Update ietf-scitt-charter.md #20
Conversation
Should we use the term "Compliance" or "Trustworthiness"
ietf-scitt-charter.md
Outdated
|
|
||
| The output of the SCITT WG is a set of standards that define the essential building blocks enabling the security of supply chain systems and assisting implementers in securing deployments. | ||
| For example, a public computer interface system could report its software composition, which can be compared against known software compositions for such a device, as recorded in a public append-only transparent registry. | ||
| Therefore, providing an individual using the system with confidence that it will behave as and when expected, consistently and without deviation. | ||
|
|
||
| [//]: # (MW: "recorded in a public ledger, " I thought that is too implementation specific for an introduction) |
There was a problem hiding this comment.
Also agree. Additionally, I suggest a few capitalization and grammatical edits.
SCITT forms a set of building blocks that will allow implemeters to build interoperable supply chain integrity systems. For example, a public computer interface system could report its software composition that can be compared against known software compositions for such a device providing an individual using the system confidence that it will behave as expected, when expected, and nothing/nowhen else.
There was a problem hiding this comment.
resolved in previous commits and reflected in current branch. also removed "public" as that can be misunderstood easily
There was a problem hiding this comment.
@kaywilliams I like where that is going. May I offer this slight mod. I'm concerned that we're swerving a little into the 'preventative security' world where actually the work here is transparency and accountability. In the example given we don't have total confidence that the computer will always behave perfectly: there may be bugs or operator-borne attacks, for example. But what we do have is confidence that you're dealing with the computer system you thought you would be, and that nothing has been injected or modified on its way to you.
I also removed "an individual" because humans aren't realistically going to be doing much of this transactional verification: we want all of this stuff to be strong enough that we can automate all the mundane validation work away.
"SCITT forms a set of interoperable building blocks that will allow implementers to build integrity and accountability into supply chain systems to help assure trustworthy operation. For example, a public computer interface system could report its software composition that can then be compared against known software compositions (and certifications?) for such a device thereby giving confidence that the system is running the software expected and has not been modified, either by attack or accident, in the supply chain".
ietf-scitt-charter.md
Outdated
|
|
||
| A minimal, simple, and concise set of building blocks that interact in a standardized way will assure long-term accountability and interoperability for supply chain components throughout their lifecycles across architecturally diverse systems. | ||
| [//]: # (MW: #6 is not true, SWID tags can be signed today.) |
There was a problem hiding this comment.
I interpret this as know standard way to discover if they key used to sign the tag is authoritative for the entity in question. SPDX and Cyclone also support signing.
ietf-scitt-charter.md
Outdated
| Over the years, rapid technological advancements have motivated organizations to implement efficient processes for supply chains (i.e., from design to manufacturing, logistics, and just-in-time delivery). | ||
| While these improvements help organizations increase efficiency and swiftly bring innovations to market, the rapid increase in scale, size, and complexity of supply chains has led to more frequent and sophisticated supply chain attacks. | ||
| The traditional methods of safeguarding supply chains (e.g., pre- and post-audit methodologies) are no longer adequate. | ||
| A Device's supply chain, including its components, is complex often being comprised of both common libraries and custom components. Knowing the identity of a Device or its component is critical to determining its compliance. However, the scale, size, and complexity of supply chains, from design, manufacturing, logistics, and just-in-time delivery has led to more frequent and sophisticated supply chain attacks. The traditional methods of safeguarding supply chains (e.g., pre- and post-audit methodologies) are no longer adequate, therefore, with the increase in suppliers and increase in the complexity of the various supply chains the means to determine a Device or component's identity requires standardization. |
There was a problem hiding this comment.
Suggest inserting "digital" in front of device.
| ## Generic Protocol Bindings for Information Model and Interaction Models | ||
|
|
||
| The WG shall standardize request-response interactions ("external API") and potentially other generic interaction schemes provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages (based on the interaction models) and payload serialization between supply chain actors to support easy reference implementations of SCITT building blocks by various organizations and easy industry-wide adaptation. | ||
| The WG shall standardize request-response interactions ("external API") and potentially other generic interaction schemes provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages (based on the interaction models) and payload serialization between supply chain actors to support common reference implementations of SCITT building blocks by various organizations to expedite industry-wide adaptation. |
ietf-scitt-charter.md
Outdated
|
|
||
| Goals | ||
| ===== | ||
| Based on an input document on the architecture (draft-birkholz-scitt-architecture-00), the WG will: | ||
|
|
||
| 1. Standardize the overall technical security flows for securing a software supply chain, which also includes firmware, and covering the essential building blocks that make up the architecture. | ||
| [//]: # (MW: Seems circular to have within the charter a reference to one of the documents to be produced by the WG) |
| - other IETF WGs such as COSE WG, and IETF RATS WG, as appropriate, as well as | ||
| - in coordination with other bodies, such as the, OpenSSF, W3C, or the Trusted Computing Group. | ||
| - other IETF WGs such as COSE WG, and IETF RATS WG, as appropriate, | ||
| - coordination with other bodies, such as the, OpenSSF, W3C, ISO, and the Trusted Computing Group. |
ietf-scitt-charter.md
Outdated
| @@ -37,23 +44,27 @@ The WG does not: | |||
|
|
|||
| 1. make recommendations or suggestions on best practices on how to design the supply chain, | |||
| 2. establish a universal/centralized registry for supply chain data, | |||
| 3. try to prevent supply chain issuers from making false claims, | |||
| 3. define methods to prevent supply chain issuers from making false claims, | |||
| Program of Work | ||
| =============== | ||
|
|
||
| The main deliverables defined by this program of work provide a guideline for milestones that are in scope of the WG charter. Documents produced by the working group will address one or more of the following main deliverables: | ||
|
|
||
| ## Architectural Model: Actors, Interactions, Terminology | ||
|
|
||
| The WG shall start out by documenting and defining terms in an architectural model for: | ||
| The WG shall start by documenting and defining terms in an architectural model for: |
ietf-scitt-charter.md
Outdated
| ## Generic Protocol Bindings for Information Model and Interaction Models | ||
|
|
||
| The WG shall standardize request-response interactions ("external API") and potentially other generic interaction schemes provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages (based on the interaction models) between supply chain actors to support easy reference implementations of SCITT building blocks by various organizations and easy industry-wide adaptation. | ||
| The WG shall standardize request-response interactions ("external API") and potentially other generic interaction schemes provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages (based on the interaction models) between supply chain actors to support common reference implementations of SCITT building blocks by various organizations to expedite industry-wide adaptation. |
|
|
||
| ## Versatile Countersigning Format in Support of Transparency Services | ||
|
|
||
| The WG shall specify a standard format for authenticity data returned from the transparent registry such as proofs, etc. The standard shall enable independent verification of supply chain claims at a (much) later point on multiple platforms across multiple geographical locations. | ||
|
|
||
| [//]: # (MW: authenticity data is not defined above. What is it?) |
There was a problem hiding this comment.
| [//]: # (MW: authenticity data is not defined above. What is it?) |
ietf-scitt-charter.md
Outdated
|
|
||
| The output of the SCITT WG is a set of standards that define the essential building blocks enabling the security of supply chain systems and assisting implementers in securing deployments. | ||
| For example, a public computer interface system could report its software composition, which can be compared against known software compositions for such a device, as recorded in a public append-only transparent registry. | ||
| Therefore, providing an individual using the system with confidence that it will behave as and when expected, consistently and without deviation. | ||
|
|
||
| [//]: # (MW: "recorded in a public ledger, " I thought that is too implementation specific for an introduction) |
There was a problem hiding this comment.
Remove public from Line 8
Co-authored-by: Orie Steele <[email protected]>
Co-authored-by: Orie Steele <[email protected]>
Co-authored-by: Orie Steele <[email protected]>
Co-authored-by: Orie Steele <[email protected]>
| 5. Software consumers have no trustworthy way to verify that a software signature on a software package is legitimate. | ||
| 4. The absence of decentralized, globally interoperable, transparent services to publish the supply chain data. | ||
| 5. The lack of sufficient standards for independently verifying the presence of supply chain data in tamper-proof data stores. | ||
| 6. Software consumers have no trustworthy way to verify that a software signature on a software package is legitimate. |
There was a problem hiding this comment.
| 6. Software consumers have no trustworthy way to verify that a software signature on a software package is legitimate. | |
| 6. Some software consumers have no trustworthy way to verify that a software signature on a software package is legitimate. |
removing emptyline
ietf-scitt-charter.md
Outdated
|
|
||
| Goals | ||
| ===== | ||
| Based on an input document on the architecture (draft-birkholz-scitt-architecture-00), the WG will: | ||
|
|
||
| 1. Standardize the overall technical security flows for securing a software supply chain, which also includes firmware, and covering the essential building blocks that make up the architecture. | ||
|
|
Co-authored-by: Orie Steele <[email protected]>
Co-authored-by: Orie Steele <[email protected]>
Co-authored-by: Orie Steele <[email protected]>
|
@henkbirkholz let me know if there is anything else I can help with on this. |
|
@OR13, we transplanted Monty's fine tuning to a local branch (to avoid rebasing the fork). I think we are good. |
|
This PR can be abandoned due to #22 |
|
I can't close the PR, but it should be closed |
|
Agreed |
Should we use the term "Compliance" or "Trustworthiness"
I used Markdown comment syntax to make comments and put questions where I wanted to explain rationale or wasn't sure enough to provide edits.