[UPDATE Feb 26, 2025: The US Coast Guard has announced plans to create a "Trust Registry" (approved products list) containing products that are allowed to be installed on USCG digital ecosystems across IT and OT domains on land and sea]
[UPDATE Feb 9, 2024: A new version of the IETF Supply Chain Integrity Transparency and Trust (SCITT) Architecture is now available. The SCITT Use Cases Document is also available online.]
Apple became the first big player to announce a "Trust Registry" capability for apps obtained from anywhere on the Internet. Apple calls it a notarization service, which is effectively what a Trust Registry contains (called "signed statements" in SCITT vernacular); we call these "Trust Declarations" at REA. Here is Apple's description of the notarization function:
"Notarization for iOS apps is a baseline review that applies to all apps, regardless of their distribution channel, focused on platform policies for security and privacy and to maintain device integrity. Through a combination of automated checks and human review, Notarization will help ensure apps are free of known malware, viruses, or other security threats, function as promised, and don’t expose users to egregious fraud."
Could Apple become the "Trust Anchor" for the "digital world of things" (DWOT™) where people will only buy "Apple Trusted Products" listed in a "Trust Registry"? Apple is a trusted brand; it's conceivable to me. Interesting times ahead for manufacturers of digital products supplying to the energy industry, like video surveillance cameras and other digital products, even other apps, such as Android apps, and inverters used by DER devices. Why not?
A paper from Hitachi was presented at the World Economic Forum conference in Davos 2021 that provides practical and prudent insights on why we need a "trust anchor" for the cyber-physical fusion that is occurring in the digital world of things (DWOT™). Here is an excerpt from this paper that expresses why we need to have trust in the DWOT™:
"A functioning society is built on trust. Whether we’re drinking water from a faucet, riding an elevator or sending an e-mail, we’re trusting that somebody, somewhere, has taken the necessary steps to make sure that activity is safe.
Yet today, our shared foundation of trust is under strain as never before. Rapid social and economic change, deepening political divisions, and the disruptive impact of new technologies are stretching the limits of traditional systems of trust-building. Governments, businesses and civil society are struggling to keep up.
Our changing digital age has made it harder and harder to know just whom to trust"
Perhaps someday facilities managers in the energy industry will only buy video surveillance cameras that have the "Apple Trusted Product" label, which they can verify using a "Trust Registry". It appears Apple has some work to do first.
You're probably wondering how a customer would be able to verify that a product they download from anywhere on the Internet is in fact trustworthy, or an "Apple Trusted Product". Here is how the process works using SAG-CTR™, but first, it's important to understand that every digital product has a unique product ID called a SHA-256 hash value, which can be calculated if you have access to the product software, or a unique product name, like a PURL/SWID. SAG-CTR uses the SHA-256 hash value as a unique product ID for all "Trust Declarations" - this unique Product ID concept is key to making a "Trust Registry", and SAG-CTR, work effectively.
1. The consumer downloads a software product from the Internet (iOS app) they want to buy and install to a local folder.
2. The consumer uses a simple, free script to calculate the SHA-256 hash value for the downloaded software product, revealing its "ProductID" (the SHA-256 hash value). Some platforms have a built-in command to display the SHA-256 hash value for a file; for example, Linux has the sha256sum command that will reveal the SHA-256 hash value product ID for a software product or other software artifact.
3. The consumer queries the SAG-CTR™ "Trust Registry" using the API provided by REA to check that the product is indeed an "Apple Trusted Product", using the calculated ProductID, for example: https://softwareassuranceguardian.com/SAGCTR_inquiry/getAppleTrustLabel?ProductID=calculatedhashvalue
4. The consumer examines the results returned to determine if the "ProductID" is an "Apple Trusted Product" and makes a buying decision based on the results returned from the SAG-CTR™ query.
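The four steps above, as an added example that is not REA's or SAG-CTR's own code. Only the lookup endpoint and the ProductID parameter name are taken from the post; the registry's response format is not shown there, so the local registry dict that stands in for the API answer is a constructed assumption, and the sample "downloads" are constructed byte strings. The decision logic in step 4 treats an unknown hash as "not trusted" rather than "unknown", and the tampered-copy check shows why the exact hash matters: a one-byte change yields a different ProductID that is simply absent from the registry.

```python
import hashlib
import tempfile
import urllib.parse
from pathlib import Path

# Lookup endpoint quoted in the post; the ProductID parameter name is the one shown there.
SAGCTR_LOOKUP = "https://softwareassuranceguardian.com/SAGCTR_inquiry/getAppleTrustLabel"


def product_id_of_bytes(data: bytes) -> str:
    """ProductID = lowercase hex SHA-256 of the artifact, the same value `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


def product_id_of_file(path) -> str:
    """Step 2: hash a downloaded file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_url(pid: str) -> str:
    """Step 3: the registry query URL for a ProductID (only the hash is sent, never the file)."""
    return SAGCTR_LOOKUP + "?" + urllib.parse.urlencode({"ProductID": pid.lower()})


# Constructed stand-in for the registry's answer, keyed by ProductID. The real API's
# response format is not shown in the post, so this dict shape is an assumption.
CONSTRUCTED_REGISTRY = {
    product_id_of_bytes(b"constructed sample app v1.0"): ["APPLE_TRUSTED"],
    product_id_of_bytes(b"constructed camera firmware 2.3"): ["EUCE"],
}


def trust_labels(pid: str, registry=CONSTRUCTED_REGISTRY) -> list:
    """Step 4: labels recorded for exactly this hash. An unknown hash gets an empty
    list, and an empty list means 'not trusted', not 'unknown but probably fine'."""
    return list(registry.get(pid.lower(), []))


def is_apple_trusted(pid: str, registry=CONSTRUCTED_REGISTRY) -> bool:
    return "APPLE_TRUSTED" in trust_labels(pid, registry)


def demo() -> tuple:
    """Walk the four steps on a constructed download, then on a one-byte-modified copy."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "app.ipa"
        good.write_bytes(b"constructed sample app v1.0")
        tampered = Path(d) / "app-tampered.ipa"
        tampered.write_bytes(b"constructed sample app v1.1")
        return (
            is_apple_trusted(product_id_of_file(good)),      # listed -> True
            is_apple_trusted(product_id_of_file(tampered)),  # different hash -> False
        )


if __name__ == "__main__":
    print(lookup_url(product_id_of_bytes(b"constructed sample app v1.0")))
    print(demo())  # (True, False)
```

To use the real registry instead of the constructed dict, fetch `lookup_url(pid)` over HTTPS and feed the returned label list to the same `trust_labels` decision; the hash computation and the "absent means untrusted" rule do not change.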
Here is an actual trust label lookup for a software product; note the trust label type and product category. Consumers can look up all trusted products for a particular product category, a particular trust label, or both, i.e. show me all EU CE Mark trusted products along with their "Trust Score". Here is a lookup request for all trusted EU CE Mark labeled products for a particular product category: https://softwareassuranceguardian.com/SAGCTR_inquiry/getByProdCatLabelType?ProductSName=IOTCAMERA&LabelSName=EUCE
An example of another "Trusted Product" trust label, from Singapore, is available here, and here is one from BSI in Germany.
On February 22, 2024 the US FCC published a progress report on the US Cyber Trust Mark labeling initiative. A link to the FCC progress report is available here.
The steps above can also be used to look up other digital product "Trust Declarations", such as an EU CE Mark or a US Cyber Trust Mark, by accessing the correct SAG-CTR API along with the ProductID value. A consumer can even check if an API or PURL/SWID is trustworthy, using the SAG™ method implemented in SAG-CTR™.
A foundational trust anchor capability is coming for the digital world, IMO. This is going to give a big boost to "radical transparency" for the supply chain of digital products. The blinders are coming off and we are on the road to radical transparency for the digital world. The benefits to social welfare from having a "Trust Registry" where consumers can go to check for trusted products before buying or installing a product are significant.
"Radical Transparency" cannot be achieved until the buying public has the ability to check for trusted products using a no-cost, easy-to-use method before buying and installing a digital product in their trusted environments.
Never trust software, always verify and report!™