Skip to content
Paula Livingstone writing · projects · tools

Attestable Review: Working Notes

Literature Review: The Gap, Discharged

Where the three readings come together. Provenance, attestation, and policy each stop exactly short of representing a claim's basis and adjudicating fitness for an action; even composed, they leave that model un-supplied. The gap the problem statement asserted is now the reading's conclusion.

Three readings, each of a mechanism that comes near the problem: provenance, which records where a claim came from; attestation, which certifies who produced an artefact and that it was unaltered; and the policy engine, which decides at runtime whether an action is permitted. Each was read in its own specification, and each was pressed with the strongest version of the objection that it already does what this work proposes. This is where the three come together, and where the gap the problem statement asserted becomes something the reading has shown.

The three, on the same four questions

Each near-neighbour was examined against the same four questions, so they answer on common axes rather than each on its own terms.

Provenance (W3C PROV)Attestation (in-toto, SLSA)Policy (OPA, XACML)
What it establishesWhere a claim came from: the entities, activities, and agents in its productionWho produced an artefact, and that it was not alteredThat a decision was computed according to the rules and facts supplied
When it operatesRetrospectively; a record of what happenedAcross the supply chain; certifies production after the factAt runtime, on query, at the point of action
Represents basis, and adjudicates fitness for an action?No. Records origin; adjudicates nothingNo. Certifies custody and process; content-agnostic by constructionNo. Evaluates supplied attributes; supplies no model of them
Where it ends, by its own scopeAt the record. Assessment is a use by external partiesAt the signature. What was signed may be falseAt evaluation. The rules and the facts are the user's

Read across the bottom two rows, the three answers are one answer in three registers. None represents a claim's basis. None adjudicates fitness for an intended action. Each, by its own stated scope, stops exactly short of the question this work asks.

Why the three together still leave the gap open

The natural rejoinder is that what none covers alone, the three might cover together: provenance records the origin, attestation authenticates it, the policy engine decides on it. But composing them does not produce the missing part, because the missing part is not a fourth mechanism of the same kind. It is the model the three would operate on.

Provenance can record that a value was generated by a model; it cannot say what that licenses. Attestation can carry and sign that record across a boundary; it cannot say whether the record is true or sufficient. A policy engine can refuse an action when a claim's basis falls below the bar, but only once basis, the bar, and the action's requirement have been defined, represented, and handed to it. Each rival presupposes the same absent thing: a principled, portable representation of a claim's evidentiary basis and of the actions that basis can and cannot warrant. The three are transport, record, and evaluation. What they would transport, record, and evaluate is what does not yet exist.

Where the missing model would attach

The reading did not only find an absence. It found where the absent model would connect to what already works. Two of the rivals resolved into parts of the eventual solution rather than competitors to it:

  • Attestation as transport: an authenticated envelope that will carry a claim of basis across a trust boundary, once such a claim exists to carry.
  • The policy engine as evaluator: a runtime decision point that will adjudicate admissibility, once the model is defined and supplied to it.

The in-toto specification joins these two directly, naming automated policy engines as an attestation's intended consumers. So the existing machinery already composes into a pipeline, transport feeding evaluation, with exactly one part missing: the model of basis that would give the pipeline something meaningful to carry and to decide. That model is the contribution, and its route to deployment is now concrete rather than hypothetical.

The gap, now a finding

The problem statement asserted that no existing mechanism lets a receiving owner determine whether the evidence behind a claim is sufficient for the specific action they intend to take. After reading provenance, attestation, and policy in their own specifications, that is no longer an assertion. It is the conclusion of the reading, and each near-neighbour has testified to it in its own words. Provenance externalises the assessment, calling it a use by parties outside itself (W3C, 2013). Attestation is content-agnostic: in-toto does not validate whether the claims it carries are correct (in-toto, n.d.), and SLSA makes no claim about whether an artefact is fit for purpose (OpenSSF, 2023). The policy engine supplies no model, being domain-agnostic and accepting arbitrary input with no built-in notion of basis (Open Policy Agent, n.d.).

The gap is real, it is specific, and it is unaddressed by the mechanisms that come nearest to it. Across all of the reading, not one specification forced a claim in the problem statement to soften. The question that opens is therefore licensed: because no artefact supplies action-relative admissibility, whether one can be built is genuinely open, and worth the building.

References

in-toto (n.d.). in-toto Attestation Framework: Specification. in-toto project. github.com/in-toto/attestation

Open Policy Agent (n.d.). Documentation and Rego Policy Language Reference. openpolicyagent.org/docs/latest

OpenSSF (2023). Supply-chain Levels for Software Artifacts (SLSA): Threat Model, v1.0. Open Source Security Foundation. slsa.dev/spec/v1.0/threats

W3C (2013). PROV-Overview. W3C Working Group Note. w3.org/TR/prov-overview