Internet-Draft | SCITT Extension Supply Chain | July 2025
Aoki | Expires 8 January 2026
This document includes a collection of representative Computational Supply Chain Use Cases. These use cases aim to identify computational supply chain problems that the industry faces today and act as a guideline for developing a comprehensive security architecture and solutions for these scenarios.
This note is to be removed before publishing as an RFC.
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-nobuo-scitt-use-cases-extension/.
Discussion of this document takes place on the SCITT Working Group mailing list (mailto:scitt@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/scitt/. Subscribe at https://www.ietf.org/mailman/listinfo/scitt/.
Source for this draft and an issue tracker can be found at https://github.com/aoki-n1/draft-nobuo-scitt-use-cases-extension.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 8 January 2026.
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
The supply chain for the components that make up a computer system spans the entire lifecycle, including hardware selection, system design, development, build, integration, deployment, and maintenance. In the software supply chain, SBOM and the SCITT architecture are exemplary initiatives that enhance software transparency. Discussions focusing on hardware and its interfaces are also beginning. These supply chain security measures are expected to reduce the complexity of software and provide visibility into its lifecycle, thereby reducing the number of cyber threats that can cause harmful effects such as risks related to the system's attack surface, data leaks, business disruptions, and damage to reputation, intellectual property, and financial assets.
On the other hand, thorough supply chain security for computer systems can only be achieved by integrating support from the hardware up through the software stack, which enables effective risk assessment and mitigation. Modern computer systems are shaped by evolving computer architectures and increasingly complex software stacks, so integrated management of their components is not always straightforward. End users, such as consumers, need to be able to evaluate whether suppliers maintain appropriate security practices without requiring access to proprietary intellectual property; this necessitates an evolutionary extension of the SCITT specification. Post-SCITT compliant products support management of compliance with legal, regulatory, and technical requirements (which often differ but overlap and interrelate), risk assessment, and detection of supply chain attacks throughout the entire lifecycle, while prioritizing data privacy.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
Supply chain security is a crucial requirement for ensuring the stable supply of materials that directly impact consumer survival and of those widely used by the majority of consumers, while minimizing threats related to the economy, public health, and safety. As an extension of discussions in the physical domain, a definition of software supply chain security in the cyber domain has been established [SoK-SW-SCS]. This follows from the numerous supply chain attacks targeting vulnerabilities in the software supply chain that have been experienced globally, as well as from academic progress in analyzing these attack vectors. This analysis can also be applied to the supply chains of computer systems, which include both hardware and software. Supply chain attacks on computer systems typically involve attackers gaining initial access, making malicious changes upstream in the supply chain, and exploiting vulnerabilities in downstream systems that are already in operation.
The SCITT Architecture [I-D.draft-ietf-scitt-architecture] defines the core objects, identifiers and workflows necessary to interact with a SCITT Transparency Service:
The extended YANG data model with transparency schemas [RFC9472] defines schemas for mapping SBOMs and vulnerability information.
As described above, specifications for software supply chain security are maturing; however, it remains unclear whether existing standard specifications can be followed while also encompassing a scope that extends beyond software.
Software integration is an essential task in building computer systems. Software development is increasingly organized as an ecosystem, in which various software components are procured from multiple suppliers at different layers and assembled into packages of varying sizes. These include a considerable number of third-party components. Furthermore, depending on the design, there may be cases where components are not strictly separated from one another. Additionally, modern computer systems adopt a variety of architectures and infrastructures. Just as software stacks grow more complex, computer architectures continue to evolve to keep pace with advancements in applications and hardware.
End-consumers want:
all hardware and software components required to build a computer system to be displayed
the ability to identify and retrieve all components from a secure and tamper-proof location
to receive an alert when a vulnerability scan detects a known security issue on a running component
verifiable proofs of the build process and build environment across all supplier tiers to ensure end-to-end build quality and security
SCITT provides a standardized way to:
provide a tiered and transparent framework that allows for verification of the integrity and authenticity of the integrated hardware and software at both component and product level before use
notify hardware and software integrators of vulnerabilities identified during security scans of running components
provide valid annotations on build integrity to ensure conformance
provide an interface that reconciles the division of responsibilities between the software and hardware sides
The privacy considerations of the SCITT Architecture [I-D.draft-ietf-scitt-architecture] apply.