During the call, one item that came up was how to lessen the likelihood of a fraudulent report being submitted as part of the certification/badging process.
One suggestion was to include additional runtime, vnf-specific trace information in the report itself making it more difficult to fabricate. The VVP team discussed this, but we feel this would be non-trivial to implement and not truly prevent the core issue. We would not be in favor of pursuing this option. If we feel that we need to protect against fraudulent reports, then we are suggesting two alternatives that can be discussed in a future session. 1) Certification Portal Executes the validations directly using Dovetail: a. Since we are only scanning a set of static files, and the validation tools will be available in a container for execution, we could simply have the portal run the scan upon uploading of the artifacts. This eliminates a fraudulent report submission entirely, and avoids other issues such as ensuring the proper versions of the tools are executed externally. b. I do understand there may be sensitivity to uploading the proprietary artifacts, but there is no need for them to be stored or shared indefinitely. They would only need to be retained for the duration of the scan. After that we simply need to retain the checksum of the artifact that was submitted. c. If we simply don't think VNF Providers would agree to that, then our back-up option is below 2) Display Artifact Checksum Along with Badge a. The VVP tool already computes an MD5 hash of all the file contents and stores that in the report b. If we retain this information and publish it on the certification site, then the ultimate consumer of the artifact can at least verify the artifact they receive from the vendor corresponds to the artifact submitted for certification. We should likely do this even in option #1 for the same reason. c. This doesn't mean prevent the provider from submitting a fabricated report, but it does ensure that it can be challenged and verified after-the-fact if needed. d. I believe the CSAR similarly has an checksum that can be used for this purpose as well. We can discuss the topic further in one of our upcoming joint calls. Thanks, Trevor From: onap-disc...@lists.onap.org [mailto:onap-disc...@lists.onap.org] On Behalf Of Gaoweitao(Victor) Sent: Sunday, February 03, 2019 2:26 AM To: complia...@lists.lfnetworking.org; onap-disc...@lists.onap.org; opnfv-tech-discuss@lists.opnfv.org Cc: Kanagaraj Manickam <kanagaraj.manic...@huawei.com>; Lincoln Lavoie <lylav...@iol.unh.edu> Subject: [onap-discuss] CVC Jonit Meeting (Feb 4th) Agenda Hi VNFSDK/VVP/Dovetail Developers, Here is the initial agenda for Feb 4th Joint meeting<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_CVC-2BJoint-2BMeeting-2B02-2D04-2D2019&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=-YhkEGJSSKD46SqQByjR_bJvnYWC7lsI62elfSWGTQA&e=>, feel free to add your topics: 1. CVC one click deployment 2. Show marketplace capability and is it possible used for dovetail test script execution trigger? I will be absence due to Chinese new year and Kanagraj from VNFSDK Team is my proxy and host the meeting. The zoom bridge is still available during my absence: https://zoom.us/j/346625009<https://urldefense.proofpoint.com/v2/url?u=https-3A__zoom.us_j_346625009&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=-wmrOsLWyh45frQOsVJCAqGlh2DmMNJu15PMacF17Z0&e=> The previous meeting minutes is here: https://wiki.onap.org/display/DW/Joint+CVC+Meeting<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_Joint-2BCVC-2BMeeting&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=mkSu7O2_kzmJipm2xlbfaaZGwXViIQJvQt12MmFifJo&e=> BR Victor _._,_._,_ ________________________________ Links: You receive all messages sent to this group. View/Reply Online (#15324)<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_message_15324&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=2DIdFBAfxs43n6h4Lw6yH2FGyRmBqimlbz41vQNgGtw&e=> | Reply To Group<mailto:onap-disc...@lists.onap.org?subject=Re:%20%5Bonap-discuss%5D%20CVC%20Jonit%20Meeting%20%28Feb%204th%29%20Agenda> | Reply To Sender<mailto:victor....@huawei.com?subject=Private:%20Re:%20%5Bonap-discuss%5D%20CVC%20Jonit%20Meeting%20%28Feb%204th%29%20Agenda> | Mute This Topic<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_mt_29638769_1198157&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=LeTLkAhNSX8sD_rxDuVs1mIlWHYZESMZPmuIf18ic_A&e=> | New Topic<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_post&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=rxFGHYc7sNu0tzbdyYovrN7Kpnj-T_bZ9Gu0niWSMT8&e=> Your Subscription<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_editsub_1198157&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=6n1a-52slPnkgXiGGJySGaZzkxq_t5TrSTw_o9GtvqI&e=> | Contact Group Owner<mailto:onap-discuss+ow...@lists.onap.org> | Unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_unsub&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=x3ICz0g1PsytMM03urA8OHzkY-WW_yA77jqC4tU5b7Q&e=> [trevor.lov...@att.com] _._,_._,_
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#22773): https://lists.opnfv.org/g/opnfv-tech-discuss/message/22773 Mute This Topic: https://lists.opnfv.org/mt/29667350/21656 Group Owner: opnfv-tech-discuss+ow...@lists.opnfv.org Unsubscribe: https://lists.opnfv.org/g/opnfv-tech-discuss/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
