundary="000000000000ce3ce40611c048e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/nUdphVeF6tSl-4kCZZ-iBBAJ_PY>
Subject: Re: [SCITT] Question regarding Transparency Service query results and registration policy
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 18:30:19 -0000

A "registration policy" is the policy a vendor sets for deciding what
criteria a "signed statement" must meet, in order for the vendor to provide
a receipt.

For example, a vendor might require the COSE Sign1 to be signed by issuers
or certificates that are in a specific PKI (Public, Private), or that are
about a specific subject, such as a product identified by a PURL, or any
other product identifier.

A registration policy is not a place to "define APIs".

The registration policy is expected to be applied to every message that is
sent to a SCITT API Endpoint that "accepts signed statements and produces
receipts".

However, the provisioning, maintenance and definition of the policy is out
of scope for SCITT.

AFAIK, the current SCITT API endpoints are not mandatory to implement at
all, meaning there is no assurance of interoperability or conformance to a
specific set of HTTP endpoints for SCITT.

Some vendors might choose to never implement any of these SCITT HTTP APIs
and instead expose the "scitt registration apis" over gRPC, Kafka, or some
other transport.

If vendors do advertise compatibility with
https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/
Then the normative requirements of that document apply, and those
requirements are what enable interoperability over that specific HTTP API.

I'd stress that SCRAPI is just "one HTTP" API, and since it's not mandatory
to implement, it may provide little to no interoperability.

OS


On Mon, Feb 19, 2024 at 12:07 PM Dick Brooks <
dick@reliableenergyanalytics.com> wrote:

> I am not suggesting that every vendor produce a trust score.
>
>
>
> I’m asking a question “Should SCITT vendors be expected to define their
> API’s in a Registration Policy” OR will the SCITT API define the specific
> API’s that need to be supported by each vendor?
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* Orie Steele <orie@transmute.industries>
> *Sent:* Monday, February 19, 2024 12:50 PM
> *To:* dick@reliableenergyanalytics.com
> *Cc:* scitt@ietf.org
> *Subject:* Re: [SCITT] Question regarding Transparency Service query
> results and registration policy
>
>
>
> Are you suggesting that some vendors who build products on SCITT, might
> require a "trust score" as part of their registration policy?
>
> Seems like they are allowed to do that today.
>
> If you are asserting that all registration policies should mandate such a
> check, I can imagine that might produce objections.
>
> As a general rule, vendor or domain specific registration policies seem to
> be out of scope for SCITT, although there is still debate about what is "in
> scope" for "mandatory to implement" registration policies.
>
> OS
>
>
>
> On Mon, Feb 19, 2024 at 11:38 AM Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Orie,
>
>
>
> I agree: Seems to me that something *like* this might be a better fit for
> the current SCITT APIs:
>
> My question is: Will SCITT define the API interfaces and return results of
> will this be a matter for the “Registration Policy” to address?
>
>
>
> I’m not proposing any interface standards, just trying to understand how
> this functionality will be accommodated by SCITT; in the spec or in the
> registration policy, or some other method?.
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* Orie Steele <orie@transmute.industries>
> *Sent:* Monday, February 19, 2024 12:30 PM
> *To:* dick@reliableenergyanalytics.com
> *Cc:* scitt@ietf.org
> *Subject:* Re: [SCITT] Question regarding Transparency Service query
> results and registration policy
>
>
>
> I don't see APIs like this in any of the IETF documents.
>
> Do you feel this API is essential to SCITT protocol interoperability?
>
> Can you explain why it would help Vendors A and B to agree to host such
> API endpoints, and how they might be used in a "federation" use case?
>
> Seems to me that something *like* this might be a better fit for the
> current SCITT APIs:
>
> GET
> https://vendor.a.example/receipts/urn:...ietf:scitt:signed-statement:sha256:base64url:<hash
> of signed statement>
> ~> proof that a vendor recorded a signed statement regarding a "trust
> score for a product" in their log.
>
> The "signed statement part", would be a COSE Sign1 over the JSON payload
> your current API is returning as a result.
>
> The use case for this would be, in the event of an incident, the response
> team could forward the receipt to the vendor who issues the receipt,
> when asserting that a product was "known to have a low score", and that
> its potentially the entry point of an exploit chain.
>
> OS
>
>
>
> On Mon, Feb 19, 2024 at 10:48 AM Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Thanks Orie.
>
>
>
> Here is an example of a “Transparency Service” query, that I’m thinking of
> for scrapi:
>
>
>
> I’m thinking a “Transparency Service” will need to describe it’s API
> service interfaces and results returned, including errors.
>
> Query API:
>
>
> https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=48E0EEB4C538BCD65514D68DDA5E1B41BE9F38AAB3A9B4108F056A27BE1F379A
>
>
>
> JSON Results Returned:
>
>
>
> [{"SAGScore": 88.65, "current_date": "2024-02-19", "SourceSupplierName":
> "Reliable Energy Analytics LLC", "ProductName": "SAG-PM (TM)",
> "ProductVersion": "1.2.2", "Label Type": "SAG Trusted Software", "Product
> Category": "Desktop Software Application"}]
>
>
>
> Here is an example of an error result:
>
>
>
> https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=
>
>
>
> JSON Results Returned:
>
>
>
> {"SAGresult":"Invalid Request"}
>
>
>
>
>
>
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* Orie Steele <orie@transmute.industries>
> *Sent:* Monday, February 19, 2024 11:41 AM
> *To:* dick@reliableenergyanalytics.com
> *Cc:* scitt@ietf.org
> *Subject:* Re: [SCITT] Question regarding Transparency Service query
> results and registration policy
>
>
>
> https://datatracker.ietf.org/wg/scitt/documents/
>
> ^ unless it's in one of these documents, or an issue in one of the
> repositories for working on them, or a thread on this list that is clearly
> showing consensus to do something.
>
> It's not a thing the IETF WG is developing.
>
> I think the answer to your question is "No", but having the IETF documents
> not define this, does not preclude vendors from developing products that
> build on SCITT that do this.
>
> One way to think about what should be done in the IETF documents vs in
> products build on the IETF documents is to answer this question:
>
> Is interoperability at this layer essential to solving the problem we are
> chartered to solve.
>
> Some examples of what you mean by "API Query Results" might make it easier
> for the list to answer this question.
>
> Regards,
>
> OS
>
>
>
> On Mon, Feb 19, 2024 at 10:22 AM Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Will a Transparency Service specify it’s “API query results” within the
> registration policy OR will SCITT require a Transparency Service to provide
> a catalog of supported API’s and their interface definitions? Or both?
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> --
> SCITT mailing list
> SCITT@ietf.org
> https://www.ietf.org/mailman/listinfo/scitt
>
>
>
>
> --
>
>
>
>
> *ORIE STEELE*Chief Technology Officer
> www.transmute.industries
>
> [image: Image removed by sender.] <https://transmute.industries/>
>
>
>
>
> --
>
>
>
>
> *ORIE STEELE*Chief Technology Officer
> www.transmute.industries
>
> [image: Image removed by sender.] <https://transmute.industries/>
>
>
>
>
> --
>
>
>
>
> *ORIE STEELE*Chief Technology Officer
> www.transmute.industries
>
> [image: Image removed by sender.] <https://transmute.industries/>
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email