Minutes interim-2023-scitt-03: Mon 16:00
minutes-interim-2023-scitt-03-202301231600-00
Meeting Minutes | Supply Chain Integrity, Transparency, and Trust (scitt) WG | |
---|---|---|
Date and time | 2023-01-23 16:00 | |
Title | Minutes interim-2023-scitt-03: Mon 16:00 | |
State | Active | |
Other versions | markdown | |
Last updated | 2023-01-26 |
SCITT Interim WG meeting (01/23)
Chairs: Hannes Tschofenig and Jon Geater
Note takers: Kiran Karunakaran, Brian Knight, Kay Williams
Topics:
Sigstore Presentation- Joshua Lock and Zachary Newman
Link:
https://docs.google.com/presentation/d/1h88-zgs7OvwBnJpijN4jYa7-eyPKumAIif1L51azNIM/edit#slide=id.p
Sigstore- sign, verify and protect software
Easy to use, visible infrastructure
User (developer,machine) authenticate (OpenID, SPIFFE, DIDs?), Sigstore
(CT log Fulcio) provides a X.509 signing cert which is ephemeral (10
mins)
Rekor is the artifact log (Signatures and metadata)
Working together with SCITT- leverage mailing list to iron out technical
differences
Ray: How can you monitor with ephemeral nature? Can someone use the
login and compromise security?
Zack: We have to balance expiration with validity and longevity.
Timestamp along with signature, artifact will be provided to the user to
make the decision
Ray: Identity could be a concern here. Bar is lower
Zack: External policies should figure out if the identity is strong or
not
Roy: Timestamp model is not enough for notarization. How does it fit?
Zack: Anything that goes in Sigstore log will have identity and
timestamp. Ownership of identity is delegated to the identity provider
(OIDC).
Henk: tsa/tst support for cose-
https://www.ietf.org/archive/id/draft-birkholz-cose-tsa-tst-header-parameter-00.html
Roy: Authenticode case, is predicated on standard CA (for money)
certificates. The certificates can be validated for a longer period, but
run into all the problems that Zach\Joshua mentioned. The problem I see
ahead of us is identity correlation. A bucket of certificates and
associating them based on dn as being == is potentially very weak.
Authenticode is documented
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode
Carl: part of the problem with code signing is lack of constrain on use
of a key. Identity verification does not limit how the key is used to
verify code though. It just shows whose key was stolen. The value of a
stolen key would be less if key was less useful in broad sense
Zack: Log is pluggable (different format, signatures or other content..)
Cedric: Goals for transparency maybe different. SCITT does not require
consolidation with timestamp. Policies are applied beforehand in SCITT
as part of notarization. There are layers to solution and this is a
start
Zack: Narrow trust- Trust only CAs for signature, Trust only log for
timestamp
Dick: Does Fulcio have a signing service documentation?
Zack: No RFC style doc but there are documents that Sigstore will share
Dick: How do I sign/search signatures? would like to test it out.
Zack: use the hash to search.
Olle: https://docs.sigstore.dev/rekor/verify-release/
Charlie: need to figure out how to be interoperable. SCITT seems more
rigor from a policy standpoint while Sigstore is lightweight easy to use
Hannes: We'll discuss terminology and use case documents next session