Skip to main content

Minutes interim-2023-scitt-03: Mon 16:00
minutes-interim-2023-scitt-03-202301231600-00

Meeting Minutes Supply Chain Integrity, Transparency, and Trust (scitt) WG
Date and time 2023-01-23 16:00
Title Minutes interim-2023-scitt-03: Mon 16:00
State Active
Other versions markdown
Last updated 2023-01-26

minutes-interim-2023-scitt-03-202301231600-00

SCITT Interim WG meeting (01/23)
Chairs: Hannes Tschofenig and Jon Geater
Note takers: Kiran Karunakaran, Brian Knight, Kay Williams

Topics:
Sigstore Presentation- Joshua Lock and Zachary Newman
Link:
https://docs.google.com/presentation/d/1h88-zgs7OvwBnJpijN4jYa7-eyPKumAIif1L51azNIM/edit#slide=id.p

Sigstore- sign, verify and protect software
Easy to use, visible infrastructure
User (developer,machine) authenticate (OpenID, SPIFFE, DIDs?), Sigstore
(CT log Fulcio) provides a X.509 signing cert which is ephemeral (10
mins)
Rekor is the artifact log (Signatures and metadata)
Working together with SCITT- leverage mailing list to iron out technical
differences

Ray: How can you monitor with ephemeral nature? Can someone use the
login and compromise security?
Zack: We have to balance expiration with validity and longevity.
Timestamp along with signature, artifact will be provided to the user to
make the decision
Ray: Identity could be a concern here. Bar is lower
Zack: External policies should figure out if the identity is strong or
not
Roy: Timestamp model is not enough for notarization. How does it fit?
Zack: Anything that goes in Sigstore log will have identity and
timestamp. Ownership of identity is delegated to the identity provider
(OIDC).
Henk: tsa/tst support for cose-
https://www.ietf.org/archive/id/draft-birkholz-cose-tsa-tst-header-parameter-00.html

Roy: Authenticode case, is predicated on standard CA (for money)
certificates. The certificates can be validated for a longer period, but
run into all the problems that Zach\Joshua mentioned. The problem I see
ahead of us is identity correlation. A bucket of certificates and
associating them based on dn as being == is potentially very weak.
Authenticode is documented
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode

Carl: part of the problem with code signing is lack of constrain on use
of a key. Identity verification does not limit how the key is used to
verify code though. It just shows whose key was stolen. The value of a
stolen key would be less if key was less useful in broad sense
Zack: Log is pluggable (different format, signatures or other content..)

Cedric: Goals for transparency maybe different. SCITT does not require
consolidation with timestamp. Policies are applied beforehand in SCITT
as part of notarization. There are layers to solution and this is a
start
Zack: Narrow trust- Trust only CAs for signature, Trust only log for
timestamp
Dick: Does Fulcio have a signing service documentation?
Zack: No RFC style doc but there are documents that Sigstore will share

Dick: How do I sign/search signatures? would like to test it out.
Zack: use the hash to search.
Olle: https://docs.sigstore.dev/rekor/verify-release/
Charlie: need to figure out how to be interoperable. SCITT seems more
rigor from a policy standpoint while Sigstore is lightweight easy to use

Hannes: We'll discuss terminology and use case documents next session