post IETF 114 BoF charter proposal #18

Merged
merged 28 commits into from
Sep 1, 2022
a20da4a
addresses Wei's BoF comment on non-technical points
henkbirkholz Aug 19, 2022
7c2764d
addresses Monty's and Orie's BoF comments
henkbirkholz Aug 19, 2022
3b2b63e
addresses Thomas' and EKR's BoF comments
henkbirkholz Aug 19, 2022
1f8ba57
formatting
henkbirkholz Aug 19, 2022
7064eb0
addresses Brendan's BoF comments on threat models
henkbirkholz Aug 19, 2022
9beeceb
Update ietf-scitt-charter.md
bremoran Aug 19, 2022
25e978c
Merge pull request #17 from bremoran/patch-1
henkbirkholz Aug 19, 2022
d00d187
milestone content related to threat model
henkbirkholz Aug 22, 2022
2001b7d
Update ietf-scitt-charter.md
henkbirkholz Aug 24, 2022
7973519
Update ietf-scitt-charter.md
henkbirkholz Aug 24, 2022
9899bac
fixes #5
henkbirkholz Aug 26, 2022
d8bfb56
Merge branch 'post-BoF-1st-pass' of github.com:ietf-scitt/charter int…
henkbirkholz Aug 26, 2022
8126dfc
addressing PHB's BoF comment about vendor heterogeneity
henkbirkholz Aug 26, 2022
37b0df0
addressing Cedric's BoF comment on issuing new identities over and over
henkbirkholz Aug 26, 2022
93025eb
addressing Dick's comment on consistent and legit software signing
henkbirkholz Aug 26, 2022
d07c0bb
addressing Eliot's comment on minimal number of players
henkbirkholz Aug 26, 2022
ba1aeb8
fixes #4
henkbirkholz Aug 29, 2022
24aae1a
Update ietf-scitt-charter.md
henkbirkholz Aug 29, 2022
93f7a70
Merge branch 'master' into post-BoF-1st-pass
henkbirkholz Aug 29, 2022
987f095
latest suggested change on Brendan's paragraph
henkbirkholz Aug 29, 2022
f565f13
Merge branch 'post-BoF-1st-pass' of github.com:ietf-scitt/charter int…
henkbirkholz Aug 29, 2022
60e628f
adding Dick's suggested change from comments
henkbirkholz Aug 29, 2022
2e4066e
Update ietf-scitt-charter.md
yogeshbdeshpande Aug 30, 2022
62fa5f1
Apply suggestions from code review
yogeshbdeshpande Aug 30, 2022
325e942
Update ietf-scitt-charter.md
yogeshbdeshpande Aug 30, 2022
f238ff7
addressing Dick's comment on unwanted implication of "compliance"
henkbirkholz Sep 1, 2022
fca935b
Update ietf-scitt-charter.md
yogeshbdeshpande Sep 1, 2022
8ce7aa4
Update ietf-scitt-charter.md
yogeshbdeshpande Sep 1, 2022
32 changes: 21 additions & 11 deletions ietf-scitt-charter.md
Expand Up @@ -4,25 +4,33 @@ Over the years, rapid technological advancements have motivated organizations to
While these improvements help organizations increase efficiency and swiftly bring innovations to market, the rapid increase in scale, size, and complexity of supply chains has led to more frequent and sophisticated supply chain attacks.
The traditional methods of safeguarding supply chains (e.g., pre- and post-audit methodologies) are no longer adequate.

The output of the SCITT WG is a set of standards that define the essential building blocks enabling the security of supply chain systems and assisting implementers in securing deployments.
For example, a public computer interface system could report its software composition, which can be compared against known software compositions for such a device, as recorded in a public append-only transparent registry.
Therefore, providing an individual using the system with confidence that it will behave as and when expected, consistently and without deviation.

Problem Statement
=================
It is challenging to manage the compliance of products across end-to-end, global supply chains.
It is challenging to manage the conformance of products across end-to-end, global supply chains.

Some of the fundamental security issues that face the supply chain ecosystem today are as follows:

1. A single product is composed of multiple sub-products coming from different suppliers. There is no agreed-upon standard to compose information from different producers.
1. A single product is composed of multiple sub-products coming from different suppliers. There is no agreed-upon standard to compose information from different producers as every vendor is doing it differently.
2. There are no APIs defined for automated publishing, retrieval, or independent verification of the information above.
3. The absence of decentralized, globally interoperable, transparent services to publish the supply chain data.
4. The lack of sufficient standards for independently verifying the presence of supply chain data in tamper-proof data stores.
5. Fractured verification methodologies across software distribution ecosystems create inconsistent security guarantees for end users.
6. Software consumers have no trustworthy way to verify that a software signature on a software package is legitimate.

A minimal, simple, and concise set of building blocks that interact in a standardized way will assure long-term accountability and interoperability for supply chain components throughout their lifecycles across architecturally diverse systems.

Goals
=====
Based on an input document on the architecture (draft-birkholz-scitt-architecture-00), the WG will:

1. Standardize the overall security flows for securing a software supply chain, covering the essential building blocks that make up the architecture, and
2. specify these building blocks, employing the existing work already done within other IETF WGs such as COSE WG, and IETF RATS WG, as appropriate.
1. Standardize the overall technical security flows for securing a software supply chain, which also includes firmware, and covering the essential building blocks that make up the architecture.
2. In addition to this, the WG shall employ the existing work already done within
- other IETF WGs such as COSE WG, and IETF RATS WG, as appropriate, as well as
- in coordination with other standards bodies, such as the, OpenSSF, W3C, or the Trusted Computing Group.

The WG may refine the input document on the architecture in the process.

Expand All @@ -33,26 +41,27 @@ The WG does not:
1. make recommendations or suggestions on best practices on how to design the supply chain,
2. establish a universal/centralized registry for supply chain data,
3. try to prevent supply chain issuers from making false claims,
4. define specific implementation guidance on storage, query, or retrieval of supply chain statements, or
5. select specific Bill of Materials (BOM) formats and metadata headers.
4. define data formats for payload content, such as Bills of Materials data formats.

Program of Work
===============

The main deliverables defined by this program of work provide a guideline for milestones that are in scope of the WG charter. Documents produced by the working group will address one or more of the the following main deliverables:
The main deliverables defined by this program of work provide a guideline for milestones that are in scope of the WG charter. Documents produced by the working group will address one or more of the following main deliverables:

## Architectural Model: Actors, Interactions, Terminology

The WG shall start out by documenting and defining terms in an architectural model for:

1. essential actors, such as the supply chain "issuer" (one which generates supply chain artifacts and statements about them) and
1. essential actors, such as the claim's "issuer" (one which generates supply chain artifacts and statements about them), "notary", and "consumer" and
2. the basic interactions these have with other actors, and their duties in the ecosystem.

The architectural model shall provide an aggregated overview of corresponding actor-specific information models and interaction models and will provide examples of composition patterns that illustrate how to addresss a concise set of use cases.
The architectural model shall provide an aggregated overview of corresponding actor-specific information models and interaction models and will provide examples of composition patterns that illustrate how to address a concise set of use cases.

The architectural model shall include an abstract threat model that minimally encompasses the initial use cases and will be based on a set of to be defined security objectives.

## Consistent Actor Identification

The WG shall select (and potentially profile) acceptable common identity format/formats that will be used to identify and authenticate various actors in the SCITT ecosystem.
The WG shall select (and potentially profile) acceptable common identity format/formats that will be used to identify and authenticate various actors in the SCITT ecosystem. The WG shall create guidance on how to create and manage new identity documents, their trust anchors, and corresponding security considerations in the context of supply chains.

## Information Models and Interaction Models for:

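Review bot: the new out-of-scope item 4 silently removes the exclusion on implementation guidance. The old list excluded both "define specific implementation guidance on storage, query, or retrieval of supply chain statements" and "select specific Bill of Materials (BOM) formats and metadata headers", but the replacement "4. define data formats for payload content, such as Bills of Materials data formats." keeps only the second; if storage, query, and retrieval guidance is now meant to be in scope, the Program of Work should say where it lands, otherwise restore the dropped item. Two smaller points in this hunk: the new actors line introduces "notary" and "consumer" without the parenthetical gloss that "issuer" gets, so a short definition of each would help the terminology deliverable; and in the threat model paragraph, "a set of to be defined security objectives" should read "to-be-defined" or "a set of security objectives that the WG will define".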
Expand All @@ -68,11 +77,12 @@ The WG shall specify a standard format for authenticity data returned from the t

## Generic Protocol Bindings for Information Model and Interaction Models

The WG shall standardize request-response interactions ("external API") and potentially other generic interaction schemes provided to various actors to interact with the supply chain ecosystem. This includes standardizing inter-component messages (based on the interaction models) between supply chain actors to support easy reference implementations of SCITT building blocks by various organizations and easy industry-wide adaptation.
The WG shall standardize request-response interactions ("external API") and potentially other generic interaction schemes provided to various external entities to interact with the supply chain ecosystem. This includes standardizing inter-component messages (based on the interaction models) and payload serialization between supply chain actors to support easy reference implementations of SCITT building blocks by various organizations and easy industry-wide adaptation.

Milestones
==========
* Architecture and Terminology
* Use Cases, Security Objectives, and concise Threat Model
* Information and Interaction Models
* Countersigning Format for Claim Registration
* HTTP-based REST API for Request-Response Interactions
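Review bot: the added "payload serialization" deliverable has no matching milestone. The new protocol-bindings paragraph commits the WG to standardizing "inter-component messages (based on the interaction models) and payload serialization", but the milestone list only names Architecture and Terminology, Use Cases/Security Objectives/Threat Model, Information and Interaction Models, a Countersigning Format, and an HTTP-based REST API; either add a milestone for the message and payload serialization format or state that it is covered by the Information and Interaction Models milestone. Wording: "easy industry-wide adaptation", carried over from the old line, most likely means "adoption".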