Closed (jhdalek55 closed this issue 1 year ago)
I honestly don't know what other "supply chain technologies" to write about here. Can someone else take the lead here? Or at least point me in the right direction?
Hi Lois,
The obvious one is "in-toto". Either Justin or Marina could probably suggest some text.
Cheers,
PS - On today's NIST Supply Chain Security Workshop, one of the presenters focused on open source used "in-toto" as his example for a mature supply chain security tool. Hooray.
Ira McDonald (Musician / Software Architect)
Chair - SAE Trust Anchors and Authentication TF
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
(permanent) PO Box 221 Grand Marais, MI 49839 906-494-2434
On Mon, Nov 8, 2021 at 5:21 PM Lois Anne DeLong wrote:
I honestly don't know what other "supply chain technologies" to write about here. Can someone else take the lead here? Or at least point me in the right direction?
I should have added the clarifying comment "other than in-toto." I've been educating myself in all things supply chain to draft the white paper, but I have not yet found any other examples of supply chain security being applied in the automotive world. It's specifically a shout-out for that type of information. Also, as much as I would like to, I don't think our Deployment pages should just say "Use in-toto," though the whitepaper will lean heavily in that direction.
Glad to hear in-toto got a positive mention at the workshop.
I would mention it more as the properties we need and in-toto as an exemplar of what can integrate in smoothly.
On Tue, Nov 9, 2021 at 6:48 AM Lois Anne DeLong wrote:
I should have added the clarifying comment "other than in-toto." I've been educating myself in all things supply chain to draft the white paper, but I have not yet found any other examples of supply chain security being applied in the automotive world. It's specifically a shout-out for that type of information. Also, as much as I would like to, I don't think our Deployment pages should just say "Use in-toto."
Glad to hear in-toto got a positive mention at the workshop.
I can take a stab at this. I'm in the midst of working out the text for the white paper so I can do this simultaneously.
Please look at Deployment PR #121, which provides a response to this question.
@mnm678 Even though we have a partial response for this in PR #121 in the Deployment pages, I think we should leave the issue open and marked as "Future" until we have an actual proposed in-toto/Uptane solution.
This issue was partially addressed by Deployment PR #121. However, we leave the issue up because a proposal for an in-toto/Uptane hybrid is under discussion. We will close the issue with that proposal.
This issue has been addressed in part by the introduction of Scudo in an Uptane whitepaper (see https://uptane.github.io/papers/scudo-whitepaper.pdf). An ITE will follow and this will help determine how supply chain issues are addressed in either the Standard or the Deployment pages.
This can likely be closed once PURE 3, which introduces Scudo as a supply chain security option, is reviewed and adopted.
Once PURE 3 is adopted, we will re-write the existing section on Supply Chain Security in the Enhanced Security Practices section to offer Scudo as a secure add-on. We should also modify section 3.4 (Out of Scope), which lists supply chain security as out of scope for Uptane and points the reader to in-toto. While we can keep supply chain issues as "out of scope," we should mention the Scudo option and point readers to it. Then, this issue can be closed.
PURE 3 was approved for adoption at the 2/28 Uptane Standards meeting. Subsequently, the text on Supply Chain Security in the Enhanced Security Practices section was updated to include Scudo, with a pointer to PURE 3.
We also need to update the "Out of Scope" section so it can reference Scudo. However, this seems to involve setting up a reference and I'm not sure how to do this.
If someone can set this up, all that is required is adding a sentence to line 284 (end of third bullet in the "Out of Scope" section of the Standard) stating "PURE 3 offers Scudo, one strategy for improving supply chain security of automobiles by using Uptane and in-toto". After we complete this task, I believe we can close this issue.
Supply chain security is out of scope for Uptane at present.
It's one part of the solution (focusing on repository -> end device security). More holistic solutions, like in-toto, integrate with Uptane to provide a more complete solution.
Sorry, misclick. We need to update the document as Lois described.
We discussed this issue at the 3/14 Standards meeting. Lois will open a PR with the suggested wording changes for the Standard. Once that has been reviewed and accepted, this issue can be closed.
With the merger of Standard PR #249 and the Deployment PR #146 we can now close this issue.
At the October 26 Uptane Standards meeting, it was decided we should add a few sentences to the Deployment Best Practices document on how Uptane integrates with other supply chain technologies.