I just want to add that I am excited to see this conversation about different roots of trust. We live in a world where both trust models exist and will continue to grow for their respective reasons. We need strong centralized trust for government and corporate identity. We also need distributed trust to support ad-hoc communities. Both have software supply chains which need SBOM support, SBOMs that should be digitally signed.

For Windows components we are relying on COSE signed <product>.spdx.json SBOMs built at each step in our supply chain; the signature gets verified by each consumer in the pipeline. In our ecosystem the strong root of trust is important. However, if we needed an open source component, the one signed by a distributed authority that we trust would be far stronger than a package that was not protected by a signed SBOM.

Just my $0.02.

--
Joe Bussell
Windows Engineering System | Tool Benders
🙋♂️ My pronouns are he/him (https://pronoun.is/he) (why this matters: https://pronouns.org/what-and-why/)
🗓️ Book a meeting with me: https://outlook.office.com/bookwithme/user/[email protected]/meetingtype/23WCp6gy8UKwSRsqIkcCmg2?anonymous
👍 Inviting feedback: https://forms.office.com/r/FxAwaVPjjb
⌚ Timezone: (GMT-8) US Pacific
N.B.: I may send mail during times when others are not working. I do not expect engagement from you when you are not working.

From: [email protected] <[email protected]> On Behalf Of David Kemp via lists.spdx.org
Sent: Monday, February 6, 2023 10:24 AM
To: SPDX-list <[email protected]>
Subject: [EXTERNAL] [spdx-tech] Identities

Gary,

Yes. The W3C Distributed Identifiers Architecture (https://www.w3.org/TR/did-core/#architecture-overview) has an identity manager (DID controller) that assigns distributed identifiers (DIDs) to DID subjects. Presumably it uses the word "controller" instead of "authority" to contrast with X.509 certificate authorities, but the meaningful distinction is between centralized vs. decentralized identity management, not a difference in meaning between authority vs. controller vs. manager vs. assigner.

Other points of interest:

* A Decentralized Identifier, or DID, is a URI.
  -- The only thing that distinguishes any string or URI from an identifier is the fact that an identifier corresponds to an identity (DID document) managed by an authority/controller/manager/assigner. A URI that looks like a DID is not a DID if it has no corresponding identity, just as a 9 digit number is not an SSN unless it is backed by an identity.
* The subject of a DID is, by definition, the entity identified by the DID. The DID subject might also be the DID controller.
* The controller of a DID is the entity (person, organization, or autonomous software) that has the capability to make changes to a DID document.
  -- DID recognizes autonomous software (SoftwareAgent) as a peer of person and organization.

In DID, entity means a real thing (person, group, organization, thing, or concept) to which an identifier is assigned. SPDX models real things like persons, packages, and relationships using data structures (Elements). If "Entity" is used as an SPDX type, then it must model all of the real-world entities covered by SPDX, not just those related to identities. I.e., "Entity" would be the name of SPDX Element, not a subclass of Element. But it is easier to understand and keep straight "Element models an entity" than "the Entity class models a real-world entity".

Regards,
David

On Wed, Jan 11, 2023 at 9:48 PM Gary O'Neall <[email protected]> wrote:

I had a similar thought. I was wondering if the definitions provided would support a BlockChain like approach which does not have a centralized "authority".

Gary

From: [email protected] <[email protected]> On Behalf Of William Bartholomew (CELA) via lists.spdx.org
Sent: Wednesday, January 11, 2023 4:14 PM
To: SPDX-list <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Identities

These all seem reasonable to me. My only comment is that there may not be a "formal" authority. For example, an identification scheme could use an algorithm to derive a globally unique identifier or use a convention to guarantee sufficient uniqueness. An authority may or may not associate an identifier with an identity.

Regards,
William Bartholomew (he/him) – Let's chat: https://aka.ms/book-willbar
Principal Security Strategist
Global Cybersecurity Policy – Microsoft
My working day may not be your working day. Please don't feel obliged to reply to this e-mail outside of your normal working hours.

________________________________
From: [email protected] <[email protected]> on behalf of David Kemp via lists.spdx.org <[email protected]>
Sent: Wednesday, January 11, 2023 2:59 PM
To: SPDX-list <[email protected]>
Subject: [EXTERNAL] [spdx-tech] Identities

At the tech meeting we decided to accept the current identity model and move forward without blocking the 3.0 release. The discussion covered many ideas on which no decisions were documented, and I wonder if we can reach agreement on these points while the discussion is still fresh, without allowing any No Decisions to become blockers.

1) An Identifier is different from an Identity.
Discussion: Identifiers have the property of being associated with zero, one, or multiple identities over time. Note: at any specific time an identifier should be associated with at most one identity.

2) Every Identity MUST have an authority.
Discussion: The authority associates identifiers with identities. If there is no authority, there can be no identity to which an identifier refers.
* The Social Security Administration is the authority that maintains records of people's identities. Every 9 digit number is an identifier, but only some of those identifiers are associated with an identity: 000-00-0000 and 123-45-6789 are "SSN identifiers" but they (probably) have never been assigned to an identity by the authority.
* "hotmail.com" is the authority that maintains hotmail identities. The identifier "[email protected]" is (probably) not an identity because of minimum length restrictions on the local portion. The authority assigns identifiers to identities, ensuring uniqueness. The identifier "[email protected]" has probably been assigned to several identities over time. The authority determines if it is currently assigned to any identity.
* Without assistance from the authority it is impossible for SPDX to distinguish the identities to which an identifier is assigned. If "[email protected]" is an active identity in 2021 and 2022, it is impossible to know if they are the same identity or two different identities unless some other information (such as SSN or a hypothetical hotmail UID) is included in those identities. SpdxId is not part of the identity - many Identity Elements can be created for the same identity.

3) Authorities determine what subject types they support.
Discussion: SSA will not assign identities to anyone other than natural people - it is fraud to attempt to create fake accounts. Hotmail doesn't do any identity proofing - anyone or anything can get a hotmail account on request, so the distinction between person and organization doesn't exist for that authority. Squatters have claimed many obvious hotmail organization identifiers, but at the moment "[email protected]" is available.

4) Some authorities create identities and assign identifiers to processes.
Discussion: A process identity type is not a PID running on an operating system, it is a subject type accepted by an identity management authority. Hotmail has already created "[email protected]" and "[email protected]" identities, and "[email protected]" is currently available to be claimed. As above, hotmail does not do any identity proofing or declaration of identity types. But the U.S. Government does explicitly manage non-person entity identities for corporations, devices and processes in addition to person identities. It is neither esoteric nor difficult to accommodate process identities in the logical model; the same standard of acceptance should apply to Principals/Actors/Agents that are processes as to those that are persons or organizations.

Dave
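Points 1 through 4 of David's original message above, as an added worked example in Python (example code written for this page, not part of the SPDX project or of the thread): an authority assigns identifiers to identity records for the subject types it supports, each assignment covers a time interval, and only the authority can say which identity an identifier referred to on a given date. All names, identifiers and dates are constructed; the example.com addresses stand in for the hotmail examples, and `Identity.record_id` plays the role of the hypothetical hotmail UID the message mentions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Subject types an authority may accept (constructed labels for this example).
PERSON, ORGANIZATION, PROCESS = "person", "organization", "process"


@dataclass(frozen=True)
class Identity:
    """What the authority knows about one real-world subject.

    The identifier is deliberately NOT a field: identifiers are assigned to
    identities and may be reassigned later, so they do not identify the record.
    """
    record_id: str        # authority-internal key, like the hypothetical hotmail UID
    subject_type: str


@dataclass
class Assignment:
    """One interval during which an identifier referred to an identity."""
    identity: Identity
    start: date
    end: Optional[date] = None   # None means still assigned

    def active_on(self, when: date) -> bool:
        return self.start <= when and (self.end is None or when < self.end)


class Authority:
    """Assigns identifiers to identities; the only party able to say what an identifier means."""

    def __init__(self, name: str, subject_types: set[str]):
        self.name = name
        self.subject_types = frozenset(subject_types)
        self._assignments: dict[str, list[Assignment]] = {}

    def assign(self, identifier: str, identity: Identity, when: date) -> None:
        if identity.subject_type not in self.subject_types:          # point 3
            raise ValueError(f"{self.name} does not support {identity.subject_type} subjects")
        # Point 1: at most one identity per identifier at any instant, so refuse
        # while an earlier assignment is still open or ends after the new start.
        for a in self._assignments.get(identifier, []):
            if a.end is None or a.end > when:
                raise ValueError(f"{identifier} is already assigned on {when}")
        self._assignments.setdefault(identifier, []).append(Assignment(identity, when))

    def release(self, identifier: str, when: date) -> None:
        for a in self._assignments.get(identifier, []):
            if a.active_on(when):
                a.end = when
                return
        raise KeyError(f"{identifier} is not assigned on {when}")

    def resolve(self, identifier: str, when: date) -> Optional[Identity]:
        """The identity an identifier referred to on a date, or None (point 2)."""
        return next((a.identity for a in self._assignments.get(identifier, [])
                     if a.active_on(when)), None)

    def is_identity(self, identifier: str, when: date) -> bool:
        return self.resolve(identifier, when) is not None

    def same_subject(self, identifier: str, t1: date, t2: date) -> Optional[bool]:
        """Whether one identifier named the same subject on two dates; None if unassigned on either."""
        first, second = self.resolve(identifier, t1), self.resolve(identifier, t2)
        if first is None or second is None:
            return None
        return first == second


def rejects_wrong_subject_type() -> bool:
    """Point 3: an SSA-like authority issues identities to natural persons only."""
    ssa_like = Authority("SSA-like registry (constructed)", {PERSON})
    try:
        ssa_like.assign("123-45-6789", Identity("org-1", ORGANIZATION), date(2023, 1, 1))
    except ValueError:
        return True
    return False


def walkthrough() -> dict:
    """Points 1, 2 and 4 on a mail-style authority that accepts persons, orgs and processes."""
    mail = Authority("example.com mail (constructed)", {PERSON, ORGANIZATION, PROCESS})
    bob = "bob@example.com"
    mail.assign(bob, Identity("uid-100", PERSON), date(2021, 1, 1))
    mail.release(bob, date(2021, 12, 1))                               # account closed
    mail.assign(bob, Identity("uid-207", PERSON), date(2022, 3, 1))    # same identifier, new identity
    mail.assign("build-bot@example.com", Identity("uid-300", PROCESS), date(2022, 1, 1))
    try:
        mail.assign(bob, Identity("uid-999", PERSON), date(2022, 5, 1))
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    return {
        "2021": mail.resolve(bob, date(2021, 6, 1)).record_id,
        "gap": mail.resolve(bob, date(2022, 1, 15)),
        "2022": mail.resolve(bob, date(2022, 6, 1)).record_id,
        "same_2021_2022": mail.same_subject(bob, date(2021, 6, 1), date(2022, 6, 1)),
        "same_within_2021": mail.same_subject(bob, date(2021, 6, 1), date(2021, 7, 1)),
        "overlap_rejected": overlap_rejected,
        "process_is_identity": mail.is_identity("build-bot@example.com", date(2023, 1, 1)),
        "unassigned_is_identity": mail.is_identity("nobody@example.com", date(2023, 1, 1)),
    }
```

The `same_subject` answer is the part an SBOM consumer cannot compute on its own: without the authority's records, "bob@example.com" seen in a 2021 document and in a 2022 document is just the same string, which is exactly the ambiguity the message describes.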
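The pipeline Joe describes at the top of the thread (a COSE-protected <product>.spdx.json document produced at each stage and verified by every consumer before it is used) as an added, runnable sketch in Python. This is example code written for this page, not Microsoft's or SPDX's tooling. Because only the standard library is available here, it uses the symmetric COSE_Mac0 structure with HMAC-SHA256 (RFC 9052 / RFC 9053) in place of the asymmetric COSE_Sign1 signature the message refers to; the envelope layout, the protected header and the verify-before-parse discipline are the same, but a real pipeline would use per-stage signing keys and public-key verification. The key, the SBOM content and the stage names are constructed, and the CBOR encoder covers only the types this envelope needs.

```python
import hashlib
import hmac
import json

# --- Minimal CBOR encoder (RFC 8949), only the data types COSE_Mac0 needs ---
def _head(major: int, arg: int) -> bytes:
    """Initial byte(s) of a CBOR item: 3-bit major type plus its argument."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    for extra, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * size):
            return bytes([(major << 5) | extra]) + arg.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor(value) -> bytes:
    """Encode ints, byte/text strings, lists and dicts."""
    if isinstance(value, bool):
        raise TypeError("booleans are not used in this envelope")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cbor(v) for v in value)
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(cbor(k) + cbor(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


# --- COSE_Mac0 (RFC 9052 section 6.2) with HMAC 256/256 (RFC 9053 algorithm 5) ---
ALG_HMAC_256_256 = 5
PROTECTED = cbor({1: ALG_HMAC_256_256})   # header label 1 = "alg", carried as a bstr
COSE_MAC0_TAG = 17                         # CBOR tag that marks a COSE_Mac0 message


def _tag(key: bytes, payload: bytes) -> bytes:
    # MAC_structure = ["MAC0", protected, external_aad, payload]: the MAC covers the
    # protected header as well, so the algorithm cannot be swapped after the fact.
    return hmac.new(key, cbor(["MAC0", PROTECTED, b"", payload]), hashlib.sha256).digest()


def mac0_create(key: bytes, payload: bytes) -> list:
    """COSE_Mac0 = [protected, unprotected, payload, tag]."""
    return [PROTECTED, {}, payload, _tag(key, payload)]


def mac0_verify(key: bytes, message: list):
    """Return the payload only if the envelope checks out, otherwise None."""
    protected, _unprotected, payload, tag = message
    if protected != PROTECTED:             # pin the expected algorithm before any other work
        return None
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return None
    return payload


def to_wire(message: list) -> bytes:
    """Tagged CBOR bytes as they would be stored next to the .spdx.json file."""
    return _head(6, COSE_MAC0_TAG) + cbor(message)


# --- A three-stage pipeline in which each stage verifies before it consumes ---
KEY = b"constructed-demo-key-not-for-production"   # one shared key stands in for per-stage signing keys

SAMPLE_SBOM = {   # constructed, trimmed-down SPDX 2.3 JSON document
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "widget.spdx.json",
    "creationInfo": {"creators": ["Tool: build-step"]},
    "packages": [{"name": "widget-core", "SPDXID": "SPDXRef-widget-core"}],
}


def _canonical(sbom: dict) -> bytes:
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode("utf-8")


def pipeline_step(key: bytes, inbound: list, step: str, package: dict) -> list:
    """Verify the inbound envelope, extend the SBOM, and re-protect the result."""
    payload = mac0_verify(key, inbound)
    if payload is None:
        raise ValueError(f"{step}: inbound SBOM failed COSE verification; not consuming it")
    sbom = json.loads(payload)             # parse only after integrity is established
    sbom["packages"].append(package)
    sbom["creationInfo"]["creators"].append(f"Tool: {step}")
    return mac0_create(key, _canonical(sbom))


def run_pipeline() -> dict:
    env = mac0_create(KEY, _canonical(SAMPLE_SBOM))
    env = pipeline_step(KEY, env, "package-step", {"name": "widget-installer", "SPDXID": "SPDXRef-widget-installer"})
    env = pipeline_step(KEY, env, "release-step", {"name": "widget-bundle", "SPDXID": "SPDXRef-widget-bundle"})
    final = mac0_verify(KEY, env)          # the last consumer verifies too
    return json.loads(final) if final is not None else None


def tampered_is_rejected() -> bool:
    """A payload edited after protection must fail at the next consumer."""
    env = mac0_create(KEY, _canonical(SAMPLE_SBOM))
    env[2] = _canonical({**SAMPLE_SBOM, "packages": []})   # package list stripped, old tag kept
    return mac0_verify(KEY, env) is None
```

The detail worth copying into a real consumer is the order of operations in `mac0_verify` and `pipeline_step`: the protected header is checked against the one algorithm the consumer expects, the tag is compared in constant time, and only then is the JSON parsed. A consumer that parses first and verifies afterwards has already exposed its parser to unauthenticated input.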
