Re: [Secdispatch] Request for session at IETF 113
Eric Rescorla <ekr@rtfm.com> Mon, 21 March 2022 23:23 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37E9B3A14D0 for <secdispatch@ietfa.amsl.com>; Mon, 21 Mar 2022 16:23:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvJ5Yzq-k8o9 for <secdispatch@ietfa.amsl.com>; Mon, 21 Mar 2022 16:23:00 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDCB53A1443 for <secdispatch@ietf.org>; Mon, 21 Mar 2022 16:23:00 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id b7so11384810ilm.12 for <secdispatch@ietf.org>; Mon, 21 Mar 2022 16:23:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NPUedg51XI6Y+40GxS7I9E/DyY3bKol17zmLoaUdkSY=; b=7ARU+9nz4ByQWVrcXVWmGAEptytDP/oRLSJL3zmNZ2uk7J1PW5cSWycoEp+YGAtN7i TXd9oPmmIoI1xN0POPnTj2v5YmKGp8IG4HDqvBkumzvb7+M4TuTTPZIxkq70bCXJuPIR ber4ZAI+nyJSGInx0RogXUY+hLKF39hgh1GD0JCoEPg5FYBmRjt/K+KBYyMBNZtIVP77 4Ta3fyWz1cpL3s44z2+xApyj/5nuMeQQzKY5oKQZo+npQ8x1p6cH1AfE2areWHO1mULj RO9h8pUBGSjxLL8AHr3Ue/pwOKZg66h4WfPGNN8GiHu8/6XCgWW3ghN5Priq3hG0PO+B bveA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NPUedg51XI6Y+40GxS7I9E/DyY3bKol17zmLoaUdkSY=; b=v8gv76c/2Cpt+VZ70wCrn8yD/eJEAmLyefyxMrEyJQ5OB1LapGRbD816QlJJS5Kez9 wmFZEpXxdz6eTl7wnXkmV1oYD8E6m++MkLRLR57M1NByOuMTVODxx3Cwx8AxRZzvoApf jubgGKo2ySfKR9t2jbIXyIBgZbHIW3OK0haAt7uYLMJCzJPxsxLpJWi8ImCDFuxSk2nI TxFSTvqudn2bN9wuYqW/9AT6wKbJv+MFOyG7tM4yOTpm1GzWaMYgES/+lewS565Heoav 78NlPN+C/bJA/lOmRn7s2GQPsTT6J7Gl7BsjIaG44Dc1F8hV1O+OXHLiuYMiQJM8hzKZ cS6w==
X-Gm-Message-State: AOAM533A8gqSdcJPjk6j5sUyUzobVa+32lZEhwThPMdVhRWguCOMT3D4 eWeJWUWIhWs2PbiBI9AR/LYDI5sRwhKZartpQQWZrxFSNe3raQ==
X-Google-Smtp-Source: ABdhPJyj89rb5uCCD0Vd1xZOZGH+yYeQ+VS3VVgyAUSFdodQS2vrIYp+6mfJ0ACiow6SPN5TIo1HQuI1QlswbNdIdUk=
X-Received: by 2002:a05:6e02:1c2a:b0:2c7:dcdb:86f3 with SMTP id m10-20020a056e021c2a00b002c7dcdb86f3mr11693414ilh.276.1647904979760; Mon, 21 Mar 2022 16:22:59 -0700 (PDT)
MIME-Version: 1.0
References: <164583895227.24617.1939040203283436909@ietfa.amsl.com> <5b97a678-eba1-09c3-7e70-c71dd98db8a9@sit.fraunhofer.de>
In-Reply-To: <5b97a678-eba1-09c3-7e70-c71dd98db8a9@sit.fraunhofer.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 21 Mar 2022 16:22:24 -0700
Message-ID: <CABcZeBMJgKPSyJ3Z1igS38fbgsp6R-FxVd193+CGsKJC2dchuA@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: IETF SecDispatch <secdispatch@ietf.org>, scitt@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f14e3905dac2c669"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/FMFmoN7Ve4us6GMclubUF9dJlQY>
Subject: Re: [Secdispatch] Request for session at IETF 113
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 23:23:05 -0000
OVERALL This document describes a general structure for providing transparency for software artifacts, effectively a generalization of what's often called "binary transparency". This is a useful kind of service in concept an at least theoretically an appropriate topic for IETF. The answer to the secdispatch questions depends, I think on the level of interest people have in deploying such a service and especially with this as a starting point. Specifically, we'd need to hear from: - Software vendors - Potential transparency service (log) operators. I'd particularly like to hear from people who already are involved with Binary Transparency: https://developers.google.com/android/binary_transparency If there is interest, I would be supportive of moving forward with this. Given the complexity of the topic, a BOF is probably the next step. TECHNICAL I do have a few small technical comments. 1. I'm still working through the semantics of the identities you are using. As I understand it, the signatures are intended to provide evidence that the vendor actually published something, but if you use did:web, then can't the vendor just use a different key for each signature and remove the key from the Web site later. What proof is there that the vendor endorsed a specific key? 2. I understand the appeal of the append only log, but I'd observe that much of the value in CT has been achieved without any real verification by clients of the inclusion proofs but just relying entirely on SCTs. So, perhaps we don't need to try as hard here. This point applies to BT as well, I think. 3. S 6.3 seems to require the claim to be appended to the log prior to issuing the receipt. This is not how CT is architected, as I understand it because of concerns about the latency of that process. Instead, certificates have SCTs. Do similar concerns apply here? I'm sure all of these could be addressed during the standards process, and they certainly don't preclude doing this work, but I noted them as I read the document and thought it would be good to record them. On Wed, Mar 9, 2022 at 2:40 PM Henk Birkholz < henk.birkholz@sit.fraunhofer.de> wrote: > Hi secdispatch, > (hi scitt), > > emerging work on the topic of Supply Chain Integrity, Transparency, > Trust has taken some shape recently. > > The work combines existing IETF building blocks to facilitate useful > Internet-based support of global supply chain interoperability. > > Current contributions focus on the definition of Transparency Services > based on Internet technology (using CBOR/CDDL/COSE) to achieve > unambiguous, scaleable, and resilient integration with common devops and > secops requirements. > > I'd like to request secdispatch agenda time for two documents that are > currently submitted: > > https://datatracker.ietf.org/doc/draft-birkholz-scitt-architecture/ > > and > > > https://datatracker.ietf.org/doc/draft-birkholz-scitt-receipts/ > > These two contributions are in -00 state. Yet, they already address > essential requirements, such as, air-gapped validation when being > offline, integration of remote attestation, efficient and crypto-agile > signing prescriptions for out-of-the-box interoperability, and - in > essence - long-long-term guarantees in support of various types of > supply chains requirements. > > We’d be happy to present this emerging work in secdispatch with the goal > of discussing whether it might fit into the IETF space and how to > progress it together. > > Viele Grüße, > > Henk > > > > On 26.02.22 02:29, "IETF Secretariat" wrote: > > Dear Mohit Sethi, > > > > The session(s) that you have requested have been scheduled. > > Below is the scheduled session information followed by > > the original request. > > > > > > secdispatch Session 1 (2:00 requested) > > Tuesday, 22 March 2022, Afternoon Session II 1430-1630 > > Room Name: Grand Park Hall 3 size: 250 > > --------------------------------------------- > > > > > > iCalendar: > https://datatracker.ietf.org/meeting/113/sessions/secdispatch.ics > > > > Request Information: > > > > > > --------------------------------------------------------- > > Working Group Name: Security Dispatch > > Area Name: Security Area > > Session Requester: Mohit Sethi > > > > > > Number of Sessions: 1 > > Length of Session(s): > > Number of Attendees: 200 > > Conflicts to Avoid: > > > > > > > > > > People who must be present: > > Benjamin Kaduk > > Kathleen Moriarty > > Mohit Sethi > > Paul Wouters > > Richard Barnes > > Roman Danyliw > > > > Resources Requested: > > > > Special Requests: > > Please avoid conflict with any Security related BoF. > > --------------------------------------------------------- > > > > > > _______________________________________________ > > Secdispatch mailing list > > Secdispatch@ietf.org > > https://www.ietf.org/mailman/listinfo/secdispatch > > _______________________________________________ > Secdispatch mailing list > Secdispatch@ietf.org > https://www.ietf.org/mailman/listinfo/secdispatch >
- [Secdispatch] secdispatch - Requested session has… "IETF Secretariat"
- Re: [Secdispatch] secdispatch - Requested session… Sean Turner
- Re: [Secdispatch] secdispatch - Requested session… Kathleen Moriarty
- [Secdispatch] Request for session at IETF 113 Henk Birkholz
- Re: [Secdispatch] Request for session at IETF 113 Eric Rescorla
- Re: [Secdispatch] Request for session at IETF 113 Richard Barnes
- Re: [Secdispatch] Request for session at IETF 113 Kathleen Moriarty
- Re: [Secdispatch] [EXTERNAL] Re: [SCITT] Request … Antoine Delignat-Lavaud
- Re: [Secdispatch] Request for session at IETF 113 Chris Inacio
- Re: [Secdispatch] Request for session at IETF 113 Ira McDonald