IETF Logo Mail Archive

Re: [SCITT] Intel is taking the lead on a Trust Service Registry

John Andersen <johnandersenpdx@gmail.com> Sat, 27 May 2023 18:19 UTC

Return-Path: <johnandersenpdx@gmail.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD44AC15106C for <scitt@ietfa.amsl.com>; Sat, 27 May 2023 11:19:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BaI3PMzzLLlX for <scitt@ietfa.amsl.com>; Sat, 27 May 2023 11:19:29 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C84B8C14CEFC for <scitt@ietf.org>; Sat, 27 May 2023 11:19:28 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id 5b1f17b1804b1-3f6e68cc738so12565115e9.1 for <scitt@ietf.org>; Sat, 27 May 2023 11:19:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685211567; x=1687803567; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3xqHqbmN4eKDqTn9I4O2MwMfaXyGQoQi6E+o2OBJwbw=; b=hvLMwSFqVyVS1kfAztoXqSCrgjZMyOkq5WyBFMwBmUJbhprw2VihPoJdLs+ze5wqmH Eaz2z99zHteGevw7K56WL/aLySXLUNqSoLwvKhGdvco0HHDZujOEH0ifFkhC4VhNrr3X lSefmHQQjnCW2sRzHWExWRZJ0/KZ2J0fDq+YjHDAmRWmxCp7wYKgRn4bv25ftae2d1PT Xoh/d+uAI5u6k5bdgizjHMvoD9PZvmS6FIfdr/qQaBqU8BVXJpn/fWz03+UnfxEYab0/ Q5jFDXyCXV3PsLlBnLJG9Li0KtYE99C7KkaBZdSIKeC+CeQXnueRHjW3416drETiPcGh QAkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685211567; x=1687803567; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3xqHqbmN4eKDqTn9I4O2MwMfaXyGQoQi6E+o2OBJwbw=; b=baX4TAKWn3wAIbkztQ+oKsYfq7h2lfeNvDECi99M1C7o+hF4wEbQaFK4E/IX2BEGMF utpC6CNKBLu6WE3vWYiaYKUgXGaduUXGiJX3b7YKh+30u9QYrMz4JAsQwVk5/lIJ6y6U 6XbjJIWpuzGqjxLwZ0QauKdJltUxFw6NgYVSGRZKqyOP4CmDXyYVJGdWcnFaiH7az5Af HSYmK5yYt98QGOTV+WYQpPkKhOrf7DxQDq35GHkd1Rqovg52V68uG2ax2KcvX3SdqHbs nN8O8VB5G5ipRYJRFKxLaVPaW2RM/KFBU0D8mSVLKLCbCTebY15Uu/MtVVmk7AVeHcjP Oi5g==
X-Gm-Message-State: AC+VfDxoEtH3dg4mligUXVvPwO71Z/3rAqWqlWH8hHMjTtVyJLgcCOYS HuaJYOVzOw7qZiaWAL+QCCZbnR/leMJC8llB6Ng=
X-Google-Smtp-Source: ACHHUZ5OJewBCWkiNL/VNiT7HGbNN5X/FRZmqxGP4JGT8GkYYW6SZswWVQy1HWToFTMIEJIN7MZTenRe+4Cz3l0nWFs=
X-Received: by 2002:a1c:6a03:0:b0:3f4:2cb2:a6cf with SMTP id f3-20020a1c6a03000000b003f42cb2a6cfmr4488062wmc.10.1685211567035; Sat, 27 May 2023 11:19:27 -0700 (PDT)
MIME-Version: 1.0
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com> <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com> <242d01d990bd$f8423ed0$e8c6bc70$@reliableenergyanalytics.com> <CAPFAYiVMA+HSFjBbXOd8F9VdRYiMcVPqobc2AyX79zekUz5MTw@mail.gmail.com> <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com>
In-Reply-To: <246501d990c3$9d1fa6e0$d75ef4a0$@reliableenergyanalytics.com>
From: John Andersen <johnandersenpdx@gmail.com>
Date: Sat, 27 May 2023 11:19:15 -0700
Message-ID: <CAPFAYiX+arF6HMBfkGRAU==NJnK-KrSYqefQKh_wjOUVw9eQ0w@mail.gmail.com>
To: dick@reliableenergyanalytics.com
Cc: John Whiteman <john.whiteman@owasp.org>, ofcio@omb.eop.gov, scitt@ietf.org, scrm-nist <scrm-nist@nist.gov>, swsupplychain-eo <swsupplychain-eo@nist.gov>
Content-Type: multipart/related; boundary="000000000000d3354d05fcb0e43e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/ulJshWvV1NpZ-LPpo6zdyPWF0Zo>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2023 18:19:33 -0000

I wholeheartedly agree with you!!!

Hence the pursuit of Alice Intelligence (AI, John W gets credit for that
acronym)
https://mailarchive.ietf.org/arch/msg/scitt/iEAhuuicVxgoXJiAZIGmpZOctcc/

Thank you,
John

On Sat, May 27, 2023 at 10:49 Dick Brooks <dick@reliableenergyanalytics.com>
wrote:

> Thanks, John.
>
>
>
> I’m doubtful that open source, volunteer, software maintainers will want
> to invest their energies doing the tedious work of analyzing software
> supply chain risk assessment data and preserve tamper-proof evidence that
> can be presented in a lawsuit or audit, and support/operate an online,
> reliable service to answer consumer queries like “Is this software product
> vulnerable as of right now?”. It’s a lot of tedious work, that must be done
> in order to operate a credible, legitimate “Trust Registry” Service, that
> also costs money to operate.
>
>
>
> But I’ve been wrong before, I never thought anyone would buy a “pet rock”
> but some did.
>
> https://en.wikipedia.org/wiki/Pet_Rock
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* John Andersen <johnandersenpdx@gmail.com>
> *Sent:* Saturday, May 27, 2023 1:32 PM
> *To:* John Whiteman <john.whiteman@owasp.org>;
> dick@reliableenergyanalytics.com
> *Cc:* ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>;
> swsupplychain-eo <swsupplychain-eo@nist.gov>
> *Subject:* Re: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> Hi Dick,
>
>
>
> Thanks for sending those and looping them into this discussion. Sections
> 2.1.1 and 3.2 respectively look related to the high level goals of the use
> case doc. We plan to leverage threat models heavily (
> https://m.youtube.com/watch?v=TMlC_iAK3Rg) to assist with risk
> determination and further sharing of vuln details including how much data
> to share about the architecture of the system context in question for the
> triggering event.
>
>
>
> We want to enable OSS maintainers, and the secure software forges to have
> these same capabilities.
>
>
>
> Thank you,
>
> John
>
>
>
> On Sat, May 27, 2023 at 10:09 Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Thanks, John.
>
>
>
> I’m not familiar with the vuln sharing goals of OpenSSF stream 8, but I am
> familiar with the NIST Vulnerability Disclosure concepts in SP 800-216 and
> C-SCRM SP 800-161:
>
> https://csrc.nist.gov/publications/detail/sp/800-216/final
>
>
>
> This document recommends *guidance for establishing a federal
> vulnerability disclosure framework, properly handling vulnerability
> reports, and communicating the mitigation and/or remediation of
> vulnerabilities.* The framework allows for local resolution support while
> providing federal oversight and should be applied to all software,
> hardware, and digital services under federal control.
>
>
>
> The SP 800-216 framework is also in harmony with SP 800-161 RA-5
> Vulnerability Disclosure Reports, where software suppliers provide
> consumers with software product vulnerability disclosures, at the SBOM
> component level:
>
> https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
>
>
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> *From:* John Andersen <johnandersenpdx@gmail.com>
> *Sent:* Saturday, May 27, 2023 12:58 PM
> *To:* dick@reliableenergyanalytics.com
> *Cc:* ofcio@omb.eop.gov; scitt@ietf.org; scrm-nist <scrm-nist@nist.gov>;
> swsupplychain-eo <swsupplychain-eo@nist.gov>
> *Subject:* Re: [SCITT] Intel is taking the lead on a Trust Service
> Registry
>
>
>
> WIP but related:
>
> https://github.com/ietf-scitt/use-cases/pull/18
>
>
>
> Have been mocking up how we can run SCITT within TEEs which leverage the
> Amber attestation environment to attest to validity of insert policy run (
> https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552
> ) within hermetic builds. This facilitates a recursive trust relationship
> which enables dependency review (trust propagation) of OSS. Results are
> federated across the decentralized network of software forges.
>
>
>
> This work is in pursuit of the vuln sharing goals of OpenSSF stream 8.
>
>
>
> Thank you,
>
> John
>
>
>
> On Sat, May 27, 2023 at 08:11 Dick Brooks <
> dick@reliableenergyanalytics.com> wrote:
>
> Hello Everyone,
>
>
>
> This announcement from Intel is further proof that a “Trust Service” is
> becoming a foundational requirement for trustworthy computing.
>
> *A Trust Service Startup Inside the Chip Company*
>
>
> https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html
>
>
>
> Amen to this: ““Attestation is the ability for you to prove that something
> is what it says it is,” Yeluri explains. “And that is really the ground
> truth in confidential computing. *If you can’t attest and say it is truly
> what it is, confidential computing is immaterial.”*
>
>
>
> “Before taking that big step, Yeluri and team *checked with a couple
> dozen customers — banks, manufacturers, telecommunications services — and
> received votes of support*.”
>
>
>
> The following observation is “spot on” *based on REA’s experience
> operating the SAG Community Trust Registry ™ (SAG-CTR ™)*:
>
>
>
> “A few suggested Intel just build it as open source. But Yeluri and team
> believed that while the core attestation primitives can be open sourced, *a
> solution could only succeed “as a turnkey service. That means somebody has
> to operate it at scale,” he says, “and we think we can do that.”*
>
>
>
> REA agrees with the above statement, operating a reliable, trustworthy
> “trust service” at scale, like REA’s SAG-CTR, is a lot of work that
> requires the analysis, storage and maintenance of evidence that is
> trustworthy and can be presented during a lawsuit or audit, that cannot be
> properly operated by open source volunteers.
>
>
>
>
> https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
>
> --
> SCITT mailing list
> SCITT@ietf.org
> https://www.ietf.org/mailman/listinfo/scitt
>
>

v2.23.0 | Report a Bug | By Email