Bug 1368 - Source Certification Contract (SCC)
Summary: Source Certification Contract (SCC)
Status: IN_PROGRESS
Alias: None
Product: General
Classification: JogAmp
Component: builds
Version: tbd
Hardware: All all
Importance: P4 normal
Assignee: Sven Gothel
URL:
Depends on: 1369
Blocks:
Reported: 2019-04-03 05:39 CEST by Sven Gothel
Modified: 2019-04-03 05:54 CEST

See Also:
Type: FEATURE
SCM Refs:
Workaround: ---
Description Sven Gothel 2019-04-03 05:39:04 CEST
Long-term goal: implementing SCC as a secure, trustworthy alternative
to simply signed jar files.

https://jogamp.org/wiki/index.php/SCC_Overview

    Are You Who You Say You Are?

This question doesn't make clear who is who, or who we are talking about.

When attempting to run a binary object on your system, users need to trust the binary and its original source code.

The question should ask for the authorship of the binary and its assumed source code; hence SCC authenticates the binary against the source code it claims to have originated from.

SCC answers:

    This binary is produced by this set of source code, which is trusted by these people.

SCC verifies whether a binary object's signature matches its assumed source code signatures.

SCC provides a list of personal signatures who trust this source code, as well as a list of personal signatures who trust this binary object. Hence SCC incorporates a chain of trust. https://en.wikipedia.org/wiki/Chain_of_trust
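The following is an added, constructed model of the idea described above (it is not JogAmp's SCC code or record format): a certification record ties a binary's digest to the digest of the source it claims to be built from, carries Ed25519 signatures of the people who vouch for the source and of those who vouch for the binary, and a verifier trusting a set of personal keys accepts the binary only if it hashes to the certified digest and both links in that chain are endorsed. The record layout, the "scc-binary:" binding message, SHA-256 and Ed25519 are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Certification: constructed model (not JogAmp's real SCC format) tying a binary digest to its claimed source digest and recording who vouches for each.
type Certification struct {
	SourceDigest [32]byte
	BinaryDigest [32]byte
	SourceSigs   map[string][]byte // signer name -> Ed25519 signature over SourceDigest
	BinarySigs   map[string][]byte // signer name -> Ed25519 signature over binaryMessage()
}

// binaryMessage binds both digests so a binary endorsement cannot be reused against a build claiming another source tree.
func binaryMessage(c *Certification) []byte {
	return append(append([]byte("scc-binary:"), c.BinaryDigest[:]...), c.SourceDigest[:]...)
}

// endorsed reports whether at least one key the verifier trusts has validly signed msg.
func endorsed(sigs map[string][]byte, trusted map[string]ed25519.PublicKey, msg []byte) bool {
	for name, pub := range trusted {
		if sig, ok := sigs[name]; ok && ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}

// Verify: the binary must hash to the certified digest, and trusted people must vouch for both the source and the binary-to-source binding.
func Verify(c *Certification, binary []byte, trusted map[string]ed25519.PublicKey) bool {
	return sha256.Sum256(binary) == c.BinaryDigest &&
		endorsed(c.SourceSigs, trusted, c.SourceDigest[:]) &&
		endorsed(c.BinarySigs, trusted, binaryMessage(c))
}

// Scenario (constructed data): alice vouches for the source, bob for the build; returns whether the genuine binary and a tampered copy are accepted.
func Scenario() (genuine, tampered bool) {
	source, binary := []byte("public class Hello {}"), []byte("\xca\xfe\xba\xbe constructed")
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Certification{SourceDigest: sha256.Sum256(source), BinaryDigest: sha256.Sum256(binary),
		SourceSigs: map[string][]byte{}, BinarySigs: map[string][]byte{}}
	c.SourceSigs["alice"] = ed25519.Sign(alicePriv, c.SourceDigest[:])
	c.BinarySigs["bob"] = ed25519.Sign(bobPriv, binaryMessage(c))
	trusted := map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}
	return Verify(c, binary, trusted), Verify(c, []byte("\xca\xfe\xba\xbe tampered"), trusted)
}
```

A verifier that trusts only alice would reject the binary in this model, because nobody it trusts vouches for the binary-to-source link.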