FYI that we are spinning up a "ztrust" project under the Open Mainframe
Project umbrella.
I note, with delight, that RPM has built-in support for PGP signing.
I've been learning about that.
Of course, PKI code signing is the norm, so we gotta support that too.
The OMP TAC meeting is tomorrow.
-- R; <><
On 11/11/25 9:17 PM, Rick Troth wrote:
This is to let y'all know that I'm presenting the "ztrust" working
group to the OMP TAC on Thursday.
Some of us have been working on a community trust anchor for
mainframers. For me, it started as a folder in my "vmworkshop"
skeletal repository. But it naturally extends to the MVS crowd. (So
I'll prolly drop a note to IBM-MAIN tomorrow. And it applies to Linux
too.)
Most PKI certificates are issued by commercial, institutional,
government, or military CAs. This commonly leaves volunteer projects
out in the cold. (Most PKI certs cost real money, often in short
supply when you're coding something for the CBT tape on your own time.)
So we're collecting PKI root certs from other than the usual issuers.
But there's more: the PKI certs are to be signed using PGP keys. The
PGP keys, forming a companion collection, will be cross-signed. Some
of the PGP keys will also be signed by people in the greater Web of
Trust. All of this means that you can follow the chain to an entity
that you actually know.
That's the plan anyway.
In the VM world, we have a rich history of publicly shared code. We
have a level of trust in each other because we know each other. But as
security concerns grow, it's understandable that the "supply chain" be
cryptographically verified. I'm leaving out details of code signing
mechanisms. Those details are part of what goes into the ZTRUST effort.
So this project is to provide a trust anchor which mainframers can use
to assure authenticity of packages which are signed outside the usual
framework.
This makes sense in the context of supply chain defense. My friend Dan
Rathbun (a CISO) put it well:
Trust anchors for mainframe software may not seem urgent to many, but
in regulated industries, they’re directly tied to resilience and risk
posture. Volunteer-driven signing solutions could help close that gap
in ways enterprises actually respect.
The project is only just getting going. Matt Hogstrom and I have begun
collecting PGP signatures. We need more.
If you've ever used PGP (for attestation, not just for email) then you
probably have a good idea of how it works.
If anyone has an established (but volunteer) CA with a root cert that
should be included, please speak up.
The collection of keys and certs is NOT itself trustworthy. It is the
SIGNATURES which verify authenticity.
So the collection will not contain any PKI cert which does not also
have a PGP signature or does not chain up to a trusted cert,
nor will it have any PGP keys without supplemental signatures.
John Mertic said that this project should operate as a "working group"
in OMP space.
There is no code (at this time), just a collection of cross-signed PGP
keys and some PKI root certs.
I believe the meeting Thursday is to formally initiate that working
group.
Thanks Mike MacIsaac for getting me/us connected with the OMP and
(especially) the z/VM Community Tools collection.
There is an initial collection here:
https://github.com/openmainframeproject/zvm-community-tools/tree/main/ztrust/
I presume that OMP will create a "repository" (in Git speak) for ZTRUST.
If anyone can contribute, please contact me.
--
-- R; <><
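As an added illustration, not code from the ztrust project (which has no code yet) nor from the original message: a Python model of the collection rules stated above, using constructed fingerprints and cert names, that drops PGP keys lacking supplemental signatures, drops PKI certs that neither carry a PGP signature from an admissible key nor chain up to a cert that does, and follows signatures from a key back to one the verifier already knows.

```python
from collections import deque

# Constructed sample data standing in for the ztrust collection (not the real
# keys or certs): a PGP key lists the fingerprints that signed it (its own is
# the self-signature); a cert lists the PGP key that signed it and its issuer.
PGP_KEYS = {
    "KEY-RICK": {"signers": ["KEY-RICK", "KEY-MATT", "KEY-WOT1"]},  # KEY-WOT1: outside the collection
    "KEY-MATT": {"signers": ["KEY-MATT", "KEY-RICK"]},              # cross-signed with KEY-RICK
    "KEY-NEW":  {"signers": ["KEY-NEW", "KEY-MATT"]},
    "KEY-LONE": {"signers": ["KEY-LONE"]},                          # self-signature only
}
PKI_CERTS = {
    "VolunteerCA-Root": {"pgp_sig_by": "KEY-RICK", "issuer": None},
    "VolunteerCA-Sub":  {"pgp_sig_by": None, "issuer": "VolunteerCA-Root"},
    "Lonely-Root":      {"pgp_sig_by": "KEY-LONE", "issuer": None},
}

def supplemental_signers(keys, fpr):
    """Signatures on a key other than its own self-signature."""
    return [s for s in keys.get(fpr, {"signers": []})["signers"] if s != fpr]

def admissible_keys(keys):
    """Rule: no PGP key without at least one supplemental signature."""
    return {f for f in keys if supplemental_signers(keys, f)}

def admissible_certs(certs, keys):
    """Rule: a cert needs a PGP signature from an admissible key, or must chain
    up, issuer by issuer, to a cert that has one."""
    good_keys = admissible_keys(keys)
    def chains(name, seen):
        c = certs.get(name)
        if c is None or name in seen:  # dangling issuer, or an issuer loop
            return False
        return c["pgp_sig_by"] in good_keys or (
            c["issuer"] is not None and chains(c["issuer"], seen | {name}))
    return {n for n in certs if chains(n, set())}

def chain_to_known(keys, target, known):
    """Walk breadth-first from a key through its signers (each fingerprint once,
    since cross-signing makes cycles) to a key the verifier personally knows;
    returns the path target -> ... -> known key, or None if there is none."""
    seen, queue = {target}, deque([[target]])
    while queue:
        path = queue.popleft()
        if path[-1] in known:
            return path
        for s in supplemental_signers(keys, path[-1]):
            if s not in seen:
                seen.add(s)
                queue.append(path + [s])
    return None
```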
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390