Hi Trevor, I think one concern I have with Option 1 is, it will only work for the VVP compliance testing, as soon as we move towards more advanced testing (i.e. live cycle testing, etc), it would cause a split path for VNF testing, where you have to do 1/2 of your testing through a web portal and then 1/2 on some type NFVI / MANO platform that is in your lab or another lab. I think this will just make for a complicated future.
For option 2, this provides some protection, but a clever user could always just overwrite what is in the logs before submitting this. Many of these questions / points were already talked about a lot within the OPNFV program, when that was developed and there was a desire to protect the results as well. Cheers, Lincoln On Thu, Feb 7, 2019 at 10:42 AM LOVETT, TREVOR J <[email protected]> wrote: > During the call, one item that came up was how to lessen the likelihood of > a fraudulent report being submitted as part of the certification/badging > process. > > > > One suggestion was to include additional runtime, vnf-specific trace > information in the report itself making it more difficult to fabricate. > The VVP team discussed this, but we feel this would be non-trivial to > implement and not truly prevent the core issue. We would not be in favor > of pursuing this option. > > > > If we feel that we need to protect against fraudulent reports, then we are > suggesting two alternatives that can be discussed in a future session. > > > > 1) *Certification Portal Executes the validations directly using > Dovetail*: > > a. Since we are only scanning a set of static files, and the > validation tools will be available in a container for execution, we could > simply have the portal run the scan upon uploading of the artifacts. This > eliminates a fraudulent report submission entirely, and avoids other issues > such as ensuring the proper versions of the tools are executed externally. > > b. I do understand there may be sensitivity to uploading the > proprietary artifacts, but there is no need for them to be stored or shared > indefinitely. They would only need to be retained for the duration of the > scan. After that we simply need to retain the checksum of the artifact > that was submitted. > > c. If we simply don’t think VNF Providers would agree to that, then > our back-up option is below > > *2) **Display Artifact Checksum Along with Badge* > > *a. *The VVP tool already computes an MD5 hash of all the file > contents and stores that in the report > > *b. *If we retain this information and publish it on the > certification site, then the ultimate consumer of the artifact can at least > verify the artifact they receive from the vendor corresponds to the > artifact submitted for certification. We should likely do this even in > option #1 for the same reason. > > *c. *This doesn’t mean prevent the provider from submitting a > fabricated report, but it does ensure that it can be challenged and > verified after-the-fact if needed. > > *d. *I believe the CSAR similarly has an checksum that can be used > for this purpose as well. > > > > We can discuss the topic further in one of our upcoming joint calls. > > > > Thanks, > > Trevor > > > > *From:* [email protected] [mailto:[email protected]] *On > Behalf Of *Gaoweitao(Victor) > *Sent:* Sunday, February 03, 2019 2:26 AM > *To:* [email protected]; [email protected]; > [email protected] > *Cc:* Kanagaraj Manickam <[email protected]>; Lincoln Lavoie < > [email protected]> > *Subject:* [onap-discuss] CVC Jonit Meeting (Feb 4th) Agenda > > > > Hi VNFSDK/VVP/Dovetail Developers, > > > > Here is the initial agenda for Feb 4th Joint meeting > <https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_CVC-2BJoint-2BMeeting-2B02-2D04-2D2019&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=-YhkEGJSSKD46SqQByjR_bJvnYWC7lsI62elfSWGTQA&e=>, > feel free to add your topics: > > > > 1. CVC one click deployment > > 2. Show marketplace capability and is it possible used for dovetail > test script execution trigger? > > > > I will be absence due to Chinese new year and Kanagraj from VNFSDK Team is > my proxy and host the meeting. > > > > The zoom bridge is still available during my absence: > https://zoom.us/j/346625009 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__zoom.us_j_346625009&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=-wmrOsLWyh45frQOsVJCAqGlh2DmMNJu15PMacF17Z0&e=> > > > > The previous meeting minutes is here: > https://wiki.onap.org/display/DW/Joint+CVC+Meeting > <https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_Joint-2BCVC-2BMeeting&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=mkSu7O2_kzmJipm2xlbfaaZGwXViIQJvQt12MmFifJo&e=> > > > > > > BR > > Victor > > _._,_._,_ > ------------------------------ > > Links: > > You receive all messages sent to this group. > > View/Reply Online (#15324) > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_message_15324&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=2DIdFBAfxs43n6h4Lw6yH2FGyRmBqimlbz41vQNgGtw&e=> > | Reply To Group > <[email protected]?subject=Re:%20%5Bonap-discuss%5D%20CVC%20Jonit%20Meeting%20%28Feb%204th%29%20Agenda> > | Reply To Sender > <[email protected]?subject=Private:%20Re:%20%5Bonap-discuss%5D%20CVC%20Jonit%20Meeting%20%28Feb%204th%29%20Agenda> > | Mute This Topic > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_mt_29638769_1198157&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=LeTLkAhNSX8sD_rxDuVs1mIlWHYZESMZPmuIf18ic_A&e=> > | New Topic > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_post&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=rxFGHYc7sNu0tzbdyYovrN7Kpnj-T_bZ9Gu0niWSMT8&e=> > > Your Subscription > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_editsub_1198157&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=6n1a-52slPnkgXiGGJySGaZzkxq_t5TrSTw_o9GtvqI&e=> > | Contact Group Owner <[email protected]> | Unsubscribe > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_unsub&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=x3ICz0g1PsytMM03urA8OHzkY-WW_yA77jqC4tU5b7Q&e=> > [[email protected]] > > _._,_._,_ > -- *Lincoln Lavoie* Senior Engineer, Broadband Technologies 21 Madbury Rd., Ste. 100, Durham, NH 03824 [email protected] https://www.iol.unh.edu +1-603-674-2755 (m) <https://www.iol.unh.edu/>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#22769): https://lists.opnfv.org/g/opnfv-tech-discuss/message/22769 Mute This Topic: https://lists.opnfv.org/mt/29667350/21656 Group Owner: [email protected] Unsubscribe: https://lists.opnfv.org/g/opnfv-tech-discuss/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
