
Richard "Dick" Brooks

The Important Role of a Trust Registry in the Software Supply Chain

Trust registries are a vitally important part of our economy and a necessity for many legal documents that need to be trustworthy. They are all around us and one trust registry in particular serves as a role model for determining trustworthiness of software products.

A “Registry of Deeds” is an example of a “Trust Registry” that many people encounter in their daily lives. I used data from the “Massachusetts Land Records Database” (i.e., a Registry of Deeds) when researching properties that I was interested in purchasing. The materials found in a “Registry of Deeds” are subject to a rigid process to ensure that only trustworthy data is placed into the Registry. Why is this important? Because people use the information in a “Registry of Deeds” to make investment decisions, so the data must be trustworthy: the people relying on it need assurance that proper vetting keeps fraudulent information out of the registry. People using “Registry of Deeds” data implicitly trust that the materials in the registry are indeed trustworthy, which means they don’t have to do their own investigation to determine the trustworthiness of a deed.

Today, there is no such thing as a nationally recognized “Trust Registry” for software products and the artifacts that are part of the “software supply chain of trust”. People who want to purchase and install a software product, or check it for vulnerabilities, are on their own to identify and acquire the materials needed to ascertain the trustworthiness of that product. The work can be daunting and time consuming, and may not result in a reliable determination of “trust”. Can the industry help solve this problem? Yes, it can; the IETF Supply Chain Integrity, Transparency and Trust (SCITT) working group is working on a “Trust Registry” for the software supply chain that aims to serve a role similar to the one a “Registry of Deeds” provides for land records, but for software products.

The purpose of a “SCITT Trust Registry” is to give people access to trustworthy information that can be used both to make software product buying decisions and to monitor software trustworthiness on an ongoing basis. A SCITT Trust Registry Operator is responsible for managing the contents of a SCITT Trust Registry to ensure that only trusted statements are recorded in the registry. There are many types of “trust statements” in a software supply chain that can be placed into a SCITT Trust Registry, e.g., SBOMs, Vulnerability Disclosure Reports, Cybersecurity Trust Marks (labels), and risk assessment evidence data that can be presented in a lawsuit involving a cybersecurity incident.

There are many viable uses for a SCITT Trust Registry that can help software consumers. It is imperative that the processes used to populate a SCITT Trust Registry are “high integrity”, so that only “trusted statements” are placed into the registry and the materials returned by a “SCITT Trust Registry” inquiry (e.g., through a Transparency Service) are trustworthy from a consumer’s perspective, eliminating the need to do any additional research to ascertain the trustworthiness of software products. Just as a “Registry of Deeds” is used to acquire the “truth” about land ownership and issues affecting a property, a SCITT Trust Registry can do the same for software products and software supply chain artifacts.
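To make the two halves of that process concrete, here is an added example (not code from the author or from the IETF SCITT drafts) of a simplified trust registry: the operator side applies a registration policy before recording a signed statement in an append-only, hash-chained log, and the consumer side verifies the receipt it gets back without having to trust the operator's word. The issuer names, keys and HMAC-based "signature" are constructed stand-ins; real SCITT statements are signed with public-key signatures and the log structure is more elaborate.

```python
import hashlib, hmac, json

# Constructed issuer keys; HMAC stands in for the issuer's real digital signature.
ISSUER_KEYS = {"vendor-a": b"constructed-key-a", "vendor-b": b"constructed-key-b"}
TRUSTED_ISSUERS = {"vendor-a"}          # registration policy: vetted issuers only
ALLOWED_TYPES = {"sbom", "vdr"}         # statement kinds the registry will record

def sign_statement(issuer, stmt_type, payload):
    """Issuer produces a signed statement (SBOM, VDR, ...) to submit for registration."""
    body = json.dumps({"issuer": issuer, "type": stmt_type, "payload": payload},
                      sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()}

def leaf_hash(body): return hashlib.sha256(b"\x00" + body).digest()
def node_hash(left, right): return hashlib.sha256(b"\x01" + left + right).digest()

def merkle(leaves, idx):
    """Return (root, audit path) for leaves[idx]; RFC 6962-style binary split."""
    if len(leaves) == 1:
        return leaves[0], []
    k = 1
    while k * 2 < len(leaves): k *= 2            # largest power of two below n
    if idx < k:
        root_l, path = merkle(leaves[:k], idx)
        root_r, _ = merkle(leaves[k:], 0)
        return node_hash(root_l, root_r), path + [("R", root_r)]
    root_l, _ = merkle(leaves[:k], 0)
    root_r, path = merkle(leaves[k:], idx - k)
    return node_hash(root_l, root_r), path + [("L", root_l)]

class TrustRegistry:
    """Operator side: policy check first, then append to a log that is never rewritten."""
    def __init__(self): self.leaves = []

    def register(self, signed):
        meta = json.loads(signed["body"])
        if meta["issuer"] not in TRUSTED_ISSUERS or meta["type"] not in ALLOWED_TYPES:
            return None                          # policy rejects: nothing is recorded
        expected = hmac.new(ISSUER_KEYS[meta["issuer"]], signed["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            return None                          # tampered or forged statement
        self.leaves.append(leaf_hash(signed["body"]))
        idx = len(self.leaves) - 1
        root, path = merkle(self.leaves, idx)
        return {"index": idx, "path": path, "root": root}   # the receipt handed back

def verify_receipt(body, receipt):
    """Consumer side: recompute the path to the root; the operator's say-so is not needed."""
    h = leaf_hash(body)
    for side, sibling in receipt["path"]:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == receipt["root"]
```

A receipt binds one statement to one tree root, so it keeps verifying even after later entries are appended, while any edit to the statement body or the log invalidates it.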

The IETF SCITT initiative is currently under development; additional information is available on the IETF SCITT website and the SCITT mailing list used by the working group. I’ll be talking more about the role of a “Software Trust Registry” and the preservation of tamper-proof risk assessment evidence for any shareholder lawsuits following a cyber incident at the BSides CT conference on 9/30 hosted by Quinnipiac University. Energy Central is also planning a PowerSession on the SEC Cybersecurity Regulations that go live in December 2023; keep an eye out for an announcement – we have an excellent set of industry experts who have agreed to share their insights during this session.
