CBOM for liboqs #1336
Comments
|
Can you please explain the benefit of this for OQS (users and developers)? Who uses "CBOMs"? At first sight this looks like a vendor-specific/proprietary code description format, i.e., useful only for one party. The draft PR in turn adds changes to core data structures that make maintenance of Additionally, can I ask whether this has to be in |
|
Thanks @baentsch for the comments.
The CBOM spec was just recently released. It's an open specification based on the OWASP CycloneDX specification (see references above), with the plan to upstream to a next version of CycloneDX.
I think the changes you refer to is the addition of a
The format itself can be used for any library. Having the CBOM in liboqs allows other components to refer to its CBOM. OQS-openssl would have a different CBOM than liboqs. It would add a dependency to liboqs (and its CBOM) and to the algorithms it uses from liboqs. |
|
Thanks for the background, @bhess.
When is this planned? It just "feels wrong" for an OSS project (not controlled by one company) to include reference to one company's (github) repo as proposed here
I'd see the benefit of such format and tooling if & when this is truly open and generally used. What is positive is your use of the Apache license for your project.
Correct. See additional questions in the PR. The goal should be to avoid anything that creates dependencies across projects that have the potential to break things without suitable manual intervention (ensuring naming consistency in this case).
Then we're two already :)
That I find an even less desirable approach given that only a minority of algorithms with OIDs in oqs-openssl or oqs-provider are implemented in
Could you contemplate doing that for the downstream projects first before deciding how/what to include in |
Yes, correct: it's under Apache-2.0 and therefore open and available for general use.
Isn't it then more a question where the best place is for the definitions (names, oqs algorithm name, OID, code point, ...)?
Thinking about it: could it make sense to move these definitions to a separate repository, e.g.
I think it makes most sense to start with the core component liboqs and later the downstream projects that depend on liboqs. |
Such API is a very good suggestion I'd whole-heartedly welcome. Albeit -- OQS_SIG_new_by_oid I'd understand more -- where/what standardized KEM OIDs?
Conceptually Yes -- particularly as this is a rather general problem that already was suggested/came up in contexts beyond OQS, e.g. IETF-Hackathon/pqc-certificates#3. The lack of such "online registry" for "not-yet-quite standardized" IDs lead to the many sample PQ deployments done without interop in mind/capabilities (AWS, Cloudflare, Google, etc.). Thoughts welcome how/where to locate this! IETF to me sounds like a good place. This arguably would need support by quite a few teams, though.... Maybe worth while a post to the various dev mailing lists (oqs, pqc, ietf, ...)? Thoughts, @dstebila @christianpaquin ? |
Right, I primarily meant |
|
Hi all, just joining the conversation. Looks reasonably interesting. But I'm not very familiar with the software bill of materials landscape. Basil, do you know if there are other competing formats or has everyone coalesced around CycloneDX? Regarding a registry for interim identifiers, nothing has stuck; we had a spreadsheet but it stopped getting updated, then we had our YML files, but those were hard to find, and others seem to be in the same boat. IETF won't want to establish a registry for non-standardized identifiers; once they create standards, they have IANA registries to list them in. We could try again to create a spreadsheet of identifiers that are known to be used; perhaps having it as a Github repo that anyone can edit (rather than a Google docs spreadsheet that I had to maintain) might make it easier? Would have to think about the relevant fields. I do like the idea |
No spreadsheet, please -- we do need a way to trace changes.
Yes: That would also allow tracking if code and artifacts (e.g., certs) fall apart due to an incorrect edit.
Well, we still have them and use them to drive all code generation. That they're hard to find is our fault alone: We'd simply need to publish them prominently -- if we have the chutzpah to be the "guardians of the unassigned numbers" (IUNA, so to say ;-) |
We found CycloneDX the most aligned with a cbom use case, it was initially designed for application security analysis and already supports several use cases in this domain. The main alternative is SPDX which is mainly about licenses. As far as I know there is no other open format that supports the cbom use case out of the box. Regarding registry, I'd also support a github repository to be able to keep track. As first step just collect the different yml definition files there. The projects can then directly pull it as subrepo. |
Okay, makes sense.
Sure, we can create it as a repo under the OQS organization on Github or create it somewhere else.
I have never had much success using Git's submodule feature. In principle it works, but I think it is quite awkward because clones of the repo don't actually give you the contents of the sub-repo, you have to do extra steps. But we can worry about that if and when the time comes. |
ACK. Using submodules isn't a fool-proof approach to always get the most current version of some file. I'd rather suggest a git-based repo that also is viewable via web-browser (to address the "hard-to-find" concern): So, in summary of all of the suggestions above, what about this:
I'd suggest this to be (the git repo behind) openquantumsafe.org, to announce this widely and invite everyone to submit new entries (if they for some reason don't want to/did not already use an ID listed there). As soon as IANA assigns IDs we simply add those and refrain from updates to such IANA-assigned IDs: The (new/TBD) alg-id logic in our projects would keep ticking identically for truly standardized and still-experimental algs. |
|
Regression testing.
…On Thu, 22 Dec 2022 at 23:05, Michael Baentsch ***@***.***> wrote:
I have never had much success using Git's submodule feature. In principle
it works, but I think it is quite awkward because clones of the repo don't
actually give you the contents of the sub-repo, you have to do extra steps.
ACK. Using submodules isn't a fool-proof approach to always get the most
current version of some file. I'd rather suggest a git-based repo that also
is viewable via web-browser (to address the "hard-to-find" concern): So, in
summary of all of the suggestions above, what about this:
- We collect all ID-defining YML files in one git-tracked location
- Combine this with a YML->MD or HTML generator we already have such
as to display contents readable & prominently
- Ensure all IDs are keyed by OID (both for SIG and KEMs) and carry a
date (of introduction)
- Only ever add to it -> new alg versions *need* a new OID, but *may*
carry an existing liboqs/openssl/openssh name; git (version) references to
actual algs arguably also need to be in there (and possibly other
information, e.g., NIST submission reference text, etc.)
- Use this central place to pull the most current ID set when building
liboqs, oqs-openssl, oqs-provider, oqs-openssh,
test.openquantumsafe.org and current docker images (incl. interop test
images).
I'd suggest this to be (the git repo behind) openquantumsafe.org, to
announce this widely and invite everyone to submit new entries (if they for
some reason don't want to/did not already use an ID listed there). As soon
as IANA assigns IDs we simply add those and refrain from updates to such
IANA-assigned IDs: The (new/TBD) alg-id logic in our projects would keep
ticking identically for truly standardized and still-experimental algs.
—
Reply to this email directly, view it on GitHub
<#1336 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA5TUIIDDO4VMAYGAVY4ILWOQRU7ANCNFSM6AAAAAATEVXPSQ>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Cryptography Bill of Materials (CBOM) [1] is a format to describe cryptographic assets (such as libraries, algorithms) and their dependencies. It's an extension to the CycloneDX standard [2] for Software Bills of Materials.
(C)BOMs simplify, for example, the exchange of component composition and add visibility of components and dependencies.
This issue is about generating a CBOM of liboqs. Much of the required information is already available on the yml-doc files. They can be used to generate a CBOM (json file).
[1] https://github.com/IBM/CBOM
[2] https://cyclonedx.org
The text was updated successfully, but these errors were encountered: