[Proposal] Whitepaper on Public Sector Software Supply Chain

cncf / public-sector-user-group

🏛️ 🗣️ ☁️ CNCF User Group focused on advancing cloud computing in the public sector

https://www.cncf.io/enduser/

Apache License 2.0

19 stars 2 forks source link

[Proposal] Whitepaper on Public Sector Software Supply Chain #12

Open idunbarh opened 1 month ago

idunbarh commented 1 month ago

Public Sector CNCF Members are seeing Government Customer focus on securing software supply chains and receiving attestations. These attestations need to be signed and have provenance bridge across multiple company and network boundaries.

These boundaries and the sensitive nature of the products make using public repositories and public signing services unusable.

The proposal is to create a whitepaper that outlines strategies to cover several different topics.

How multiple entities can establish roots of trust which can be used to verify signatures.
Document metadata required to meet customer requirements
Outline CNCF and OpenSSF projects that can help solve roots of trusts and share the outlined metadata
Document consistent approaches to privately sharing signed attestations
Document approaches to policy/verification of attestations

@Charley-Mann @brandtkeller @eddiezane

Starefossen commented 1 month ago

@jksolbakken (AppSec) and I (Platforms) from the Norwegian Labor and Welfare Administration (@navikt) would like to participate on this whitepaper!

Charley-Mann commented 4 weeks ago

Hi @idunbarh @Starefossen, I'd like to kick off this project soon so we can attract more great folks to participate. Would you be free for a quick call next week to determine the initial structure of the paper and get things rolling? How would Wednesday 16:00 CEST suit?

Starefossen commented 3 weeks ago

@Charley-Mann That time works very well for me!

Charley-Mann commented 3 weeks ago

@Starefossen excellent! Would you please send me an email, so I can set up a call?

idunbarh commented 3 weeks ago

@Charley-Mann @Starefossen We're also good from our side, and I know several of the public sector usergroup member organizations are interested in participating.

We have a public sector user group meeting this Thursday (June 13th) but it might be a little late in the evening (10am PST, 1pm EST).

I got an action item to start a draft outline before that meeting. Does it work for both of you to participate and chart a path forward there?

Charley-Mann commented 3 weeks ago

@idunbarh @Starefossen - 10am PST this Thursday works for me. Could you please link me to the meeting invite so I can join?

Starefossen commented 3 weeks ago

I believe you need to register on the CNCF platform and then you can see the meeting info here: https://zoom-lfx.platform.linuxfoundation.org/meeting/92496539385?password=c2394fad-98a0-486d-9746-deff3b7de463