
[Proposal] Whitepaper on Public Sector Software Supply Chain

Open idunbarh opened this issue 1 month ago • 0 comments

Public Sector CNCF Members are seeing Government Customer focus on securing software supply chains and receiving attestations. These attestations need to be signed and have provenance that bridges multiple company and network boundaries.

These boundaries and the sensitive nature of the products make using public repositories and public signing services unusable.

The proposal is to create a whitepaper that outlines strategies to cover several different topics.

  • How multiple entities can establish roots of trust which can be used to verify signatures.
  • Document metadata required to meet customer requirements
  • Outline CNCF and OpenSSF projects that can help solve roots of trust and share the outlined metadata
  • Document consistent approaches to privately sharing signed attestations
  • Document approaches to policy/verification of attestations

@Charley-Mann @brandtkeller @eddiezane

idunbarh avatar May 16 '24 11:05 idunbarh
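The first and last bullets of the proposal (roots of trust used to verify signatures, and policy/verification of attestations) come down to a small amount of code at the receiving organisation. The Go program below is an added illustration, not code from this issue, from the user group, or from any CNCF/OpenSSF project. It assumes the customer pins the producer's public keys out of band (a map keyed by key id standing in for a real trust root such as a TUF repository or an HSM-backed key list), uses the in-toto Statement and DSSE envelope layouts with the DSSE pre-authentication encoding, and signs with an Ed25519 key from the Go standard library; the key ids, builder URI, predicate type and artifact digest are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a minimal in-toto style attestation body (constructed for this example).
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

// Subject names the artifact the attestation is about, with its content digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Predicate carries the claim; here only the identity of the builder that produced the artifact.
type Predicate struct {
	BuilderID string `json:"builderId"`
}

// Envelope follows the DSSE layout: base64 payload plus signatures tagged with a key id.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature is one DSSE signature entry.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// TrustRoot is the verifier's pinned set of producer keys, exchanged between the
// organisations out of band instead of being fetched from a public signing service.
type TrustRoot map[string]ed25519.PublicKey

const payloadType = "application/vnd.in-toto+json"

// pae builds the DSSE pre-authentication encoding so the signature also binds the payload type.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewKeyPair generates an Ed25519 key pair; a production signer would hold the private key in a KMS/HSM.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign wraps the statement in a DSSE envelope signed by the producer's key.
func Sign(priv ed25519.PrivateKey, keyID string, stmt Statement) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify accepts the envelope only if at least one signature was made by a key in the trust root.
// Signatures whose key id is unknown are ignored rather than looked up anywhere.
func Verify(root TrustRoot, env Envelope) (Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	msg := pae(env.PayloadType, body)
	verified := false
	for _, s := range env.Signatures {
		pub, ok := root[s.KeyID]
		if !ok {
			continue // key id not in our root of trust
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, msg, sig) {
			verified = true
			break
		}
	}
	if !verified {
		return Statement{}, errors.New("no signature from a trusted key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil {
		return Statement{}, err
	}
	return stmt, nil
}

// CheckPolicy is the customer-side rule: the attestation must cover the artifact being
// deployed and must name a builder the customer has approved.
func CheckPolicy(stmt Statement, wantSHA256 string, allowedBuilders []string) error {
	covered := false
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == wantSHA256 {
			covered = true
		}
	}
	if !covered {
		return errors.New("attestation does not cover the artifact digest")
	}
	for _, b := range allowedBuilders {
		if b == stmt.Predicate.BuilderID {
			return nil
		}
	}
	return fmt.Errorf("builder %q is not in the allowed list", stmt.Predicate.BuilderID)
}

func main() {
	pubA, privA := NewKeyPair()
	root := TrustRoot{"org-a-release-key": pubA} // constructed key id
	stmt := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "app.tar", Digest: map[string]string{"sha256": "0123abcd"}}},
		PredicateType: "https://example.com/provenance/v1", // constructed predicate type
		Predicate:     Predicate{BuilderID: "https://ci.example.com/builder"},
	}
	env, _ := Sign(privA, "org-a-release-key", stmt)
	got, err := Verify(root, env)
	fmt.Println("verify:", err, "policy:", CheckPolicy(got, "0123abcd", []string{"https://ci.example.com/builder"}))
}
```

The two checks are deliberately separate: Verify answers "did a party we trust sign exactly this payload", while CheckPolicy answers "does the signed claim satisfy our deployment rule"; an attestation that passes the first but names an unapproved builder is still rejected, and a payload swapped between two genuine envelopes fails the first because the signature is bound to the original bytes.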