It is a daunting task to drive the world toward a better digital future. However, a pioneering group strives to build these crucial standards for future generations.
The other week in San Francisco at IETF117, a group of developers and subject matter experts gathered to do just that. The IETF mission is: “To make the internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the internet.” This standards body is quite unique – anyone with the right passion can join. Believe it or not, humming is a measure of consensus. This creative process centered around “rough consensus and running code” ensures the group is in alignment, ready to get working on hard problems, and prove it practically. For IETF117 San Francisco, this was certainly the case. Huge strides were made at the meeting, including in the Supply Chain Integrity, Transparency, and Trust (SCITT) code hackathon. Let’s take a closer look.
SCITT Working Group at the IETF117 Hackathon
To drive innovation with the help of attendees, IETF meetings are always preceded by a weekend long hackathon, enabling participants to move forward rough consensus on specifications, showcase new ideas, and prove working solutions. The intent of the hackathon this time was to use the RKVST implementation to show the practicality of building systems on top of interoperable open SCITT building blocks. The promises of SCITT include four complementary security guarantees:
- Authenticity – statements made by issuers about supply chain artifacts must be identifiable, authentic, and non-repudiable
- Origin – append-only log, so that statements on provenance and history can be consistently audited
- Non-repudiation – issuers can efficiently prove to any other party the registration of their signed statements
- Non-equivocation – issuers can’t tell different incompatible stories to different relying parties
These are the core pillars in the digitalization of the modern supply chain. This is a messy system – multi-party, multi-application, with little interoperability.
A quick overview of the main mission of SCITT
As a reminder, the Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of proposed IETF building blocks for managing compliance of goods and services across end-to-end supply chains through the use of cryptographic identity and transparency technologies. SCITT supports the verification of physical and digital goods and services where the authenticity of entities, evidence, policy, and artifacts need to be assured.
Due to the complexity of real-world supply chains and the need to fit with existing investments in process and technology, the group sets out to focus on smaller discrete components that can showcase the promise of SCITT and make progress a little bit at a time. In this case, the focus is on search and indexing complicated systems all with SCITT transparency.
The use case – ensuring the cybersecurity of medial devices
The team aimed to apply SCITT to a real life use case from the US Food and Drug Administration (FDA). This is based on an actual need to acquire software artifacts from medical device manufacturers, per section 524B of the US Federal Food, Drug and Cosmetic Act (FD&C), Ensuring Cybersecurity of Medical Devices. At its core, the use case focuses on registering signed statements (Vendor Response Files or VRFs) into a SCITT registry or ‘Transparency Service’ that identifies the location of required cybersecurity artifacts (e.g., SBOMs, vulnerability disclosure reports, etc) along with their transparency and trust information. Basically, this is about publishing and verifying VRFs to drive efficiency and transparency.
An area of focus for the team was to explore the importance of identifiers in the SCITT layer. In this case with company identifiers for medical devices. Additionally, how does search, indexing, and storage on the application layer, take advantage of the SCITT building blocks – in a maintainable and commercial way.
Grounded in SCITT’s pillars of authenticity, origin, non-repudiation, and non-equivocation the team was successful in this exercise. What was accomplished:
- Successful end-to-end demonstration of attesting and verifying the Vendor Response Form (VRF)
- Drove the specification forward with thoughtful perspective on where company identifiers should exist
- Drove the specification forward for when higher-level concepts need to be brought into scope
All evidence files in the SCITT-registered VRF were successfully downloaded and used in an evaluation of trustworthiness of medical device software. This is a powerful indicator for how verifiable data can be automated and used at a large scale.
The IETF SCITT Hackathon community successfully demonstrated how an IETF SCITT Trust Registry can be used to safely exchange trusted software supply chain information (SBOMs, Vulnerability Disclosure Reports, SSDF attestations and cybersecurity label data) between a software producer and consumer using a Vendor Response File (VRF) document. The SCITT capability shows than an international Trust Registry is a real possibility, enabling greater transparency into the software supply chain, globally.
This use case proved to be a terrific example of RKVST in action and the potential of the interoperable open SCITT model. The team was able to use SCITT primitives in this implementation to get a full end-to-end example of a searchable middleware SCITT underlay, joining two live commercial tools from different companies, that were able to use this technology to better prove trustworthiness in the digital supply chains.
What makes this project at the IETF117 Hackathon so useful is that it is generalizable to a variety of use cases. This exercise produced a whole payload of JSON that shows consistency and is self-integral. A discreet payload generalizes perfectly well to any tool, and this example has moved the needle for future SCITT use cases in all kinds of supply chain verticals and digital trust domains. A job well done!