- From: Orie Steele <orie@transmute.industries>
- Date: Mon, 18 Apr 2022 16:31:48 -0500
- To: Shawn Butterfield <sbutterfield@salesforce.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAN8C-_+42CDXCRBqqdwXHamtn-eNTirxo=w2VidYOzM8gekYzw@mail.gmail.com>
Software supply chain, like physical supply chain, has various stages, and each stage is a place where an attacker might have gotten a compromise. I am interested in "author signatures" but also in "package repos" and binaries... I've been following the discussions in OpenSSF and Sigstore regarding container signing, and wanted to see what building on top of off the shelf components might look like for npm instead of containers... Each language / stack has its own version of this problem... If you wanted to verify the full supply chain of a polyglot project, you would pretty quickly feel frustrated with the lack of coordination on this subject.

If you are interested in this topic I suggest joining https://openssf.org; there are a number of initiatives underway there, many of which are reinventing parts of DIDs and VCs... for example SLSA has the concepts of "type" and "predicate" but does not use JSON-LD and is probably not going to be understood automatically by search engines.

- https://slsa.dev
- https://sigstore.dev

All of these projects struggle with the "how do I authenticate and provenance domain specific data, without creating domain specific cryptography" problem.

... Many of them are opting to create domain specific cryptography, and use case specific metadata, which raises the cost for end users to verify the full supply chain... .... assuming that this is not going to end in a winner-take-all market... based on their work : )

I would prefer to see open standards, not just open source, and solutions that embrace decentralization, market competition and diversity.

It might be a utopian dream to hope that Go, Python and TypeScript modules could be verified using DIDs and off the shelf crypto, but together we can make it a reality, if we are patient enough with standards politics.

OS

On Mon, Apr 18, 2022 at 11:35 AM Shawn Butterfield <sbutterfield@salesforce.com> wrote:

> Orie,
>
> Is your salient use case for traceability in software at packaging time?
> Thanks as always for this, especially jose-actions. I can imagine this
> being quite useful.
>
> Butters @ Salesforce | Software Architect
>
> On Mon, Apr 18, 2022 at 9:02 AM Orie Steele <orie@transmute.industries> wrote:
>
>> I wanted to share another DID Web + JOSE + GitHub demo:
>>
>> - https://github.com/OR13/signor
>> - https://github.com/OR13/jose-actions
>>
>> TLDR - JWS linked to DIDs from a GitHub Action.
>>
>> If you choose your JSON payload and header correctly, this will also work
>> for VCs.
>>
>> The jose implementation powering the action is my favorite:
>>
>> https://www.npmjs.com/package/jose
>>
>> Regards,
>>
>> OS
>>
>> --
>> ORIE STEELE
>> Chief Technical Officer
>> www.transmute.industries

--
ORIE STEELE
Chief Technical Officer
www.transmute.industries
Received on Monday, 18 April 2022 21:33:12 UTC