Re: [SCITT] Intel is taking the lead on a Trust Service Registry
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 13 July 2023 12:29 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE35CC14CE53 for <scitt@ietfa.amsl.com>; Thu, 13 Jul 2023 05:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmFiAIP73BFo for <scitt@ietfa.amsl.com>; Thu, 13 Jul 2023 05:29:28 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77640C13AE51 for <scitt@ietf.org>; Thu, 13 Jul 2023 05:29:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1689251347; x=1689856147; i=hannes.tschofenig@gmx.net; bh=pBed/giqMnj8tJhTOhub+eIOvfX9TokjzifoRcZegco=; h=X-UI-Sender-Class:From:To:Cc:References:In-Reply-To:Subject:Date; b=AWXTpE0t3UpcQyrFo0i8U24dohujOUhZRm3wnXuaW1WYxpMdDHsnsSNHUrhkNDxRn7unFww ZCq6R8PuGMYBL4Nstx2p1GbI+u/9/Q5lVcxXvppvOsyFLhINCoZ6roPsX3sYU2y13oWE8aVq8 lRZe5FV+4IRus09+jyJCJkL3NLyjb+SxcpcFiED9/EKUka6Y5Gl0OkOYrMAeUqy8AaxoxUHn0 IEPYhjl2XCOflbL691SCEj39S+hK4nLeQ70Dcp2IKR0O+tNYYg2VCQu2dY8bLm430tbshdNXm v/zPP9c6oP58kXZVl7CbfXuP6fsFQ5e67UF+izxxnpKozdfKW/7A==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from SurfaceHannes ([46.125.249.57]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MCbEp-1qAGXZ2ugd-009e8h; Thu, 13 Jul 2023 14:29:06 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: 'John Andersen' <johnandersenpdx@gmail.com>, dick@reliableenergyanalytics.com
Cc: scitt@ietf.org
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com> <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com> <242d01d990bd$f8423ed0$e8c6bc70$@reliableenergyanalytics.com> <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com> <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com> <CAPFAYiX+arF6HMBfkGRAU==NJnK-KrSYqefQKh_wjOUVw9eQ0w@mail.gmail.com> <CAPFAYiXbzyL=+3u_8TV8B7icwFJq1DT5wjqGCbNi10Wa7uNNjw@mail.gmail.com>
In-Reply-To: <CAPFAYiXbzyL=+3u_8TV8B7icwFJq1DT5wjqGCbNi10Wa7uNNjw@mail.gmail.com>
Date: Thu, 13 Jul 2023 14:29:05 +0200
Message-ID: <012001d9b585$9daae200$d900a600$@gmx.net>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0121_01D9B596.61364A10"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGtoQ4c+B6TqAZxglWuG/ovVVgzAwJd05bjAr2KISsB5lXH8QKSsrIoAT9qvQMBUTYIGq+unnng
Content-Language: de-at
X-Provags-ID: V03:K1:eVZbX2XeHdLMYh2bq9UFROLzl1oLDHMy/Hk50obKdzR1ThNW8X4 fXdQa+ZS1sMX9iS/IeBi9oV0ltZ9FaltDUvClXJvv5oECGIDxDAiYFgrysGd5WbFqdn08Lc 0rx/S6yIHnbRXxbW7d4FWkuLPbzuj1WC5yPAyY+iBjVZBPOgYMVbSjSR2guVofoG9JtE2XO Vpm3hzIOc1bxJWR/XLtYw==
UI-OutboundReport: notjunk:1;M01:P0:6TxA2DhViTg=;S+19BqFYNU98T1OvD9N6m8MqLf9 9xEXo+sHZKeCIh1JA+KhIm3OMuOQ8jw0yggjXXF+4njWe9OXTD4p3JZQckEhDNNhA6EhNfrzk 0yWTHubzZ5NlJGv7VCYWo5UsAi8yR5U+bYNktT8HZDvVNs8qKmlvE/mvwX00XW7Hu5P0twwQh G4JC3TArwFJde4UWa3LIndO8JOimpVVXa8IqDfCEgeX8zyuwzD25W4siN7WWTwWW7HtTqJLXW 9e2hEOwS3ldjhT97b3BMbib8JsB1pgdTtj2ISuNIE2GmP/WJLjTGe25P/dMDQgG5ADAIPIlOM +9/ZjBCV0E85ewujO5uI4hDejJQOsckLsT6ui6y6QzFK8fs+4M6na1kwRsc+O9BDwsvYRSql+ gJ7Pp9+MbXRnRAQ7Cmm9pjlp+DpfkVP1ccl0m6PY6PXUcvd6Ugymi8VtYJRY/VEH8jcJgp5bi 0Vf8gT8EoT2rvWb2fl3/a88XKvOC7cAA2VSgq3Zmz5sKQnTR1BPeozuof/qfXYSd4I8xQidcq 5lc+E7MXTLBwU/bSMqZjnvJ4JjUR9qNOvSLQo/OSzSI7qgG1If4z96WCx2870IZ/kAWoSwi3J hV3ud7dunLqXedQk9sQKdE5yDcVmY/5CxzCb+bHCVYtV5E2g5hNQvVI9Pw/wg0H0Z88OJbm/C wXUAqs96y3b9ei/wfMMoiIgUah22WW+mDOUkBPEyyf6WqaAi4dmoNwSagLow4ZbVpH/LFf7Xc rG29dsQjg///2OLfATKi0cxHHEwQVHhEfyXtcRmF+0x2yYR29/ASJU7JPyZflHZDSQtF41C7f vBwezg1PGsIOZXHIdy/Y5+qqwNWr2vzx0yMTfk2/rz0JBd2btMYVKI5jSJa/9rjlPvjFRPyOk 3jaoKt+mvCw/ZhJaamVpDKWwwsNqUHdqXXg4g9wV9zt4nHOWyXXOv1ewnh6GWEXkSsFdhvpYN IeAKP9lVBCvilNKf9uw7QwHMkkM=
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/qyhbK8PPrR_iherKWsBJU5U5D6s>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jul 2023 12:29:33 -0000
Thanks for pointing us to your work, John. Project Amber, as pointed out by Dick, is an attestation verification service (the verifier in the IETF RATS terminology). Intel has ben operating such a service in the past for prior Intel attestation technologies. How is your project on “Rolling Alice” related to Project Amber? Ciao Hannes Von: SCITT <scitt-bounces@ietf.org> Im Auftrag von John Andersen Gesendet: Samstag, 27. Mai 2023 20:36 An: dick@reliableenergyanalytics.com Cc: John Whiteman <john.whiteman@owasp.org>; ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>; swsupplychain-eo <swsupplychain-eo@nist.gov> Betreff: Re: [SCITT] Intel is taking the lead on a Trust Service Registry This talk is the foundation for this work: https://gist.github.com/07b8c7b4a9e05579921aa3cc8aed4866#file-rolling_alice_progress_report_0003_down_the_dependency_rabbit_hole_bsides_portland_2019-md Progress is slow but steady. The goal is to bake as much of the methology’s risk analysis and reaction capabilities into existing tooling, processes, formats, and infrastructure as possible. Thank you, John On Sat, May 27, 2023 at 11:19 John Andersen <johnandersenpdx@gmail.com <mailto:johnandersenpdx@gmail.com> > wrote: I wholeheartedly agree with you!!! Hence the pursuit of Alice Intelligence (AI, John W gets credit for that acronym) https://mailarchive.ietf.org/arch/msg/scitt/iEAhuuicVxgoXJiAZIGmpZOctcc/ Thank you, John On Sat, May 27, 2023 at 10:49 Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: Thanks, John. I’m doubtful that open source, volunteer, software maintainers will want to invest their energies doing the tedious work of analyzing software supply chain risk assessment data and preserve tamper-proof evidence that can be presented in a lawsuit or audit, and support/operate an online, reliable service to answer consumer queries like “Is this software product vulnerable as of right now?”. It’s a lot of tedious work, that must be done in order to operate a credible, legitimate “Trust Registry” Service, that also costs money to operate. But I’ve been wrong before, I never thought anyone would buy a “pet rock” but some did. https://en.wikipedia.org/wiki/Pet_Rock Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: John Andersen <johnandersenpdx@gmail.com <mailto:johnandersenpdx@gmail.com> > Sent: Saturday, May 27, 2023 1:32 PM To: John Whiteman <john.whiteman@owasp.org <mailto:john.whiteman@owasp.org> >; dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> Cc: ofcio@omb.eop.gov <mailto:ofcio@omb.eop.gov> ; scitt@ietf.org <mailto:scitt@ietf.org> ; scrm-nist <scrm-nist@nist.gov <mailto:scrm-nist@nist.gov> >; swsupplychain-eo <swsupplychain-eo@nist.gov <mailto:swsupplychain-eo@nist.gov> > Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry Hi Dick, Thanks for sending those and looping them into this discussion. Sections 2.1.1 and 3.2 respectively look related to the high level goals of the use case doc. We plan to leverage threat models heavily (https://m.youtube.com/watch?v=TMlC_iAK3Rg) to assist with risk determination and further sharing of vuln details including how much data to share about the architecture of the system context in question for the triggering event. We want to enable OSS maintainers, and the secure software forges to have these same capabilities. Thank you, John On Sat, May 27, 2023 at 10:09 Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: Thanks, John. I’m not familiar with the vuln sharing goals of OpenSSF stream 8, but I am familiar with the NIST Vulnerability Disclosure concepts in SP 800-216 and C-SCRM SP 800-161: https://csrc.nist.gov/publications/detail/sp/800-216/final This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control. The SP 800-216 framework is also in harmony with SP 800-161 RA-5 Vulnerability Disclosure Reports, where software suppliers provide consumers with software product vulnerability disclosures, at the SBOM component level: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: John Andersen <johnandersenpdx@gmail.com <mailto:johnandersenpdx@gmail.com> > Sent: Saturday, May 27, 2023 12:58 PM To: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> Cc: ofcio@omb.eop.gov <mailto:ofcio@omb.eop.gov> ; scitt@ietf.org <mailto:scitt@ietf.org> ; scrm-nist <scrm-nist@nist.gov <mailto:scrm-nist@nist.gov> >; swsupplychain-eo <swsupplychain-eo@nist.gov <mailto:swsupplychain-eo@nist.gov> > Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry WIP but related: https://github.com/ietf-scitt/use-cases/pull/18 Have been mocking up how we can run SCITT within TEEs which leverage the Amber attestation environment to attest to validity of insert policy run (https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552 ) within hermetic builds. This facilitates a recursive trust relationship which enables dependency review (trust propagation) of OSS. Results are federated across the decentralized network of software forges. This work is in pursuit of the vuln sharing goals of OpenSSF stream 8. Thank you, John On Sat, May 27, 2023 at 08:11 Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com> > wrote: Hello Everyone, This announcement from Intel is further proof that a “Trust Service” is becoming a foundational requirement for trustworthy computing. A Trust Service Startup Inside the Chip Company https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html Amen to this: ““Attestation is the ability for you to prove that something is what it says it is,” Yeluri explains. “And that is really the ground truth in confidential computing. If you can’t attest and say it is truly what it is, confidential computing is immaterial.” “Before taking that big step, Yeluri and team checked with a couple dozen customers — banks, manufacturers, telecommunications services — and received votes of support.” The following observation is “spot on” based on REA’s experience operating the SAG Community Trust Registry ™ (SAG-CTR ™): “A few suggested Intel just build it as open source. But Yeluri and team believed that while the core attestation primitives can be open sourced, a solution could only succeed “as a turnkey service. That means somebody has to operate it at scale,” he says, “and we think we can do that.” REA agrees with the above statement, operating a reliable, trustworthy “trust service” at scale, like REA’s SAG-CTR, is a lot of work that requires the analysis, storage and maintenance of evidence that is trustworthy and can be presented during a lawsuit or audit, that cannot be properly operated by open source volunteers. https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 -- SCITT mailing list SCITT@ietf.org <mailto:SCITT@ietf.org> https://www.ietf.org/mailman/listinfo/scitt
- [SCITT] Intel is taking the lead on a Trust Servi… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Hannes Tschofenig
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen
- Re: [SCITT] Intel is taking the lead on a Trust S… Dick Brooks
- Re: [SCITT] Intel is taking the lead on a Trust S… Tschofenig, Hannes
- Re: [SCITT] Intel is taking the lead on a Trust S… John Andersen