Closed SteveLasker closed 10 months ago
"Registration Policy" describes the constraints imposed on who can submit signed statements and what metadata is required. The metadata AKA "Artifact Properties" is used for accessing the signed statements regarding data artifacts. There are two levels of properties: a) a base level which provides the licensee/owner, semantic label of the item, version, and category. The date submitted is calculated by the log manager. Category is used to determine the extended properties set. For example, for software use case, the base level would have Licensee:"Company ABC", ProductName:"Widget package XYZ", Version: "2.1.3", PropertiesCategory:"sw". In the extended set, we have properties such as a enumeration of possible artifact types, such SBOM, OCI container, binary, etc.
Then, the registration policy includes 2 aspects. a) which property fields are completed so the item can be later accessed and b) whether the submitter is authorized to submit the item based on evaluating the signature on the submitted item.
The minimum metadata for each artifact must be specified in the base architecture, even if in some registration policies, no metadata is required. The extended metadata must be defined for the sw use case.
The signed statements that exist in the append only log must include both the base properties and optional (use-case specific) properties, these should be protected by any signatures, and they should not be encrypted nor considered part of the artifact.
Active for 118 on-site discussion, and inclusion for 119
Need input from @fournet and @ad-l if we want/need to maintain sequence number in reg_info
or this becomes implementation specific.
Triage in the next editors meeting
Discussion on moving properties of reg_info
into defined properties/keys of CWT_Claims
, or remove reg_info
and leaving implementation-specific properties in CWT_Claims
to be used.
Discussion on the functionality of the registration policy, as defined in the architecture.