Markdown Version | Session Recording
Session Date/Time: 15 May 2023 15:00
SCITT
Summary
The SCITT Working Group discussed preparations for the IETF 117 Hackathon, focusing on potential use cases and different architectural strands. A significant portion of the meeting was dedicated to in-depth technical discussion around identity systems, specifically contrasting DID (Decentralized Identifiers), PURL (Package URLs), and IETF URNs for identifying software artifacts and actors. The group reiterated that defining interoperable registration policies remains the most pressing topic for the specification, exploring concepts of identity verification, trustworthiness, and revocation mechanisms beyond traditional certificates.
Key Discussion Points
Meeting Logistics & Hackathon Preparations
- Clarification was provided regarding recent changes to the meeting time, confirming it reverted to the usual 8 AM slot.
- IETF 117 Hackathon:
  - Interest in participation and preparatory work was noted, with John having provided a demo of previous hackathon achievements.
  - Dick Brooks confirmed that the demo showed how consumers could query a transparency service using SHA-256 hashes, with Rea potentially implementing the consumer side.
  - Proposed use cases included demonstrating a "restaurant cleanliness score" analogy for software trustworthiness, as suggested by Ian Newberger (United States White House cybersecurity office).
  - Three potential strands for the hackathon were identified: spec hacking (architecture), use case expansion, and interoperable registration policies.
  - The importance of addressing DID (Decentralized Identifiers) and public key persistence in receipts within the hackathon context was highlighted.
- John offered to record and make publicly available a demonstration of SCITT working with a commercial product (outside the IETF context).
Identity Systems & Naming Conventions
- DID (Decentralized Identifiers):
  - Discussion on the adoption and suitability of DIDs for SCITT, particularly in the context of persistence and public keys.
  - Noted that did:web is an evolving W3C specification adopted by some standards bodies (e.g., for Verifiable Credentials). Ori acknowledged its customizability but also the convoluted and lengthy W3C process.
  - The concept of DID documents offering a longer-lived mechanism for indicating revocation was discussed.
- PURL (Package URLs):
  - Concerns were raised about PURL's suitability for identifying arbitrary actors and its limitations for proprietary software, despite its potential for open-source package identification.
  - Observations from NTIA SBOM work and CISA self-attestation forms indicated that supplier name, product name, and version are key elements for software identification, with PURL (or UUID/CPE) often optional.
  - The challenge of global vs. local uniqueness, semantics vs. syntax, and the lack of a central authority for PURL were discussed.
  - Roy raised the point that for evidence of specific builds, a per-instance unique identifier like a UUID might be more appropriate than a PURL, because rebuilds, architecture variations, and build numbers produce many artifacts under one package name.
  - PURL was also seen as potentially useful for redirecting to permissioned stores for sensitive evidence (e.g., static analysis results).
- IETF URNs (RFC 9162):
  - Ori suggested leveraging the IETF URN registry (e.g., for certificate transparency parameters) to identify artifacts by content (e.g., SHA-256 hashes). This could provide a common community around Merkle tree inclusion proofs.
Registration Policies & Trust Models
- Defining interoperable registration policies was confirmed as the next big topic.
- The distinction between evaluating identity for authorization of a claim creation (now) versus attribution of a claim (future) was emphasized.
- SCITT's role might not be to prescribe specific identity technology but to define that audits and identity verification have been done to some level, allowing for flexibility in underlying tech.
- Policy Engines: Ori discussed using Rego to implement registration policies, looking at ISS (issuer) and KID (key identifier) fields, resolving key material, and making decisions based on signature trust.
- X.509 vs. DID: The challenges of integrating X.509 certificate chains into DID-based systems or common libraries for verification were discussed, with a call for better documentation or normalization of X.509 methods into generic DID structures.
- Revocation and Trustworthiness:
  - Beyond validating that a party is legitimate, it is crucial to validate that the key and certificate used for signing are still valid (e.g., the SolarWinds scenario).
  - The current "hammer" of certificate revocation (making all products signed with it suspect) was contrasted with the need for more granular "sewing needle" approaches such as negative endorsements or claims against specific products.
  - DID documents were mentioned as a potential mechanism for more flexible and longer-lived revocation status.
- The concept of verifiable identity at the root of all these systems was stressed, whether for individuals (biometrics) or organizations (registrars).
- Ray drew an analogy to voter databases, where records are maintained and marked inactive rather than deleted, suggesting a similar approach for certificates/identities.
- The idea that a "product" itself can have a DID document and sign claims, with an audit trail back to human maintainers, was introduced.
- The NIST SP 800-63-3 document was cited as a useful resource for terminology and architectural background on identity challenges.
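The registration-policy flow Ori described (ISS and KID fields, key resolution, signature trust) and the "hammer vs. sewing needle" revocation contrast, as an added worked example that is not the working group's or any vendor's code. The DID documents, issuer allow-list, artifact hashes and negative endorsements are all constructed inline, and the COSE signature-verification result is assumed to be supplied by the transparency service before policy runs.

```python
"""Toy SCITT registration-policy evaluator (added example, not working group
code). It walks the inputs named in the discussion: the ISS and KID
protected-header fields, key material resolved from the issuer's DID document,
key-level revocation (the "hammer") and per-artifact negative endorsements."""
from dataclasses import dataclass

# Constructed stand-in for resolving did:web documents over HTTPS.
DID_DOCUMENTS = {
    "did:web:example.com:vendor": {
        "keys": {
            "key-2023": {"status": "active"},
            "key-2021": {"status": "revoked"},  # taints every statement under it
        }
    }
}
TRUSTED_ISSUERS = {"did:web:example.com:vendor"}  # constructed allow-list

# Constructed content-hash identifiers for two builds of the same product.
GOOD_ARTIFACT = "sha256:" + "a1" * 32
BAD_ARTIFACT = "sha256:" + "b2" * 32
# A negative endorsement names one artifact, leaving the issuer's key intact.
NEGATIVE_ENDORSEMENTS = {BAD_ARTIFACT: "supplier withdrew this build"}


@dataclass
class Statement:
    iss: str               # issuer identifier from the COSE protected header
    kid: str               # key identifier from the COSE protected header
    subject: str           # artifact the statement is about
    signature_valid: bool  # COSE verification result, supplied by the service


def evaluate(stmt: Statement) -> tuple:
    """Return (accepted, reason); the first failing check decides."""
    if stmt.iss not in TRUSTED_ISSUERS:
        return False, "issuer not authorized by registration policy"
    doc = DID_DOCUMENTS.get(stmt.iss)
    if doc is None:
        return False, "issuer DID document could not be resolved"
    key = doc["keys"].get(stmt.kid)
    if key is None:
        return False, "kid not present in issuer DID document"
    if key["status"] != "active":
        return False, "signing key revoked: every statement under it is rejected"
    if not stmt.signature_valid:
        return False, "signature did not verify against resolved key"
    if stmt.subject in NEGATIVE_ENDORSEMENTS:
        return False, "negative endorsement: " + NEGATIVE_ENDORSEMENTS[stmt.subject]
    return True, "registered"
```

Revoking `key-2021` rejects every statement it ever signed, while the negative endorsement on `BAD_ARTIFACT` rejects only that build and leaves other statements under `key-2023` registrable.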
Decisions and Action Items
- Decision: The IETF 117 Hackathon topic will include registration policies, with additional work streams on architecture and use case expansion.
- Action Item: John to record and publish a demonstration of SCITT working in a commercial product environment for wider community access (outside of formal IETF meeting contexts).
- Action Item: Hannes to locate and post the link to the NIST SP 800-63-3 document on the SCITT mailing list for review.
- Action Item: Roy to ask Christina You Shoulda to document how X.509 certificates are expected to be used within SCITT and potentially to normalize X.509 DID methods into a generic DID structure, highlighting the strategic advantages of moving towards DIDs.
- Announcement: Christina You Shoulda will be stepping in as the program manager for Microsoft's SCITT efforts.
Next Steps
- Continue detailed discussions on public keys, DID methods (especially did:web), PURL, and IETF URNs on the mailing list to determine optimal identification strategies for SCITT.
- Advance planning and preparation for the IETF 117 Hackathon, focusing on the agreed-upon strands.
- Continue technical work on defining interoperable registration policies, considering the discussed aspects of identity verification, trustworthiness, and granular revocation.