Thanks Ash! That’s a very visionary view.

I’m not sure if this blockchain thing matches our needs, but anyway I will take 
a look into it.

On Jan 13, 2017, at 23:03, Ash Young <[email protected]> wrote:

I agree with you Lincoln. My concern with this discussion is that it sounds 
like we're about to go down a path that we're going to find ourselves re-doing 
in the not-too-distant future. Has anyone considered using blockchain to 
establish the id of the scripts, the infra, the users, etc.? At least then we 
have a standardized (or pending standard) for creating an immutable ledger of 
the trust, the exchange, the transaction, the participants, etc. We're talking 
about ensuring the overall integrity of the chain of custody. And that's what 
this technology is for. Right now, we have a couple of key projects in 
Hyperledger that can help with this (e.g., Fabric and Sawtooth Lake). Also, 
we're talking about an exchange between Customer and Vendor. There is a 
project, ProjectVRM, that was created for facilitating this purpose. They've 
created a protocol for this.

Anyway, the only other question I have is how do you plan to "upload" the keys? 
I imagine this is an unattended operation.

BTW, I've copied this to the Security team, since it kinda is a relevant 
security discussion.

Ash


On Thu, Jan 12, 2017 at 5:49 PM, Lincoln Lavoie <[email protected]> wrote:
Hi Yujun,

The challenge is how to provide the "id" of the "scripts" and the private key 
infrastructure.  For what I proposed, that would be part of the release 
process, with OPNFV staff taking the role to handle the generation / 
maintenance of the private key.  That key combined with the hash for the test 
"scripts" would allow the signed results to verify they were run using 
unchanged "scripts / code."  We could extract out the signing / validity 
checker part of the project, make that more general, and then any project could 
use that system to "sign" its output.

Cheers,
Lincoln




On Thu, Jan 12, 2017 at 8:14 PM, Yujun Zhang <[email protected]> wrote:
Hi, Lincoln, Leo

QTIP project is also very interested in digital signatures of test data and 
report. It seems to be a common requirement from all test projects.

I wonder if it is possible to provide it in OPNFV infra as a service, maybe 
integrate it in CI evolution.

cc @Fatih, @Morgan.

--
Yujun

On Fri, Jan 13, 2017 at 6:08 AM Lincoln Lavoie <[email protected]> wrote:
Hi Leo,

It may be worth separating the encryption from the signature piece.  I believe 
the primary purpose of the security requirements was to ensure the integrity 
of the testing (i.e. the dovetail tests were not modified by the tester, to 
"solve" a failure).  In this process, I don't believe that is accomplished, 
because the scripts are generating their own key each time.  I think this will 
also lead to a nightmare number of keys that have to be kept, maintained, and 
tracked to look at results run in the past.

Attached is a different approach.  This approach would only sign the results, 
which protects their integrity compared against the scripts that were used to 
generate the results.  If a user wanted to "protect" their results, I would 
leave it to them to encrypt them and share keys with the expected "consumer."  
In this approach, OPNFV Staff would be responsible for maintaining the public / 
private key (which should likely be updated with each release).  That key is 
used, along with a hash (MD5 sum or similar) of the Dovetail "scripts" to sign 
the results.  That signature can then be validated against the public key, to 
ensure the scripts or results were not tampered with prior to review.  This 
approach assumes the trust is placed with the OPNFV staff, in building 
(compiling) the integrity tool w/ the private key, and providing only the 
compiled version with each release (private key would have to be protected within 
that tool).

The "gotcha" is making sure that compiled tool can run on all platforms and 
ensuring the private key is well protected.  And, if the OPNFV staff are able 
to maintain the set of keys, etc.



Thoughts?

Cheers,
Lincoln



On Thu, Jan 12, 2017 at 4:46 AM, Leo Wang <[email protected]> wrote:
Hi, Luke and Lincoln,


The Dovetail team plans to add this feature to the dovetail tool, and needs your 
professional advice from the security group and 3rd party lab,

so would you guys take the time to review this idea?

Thank you both in advance!

I’ve updated the diagram with digital signature, and both encryption and digital 
signature can be optional to fit the user’s demand

for details, please check this link:
https://wiki.opnfv.org/display/dovetail/Dovetail+Security+of+Report
<encryption and digital signature (2).png>



On Dec 27, 2016, at 18:00, Lijun (Matthew) <[email protected]> wrote:

digital signature should be added to do integrity checks, etc. +1.

/MatthewLi
From: Leo Wang
To: Yujun Zhang
Cc: Motamary, Shabrinath via opnfv-tech-discuss
Date: 2016-12-27 16:32:46
Subject: Re: [opnfv-tech-discuss] [dovetail]Dovetail encryption for report

Encryption or signature or certificate do have different roles in this big 
picture,

It can be done step by step.




On Dec 27, 2016, at 16:01, Yujun Zhang <[email protected]> wrote:

On Tue, Dec 27, 2016 at 3:54 PM Leo Wang <[email protected]> wrote:
As I mentioned, someone did show their concern on the security of the test report, 
so dovetail will provide this optional parameter for them

Digital signature is used to identify the source and its integrity, and surely 
it can raise the security level, or even better to get a digital certificate to 
make it more secure?

Sure.

You may refer to the international standard ISO/IEC 17065 on how to certify a 
product. The standard is not about technical solution but quality processes and 
organizations.

Encryption or signature are all technical methods to enhance the authority of a 
certification program.





--
*******************************************************************************
Lincoln Lavoie
Senior Engineer, Broadband Technologies

www.iol.unh.edu
21 Madbury Rd., Ste. 100, Durham, NH 03824
Mobile: +1-603-674-2755
[email protected]

Ars sine scientia nihil est! -- Art without science is nothing.
Scientia sine ars est vacua! -- Science without art is empty.
*******************************************************************************
_______________________________________________
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
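
The sign-the-results approach Lincoln describes in this thread, as an added example that is not part of the thread or of Dovetail's code: results are signed together with a hash of the scripts that were run, and the reviewer verifies against the script hash published for the release. Assumptions: SHA-256 and Ed25519 are chosen here (the thread says only "MD5 sum or similar" and "public / private key"), and every function name, script name and result value is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// NewReleaseKey makes the per-release key pair; a nil reader selects crypto/rand.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil)
}

// HashScripts digests names and contents in sorted order, length-prefixed so bytes cannot shift between files unnoticed.
func HashScripts(scripts map[string][]byte) []byte {
	names := make([]string, 0, len(scripts))
	for n := range scripts {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%d:%s:%d:", len(n), n, len(scripts[n]))
		h.Write(scripts[n])
	}
	return h.Sum(nil)
}

// SignReport signs (digest of the scripts actually run || results), as the release tool would.
func SignReport(priv ed25519.PrivateKey, scripts map[string][]byte, results []byte) []byte {
	return ed25519.Sign(priv, append(HashScripts(scripts), results...))
}

// VerifyReport is the reviewer's check against the script digest published with the release.
func VerifyReport(pub ed25519.PublicKey, releaseHash, results, sig []byte) bool {
	msg := append(append([]byte{}, releaseHash...), results...) // copy; do not alias the caller's slice
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, err := NewReleaseKey()
	if err != nil {
		panic(err)
	}
	scripts := map[string][]byte{"tc001.py": []byte("assert ping(vm)\n")} // constructed sample
	sig := SignReport(priv, scripts, []byte(`{"tc001":"FAIL"}`))
	edited := []byte(`{"tc001":"PASS"}`) // result changed after signing
	fmt.Println("edited report accepted:", VerifyReport(pub, HashScripts(scripts), edited, sig))
}
```

The sketch covers only the sign and verify steps; protecting the private key inside a distributed tool, which the thread calls the "gotcha", is outside what it shows.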


