IETF Supply Chain Integrity, Transparency, and Trust (SCITT)
The IETF has a security-related working group called Supply Chain Integrity, Transparency, and Trust (SCITT), whose charter reads:
"The Supply Chain Integrity, Transparency, and Trust (SCITT) WG will define a set of interoperable building blocks that will allow implementers to build integrity and accountability into software supply chain systems to help assure trustworthy operation. For example, a public computer interface system could report its software composition that can then be compared against known software compositions or certifications for such a device thereby giving confidence that the system is running the software expected and has not been modified, either by attack or accident, in the supply chain.
Problem Statement
Some of the fundamental security issues that face the supply chain ecosystem today are as follows:
- A single product is composed of multiple sub-products coming from different suppliers. There are several standards to compose supply chain information with different producers choosing different methods.
- There are no uniform APIs or services to publish supply chain information to third parties, nor are there ways to verify the integrity or date of publication of that information.
- There is a lack of decentralized, globally interoperable, transparent services to publish supply chain data.
- The lack of sufficient standards for independently verifying the presence of supply chain data in tamper-proof data stores.
- Fractured verification methodologies across software distribution ecosystems create inconsistent security guarantees for end users.
- Software consumers have no trustworthy way to verify that a software signature on a software package is legitimate.
A minimal, simple, and concise set of building blocks that interact in a standardized way will assure long-term accountability and interoperability for supply chain components throughout their lifecycles across architecturally diverse systems.
Goals
Based on an input document on the architecture (draft-birkholz-scitt-architecture), the WG will standardize the technical flows for providing information about a software supply chain, which also includes firmware, and covering the essential building blocks that make up the architecture."
WG Link: https://datatracker.ietf.org/group/scitt/about/
WG Documents: https://datatracker.ietf.org/group/scitt/documents/
WG Mailing List: https://mailarchive.ietf.org/arch/browse/scitt/