Author: Kim Lewandowski, on behalf of the Digital Identity Attestation Working Group
We kicked off the first Digital Identity Attestation Working Group meeting under the OpenSSF in August 2020. The objective of this working group is to enable open source maintainers, contributors and end-users to understand and make decisions about the provenance, or origin, of the code they maintain, produce and use.
We spent the first several meetings discussing different threat models as they relate to the digital identities of those involved in software supply chains, and what types of attacks are possible at each link of the chain. After this exercise, we have filled our meetings with community presentations as we all try to learn more about this space and brainstorm potential opportunities to work together on mitigating these types of attacks.
Below is a summary of the presentations to date:
- Presenter: Konstantin Ryabitsev (Linux Foundation)
- Summary: This presentation is an overview of how the Linux Kernel handles developer identity verification.
- Presenter: Santiago Torres-Arias (Purdue University)
- Summary: This presentation introduced in-toto as a framework to automate compliance for software supply chain operations, onboarding new actors (e.g., developers) within an organization, and verifying best practices on software development lifecycles. Using in-toto, these processes can be cryptographically checked to ensure each actor performed their duties properly, that no steps were missed and no evidence of these steps was tampered with.
Self Sovereign Identity
- Presenter: Arnaud Le Hors (IBM)
- Summary: A short introduction to Self Sovereign Identity, a new system of identity management allowing individuals and organizations to have control over their digital identity. This presentation introduces the overall architecture based on a specific scenario, highlights key principles, and points to various related initiatives focusing on developing supporting standards and software.
The Node.js Release Process
- Presenter: Myles Borins (GitHub)
- Summary: Myles reviewed how the Node.js project manages releases in a secure and reliable way. We looked at the tools we use to help release managers maintain multiple release lines, our testing infrastructure, and the processes we have in place to ensure reliable, consistent releases.
Git Signing with SSH
- Presenter: Damien Miller (Google)
- Summary: Discussion of the goal of having every line of code in a git repository cryptographically attributable back to an author or importer. The talk proposed refactoring git's cryptography support to allow more signature schemes than just the current gnupg, and in particular adding support for signing with SSH keys, based on the observation that most git users already have an SSH key that they use to authenticate to a repository. It also covered progress already made in OpenSSH to support arbitrary signatures that could be compatible with such a scheme. The hope is that signing with SSH keys can be made near-seamless, so that signing of commits and pushes becomes the default for most users. The discussion also touched on repository-host-side countersigning and similar measures needed to retain provenance across rebase and merge operations.
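As an added example (not from the post or any presenter), the OpenSSH arbitrary-signature support mentioned above: `ssh-keygen -Y` (OpenSSH 8.0 and later) signs a file with an SSH key, and a verifier checks it against an `allowed_signers` list, the kind of check a repository host could apply. The key pair, the principal `dev@example.invalid` and the payload are constructed for this example.

```shell
#!/bin/sh
# Added example: sign data with an SSH key via ssh-keygen -Y and verify it
# against an allowed_signers file. Key, principal and payload are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed ed25519 key pair; a real deployment uses the developer's own key.
ssh-keygen -q -t ed25519 -N '' -C 'dev@example.invalid' -f "$WORK/dev_key"

# allowed_signers maps a principal (here an e-mail) to the public key(s) trusted for it.
printf 'dev@example.invalid %s\n' "$(cat "$WORK/dev_key.pub")" > "$WORK/allowed_signers"

# Sign $1 under namespace "file"; ssh-keygen writes the signature to $1.sig.
# The namespace binds a signature to a purpose so it cannot be replayed as another.
ssh_sign() {
  ssh-keygen -Y sign -f "$WORK/dev_key" -n file "$1" 2>/dev/null
}

# Verify $1 against $1.sig for principal $2; returns 0 only for a valid signature
# from a key that allowed_signers lists for that principal.
ssh_verify() {
  ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$2" -n file \
    -s "$1.sig" < "$1" >/dev/null 2>&1
}

printf 'constructed payload: commit contents\n' > "$WORK/data"
ssh_sign "$WORK/data"

# Good signature from a known signer.
ssh_verify "$WORK/data" dev@example.invalid && echo "valid: trusted signer"

# Modified data with the original signature must be rejected.
printf 'tampered payload\n' > "$WORK/tampered"
cp "$WORK/data.sig" "$WORK/tampered.sig"
if ! ssh_verify "$WORK/tampered" dev@example.invalid; then echo "rejected: data modified"; fi

# A principal not in allowed_signers must be rejected even with a valid signature.
if ! ssh_verify "$WORK/data" stranger@example.invalid; then echo "rejected: unknown signer"; fi
```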
- Presenter: Mike Malone (Smallstep)
- Summary: An introduction to and overview of public key infrastructure (PKI) standards and technologies. Broadly, PKI deals with key distribution and management (enrollment, renewal, revocation, transparency, etc.). This presentation explores the standards and practices in place for the Web PKI (HTTPS), and how they could be applied to help secure the software supply chain.
- Presenter: Mike Schwartz
- Summary: Janssen is an open source digital identity and access management platform. Organizations can use this software to self-host an identity provider or to build this capability into a product. The project includes "Janssen Auth Server", which is an OAuth Authorization Server and an OpenID Connect Provider. Janssen Auth Server is a fork of the core component of Gluu Server 4.2.2, which was certified by the OpenID Foundation. Other components of the Janssen Project include an implementation of a W3C WebAuthn server (FIDO2), which enables people to enroll, authenticate and manage these new credentials. In addition to the source code, the Janssen Project publishes cloud native assets and a distribution which can be installed on a VM or bare metal.
- Project Home Page: https://jans.io
We're always looking for new presenters on topics in this space. If you are interested in presenting or would like to get involved with the working group, check out the GitHub repo for details on meetings and other communication channels.
In the future, this working group is looking to explore efforts around signature transparency throughout the software supply chain.
Thanks to all the presenters for taking the time to present and for their help compiling this recap!