Dave,

 

Just an FYI: There are well-known issues with the use of digital signatures for originator authenticity.

REF:

https://energycentral.com/c/ec/who-ya-gonna-trust

 

This issue was reported to NERC due to the unverified use of digital signatures 
to identify software suppliers in NERC CIP-010 software verification 
guidelines. 

 

Thanks,

 

Dick Brooks



Never trust software, always verify and report! ™

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

From: [email protected] <[email protected]> On Behalf Of David Kemp
Sent: Tuesday, January 11, 2022 8:30 PM
To: SPDX-list <[email protected]>
Subject: [spdx-tech] Logical or Physical Element Verification?

 

From the minutes:

* Sean: verification by each serialization form or one canonical serialization format?
* Sebastian: Each individual format has one way of doing things, but pass through canonicalization to a version (i.e. binary serialization) that a hash can be calculated against.
* William: has historically been at the logical document level, and transport level it is hashed.

Need to specify the type of verification:

* Data Origin Authentication and Integrity (signature) verify a data producer's identity and that the data is what was produced.
* Referential Integrity (hash) asserts nothing about the data producer, just that if data was read by consumer A then it has not changed when read by consumer B. Consumer A creates a reference that includes a hash of the referenced data. Consumer A may be, but is not required to be, the producer of the referenced data.

Both hashes and signatures can be computed directly on the original physical 
data or on logical data by deserializing and reserializing into a designated 
physical format as Sebastian says.  "Be strict in what you generate" is 
helpful, but even then most implementations are not validated with a ton of bad 
example data designed to uncover ambiguities and errors.  Designing an 
information model is essential to enable cross-format (logical level) 
canonicalization.
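The physical-versus-logical distinction in the message above, as an added example that is not part of the original thread and is not SPDX's own canonicalization: three constructed encodings of one element hash differently as bytes but identically once parsed and re-serialized into a designated form. The `key: value` format, the sample element and the choice of compact sorted-key JSON as the canonical form are assumptions made for illustration.

```python
import hashlib
import json

def _strict_pairs(pairs):
    # Duplicate keys are an ambiguity: parsers disagree on which value wins.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key in JSON object")
    return dict(pairs)

def parse_json(data: bytes) -> dict:
    return json.loads(data.decode("utf-8"), object_pairs_hook=_strict_pairs)

def parse_key_value(data: bytes) -> dict:
    # Constructed "key: value" line format, parsed into the same logical model.
    model = {}
    for line in data.decode("utf-8").splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep or key.strip() in model:
            raise ValueError(f"malformed or duplicate line: {line!r}")
        model[key.strip()] = value.strip()
    return model

def canonical_bytes(model: dict) -> bytes:
    # Assumed designated physical form: compact JSON, sorted keys, UTF-8.
    return json.dumps(model, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def physical_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def logical_hash(model: dict) -> str:
    return hashlib.sha256(canonical_bytes(model)).hexdigest()

# Constructed sample data: one logical element in three physical encodings,
# plus one deliberately ambiguous input.
JSON_A = b'{"name": "libexample", "version": "1.2.3"}'
JSON_B = b'{\n  "version": "1.2.3",\n  "name": "libexample"\n}\n'
KEY_VALUE = b"name: libexample\nversion: 1.2.3\n"
AMBIGUOUS = b'{"name": "libexample", "name": "other", "version": "1.2.3"}'

if __name__ == "__main__":
    for label, blob, parse in (("json-a", JSON_A, parse_json),
                               ("json-b", JSON_B, parse_json),
                               ("key-value", KEY_VALUE, parse_key_value)):
        print(label, physical_hash(blob)[:16], logical_hash(parse(blob))[:16])
```

Either hash is only a referential-integrity check in the sense used above; it says nothing about who produced the data.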




