IETF Logo Mail Archive

Re: [SCITT] Intel is taking the lead on a Trust Service Registry

John Andersen <johnandersenpdx@gmail.com> Sat, 27 May 2023 16:58 UTC

Return-Path: <johnandersenpdx@gmail.com>
X-Original-To: scitt@ietfa.amsl.com
Delivered-To: scitt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826DAC14CE39 for <scitt@ietfa.amsl.com>; Sat, 27 May 2023 09:58:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ROpJwQbJCa9O for <scitt@ietfa.amsl.com>; Sat, 27 May 2023 09:58:20 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACBC6C14F5E0 for <scitt@ietf.org>; Sat, 27 May 2023 09:58:19 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-3f60e536250so19537255e9.1 for <scitt@ietf.org>; Sat, 27 May 2023 09:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685206698; x=1687798698; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sc07szd43bNa9I4mPXot4ih12Yir0FoOIQIU+TUTGd0=; b=duDUn3YwSye/iaGR5+pBazSVOa/ZcFeqs1RkLtiUwq/UYdyH1l+FKdjcJDb1r2bhHD ojmCyZhdZQJHiVGB9loI37IxnbEsVmqdZOZZ+veGoglRqvnbR/6p/5lrK+h2M/aAhdDW A8ZJpaUySK2J0PaCl2bbjTzvmH/0Lhx7l0aprOOcOnLL3nE98t2RipPk59LDRSBZuKmM F6VbTxAAymhwz7NlYMx6fveFRWuSakWlVK1AabAWeGZJV+TgvevTw2wcrnUFT86aC0sQ un5NJ0w7CI2Y/KzShveIKVGsRwpnRis2J7I2gJYm907Ek1HR+LSa6poWkVuU0kxC6lt2 Se6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685206698; x=1687798698; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sc07szd43bNa9I4mPXot4ih12Yir0FoOIQIU+TUTGd0=; b=LJwA1ydnqACXuqiIhAGYM9++ozLTUgvc9bMj38tcoSFRXLa9KdzUZ+vXsmvL10+QVp CruILs+vJEib1SqCQiraTBocpmCnJmyuDAjB3McyTJHshkIDIiMLEWZk2OdmX4RLyk9E cBPnj6ZvoYWj+RoH2C1cz9zlnTPiSb3oh2/JUJbp/D/v4fyLVLAqdDs8hrtW5F7hue4W tyIb2P2zEmeZUyPo9PZwRYvsmgGRMDpnOuI5NvSHvUnnBBZylyd5UXa8PTrQUjSkj/Vz CQdxjQ78dX1bvsjvCHB2VGg7oDBnK8Y+mGfbwYaBA9OWml+FsrHjOip7QM/u96SjRBac VvIw==
X-Gm-Message-State: AC+VfDyib6fqgquI4eEDgx5zQJeIGrUSDo5jxfwQoGmDGXSeAzOyD64W KwqZAKkKqos2JoioATqKFrFMJE3nLl7iaHCQk5k=
X-Google-Smtp-Source: ACHHUZ4g907hTFUCPs5JswIeex/JcfZyHnmEYlaIlZrv4ngjfzVUgWzYTHmtk/yCYi8RbhftJRcLVbNRcfwoHsTa8L0=
X-Received: by 2002:a05:600c:19d2:b0:3f6:f81:385e with SMTP id u18-20020a05600c19d200b003f60f81385emr2065490wmq.17.1685206697736; Sat, 27 May 2023 09:58:17 -0700 (PDT)
MIME-Version: 1.0
References: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com>
In-Reply-To: <238d01d990ad$81b699b0$8523cd10$@reliableenergyanalytics.com>
From: John Andersen <johnandersenpdx@gmail.com>
Date: Sat, 27 May 2023 09:58:06 -0700
Message-ID: <CAPFAYiVeq0Y+4U=yjia6CvpsXEC6HbtunHkj07SMp2X+Mz+ZfA@mail.gmail.com>
To: dick@reliableenergyanalytics.com
Cc: ofcio@omb.eop.gov, scitt@ietf.org, scrm-nist <scrm-nist@nist.gov>, swsupplychain-eo <swsupplychain-eo@nist.gov>
Content-Type: multipart/mixed; boundary="000000000000979fdb05fcafc243"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/vzEsHrjnEVbhDRVfsYvIPdn_JoY>
Subject: Re: [SCITT] Intel is taking the lead on a Trust Service Registry
X-BeenThere: scitt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scitt>, <mailto:scitt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt/>
List-Post: <mailto:scitt@ietf.org>
List-Help: <mailto:scitt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scitt>, <mailto:scitt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2023 16:58:24 -0000

WIP but related:
https://github.com/ietf-scitt/use-cases/pull/18

Have been mocking up how we can run SCITT within TEEs which leverage the
Amber attestation environment to attest to validity of insert policy run (
https://github.com/scitt-community/scitt-api-emulator/pull/27#issuecomment-1528073552
) within hermetic builds. This facilitates a recursive trust relationship
which enables dependency review (trust propagation) of OSS. Results are
federated across the decentralized network of software forges.

This work is in pursuit of the vuln sharing goals of OpenSSF stream 8.

Thank you,
John

On Sat, May 27, 2023 at 08:11 Dick Brooks <dick@reliableenergyanalytics.com>
wrote:

> Hello Everyone,
>
>
>
> This announcement from Intel is further proof that a “Trust Service” is
> becoming a foundational requirement for trustworthy computing.
>
> *A Trust Service Startup Inside the Chip Company*
>
>
> https://www.intel.com/content/www/us/en/newsroom/news/trust-service-startup-inside-chip-company.html
>
>
>
> Amen to this: ““Attestation is the ability for you to prove that something
> is what it says it is,” Yeluri explains. “And that is really the ground
> truth in confidential computing. *If you can’t attest and say it is truly
> what it is, confidential computing is immaterial.”*
>
>
>
> “Before taking that big step, Yeluri and team *checked with a couple
> dozen customers — banks, manufacturers, telecommunications services — and
> received votes of support*.”
>
>
>
> The following observation is “spot on” *based on REA’s experience
> operating the SAG Community Trust Registry ™ (SAG-CTR ™)*:
>
>
>
> “A few suggested Intel just build it as open source. But Yeluri and team
> believed that while the core attestation primitives can be open sourced, *a
> solution could only succeed “as a turnkey service. That means somebody has
> to operate it at scale,” he says, “and we think we can do that.”*
>
>
>
> REA agrees with the above statement, operating a reliable, trustworthy
> “trust service” at scale, like REA’s SAG-CTR, is a lot of work that
> requires the analysis, storage and maintenance of evidence that is
> trustworthy and can be presented during a lawsuit or audit, that cannot be
> properly operated by open source volunteers.
>
>
>
>
> https://www.einpresswire.com/article/545051889/announcing-the-sag-ctr-tm-community-trust-registry-for-digitally-signed-software
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: dick@reliableenergyanalytics.com
>
> Tel: +1 978-696-1788
>
>
>
>
> --
> SCITT mailing list
> SCITT@ietf.org
> https://www.ietf.org/mailman/listinfo/scitt
>

v2.23.0 | Report a Bug | By Email