Federation via ActivityPub #37

johnandersen777 · 2023-10-16T06:49:46Z

This pull request adds an option for federating events via the ActivityPub protocol.
- Federation of SCITT events, such as receipt created, enable near real-time communication between supply chains.
- Acceptance of claims to SCITT where payload data contains VEX, VSA, VRF, SBOM, S2C2F alignment attestations, etc. has the side effect of enabling a consistent pattern for notification of new vulnerability (OpenSSF Stream 8) and other Software Supply Chain Security data.

Jump to viewing docs

References
- Federation part 1 ietf-wg-scitt/draft-ietf-scitt-architecture#79
- SCITT Architecture: 7. Federation
- https://www.w3.org/TR/activitypub/
- OpenSSF Stream 8: Coordinate Industry-Wide Data Sharing to Improve the Research That Helps Determine the Most Critical OSS Components
- Notifications of new VEX openvex/spec#9
- Use Case: Attestations of alignment to S2C2F and org overlays ietf-scitt/use-cases#18
- https://scitt.unstable.chadig.com
TODO
- Federate Receipt Created event
  - Create a note to the outbox on receipt creation
    - Receipt Created event federated data
      - Receipt
      - Entry ID
      - Claim
      - treeAlgorithm
      - Public Service Parameters (are all these okay to be public?)
        
        Used to verify receipts
        
        Discovery of service parameters ietf-wg-scitt/draft-ietf-scitt-architecture#96
  - Alice and Bob ActivityPub Following each other
  - Receiving events on new receipts
  - Receipt verification
  - Submission of claim to receiving log
    - Add entry_id to receipt (wait for Cedrick to write up)
    - ~~Make entry IDs hash's of claims to enable content addressablilty~~
      - Decide if this is okay to dis-allow registration of the same claim twice of if that should be allowed
        
        Federation part 1 ietf-wg-scitt/draft-ietf-scitt-architecture#79 (comment)
- Documentation
  - Basic example showing claims inserted into Bob's log also being inserted in to Alice's log
- Addition of routes to server.py
  - ~~Bovine Herd servers not able to resolve accounts in each other to follow via webfinger~~
- Demo at IETF 118 SCITT Meeting
  - https://notes.ietf.org/notes-ietf-118-scitt
  - https://www.meetecho.com/ietf118/recordings/#SCITT
- Tests
  - Stupid mock client requests / DNS servers, replace with localhost?
- Arch PRs
  - Federation options in service parameters
  - Federation extensions for different threat model contexts
    - ActivityPub
Future
- verify_statement key resolution via ActivityPub publicKeyPem lookup
- Actors as Feeds (as Subjects)
- Documentation
  - Federation with differing insert policies
  - OIDC auth middleware with GitHub Actions example workflow #31
    - Potentially enable OIDC auth on submission to each endpoint so it becomes more obvious why we want the instances themselves federating
- Align on and document in SCITT 7. Federation what events should be federated
- Mapping for entry ID across instances when claims are not content addressable

Last known working commit: 5c0918b
Previous last known working commit: 88b38ed

Related: scitt-community#37 Signed-off-by: John Andersen <johnandersenpdx@gmail.com>

…usness: Remove references to Heartwood link to SCITT ActivityPub pull request Related: scitt-community/scitt-api-emulator#37