raylutz
commented
1 year ago "Registration Policy" describes the constraints imposed on who can submit signed statements and what metadata is required. The metadata AKA "Artifact Properties" is used for accessing the signed statements regarding data artifacts. There are two levels of properties: a) a base level which provides the licensee/owner, semantic label of the item, version, and category. The date submitted is calculated by the log manager. Category is used to determine the extended properties set. For example, for software use case, the base level would have Licensee:"Company ABC", ProductName:"Widget package XYZ", Version: "2.1.3", PropertiesCategory:"sw". In the extended set, we have properties such as a enumeration of possible artifact types, such SBOM, OCI container, binary, etc.
Then, the registration policy includes 2 aspects. a) which property fields are completed so the item can be later accessed and b) whether the submitter is authorized to submit the item based on evaluating the signature on the submitted item.
The minimum metadata for each artifact must be specified in the base architecture, even if in some registration policies, no metadata is required. The extended metadata must be defined for the sw use case.
The signed statements that exist in the append only log must include both the base properties and optional (use-case specific) properties, these should be protected by any signatures, and they should not be encrypted nor considered part of the artifact.
SteveLasker
Discussion on the functionality of the registration policy, as defined in the architecture.