Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop 'Issue Statement' endpoint and related considerations #53

Merged
merged 4 commits into from
Jan 7, 2025
Merged

Drop 'Issue Statement' endpoint and related considerations #53

merged 4 commits into from
Jan 7, 2025

Conversation

achamayou
Copy link
Collaborator

An 'Issue Statement' endpoint is not necessary, nor helpful to implement a transparency service, and it is unclear why it has been added as an optional endpoint.

SCITT services should be able to compose with arbitrary signing services that produce signed statements in the correct format.

Aside from separating concerns and making the document more concise, this helps make the authentication posture consistent (see #52).

@achamayou
Drop 'Issue Statement' endpoint and related considerations
1b751f9 
An 'Issue Statement' endpoint is not necessary, nor helpful to implement a transparency service, and it is unclear why it has been added as an optional endpoint.

SCITT services should be able to compose with arbitrary signing services that produce signed statements in the correct format.

Aside from separating concerns and making the document more concise, this helps make the authentication posture consistent (see ietf-wg-scitt#52).
This was referenced Dec 6, 2024
Merged
Closed
@SteveLasker SteveLasker added this to the Draft 03 milestone Dec 31, 2024
@SteveLasker
Copy link
Collaborator

Being able to create a signed statement is an important security and usability workflow to SCITT.
I do agree a single transparency service should not sign their own statements prior to registration. However, another remote signing service could implement the API, which issue #56 covers.

@achamayou
Copy link
Collaborator Author

Being able to create a signed statement is an important security and usability workflow to SCITT. I do agree a single transparency service should not sign their own statements prior to registration. However, another remote signing service could implement the API, which issue #56 covers.

I am confused by this, my sense so far was that SCRAPI was "the API of a TS". As an implementer, or as a user, a TS is "a service that implements SCRAPI".

If I understand correctly, #56 says "SCRAPI is actually the set of all APIs that might be useful in the context of SCITT, likely (hopefully even) implemented by multiple services". Is that right?

Assuming I have got this right, I don't know that the current signing endpoint is a good thing to have, because:

  1. If the bar for having an endpoint is all important workflows, then surely there ought to be a verification endpoint?
  2. The specification doesn't say much more than "there is a way to get a COSE Sign1 over unspecified payloads". Is the issuer the same as for Transparent Statements? Is key discovery the same too? I struggle to see what interoperability value this endpoint provides.

I think it would be more coherent to specify only endpoints that we expect a TS to implement and where the specification provides interoperability value (i.e. format definitions, field semantics etc).

@achamayou achamayou mentioned this pull request Jan 2, 2025
Merged
@SteveLasker
Copy link
Collaborator

This is a good point, as while it is important to ease and standardize a means to create signed statements, it may be beyond the scope of SCRAPI.
Let's discuss this in the next meeting.

JAG-UK
JAG-UK requested changes Jan 7, 2025
View reviewed changes
draft-ietf-scitt-scrapi.md Outdated Show resolved Hide resolved
draft-ietf-scitt-scrapi.md Outdated Show resolved Hide resolved
@JAG-UK JAG-UK merged commit d5ad6f8 into ietf-wg-scitt:main Jan 7, 2025
1 check passed
@SteveLasker SteveLasker mentioned this pull request Jan 21, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveLasker SteveLasker SteveLasker left review comments

@roywill roywill roywill approved these changes

@JAG-UK JAG-UK JAG-UK approved these changes

@henkbirkholz henkbirkholz henkbirkholz approved these changes

@OR13 OR13 OR13 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Draft 03
Development

Successfully merging this pull request may close these issues.
6 participants
@achamayou @SteveLasker @OR13 @henkbirkholz @JAG-UK @roywill