- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Tue, 28 Feb 2023 18:27:03 +0000
Thanks to Our Robot Overlords and Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2023-02-28/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2023-02-28/audio.ogg ---------------------------------------------------------------- W3C CCG Weekly Teleconference Transcript for 2023-02-28 Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Feb&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date Organizer: Mike Prorock, Kimberly Linson, Harrison Tang Scribe: Our Robot Overlords and Our Robot Overlords Present: Harrison Tang, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), PL, Greg Bernstein, Paul Dietrich GS1, Jennie Meier, Gregory Natran, Anil John, Nis Jespersen , BrentZ, TimG, Sandy Aggarwal, Orie Steele, John Kuo, Wendy Seltzer, Mike Prorock, Jeff O - HumanOS, David Waite, Dmitri Zagidulin, Manu Sporny, Leo, Andrew Whitehead, stevelasker, Kerri Lemoie, Matthieu Collé, Stuart Freeman, Juan Caballero, David I. Lehn, Nikos Fotiou, Kayode Ezike, Bryan Luisana, Geun-Hyung Kim, Julien Fraichot <orie> afk for a sec <tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> Another weird jitsi-ism to note and track... I joined before the host, and the "waiting for host" display persisted after the host joined, with only "cancel" and "i am the host" buttons, which forced me to drop from the meeting and then rejoin. <anil_john_[us/dhs/svip]> The Weekly Meeting information page @ https://www.w3.org/community/credentials/weekly-meeting-information/ is a bit out of date. <orie> i am back Our Robot Overlords are scribing. Mike Prorock: I see Steve home so perfect timing. Harrison_Tang: Transcription is on because I'm not sure I don't know why you didn't say the recording ends on. Mike Prorock: Manager can you teleport things actually running or not. <stevelasker_> Hi folks Manu Sporny: It's not they'll be a little red button once you can try Harrison is to stop subtitle. Our Robot Overlords are scribing. <mprorock> /me once again emphasizes my frustration with jitsi Mike Prorock: https://www.w3.org/Consortium/cepc/ Mike Prorock: There we go I think we're officially kicked off now so hello all and welcome to the main weekly ccg meeting the today the topic is the supply chain Integrity transparency and Trust group from ietf talking about what's going on there and some overlaps are joined by three wonderful people at least from that group will be talking to the work going on over there just a quick reminder that this meeting has with all meetings at w3c. Mike Prorock: EC is run under. Mike Prorock: https://lists.w3.org/Archives/Public/public-credentials/2023Feb/0157.html Mike Prorock: https://www.w3.org/community/credentials/join Mike Prorock: Will conduct put a link to that in the chat the agenda for today is in the link that I am pasting here from the mailing list archive for the announcement just a quick note that anyone can participate in these calls and the one kind of key item is if you're planning on contributing to acct work item you must be a member of the ccg with IP our agreement signs we don't get ourselves into any intellectual property fun stuff later on. Mike Prorock: Down the road we do as noted in. Mike Prorock: Just take recordings and post them and those are archived up on our GitHub the we do also manage the queue either by I think the raise hand button is now Linked In all the way but in the chat you can just type the letter Q followed by the plus sign and it will add you to the queue or take you off. Mike Prorock: A lot of copy and paste. <mprorock> In IRC type “q+” to add yourself to the queue, with an optional Mike Prorock: Constructions there just in case you need them because sometimes explaining something that's being typed versus seeing it as a little bit different quick pause for introductions any aside from our speakers anyone new to this call anyone that hasn't been on this call and quite a while. Mike Prorock: I can always. Mike Prorock: Call on people like Wendy who haven't seen all in a little while. Wendy_Seltzer: Sure great to see if folks I'm Wendy Seltzer I left the w3c name at the end of 20 22 and and now with two cows looking into broader questions in the identity space so looking forward to catching up on the work here. Mike Prorock: Awesome great to have you so any other intros new to the group not new to the group. Mike Prorock: Changed roles Etc. Mike Prorock: Right with that I'm going to jump over to any announcements and reminders and then I'll touch on the work item a new as well after that but any broad Community announcements Manu Europe. Manu Sporny: https://msporny.github.io/vc-specs-directory/ Manu Sporny: Yeah just two of them one of them is that there is a new kind of proposal I think that's going to be circulated at the verifiable credentials working group around the specifications around the verifiable credentials ecosystem so we're calling this the verifiable credential specifications directory right now it's just a personal repo but it's going to be kind of discussed as a thing we might. Manu Sporny: Adopt in the VC w g just giving this. Manu Sporny: Up that that works happening what we're trying to do is be a bit more decentralized with how we run the Registries one of the big issues with the decentralized identifier registry is that one there a normos number of decentralized identifier methods in there and then to the maintainers of that registry had to repeatedly make judgment calls on whether or not to allow something into. Manu Sporny: The registry and that. Manu Sporny: Kind of a gatekeeping exercise some people didn't like the fact that the editors had so much say about what gets into the registry or not in so this is kind of our second attempt at making it a bit more quote-unquote fair to get into these Registries basically if you are extending the verifiable credential specification in any way we want to be able to kind of point to your specification whether it's at in a w3c. Manu Sporny: In any group or differ. Manu Sporny: Or ITF or whatever you should be able to at least list your specification there so that's the first item just be aware that that conversations going on right now around how to make process of registering specifications that extend the core data model more fair and easy the second item do you want me to go into as well it's the it's the test suite for verifiable credentials 20 or like do you want to pick that up at. Mike Prorock: We'll Circle back to the test Suite just if there's any other announcements that way we can get them up and then come back to the proposed for cutting there any any other community announcements here. Mike Prorock: https://github.com/w3c-ccg/community/issues/241 Mike Prorock: All right well cool well then may proceed okay still linked to the issue there so. Manu Sporny: Even great thanks and I'll just do a quick screen share so the idea here is that the verifiable credentials version 20 specification is going to be going into candidate recommendation probably sometime during the summer one of the things we want to be sure that we have kind of lined up is a good test suite for that. Manu Sporny: For we go into Canada track you don't have. Manu Sporny: A good idea to do that and so this proposed work item is a test suite for the verifiable credentials 20 data model right now it's partially complete we are looking for other supporters from other organizations basically this is a you know it's a we need it we need something that tests the the specification and we're trying to learn from the version 11 data model tests. Manu Sporny: It's to get. Manu Sporny: Something that has tests that are more repeatable so that we can run tests on a regular basis like a weekly basis against the the specification to make sure that we can write new tests and understand how the ecosystem is going to do with that new test before like publishing it and getting a whole bunch of hate mail that implemented a test that you know breaks the ecosystem and so and so forth so we're trying to do a better job this time around with the more you know see I see. Manu Sporny: Debased test Suite I'll also. <pl> Pleased to share that the paper on Composable Credentials via LInkedClaims and Manu Sporny: That lets see it is based on the verifiable credentials API that is being incubated in the ccg that might be viewed as controversial by some so pay particular attention to that we already have 13 implementers that have demonstrated interop at a higher level through the jobs for the future plugfest number two that happened last November and then again. Manu Sporny: We will have another one happening in May so. Manu Sporny: But tried-and-tested approach that resulted in really good interrupt demonstrations a couple of months ago so we're trying to apply that same those same learnings to the verifiable credential 20 specification so the work item proposals there we're looking for a couple of or other organizations to support it and I think that's it. Mike Prorock: https://github.com/w3c-ccg/community/issues/241 Mike Prorock: Excellent please add commentary to there to the issue there and I'll repost the issue just in case you needed I think there's obviously very strongly supportive of testing I think it would be great to get some broader input from the VC working group and from the chairs over there as well as well as I think input from those of us who have worked on test Suites also I know or he's already done some commentary there so with that. Mike Prorock: That I. Mike Prorock: Yes please Brent thank you sorry that's my bad. BrentZ: My cat that is myself to the queue if that's okay no worries my question. BrentZ: How does this ccg work item differ from the work described in the VC working group Charter to produce a test Suite. Manu Sporny: It doesn't the the idea is incubated here check to make sure that we've got the iron you know wrinkled the wrinkles kind of ironed out and then the V CW G could decide that they want to pull this test Suite in or point to it or that kind of stuff so that that stuff is just kind of like we're going to have to figure that out later on but the the the idea is that this. Manu Sporny: Could become the. Manu Sporny: EG test suite for the VC 20 data model. Mike Prorock: +1 Brent BrentZ: Thank you for explaining the reasoning behind bringing it to the ccg as a work item I would encourage rather than doing that bring it to the VC working group as a work item since that's where it's intended to be anyway and that's where the conversation really ought to be had and held. Manu Sporny: Okay we can do that. Orie Steele: +1 Brent Mike Prorock: Yep and chair hat on and obviously this is my personal coach are opinion Harrison and Kimberly could way otherwise is if we already know that it's going to try to go somewhere I think we should just take it right there so I'm very much in favor of runs commentary. <bumblefudge_> minor announcement: some RWoT papers got finalized this week. The one Martin Riedel, Egidio from Nym and I worked on will hopefully follow in another week or two! https://twitter.com/RWOTEvents/status/1630281887112638464 Mike Prorock: Yeah I think. Manu Sporny: Plus one I can do that I guess we have a couple of other work items that are I don't know if they're taking that path like this I guess credential schema was already a part of ccg I guess we just need clarification from the chairs in CC G and B CW G what the intention what we should be doing now that we're like getting really close to feature for he's going directly to V CW G or incubating here first just. Manu Sporny: For a couple of months. Manu Sporny: Be cwg I was falling what I thought was you know the process we had always been following. Mike Prorock: Yeah no worries there I think Brent you and Christina and myself and Harrison and Kimberly can just do a quick Circle up on the email and decide a good path forward there yeah and maybe I can give you my quick read which is that if it's already listed as a deliverable and was not incubated at ccg and it's planning to go to the VC working group it should go straight to the VC working group if it was already in ccg being incubated then you know that's obviously a different case. Mike Prorock: Yep all right well with that let us move on to the topic for the day and so I am going to hand the ball to the Steve Hank or a combo along with anyone else they may choose to put on the spot and let them talk about skid a bit I will be monitoring the queue but I do want to get them to at least get a quick overview out for the group before we start actually calling into questions there so with that. Mike Prorock: Take it away SCITTlings. Orie Steele: Awesome thanks for using our acronym I will screen share and I'll give a quick intro and then I think Hank will take over. Orie Steele: Assuming I remember how to screen share in Gypsy. Orie Steele: Can everyone see my screen. Orie Steele: Excellent so I'm I'm always steal one of the contributors to skit also involved in dids and BCS with me today Steve Lasker who weave on weave omitted from the title slide I'm sorry Steve we'll get that fixed for you anyone else when I give quick introductions before we Dive In. Stevelasker: I guess I'll just say hello but we've been making great progress on skit and is just working across the various groups it's been pretty impressive to see all of the homes that are already in place they were trying to make sure we put in a group. Orie Steele: Hank if you're introducing yourself you're muted. Mike Prorock: Start fraunhofer network connection. Orie Steele: That's probably it. Orie Steele: Apologies if you hear me coughing or wheezing during this presentation and I was I'm screen sharing I have not muted myself in fact let me go ahead and do that really quick before. Orie Steele: Too far end. Stevelasker: I thought I saw Hank in the list here. Stevelasker: No he was driving back quickly so maybe he's he might still be in the car getting settled. Mike Prorock: Yeah I just hit him on slack so worried I think you and Steve might be on point so they take a knee. Stevelasker: And I Channel my German accent. Orie Steele: Alright like I'm happy. <bumblefudge_> Nein danke Orie Steele: I'm happy to drive until we get interrupted. Orie Steele: All right so we're going to introduce the skit Community to the w3c ccg. Orie Steele: I'm seeing back-channel from Hank no I cannot hear you. Orie Steele: All right let's proceed so. Orie Steele: Essentially there's been a number of cyber security incidents that have raised the eyebrows of folks specifically related to solve for supply chain incident so most recently the executive order 14 028 on improving the nation's infrastructure and there's been a lot of work that's happened as a result of that executive order to try and increase the. Orie Steele: Ability and. Orie Steele: All these for organizations that consume software or especially software that might have complicated open-source sort of dependency graph to kind of keep an eye on what what what dependency is go into your software how to how confident are you in those dependencies and in the case of an instant you know how can you trace through various pieces of software that could be involved in that particular incident. Orie Steele: Yeah I think that's it. Orie Steele: Else you want to say on this slide ski. Mike Prorock: There is that wonderful familiar always. Nis Jespersen : Okay now I get why you don't see anyone yeah I was using the Gypsy app that was an enormous tremendous experience which typically works well but well not in this case I'm sorry I heard nothing I was wondering when the science does. Nis Jespersen : I'm so sorry. Orie Steele: You have not missed anything we've just gone to your slide and I said incidents happen and that's basically it you're welcome to take over. Nis Jespersen : Okay I read it that said I'm so sorry for this extra technology works right snafu so my name is Hank Hank Buchholz located in Germany at fucking at The fraunhofer Institute for secure information technology and sometimes struggling this technology so yeah we are probably you had already some things I'm some context I'm working and started position one of my hats. Nis Jespersen : Is standardization the ietf and TCG. <mprorock> ha, steve should be on that slide, why am i on there ;) <stevelasker> amend the ledger... Nis Jespersen : And I'm very familiar with the work of the w3c of course and next like this I guess re and austie for really going into some details here we are going to talk about today V get skip is the supply chains Integrity transparency and Trust effort at the ietf and this is motivation slides of course incidents at my hurt that's correct a lot of things like Supply chains are spending the globe some other people call it. Nis Jespersen : Value creation graphs whatever you. Nis Jespersen : It's moving data it's moving data between stakeholders and that sometimes gets blocked unintentionally or intentionally so there is no 40 no 28 on improving the national cybersecurity there's also the National Security thermal Creations an advisory committee that is advising the president's office about how to counter some of these threats and I think. Nis Jespersen : It is a. Nis Jespersen : As a u.s. Centric a little bit because both of these examples are from the US but it's kind of highlighting this arrived at a level where people care about things and now we want to fix some parts of it so next time please and that comes to what is skit and I've been told maybe I shouldn't spoil everything at the beginning so I will so skit is basically a set of building blocks that one this is intended to increase Trust. Nis Jespersen : In the authenticity and the for example. Nis Jespersen : He of assertions about supply chain products artifact statements and and that is for a long time so exceeding typical lifespans of certificates and I'm talking about the old ways that a certificate could last for like two years like I don't know it'll be fun they are section death ID and not like six weeks as we might be having approaching in the future so so it's about. Nis Jespersen : Trusting statements for next I. Nis Jespersen : And these statements about in the ITF about software first because when we approached the ITF and said hey let's try to do something very small in this very very big context people got very scared about the big context so so the first thing that happens is that like scopa Town Supply chains very big word you can't do all the supply chain that is prone to error because all the use case it was somehow very and the devil is not. Nis Jespersen : Details and yeah so software pretty. Nis Jespersen : Everybody booking besides he and the ietf and the CC and so on so supply chain for software was our initial chartering starting point and it includes all the things like about the software component Z good old switch from the good days firmware descriptions all the package repositories out there container Jesus's very own VOC and we argued for chartering that we would use some building blocks from the ietf that are already there but are not only the eyes. Nis Jespersen : I have of course that's why we're here so next. Nis Jespersen : Yeah this is just some examples I'd say to talk about things that are originating from supply chain entities the first thing of course is an ITF example it's a concise reference Integrity manifests basically for trustworthiness aspersions created by remote at the station so this is this is this the item for example this artifact would explain at tested to verify to verify us that they want to check the trustworthiness of a test. Nis Jespersen : But there's also. Nis Jespersen : Very Co driven context that is the softer bit of materials I think SPD X is one of the examples that others are going to X of course and you could vote split if you count that in to that mix and and of course there are very very useful things out there that are can be used on a daily basis can be used at Hawk and that's contain initiative here you're all these are statements about software in the end and we want to. Orie Steele: Did we lose you. Mike Prorock: I believe we lost Hank. Orie Steele: He'll probably come back in a second. Nis Jespersen : And always correct. Nis Jespersen : Here you that is this is a mesh obviously you know and my mesh my time I'm using my phone so maybe maybe it's that I don't know so we have you lost the these artifacts we're talking about those we try to increase the believability of the things we State about them and these statements I mean Quorum as bombs or either service configuration they are all statements about more complex software setups deployments or packages next I please. Nis Jespersen : So that of these things in these statements and the could go into all the vulnerability versus packaging versus built rules becoming the actual problem that's all nice and fine I think that's very important content and a lot of people defining that we're not doing that next slide please. Nis Jespersen : What we do as how to the issue to add some again believability to these statements to these artifacts we are talking about products they were talking about so if you're talking about artifacts in software disability artifacts typically in in other supply chain artifacts are already the statements about the product so artifact is a kind of a interesting term all over the place but let's go with that right now so we add some proves. Nis Jespersen : To these statements and make them. Nis Jespersen : I'm statements for called claims and now basically next slide please you can already forget everything I said about what we're talking about because that's opaque opaque to the skit concept we are taking in a certain transparency servers a signed statement and how to sign it that's something we specify in the igf put it into a service and the service has an append-only lock all. Nis Jespersen : All these claims are than ever. Nis Jespersen : Again that is a tent only locks so how to use that building block and a bigger system is currently actually otoscope you do some reference application they're going API with rest but that is not the core solution the cost solution is how to uniformly signed integer statement and then you add it to an append-only log how to get a receipt back and also trust that one that's called transparent claim or transparent statement and our world right now so that's actually true things. Nis Jespersen : We are going to standardize here in the ietf and want to talk about here. Nis Jespersen : Is someone useful or relatable and next idea. Nis Jespersen : And that's basically what we want to have us fissures need to identify themselves have to be identified after the fact to some extent especially if they're participating in critical supply chain applications and we need this transparency service and can argue about the name but there's a note interpolation function in there and it's working like a real world notary it does not read the contract it just says you said that at this point you can trust me I have the time. Nis Jespersen : I have the identity is verified I put this into my append only law. Nis Jespersen : And you get back this receipt with a proof that I just notarized this and that's basically it both of these things are very very tiny because we're using again ITF technology we can talk about that later but it is Seaboard so that's I don't know Vic's a good and it warrants and it guarantees some things or whatever and said is sure something's going to use a very hot rod it assures that you have long-term accountability and you can detect if some statements became Falls over time. Nis Jespersen : I mean some things are product in good intent and 20 years later you realize well. Nis Jespersen : Doing the job that they're doing other things also and they're not very good at that and maybe even harmful so we want to express that that's true with I don't know building materials like Asbestos and it's true of libraries used for ages somewhere and then at some point you will detect a weakness and vulnerability and have X that goes for on forever because never been resolved conceptual problem and you also want to have accountability and auditability for who says it and why he was allowed or she or the data tier sorry to to state. Nis Jespersen : That on the ledge and that's basically it and that's where I hand over to Ari and he met Ed whatever. Nis Jespersen : So this points are okay I think I don't know questions really work if it's in chat are Auto oil but I'm both now. Mike Prorock: Yeah watching the Q man who I see you on the computer. Manu Sporny: Yeah thank you for all this I think it's good I've been wondering how all these pieces fit together you know for a while I guess the thing that I'm still a bit fuzzy on is exactly what is the skit group standardizing in what parts do you feel you're going to pull in from outside of the skit group like ietf or w3c. Manu Sporny: Like for example what. Manu Sporny: Now is you know as you know the there's a verifiable credentials working group at the w3c we you know have spent a lot of time on how to express have you know Express claims about a credential subject in Secure that you know statement what pieces do you feel are your going to pull in from external sources and what pieces are you defining in the skip working group itself I know you already went. Manu Sporny: A over that kind of but I'm try. Manu Sporny: Could you call out some specifications that you're pulling in and in which specifications are you are you actually working out that might help. Nis Jespersen : Of course let's start with the biggest answer first we are for this small things we are actually creating specifications for people in tons of context even for the supply chain use case rolls all over the place statement examples like we see for example are selected to slogan as a use case for example and and that is that is pulled in with a lot of text I have to admit but then you're asking also what we re using. Nis Jespersen : So of course the civilization that is sibo. Nis Jespersen : Basically it'll look at the future and express constraint node environments as well as large skating systems for every kind of system industrial iot or cloud services from The Edge are called internal basically all the scope that is why we are looking at the circulation that is very likely to be future proof you can't always be sure but that's what we are currently going with and I think it's a good choice person. Nis Jespersen : Then we are pulling in based on seaboard. <mprorock> cose_sign1 Nis Jespersen : The concise object an encryption working group output the Cozy working group which basic defining a possible of course assigning an envelope that includes a protected header will put you all the important metadata attributes that have to be also signed provide space for unprotected header where you can for example Put a receipt to render it with a like counter signature with metadata transparently in the payload or maybe even a detached payload and the signature. Orie Steele: Hank we have some slides that cover some of that I think we should wish it advance and then if it doesn't answer the question please ask you again. Mike Prorock: Yeah Circle back yep. Orie Steele: Stealing classic tank stealing Thunder these are my slides you had your chance. Nis Jespersen : Okay yeah I'm so sorry I couldn't see into the future but wonder if you stay with us here I think I'm stealing already content from other slides maybe we could defer the question a little bit Yeah okay this is good. Orie Steele: Awesome felt so the slides that were about to share with you all are from ietf on 115 so they're a bit dense but they're going to sort of recap some of the basic introduction that Hank is given this particular slide is a high-level architecture overview you have verifiers they want to know whether an artifact is authentic that artifact could be a binary could be container it could be firmware. Orie Steele: There could be other parts of the software Supply. Orie Steele: And the notary when the notary furnishes a transparent claim to the verifier the verifier can you use that transparent claim to gauge the authenticity of the software artifacts and on the right hand side you have the issuer is making statements about the artifacts and they're submitting those sign statements we call claims to the notary for inclusion so this is what Hank was already sort of getting ahead to. Orie Steele: There's lots of different. Orie Steele: That are relevant to software supply chain and there's lots of different serialization formats that are an important component of software supply chain so if you think about it the issuer has lots of soft of artifact types that they want to secure today so there's Json there's XML there's s Palm formats like SPG X and cyclin D x-- their salsa and each of these formats usually has some you know. Orie Steele: Concrete median. Orie Steele: Associated with it because these are formats that software has to make use of today already and so there's usually a media type that describes them so for example Helm chart has a media type and a Helm chart is an important part of deploying software within kubernetes so one exciting point of overlap is decentralized identifier so you can see in this case the issue or is identified with it decentralized identifier and you know the Hope here. Orie Steele: Is basically what Hank was mentioning before we're hoping to bridge the gap. Orie Steele: The world of x509 and oid see that exist today and the future world where decentralized identifiers might play a better role in providing identity for issuers the other sort of components of what goes into a skit claim so as Hank mentioned is cozy sign one but there's some parameters in the header that are important the issuer parameters important so that we can identify the the issuer the key that was used to sign the. Orie Steele: Algorithm that was used to sign these are all. <bumblefudge_> feed ~= topic ? Orie Steele: Looks you've been working with verifiable credentials the feed is a new header claim that we're proposing and that's to identify you know basically information about the artifact type itself and then the content type this is again a field that's familiar to folks within the verifiable credentials working group because we spent a lot of time talking about media types and in fact there is support for using the same cozy sign one. Orie Steele: Sure with verifiable credentials with a content type that. Orie Steele: You application slash credential + LD + Jason so just pointing out the use of the CT y parameter here you can see in the example its application xc9 10 firmware image but it could be that that confident type could be other information that's relevant to solve for supply chain hopefully that's starting to answer some of your questions man you about how this work might fit together. <henk> feed is basically like a broker topic, yes <bumblefudge> toll, danke Orie Steele: Important component of skit which hasn't been you know there are no formal work items around it but it very often comes up is this question of policies and standardization so you know first of all when the issuer wants to make a claim transparent there's a before they even can register that claim the issuer might have a policy that they're going to apply so the issuer might rebuild the software artifact run some automated. Orie Steele: Ruling on it to decide whether it's ready to be. Orie Steele: About it so some of that tooling could say you know all right am I ready to sign over this information let me review before I sign am I ready to accept responsibility for this do I feel confident in the process that was used to create this artifact my sure this is the format that I'm wanting to sign because I'm about to sign it and that's signing B so maybe I want to change some part of the representation before I do that and then you know what does the artifact what artifact does it refer. Orie Steele: Were too so in the case of a binary you know am I being clear about. Orie Steele: Identifier for the binary in my claims or maybe I want to use a different one or maybe I'm maybe I'm trying to protect a particular Helm chart or an SPD excess bomb so the issuer has to sort of make those decisions before they can create their their claim but once they've managed their issuance policy they are going to bring that sign claim to the their transparency service or the notary and then there's a registration policy that the notary or the transparency service is going to. Orie Steele: In force. <stevelasker> A feed is a collection of statements around a particular artifact. Orie Steele: Require that all issuers be two Factor authentication and all from email addresses on a corporate domain in order to have their this claim certain Claims can only be registered with that policy for example so if you're in a corporate environment you know certain transparency Services might only accept artifacts that are from that Corporation from issuers who are strongly authenticated bound to that Corporation Etc another transparency service might operate in an open source environment where they're taking artifacts from. Orie Steele: All different kinds of. Orie Steele: They're just using open ID connect so the registration policy is the policy that the transparency service uses to evaluate whether a given claim should be made transparent and usually you know the minimum that the registration policy will have is that it's going to authenticate the issue or in some way. Orie Steele: Right and then on the other side with the verifier accepting the transparence claim you know verifiers might have different requirements in terms of which kinds of transparent claims they'll accept and from which issuers or from which notaries so it could be that you know as much as I love Hank I don't trust him to make claims about software products that my company produces and even if he's able to make those claims transparent with a notary that's really will trust it. Orie Steele: It's still not. Orie Steele: To Walter you know myself as a verifier or folks who rely on my software and so the validation policy for the transparent claims is another dimension so these this policy Dimensions important to think about although like the specifics of how the policy languages are built and enforced are currently there are no work items that are actively underway about policy language is just an important component to understand. Orie Steele: So I'm going to. Orie Steele: Balls of like water what is the problem that we're trying to solve here and there's two ways to think about it there's the sort of malicious issuer scenario and that's you know where a bad issue or tries to serve malware to Alice but not too Bob so you can imagine you know maybe Bob is you know trying to run a threat analysis platform analysis going to consume software and if Bob catches the the malware he's going to warn everyone. Orie Steele: One and so when the software is. Orie Steele: The issuer you know they want to serve the mount the the package without malware in it to Alice but they but they want to serve the package with malware to Bob and you can see the little bug in the malware in the bottom part of the image so this bad issuer is basically they're trying to create two claims for the same lib Acme x86 one of them has malware in it the other. Orie Steele: One doesn't. Orie Steele: And they said. Orie Steele: Them both to the notary and because the notary is recording both of them a an auditor can see that there are duplicate claims that have been registered so the notary in this case is honest but the issuer is malicious but because the issuer is required to make their claims transparent and auditor can review the notary and see that there's these conflicting claims for lib Acme x86. Orie Steele: Another angle on this is to consider bad notary so imagine that bad notary tries to roll back Bob's version with a receipt from Fork registry so in this scenario incompatible receipts and this comes from the structure of the notary itself which can be implemented in different ways as was mentioned those incompatible receipts means the notary endorsed inconsistent Registries and so that that is also detectable because of the the nature. Orie Steele: Sure of the. Orie Steele: Only Ledger and so if you find that a notary is doing that kind of thing you're probably never going to trust them ever again. Orie Steele: All right so I think at this point we are essentially done I've got this slide to leave up as we take questions Mike are we on time on my head of time. Mike Prorock: I think now is probably a good time for questions especially knowing that Hank responses can sometimes be informative. Orie Steele: Really bro and Hank under the bus. Mike Prorock: I can't help it give I see what first I think. Geun-Hyung Kim: Hi ya thinks this is a great presentation I think my my questions and her little high level so well first one is this is ietf that were talking about this would be a work item for right. Geun-Hyung Kim: A working group okay okay. Orie Steele: This is a working group at ietf with with several documents that are intended to be worked on by that working group currently the architecture document is the only formal work item ITF I believe. Geun-Hyung Kim: Okay that's helpful so yeah the first one was just sort of it was my expectation that ietf needs things scope down a lot more but the working group makes sense I think the main thing where I'm still sort of struggling is maybe it's just a terminology thing but around the notary transparency service like depending on what role that might like what form that might take it just really stands out as an unnecessary like it sounds. Geun-Hyung Kim: Like it's easy to just sort of not. Manu Sporny: +1 To Kim... feels like unnecessary centralization? Have same question as Kim -- what purpose does that role play in the ecosystem? Geun-Hyung Kim: Too much action to that role or too much of it like investment in a single kind of centralization point because that looks very clearly like something that can be openly audited Noah guess the governance of all of this and sort of like there's probably use case specific things that I could see some form of curation going into it but I'm just curious to poke into to get more information on that because that just really. Geun-Hyung Kim: Lee maybe it's a term service maybe I don't know just more. Geun-Hyung Kim: Part of it. <manu_sporny> Feels like a "Trust Registry" <bumblefudge> is there a package manager usecase to map the roles to, maybe? <manu_sporny> ooooh, much more clear now via "Mapping ietf terms to W3C ones" <mprorock> Regs mandate a central point in many cases unfortunately Orie Steele: Sure so one thing I'm not sure if I go ahead this slide here just I prepared this in case we needed to have a terminology discussion the transparency service in quotes is sort of like the the concept of verifiable data registry in decentralised identifiers and verifiable credentials so the log part of it is like the verifiable data registry. Orie Steele: But the notary sort of actions. Orie Steele: Of it is a little bit different it's like an independent role sort of like an issue or in a verifier combined. <bumblefudge> exploding-head-emoji Geun-Hyung Kim: Okay that's that's helpful and all of that said I think I'm really even though supply chain software Supply chains one of the first focuses I do think that this pattern will be really interesting beyond that so interest like it's great that you're focusing on specific use cases just to get somewhere but I'm also eager to follow along to see how it can inform other efforts so. <stevelasker> The notary's purpose is to verify the credentials and assure the registration policy is met. For instance, what types of IDs are acceptable. Mike Prorock: Yeah can that was really helpful and I think two notes one because the centralization thing I think is something that tugged a bunch of us right up front but unfortunately there are certain regulations in certain countries that mandate like there must be a single you know repo for XYZ right for certain types of use cases so we have to be able to meet that plus more flexible use cases right as you can imagine the and then regarding the other use cases and applicability. Mike Prorock: Leti and Steve. https://github.com/scitt-community Mike Prorock: Be a good one to reach out to who's on this call but there is a skit community formed to look at how do we handle things like reference implementations or exploring other use cases with this pattern as it evolved so if you're interested in that side that's definitely something worth taking a look at I believe Dimitri is up next. Dmitri Zagidulin: I was going to ask about which pieces on this architecture diagram are likely to be standardized by the working group and or image inserted partially in that only the architecture itself apparently I was curious specifically about the notary transparency service we've run into need for that use case in VC edu context the notion of and it's a that transparency service that audit log if you will is a roll. Dmitri Zagidulin: So that I think we're not talking about enough. Dmitri Zagidulin: LBC working group are old all that is to task is the format and the API of the notary transparency service likely to be standardized by this. <mprorock> physical/cyber-physical supply chain needs as well for a clear append only notary (at least the interface) Orie Steele: So the the first I'll do the easy ones the the format of the claims are definitely to be standardized by this get working group at ietf the format of the receipt is definitely to be standardized at ietf although there's a separate document that tracks the structure of receipts today there's some rest sort of API interoperability components around interacting with a transparency service that I think are going to be standardized and. Orie Steele: That might answer. <manu_sporny> What, IETF isn't going to start standardizing blockchains!? :P Orie Steele: The question that you're asking the specifics of like the internal mechanism for building an append-only log I think that is probably a there's a probably a boundary somewhere around that where you know ITF isn't going to get into the specific you know disk layout you know format that you've used for your service but generally speaking there's like a pendulum Lee log or Merkel database. Orie Steele: Sure that's a. <mprorock> /me lol @manu <kerri_lemoie> @orie - do you know timelines of the IETF standardization work? Orie Steele: Component of getting the receipt object so there is work that's planned with in ietf to standardize some components of that sort of similar to the certificate transparency work but a little bit more generic but that's intended you know stuff that hasn't fully landed yet. Nis Jespersen : This is Hank may I add something to this while again to Cozy types of cozy envelopes the core of all the specifications here and yes the the way how you create a inclusion proof sometimes maybe part of that receipt on they have a lot of attendees that are actually pretty new to the ietf of the w3c all together they're actually coming from supplied. Nis Jespersen : Chain stakeholders I want to say. Nis Jespersen : And when they arrived at the new place they come with a question and then you need to reply to the question in sometimes in the form of a protocol so that's why we actually doing the rest API because without at least a reference guidance that is this rest I pi and the ietf is not prone to do a lot of them but without it you wouldn't be able to answer simple questions like can could you please give me all vulnerabilities that are known to this thing. Nis Jespersen : NG Forex on software which is. Nis Jespersen : I think people want to be have an answer to but but if you would just build a building blocks they will drag you out you've thrown into them and they won't work by themselves so there has to be a small compromise here through to provide some reference API some some not a reference system because the ITF does not build systems its building blocks and and then go from there and that is I think why we are also here to to to to make. Nis Jespersen : More use of these building blocks and and find out how. Nis Jespersen : Match them with existing work and again or if I can probably more my experts on this topic that this inter connected use but I think that's that's what this is about we can't solve this alone the people that were the supply chain stakeholders said that the people that were those and this use some of this case the software creators all of them are like yeah and the probably not we should give it to keep it and that's why we are here. Mike Prorock: I saw a quick question from carry which was just on timelines that ietf and then I'll call on Bumble fudge. Mike Prorock: So standardization timelines that ietf Hank if you've got a quick comment. <kerri_lemoie> Thanks :) <bumblefudge> famous last words? Nis Jespersen : So I don't want to nitpick at the ietf but I think the standard latency of hitting a milestone in the ayat if across all Collective Milestones is 1.5 years late we are better than that moment so at the moment we are hitting our marks pretty very was only 2 months latency and actual timeline is that we have a consistent. Nis Jespersen : Terminology at the. Nis Jespersen : Year terminology means that we label them in a way that everybody can compromise and grudgingly my probably around but the definitions are actually pretty much in order and that is the important part so the labels of the definitions of the things people are worrying about at the moment then again the we have to kind of create some generic - to this we are coming this from the skit point of view to the eye. Nis Jespersen : ATF and we have just one requirement on this receipts for. Nis Jespersen : But we realize whether plenty ways to do this trees of hashes in all Merkle trees parse trees level trees unbalanced ones and there might be a generic part of this has to go to Cozy anyways so their deadline that's very the Milestones will also be some some cozy Milestones because we would add essential cozy elements I think in the future but our current road map that tells us that in the with the start of. Nis Jespersen : 24 All relevant. Nis Jespersen : Stones are set that's an ambitious goal and we can't pick our about two things too long we tend to bicker about naming things but the size we also defining the structure of things so I think we are paralyzing the bickering with the construction of a contribution a little bits and that is the Mantra of the ITF I think not to serialize better paralyzed. Mike Prorock: I think that was very helpful and I think about as clear as we can get and ietf context and I think one note that is probably a little bit different than we see in w3c sometimes that we do see this in some working groups at w3c is there's very much a home for certain places so like if it's a very cozy specific thing maybe skit related work but it's going to take place in the coast a working group as opposed to it. Mike Prorock: Kitt so Mr bumble. Juan Caballero: Okay I was actually. Mike Prorock: A up on the cue probably the last word. Juan Caballero: Actually that was a it was a it was good that carry got it before me because I was going to ask something related with the which was are their language wide package managers that have expressed interest and like at what level of sophistication for you know of like you mentioned like V1 of all the building blocks built as a tight as a milestone like would it be premature for people to be thinking. Juan Caballero: At package. Juan Caballero: Gale before then or are you already trying to get input from those types communities that run package managers. Nis Jespersen : So nobody's jumping that one I think now is the time to put in requirements if you are interested in having your favorite or your own or your stakeholder Pax Romana system addressed I think that's a that's a statement type so effectively whatever the requirements About Management your statement is would go into the requirements of an API will go in through the requirements of the messages we actually want to Define here so it might be. Nis Jespersen : Trickle down there. <dmitri_zagidulin> to ask a different way, are there package managers in the working group? <bumblefudge> ^^ :D Nis Jespersen : With some layers coming from a explicit application but there's no better than real data right so I assume we hope to have audience including stakeholders from that domain and best case scenario some heart requirements that are bashing the current Concepts like no this won't work because and then go from them. <greg_bernstein> NPM, PyPi? Mike Prorock: Yeah and into that note also call out that there are some pretty large players that deal with distribution of software very heavily engaged in this and showing up to meetings and discussing what they're doing and how it overlaps so you know I think you're going to be seeing whether you may are directly impacted this or otherwise right it's going to be out there as a thing it just might be a little bit behind the scenes unless we look at things like. Mike Prorock: You know education or physical Supply. <bumblefudge> get the crates.io people in there hehe Mike Prorock: It might be a little more visible pipe I'm not 100% sure on Greg seeing your comment on there we are doing stuff directly with machine learning and web crawling input for machine learning stuff so there's interesting stuff going on there so. <kerri_lemoie> Thanks for the presentation!! <bumblefudge> amazing presentation! Mike Prorock: Cool well with that I just really want to thank Steve and Hank and or in for their time today obviously we could have a lot of fun conversations certainly those folks in the working group probably recognized. Mike Prorock: Commentary around things like cty. Geun-Hyung Kim: :Clap: <orie> Thanks for the opportunity to present <stevelasker> Happy to continue the conversation through the IETF SCITT discussions and/or the SCITT Community: https://github.com/scitt-community Mike Prorock: Meeting because this is important to a lot of us so and helps if expand use of verifiable credentials into other serialization formats uses over time so with that Harrison would probably kill recording once again thanks all really appreciate the great questions today in the great presentation from the. <stevelasker> Thanks everyone.
Received on Tuesday, 28 February 2023 18:27:03 UTC