[SCITT] SCITT <-> OpenSSF terminology

Zachary Newman <zjn@chainguard.dev> Mon, 29 August 2022 14:58 UTC

From: Zachary Newman <zjn@chainguard.dev>
Message-Id: <7A5D5FF2-C3C9-48DC-B218-580209F0B5D8@chainguard.dev>
Date: Mon, 29 Aug 2022 10:57:53 -0400
To: scitt@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/utSOqlCifoorbqUGWNf-wMlBYR4>
Subject: [SCITT] SCITT <-> OpenSSF terminology

Hi all,

I was asked at the last SCITT meeting to coordinate with the OpenSSF w/r/t terminology. Here’s what I’ve learned:

1. There’s no one effort to define terminology across the OpenSSF.
2. The OpenSSF is split up into “working groups”; some of these working groups have their own terminology but it’s not in a standard format or anything, you have to dig around.
3. Sigstore is the most pertinent OpenSSF project; they don’t have a formal terminology list (though they hope to at some point). I’m familiar with most of the terminology they use.

I will let this group know if any proposed SCITT terminology seems to conflict with the Sigstore language. The main potential issue seems to be “attestation,” which Sigstore mostly uses to mean SLSA attestations[1], which are themselves an extension of the in-toto attestation format. However, I think it’s mostly clear from context when it’s referring to the abstract idea of an attestation, or a specific attestation format. In general, it never uses the idea of a “remote attestation.”

I will also let this group know if there is ever a formal terminology document, which will be useful for compare/contrast.

Cheers,
Zack

[1] https://github.com/slsa-framework/slsa/blob/main/docs/attestation-model.md