So this raises an interesting question, which is probably more appropriate for RATS.  What information should be shared with whom and how?  The voucher is shipped in the clear without much prompting.  There are different views about how sensitive software inventory is.  This is why the draft doesn't take a position on the subject, other than to allow for the notion that some requests *may* need to be authenticated.

Eliot

On 29.05.21 00:12, Michael Richardson wrote:
Eliot Lear <l...@lear.ch> wrote:
> This having been said, I think you may be applying the right policy at
> the wrong time.  It may make more sense to first establish trust, but
> limit access to the device until you have the SBOM.  In fact you want
> to do it that way, because at any time the posture of a device can be
> found to be wanting.

No, it's the right time.

We specifically designed the voucher flow such that it could contain
attestation artifacts (evidence).   Max was quite articulate about that!

The evidence is communicated through the registrar to the MASA.  This is
identically the background check flow from the RATS architecture.
The MASA is the Verifier.  The Verifier is who needs access to the SBOM, and
conveniently, that's also the manufacturer.

The Registrar is the Relying Party.

What we didn't document is how we do freshness for the evidence.
There are a number of choices.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
            Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
