Open adityasaky opened 1 year ago
@adityasaky Was this resolved? If so, then can you close it?
I'd like @trishankatdatadog to weigh in here. I'm not 100% convinced we should describe a way where the layout information is not included for an image. I think we can't do justice in describing out-of-band mechanisms to correctly associate layouts with images. In comparison, I think the con of including layout information (the current status of the document) is not very troubling, as attackers can do more than just associate the wrong layout in that scenario.
That said, I think we don't have to block #9 on this as we aren't marking it as "Final", per PURE-1.
We should describe the pros and cons of each option
Currently, the Scudo PURE specifies that every image must have a mapping to the in-toto layout used to verify its software supply chain. @trishankatdatadog noted in https://github.com/uptane/pures/pull/9#discussion_r1012292535 that this is only one option, and that layouts for each image may instead be inferred or communicated to clients out of band. The PURE should explore both of these options and lay out the pros and cons of each.
See: #9, #2