Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt
Orie Steele <orie@transmute.industries> Wed, 17 January 2024 18:38 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CDA3C14E513 for <scitt@ietfa.amsl.com>; Wed, 17 Jan 2024 10:38:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.594
X-Spam-Level:
X-Spam-Status: No, score=-1.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zg3uJVIu5xi for <scitt@ietfa.amsl.com>; Wed, 17 Jan 2024 10:38:21 -0800 (PST)
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEE5CC14F6F1 for <scitt@ietf.org>; Wed, 17 Jan 2024 10:38:21 -0800 (PST)
Received: by mail-pg1-x52c.google.com with SMTP id 41be03b00d2f7-5cdf76cde78so5925392a12.1 for <scitt@ietf.org>; Wed, 17 Jan 2024 10:38:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1705516701; x=1706121501; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=xlUOplqL+Uu2046WtCWZESfwl+2Azi8tgk0jAgFk2h4=; b=N+eJqFldfK+WDXn3QkQiFuvFdTK2kJYonYkH7LqUMPduahkFgjndHYgatJq2UrOTiS C3AY/vxiI/tEHoLk7pgpRFCQy2kCzv2Seg651+SLPj2Bk63jWg2si0nNFFcmmxV6EYiB pzOql9NOyFrjLT62JuRuUw1cT6n0eKW2LAUXe+udY5fHquq1zb1NH41eMXtwNCHriNyN aydmPIvwZh4h2lnbAc/ZRtXkYWK9HCE4vrGHh6bancv4ivybjcYenzrH5CAcVDw8N54J ZqC5A2vtWAKTZ0Qk/JNclggLcfXQFK3mJfwOdgBHLdydqiFcbZFw5KIueIEeyZxgfL1T hwbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705516701; x=1706121501; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xlUOplqL+Uu2046WtCWZESfwl+2Azi8tgk0jAgFk2h4=; b=MlNw13Dir/TKCrOsZ5gvn9fBznMXe/fNdXb9spMgtVschf97XhejfrRRMMxVqOQpNz E7s8yXiO7ZF4yU5IvFH212c3IOjCghx0XB05GLlP1ZVs2Wu4ii6i/dMrYPOXDPjF3mh2 3IG7oegiWPPoW4XxSxczg1/+n6aaTfEVwA8QN0yr1pc8xUd8DTu4lnB9f+F6m3grKnJW xjQxUNof8ZuXsR2ktd+jP22XMUb5hcL2GGCckFfLqvXLDr7ViQo/YQrcX5d2RAFFkJRL 0rVUgrm1RKWgw2HzhwlmVhy/lS/PEzYAiZ4nFgvrxCdMn0ph9UHIEhb9+xrn2aYzNAr5 xUsw==
X-Gm-Message-State: AOJu0YwS9GsjAYwbaVTgeF0Vv35YkSB4P9Bd1KXKY76fVpRRjoDCK/HT 6t8DmiRQSeGys+5g8bEOCyGPPf8SmilOyp8KwtNoSmHTFcYUeA==
X-Google-Smtp-Source: AGHT+IGjfHLgz3C/Pyrbrpc/fjHQ3RdUCucrNl2N+m3JPLbrYlTM+QvXUZpo1oDLmjdRWHr5Eog06VOp/AJVK9VQDug=
X-Received: by 2002:a05:6a20:d39b:b0:19b:7e78:e085 with SMTP id iq27-20020a056a20d39b00b0019b7e78e085mr743944pzb.4.1705516700543; Wed, 17 Jan 2024 10:38:20 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_Kfj4wsXYONSzYK3832QK_z+uEDnmvZz76WvuWCGCDZeA@mail.gmail.com> <CH0PR11MB5739D5FE4861DBF695F5259A9F732@CH0PR11MB5739.namprd11.prod.outlook.com> <CAN8C-_LDUA9FRR00vqG0sRAUVwCrWzXN2SmjfMDtVfLo3REEOw@mail.gmail.com> <CAN8C-_Jf4q9p_hNvH_ZN2X_GVGNBzdONyMEUO998ET7ChK3r4g@mail.gmail.com> <a13401da496c$8a001dd0$9e005970$@reliableenergyanalytics.com> <CAN8C-_JQO2eLqRBcS7QJoWUqqPEOqCGx8DWtXFy=5Qg6k1XfvA@mail.gmail.com> <a18501da496e$29aa2e60$7cfe8b20$@reliableenergyanalytics.com> <DM6PR09MB4726A2A0459874F8C086A2C68D722@DM6PR09MB4726.namprd09.prod.outlook.com> <CAN8C-_J0LaFARj_+Ayvd5sN5wYG6B1qqeCNdT=uqBRkX_ZQRQA@mail.gmail.com> <a38e01da4974$0f1f3b70$2d5db250$@reliableenergyanalytics.com>
In-Reply-To: <a38e01da4974$0f1f3b70$2d5db250$@reliableenergyanalytics.com>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 17 Jan 2024 12:38:09 -0600
Message-ID: <CAN8C-_Lkmbw2_XGeJrCFKzA9-XNdA=FRwgoJgAMiNVM_siqW_A@mail.gmail.com>
To: dick@reliableenergyanalytics.com
Cc: "Stein, A.J. Mr. (Fed)" <alexander.stein@nist.gov>, scitt <scitt@ietf.org>
Content-Type: multipart/related; boundary="000000000000185c33060f288d56"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/noHU7fzvqPuPZ7auWbJnI53KmfY>
Subject: Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 18:38:26 -0000
No, as long as you use a COSE Sign 1 to encode the signature. You would use the x5t header parameter to point to your cert... of course it's possible that no transparency service will accept that signed statement and issue a receipt, because you used a self signed cert. OS On Wed, Jan 17, 2024 at 12:36 PM Dick Brooks < dick@reliableenergyanalytics.com> wrote: > Does this also exclude self-signed artifacts using X.509? > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > *From:* Orie Steele <orie@transmute.industries> > *Sent:* Wednesday, January 17, 2024 1:35 PM > *To:* Stein, A.J. Mr. (Fed) <alexander.stein@nist.gov> > *Cc:* dick@reliableenergyanalytics.com; scitt <scitt@ietf.org> > *Subject:* Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt > > > > Since you mentioned SSH... Those keys are also not supported in the > architecture. > > To be clear, when SCITT describes identity documents it is describing some > "trusted name for a public key, that can verify cose sign 1". > > When SCITT describes "Signed Statements and Receipts", those are COSE Sign > 1... > > Which means not PGP, and not DER encoded signatures from OpenSSL, or any > other signature format. > > For examples of things that exist in the wild that produce signatures that > are not compatible with the SCITT architecture: > > - JWS: https://github.com/panva/jose > - GPG Signatures: https://www.gnupg.org/gph/en/manual/x135.html > - SSH Signatures: https://www.agwa.name/blog/post/ssh_signatures > - OpenSSL Signatures: > https://www.zimuel.it/blog/sign-and-verify-a-file-using-openssl > - DSSE: https://github.com/secure-systems-lab/dsse > > Regards, > > OS > > > > On Wed, Jan 17, 2024 at 12:13 PM Stein, A.J. Mr. (Fed) < > alexander.stein@nist.gov> wrote: > > Dick, > > > > Your point is apt but many open source projects use OpenPGP reluctantly > for an ironic reason, it's the only option from a package manager or > artifact repository service and there is no required certificate authority; > it's a feature, not a bug, and this gives way to the web of trust model. > Many packaging systems use it because it is the only reliable zero-cost > option for free/open software and that last bit, the WoT, is up to the > developer and downstream users to deal with, end of story. (Everyone in the > Maven ecosystem has essentially only that option for public libraries). > > > > So why is that? > > > > The Web of Trust notions in OpenPGP are related, but different, from > X.509's hierarchical model, and both systems are earlier realizations of > what should be possible *with/alongside *SCITT services (not within, last > time this was mentioned others rightfully mentioned this is not in the IETF > SCITT charter, implementations aside): transparency services facilitate > checking artifacts themselves, artifact maker, issuer, verifier, relying > parties et cetera identifiers and *give building blocks for verifiers and > RPs to decide whether they will bind them to identities humans care about*. > I'd argue that OpenPGP has never really succeeded at this (and I had been a > very avid user in my personal life for years) and why it is the elephant in > the room. It is why OpenPubKey and SigStore started in the software supply > chain space. I say this regrettably as someone who likes OpenPGP (and there > are many hardline critics who say it should go away). > > > > More importantly, as Orie points out, it is not easy to port keying and > cert material between the two, if possible. Quick Googling confirmed > responses from "why would you do that?" to "you cannot really do that, this > isn't like PGP/OpenSSH key translation when you SSH into a server." > > > > As far as SCITT is concerned, someone could make the same recommendations > in something alongside the architecture and use identifiers and OpenPGP > signatures, but that is outside of the scope of the architecture, and this > higher level goal in italics is out of scope generally for SCITT (and Orie > has made it sound like it is really part of the Key Trans > <https://datatracker.ietf.org/wg/keytrans/about/> work). Rest of the > list: I am right in this interpretation? > > > > Best, > A.J. > > > > -- > > A.J. Stein > > IT Cybersecurity Specialist > > Secure Components and Mechanisms Group > <https://www.nist.gov/itl/csd/security-components-and-mechanisms> > > NIST ITL Computer Security Division > > Email: alexander.stein@nist.gov > Cell: +1 (202) 536-8216 > Matrix: @aj-stein-nist-619d4e9d6da03739848b2b5a:gitter.im > <https://matrix.to/#/@aj-stein-nist-619d4e9d6da03739848b2b5a:gitter.im> > > GitHub: github.com/aj-stein-nist > > > > Need to chat? Click this link to book time with me > <https://outlook.office.com/bookwithme/user/553a60383771471381091ed979a954f6@nist.gov?anonymous&ep=plink> > . > > Who am I and what am I working on? Read more in my GitHub bio > <https://github.com/aj-stein-nist/#work>. > ------------------------------ > > *From:* SCITT <scitt-bounces@ietf.org> on behalf of Dick Brooks < > dick@reliableenergyanalytics.com> > *Sent:* Wednesday, January 17, 2024 12:54 PM > *To:* 'Orie Steele' <orie@transmute.industries> > *Cc:* 'scitt' <scitt@ietf.org> > *Subject:* Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt > > > > Thanks for the feedback, Orie. > > > > I think it’s more important to support X.509 and PKCS #1 given current > software supply chain practices. However, many open source projects issue > OpenPGP signatures. This could introduce a barrier to adoption. > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > *From:* Orie Steele <orie@transmute.industries> > *Sent:* Wednesday, January 17, 2024 12:50 PM > *To:* dick@reliableenergyanalytics.com > *Cc:* scitt <scitt@ietf.org> > *Subject:* Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt > > > > Dropping lamps and oauth to discuss openpgp with cose. > > I don't see how we can possibly support OpenPGP with COSE. > > There is no way to bind a COSE Sign 1 to an OpenPGP Key or Certificate ( I > think OpenPGP has their own concept of certificates?). > > OpenPGP is typically used to produce OpenPGP Signatures, which are not > compatible with the SCITT architecture, which states that both a "Signed > Statement" and a "Receipt" are based on COSE Sign 1. > > Regards, > > OS > > On Wed, Jan 17, 2024 at 11:42 AM Dick Brooks < > dick@reliableenergyanalytics.com> wrote: > > Anything that will enable support for X.509 and PKCS #1 signatures would > be good. The same is true for OpenPGP. > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: dick@reliableenergyanalytics.com > > Tel: +1 978-696-1788 > > > > > > *From:* SCITT <scitt-bounces@ietf.org> *On Behalf Of *Orie Steele > *Sent:* Wednesday, January 17, 2024 12:40 PM > *To:* Mike Ounsworth <Mike.Ounsworth@entrust.com> > *Cc:* scitt <scitt@ietf.org>; LAMPS <spasm@ietf.org>; oauth < > oauth@ietf.org> > *Subject:* Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt > > > > It seems OAUTH has a draft that also addresses the binding of `iss` to > certificates: > > > If the iss value contains a DNS name encoded as a URI using the DNS URI > scheme [RFC4501]. In this case, the DNS name MUST match a dNSName Subject > Alternative Name (SAN) [RFC5280] entry of the leaf certificate. > > - > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-01#section-3.5 > > It seems that based on the OAUTH guidance, the SCITT guidance should match > the OAUTH guidance. > > Regards, > > OS > > > > On Tue, Jan 16, 2024 at 7:46 PM Orie Steele <orie@transmute.industries> > wrote: > > There are 3 things that make up the SCITT ecosystem: > > 1. Signed Statements (COSE Sign 1 based signatures over arbitrary content, > with CWT Claims in the header). > 2. Receipts (COSE Sign 1 based counter signatures with inclusion proofs > for transparency logs) > 3. Identity Documents (certificates or public keys delivered from a trust > store) > > > In a way, Signed Statements are a bit like a CSR with evidence, and > Receipts are like a Certificate. > > The goal with Signed Statements was to make them really easy to create, > and not have any identity specific blocks for creating them (such as DIDs > or x509)... > Issuer's should be able to start using them without waiting for approval, > but a (conservative / rigorous) Transparency Service might require extra > vetting before they will provide a Receipt for one. > > When you get a software artifact with a signed statement and a receipt, > you actually have the following, encoded in the "Transparent Statement": > > Software Producer Identity ( identifier to key binding ) > issues --> Signed Statement ( signature over the artifact / statement, > proving that content has not been tampered with, signed by the "issuer" / > software vendor ) > > Transparency Service Identity ( identifier to key binding ) > issues --> Receipt ( proof of inclusion, signed by the transparency > service, proving a Signed Statement, was valid according to their policy at > the time it was included in their log ) > > So these questions regarding x5t and iss / sub apply to both Receipts and > Signed Statements, and SCITT is designed today, such that the identity > infrastructure could be the same or different for both. > > We should be able to use federated workload identity, x509 and blockchain > if that is required, or just x509 if that does the job. > > Also, it's possible to have multiple receipts for the same signed > statement, this proves a signed statement is in multiple transparency logs. > > Inline for the rest, this time with a CSR analogy: > > > > On Tue, Jan 16, 2024 at 4:40 PM Mike Ounsworth <Mike.Ounsworth@entrust.com> > wrote: > > Hi, > > > > As Orie mentioned, we’ve discussed this. I am an X.509 PKI guy, so I see > all problems through X.509-coloured glasses (interpret that with whatever > feelings of joy, excitement, disgust, or rage as you see fit). > > > > We have decades of experience of handling the UI aspects of this (and of > training user behaviour) through the Windows Code Signing and Linux package > manager ecosystems. When you see a popup saying “Do you want to install > “firefox.exe” which is verified by “Mozilla Corporation”?”, or “Do you want > to add the GPG key for “cURL Project” to apt sources?” users know what to > expect; that there is some level of trust in that naming information – in > Windows, the CA verified that the person requesting the cert is actually > Mozilla Corporation. In Linux package managers we put that responsibility > onto distro maintainers or end users, but there’s still a vetting process > to bind keys to names. > > > > What’s important to me is that SCITT is building on this history and > maintaining the user experience expectations. If a holder of a trusted key > is allowed to put whatever name they want for themself in the ‘iss’ field > of a signed SCITT object, then that would no longer be in keeping with the > historical precedent of other code signing ecosystems. > > > How is a SCITT Signed Statement different from an integrity protected CSR > here? > > If the iss, sub, or any other claims in the Signed Statement, do not match > the Transparency service policy, which covers both the verification > material the transparency service has in its trust store, and the claims, > then no Receipt will be issued by the TS. > > I suppose this is similar to a CSR request with claims that the CA does > not support? > > > > Aside – I’m not a SCITT expert so I don’t know what the semantics of ‘sub’ > are in SCITT, but I imagine that refers to the object being signed, and not > to the entity doing the signing? I don’t see how ‘sub’ has anything to do > with the x5t. > > > > > > That's right, sub is a text string, it's the identifier about which the > issuer is making assertions, regardless of which key verifies the > assertions... iss is just another assertion, only this time, it's a self > assertion regarding an identifier for the "entity" that controls the > signing key, that's used to make assertions about the subject. > > > > > > > > When `x5t` is present, iss MUST match subjectAltName in the resulting > certificate. > > > > This one is an interesting point in that an X.509 cert can contain a whole > list of names in the DN: CN, and in the SANs list. I would amend Orie’s > sentence to: > > > > “When `x5t` is present, iss MUST match either the CN or one of the > subjectAltNames in the referenced certificate.” > > > > In that case, ‘iss’ is providing value because it allows you to choose > which of the multiple verified names you want displayed in the UI. > > > > > > agreed. > > > > > > > > Requiring the text value of `iss` to match the `subjectAltName`, and > considering any message where they conflict invalid, does not change the > fact that all claims (including iss, and sub) are ONLY reliable, when you > trust a key that verifies them. > > Yeah, I disagree with that. > > I think that’s taking an overly simplified view of “trust”. > > I mean, that’s necessary, but not sufficient to have trust. > > You have to trust that key AND you have to trust how that key has been > bound to a name string. > > > > Right, in the case of a cert in a trust store, you trust the "multiple > verified names", when you install the cert in your trust store. > > You can install multiple certs for the same names (right?), if "iss" maps > to multiple certs, each containing multiple names, either all the certs > will verify the message, or some will, or none will. > > In the case of a trust store that is a database that maps an "identifier" > to a "key", like key transparency, you trust the name for the key based on > the KT structure as opposed to the cert and trust store structure. > > > > I can trust both the signing certs for Mozilla, and for the maintainers of > the Sublime Text Editor to sign their own software. What I don’t trust is > for the Sublime Project certificate to sign a firefox.exe claiming to be > Mozilla. > > > > But of course anyone with a signing capability can create such a > signature, and it is up to policy to decide if it's acceptable. > > > Just because their key is in my truststore does not mean that I trust them > to name themselves. > > > This is why Receipts matter, a receipt is a counter signature that says > basically "some vendor signed this software, we (the TS) authenticated > them, and the iss, sub, and details of the software met our policy, that's > why we issued a Receipt." > > In a way, the issuer proposes the iss and sub, and TS accepts those > proposals by issuing a Receipt. ( similar to CSR? ) > > Because of this, there will likely be strong industry pressure to pick > identifiers for issuers (iss) and identifiers for artifacts (sub) that > multiple independent transparency services will accept. > > Unfortunately, I don't think SCITT knows what those identifiers will be at > this point in time.... it's looking like an open ended graph problem. > > > > > Or, phrased a different way; we’re talking about cryptography, right? That > means that it’s in-scope to consider dishonest parties. Let’s say I > incorporate Mike’s Software Funhouse, inc and I buy a publicly-trusted > Windows code signing cert (the only requirement for which is to be a > registered company). Now, it turns out that my business is setting malware, > so I very much intended to sign a firefox.exe that’s full of malware. You > should trust my cert to correctly identify me as Mike’s Software Funhouse, > inc, and you should absolutely not trust my cert to sign a firefox.exe > claiming to be from Mozilla. > > > > If you get a Receipt from Mozilla that says they have made a Signed > Statement, "transparent", from your build server, the iss for the Signed > Statement will be an identifier for your build server bound to some ( > hopefully hardware backed ) key Mozilla trusted enough to issue a > Receipt.... and the Receipt's iss will be an identifier for Mozilla's > transparency service, regardless of if they are using x509, key > transparency, or something new to handle the identity to public key binding. > > > The prompt to the user will be: "Do you still trust Mozilla to issue > Transparency Receipts? Mike's Software Funhouse has a Receipt from Mozilla > for this custom Firefox build". > > The prompt might also mention some receipts from other transparency > services that you don't trust yet, in case Mozilla is the only issuer of > receipts you have installed currently. > > You won't need to install a cert / public key for every software producer > / signed statement issuer, you will only need to install keys for > transparency services, and let them do their job of vetting the software > artifact and statement issuer's. > > If you really want to, you can install keys for both the transparency > service and the issuer, and check the inclusion proof, the signature on the > receipt, the signature on the signed statement, and the hash of the > artifact, in case it was extremely large. > > And it will work regardless of if the identity layer (just imagine if > there was only one) is KT, x509, DIDs, or a filesystem directory on your > android phone with "iss" values as vendor names, and jwk.json and key.cbor > files inside them, that you sync over nfc at the hotel bar every ietf. > > > > > > > > PS – Orie, don’t think you’re gonna pull me into being a full member of > the SCITT WG. Nice try. > > > My usual strategy is to threaten terrible design, but in the case of x509, > I don't have enough experience to tell if it's working. > > --- > > *Mike* Ounsworth > > > > *From:* Orie Steele <orie@transmute.industries> > *Sent:* Tuesday, January 16, 2024 3:42 PM > *To:* scitt <scitt@ietf.org>; LAMPS <spasm@ietf.org> > *Cc:* Mike Ounsworth <Mike.Ounsworth@entrust.com> > *Subject:* [EXTERNAL] Issuers: Lamps <> Scitt > > > > Hello, We've been evolving the SCITT architecture, and taking advantage of > some newer work in COSE. - https: //datatracker. ietf. > org/doc/draft-ietf-cose-cwt-claims-in-headers/ As a result, SCITT now has > the potential to have "Signed > > Hello, > > We've been evolving the SCITT architecture, and taking advantage of some > newer work in COSE. > > - https://datatracker.ietf.org/doc/draft-ietf-cose-cwt-claims-in-headers/ > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-cose-cwt-claims-in-headers/__;!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvwYgR_YJA$> > > As a result, SCITT now has the potential to have "Signed Statement" cose > headers that look like this: > > { > / alg: ES256 / 1: -7, > / x5t: 10:B9:24:...:1D:8B:93 / 34: h'10b924...1d8b93', > / CWT Claims in Headers / 15: { > / iss: some text string / 1: software.vendor.example, > / sub: some text string / 2: pkg:nuget/EnterpriseLibrary.Common@6.0.1304 > > } > } > > The question is this: > > When `x5t` is present: > > How should `iss` and `sub` in > https://www.iana.org/assignments/cwt/cwt.xhtml > <https://urldefense.com/v3/__https:/www.iana.org/assignments/cwt/cwt.xhtml__;!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvw8PSGnBE$> > > Relate to `issuer` and `subjectAltName` in > https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc5280*section-4.1.2.6__;Iw!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvw6CrPo4w$> > ? > > I initially asked Mike O, what normative requirements should SCITT have > regarding this possible header structure, and which list should I ask > this on? > > I'll summarize some of the background, and then pitch what I think SCITT > should say on this subject (pun intended), any mistakes are my fault, not > Mike's. > > First a quick recap on what putting `x5t` in a COSE / JOSE header means > (let's assume we are not interested in "is SHA-1 safe to use these > days")... : > > - https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.7 > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc7515*section-4.1.7__;Iw!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvwu769voA$> > - https://datatracker.ietf.org/doc/html/rfc9360#section-2 > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc9360*section-2__;Iw!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvwWqvWdmY$> > > > x5t: This header parameter identifies the end-entity X.509 certificate > by a hash value (a thumbprint). The 'x5t' header parameter is represented > as an array of two elements. The first element is an algorithm identifier > that is an integer or a string containing the hash algorithm identifier > corresponding to the Value column (integer or text string) of the algorithm > registered in the "COSE Algorithms" registry (see < > https://www.iana.org/assignments/cose/ > <https://urldefense.com/v3/__https:/www.iana.org/assignments/cose/__;!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvw4CfWJ84$>>). > The second element is a binary string containing the hash value computed > over the DER-encoded certificate. > > Let's consider the common UI experience where a user is prompted to agree > they trust a software producer who signed a binary before installing it, > based on certificates in the user's trust store: > > Today, a user attempts to install a binary, and a dialog shows up > displaying the "Are you sure you want to install software from: > software.vendor.example?", where "software.vendor.example" is the > subjectAltName of the certificate in the trust store. > > > The signed software has hints about the software producer ( iss / kid / > x5t ) and they help software (such as an operating system) find a public > key (certificate with subjectAltName), in a trust store, which verifies the > binary, and then the user can be prompted to confirm they are comfortable > proceeding. > > > With SCITT, there is a possibility that the software verifies without > using a certificate, in which case, the UI would have nothing to display, > since there is no "subjectAltName" in the trust store, if the trust store > is just a set of COSE Keys or JWKs. > > In this case, (***after verification***) the UI could display any of the > fields in the SCITT header to the user. > > This could lead to a public key being used to sign binaries, where the > `iss` is different in each message (signed binary), even if the public key > is the same. > > It is possible for the same certificate (discovered by x5t) to be used > with different `iss` values, so binaries signed by the same cert with > "subjectAltName: software.vendor.example", might display a prompt that > looked like: > > "Are you sure you want to install software from (iss: vendor.example, > subjectAltName: software.vendor.example)?" > > "Are you sure you want to install software from (iss: > software.vendor.example, subjectAltName: software.vendor.example)?" > > "Are you sure you want to install software from (iss: distributor.example, > subjectAltName: software.vendor.example)?" > > > Regardless of the text we write, let's agree this will happen, now that > it's possible for it to happen. > > With this context out of the way, I hope we are ready to discuss the > guidance the SCITT Architecture should provide. > > Implementation Guidance: > > 1. Only display verified claims (iss, sub, etc...). > > Claims in the header or payload MUST NOT be displayed until after they > have been verified. > > This guidance unifies the hint processing enabled by x5t with hint > processing enabled by `kid`. > If you don't have a key that verifies the message, you see "this software > is not trusted". > If you cannot verify the message (because you don't have a cert or a > public key in your "trust store"), you will never see any potentially > incorrect information. > If you have a cert in your trust store, you see the iss, that was signed > by the cert that verifies the binary. > If you have a COSE Key in your trust store, you see the `iss` that was > signed by the COSE Key that verifies the binary. > > 2. Forbid conflicting identifiers (Redundant) > > When `x5t` is present, iss MUST match subjectAltName in the resulting > certificate. > > This would ensure that the same "software producer identifier" is > displayed, regardless of if the message is a COSE Sign 1 SCITT message, or > an existing binary signed with x509. > > This will cause validation policies to throw errors, after verification > succeeds, and requires comparing the verified headers to the certificate > used to verify them. > > 3. Forbid conflicting identifiers (Exclusive) > > When `x5t` is present, iss and kid MUST be absent. > > This will cause validation policies to throw errors, after verification > succeeds, and will cause complex UI that attempts to resolve the "verified > issuer label" from different data structures. > > SCITT Security Considerations: > > I think SCITT should call out that 2 and 3 do not actually give you any > security improvement, and if implemented incorrectly, could lead to "trust > without verify" bypass at the policy layer... and I think 2 and 3 should > not be included in the architecture. > > In the case that the trust store is compromised, it can already contain a > certificate that can match any `iss` or `x5t` in the binary. > > In the case that the trust store is uncompromised, and filled with keys > and certificates that can verify messages: > > Requiring the text value of `iss` to match the `subjectAltName`, and > considering any message where they conflict invalid, does not change the > fact that all claims (including iss, and sub) are ONLY reliable, when you > trust a key that verifies them. > > Consider an alternative proposal, where SCITT mandates that `kid` always > be equal to a specific identifier, for example: "did:example:123#key-42", > or equivalently, { iss: did:example:123, kid: 42 } > > If there is no way to get a certificate or key from this "custom > identifier hint", there is nothing that can possibly be displayed to the > user, since there are no certificates, or claims signed by a public key > that is trusted. > > Headers are "hints", nothing about a header or a payload should be > evaluated by a policy until after a verification succeeds, at which point, > you are looking at what the issuer intended to sign, arguing that software > vendors should implement specific string matching rules when "upgrading" to > SCITT, after verifying, seems like a recipe for lots of validation errors, > that are not actually providing any value, or even worse, deep / expensive > / complex validation before verification (aka > https://cwe.mitre.org/data/definitions/502.html > <https://urldefense.com/v3/__https:/cwe.mitre.org/data/definitions/502.html__;!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvwKK_KUNY$> > ) > > Now please tell me everything I got wrong : ) > > OS > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > <https://urldefense.com/v3/__http:/www.transmute.industries__;!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvwbYBl6kM$> > > [image: Image removed by sender.] > <https://urldefense.com/v3/__https:/transmute.industries__;!!FJ-Y8qCqXTj2!fjzKqcSRy4mYBet3i43Yz5aytF4UHea6E3zd8XFtXK9Me93OWcXe4vEb1B1_uzJzphtPPAnsi8Zj45dTiMvwJ7Pdhgs$> > > > > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > > [image: Image removed by sender.] <https://transmute.industries/> > > > > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > > [image: Image removed by sender.] <https://transmute.industries/> > > > > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > > [image: Image removed by sender.] <https://transmute.industries/> > > > > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > > [image: Image removed by sender.] <https://transmute.industries/> > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [SCITT] Issuers: Lamps <> Scitt Orie Steele
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Mike Ounsworth
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Orie Steele
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Orie Steele
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Dick Brooks
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Orie Steele
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Dick Brooks
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Stein, A.J. Mr. (Fed)
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Dick Brooks
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Orie Steele
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Dick Brooks
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Orie Steele
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Stein, A.J. Mr. (Fed)
- Re: [SCITT] [EXTERNAL] Issuers: Lamps <> Scitt Mike Ounsworth
- Re: [SCITT] [lamps] [EXTERNAL] Issuers: Lamps <> … Tim Hollebeek