OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested


 

As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

Regards

Shane 

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Takashi Ninjouji
 

Hello Mark and Shane,

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something.
My understanding is as follows:

(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide, and each duration will be managed separately.

(2) In practice, if a program that is already OpenChain conformant newly becomes conformant to this guide, it may be possible to renew conformance to this guide in conjunction with the subsequent OpenChain conformance renewal.

Are all of the above OK?

Best Regards
Tak



On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:

Christopher Wood
 

Hello
Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
Thanks 
Chris

On Nov 2, 2021, at 5:16 PM, Takashi Ninjouji <takashi.ninjouji@...> wrote:


Mark Gisi
 

Hi Tak,

 

>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.

 

One can declare conformance with the guide. According to section 3.4.2:

    3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation.

Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) has been met, including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., a major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.

 

>> if a program that is already OpenChain conformant newly becomes conformant to this guide, it may be possible to renew conformance to this guide in conjunction with the subsequent OpenChain conformance renewal.

 

Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18-month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.

 

Please let us know if you would like additional clarification.

 

best,

Mark

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

From: Takashi NINJOUJI <takashi.ninjouji@...>
Sent: Tuesday, November 2, 2021 3:16 PM
To: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Cc: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested



Mark Gisi
 

Hi Chris,

 

>> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

 

We introduced the security assurance guide as a separate deliverable initially to reduce friction to adoption of both the spec and security guide. We did not want to have a company feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer requires it). That is, they are separate but highly complementary. The long term objective is to create trust in open source by working toward creating a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit their needs. For that reason we are trying to avoid creating a single monolithic specification.

 

Let us know if that does not completely address your concern.

 

best,

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

From: main@... <main@...> On Behalf Of Christopher Wood
Sent: Tuesday, November 2, 2021 3:43 PM
To: main@...
Cc: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested



takashi1.ninjouji@...
 

Thanks a lot, Mark!

My understanding is getting better than before :)

>> there is no specific way to declare conformance to this guide.

I should correct my comment above, because what I intended was the following:
  "There is no registration procedure such as in §3.6.2 of OpenChain Specification."

> At this point, companies will be able to present their evidence of conformance to any
> party (e.g., key customers). It is not mandatory to make the evidence public, but it is
> possible if you choose to do so.

§3.4 of this guide corresponds to §3.6 of the OpenChain Specification; if so, this clause does not necessarily imply an intention to publish evidence.

In supply and consumption, it is no wonder there is more interest in SBOMs.

I hope that the community and industry can build a consensus on the quality of SBOMs together. So, I guess it is important to discuss SBOM format, compliance workflows, and automation processes for this purpose.


BR,
Tak


From: main@... <main@...> on behalf of Mark Gisi <mark.gisi@...>
Sent: November 3, 2021 15:32
To: Takashi NINJOUJI <takashi.ninjouji@...>; Shane Coughlan <scoughlan@...>
CC: main@... <main@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested


Mark Gisi
 

Hi Tak,

 

>> "There is no registration procedure such as in §3.6.2 of OpenChain Specification."

 

That is correct - conformance is obtained once an organization has satisfied all the requirements (verification materials). This is achieved by guide requirement 3.4.2.1. I can make the case that – although registration is a helpful aid, it is not a requirement for spec conformance. That is – there are no verification materials that require registration. What spec conformance validation ensures is that evidence exists for each of the verification material requirements. That is achieved by 3.6.2.1.

 

>> §3.4 of this guide corresponds to §3.6 of the OpenChain specification; if so, this clause does not necessarily mean intending to publish evidence.

 

That is correct. There is no requirement to publish or make the evidence public. In fact, most will likely not choose that path. However, an organization is required to maintain digital evidence that all the requirements have been met. It is conceivable that if a supplier claims conformance, that their customer may request to see the evidence. Whether the evidence is provided to a customer is up to the negotiations between the two parties and likely subject to an NDA (assuming they agree).

 

Best,

Mark

 

 

 

From: main@... <main@...> On Behalf Of takashi1.ninjouji@...
Sent: Wednesday, November 3, 2021 3:02 PM
To: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
