aibom

aibom copied to clipboard

I suggest replacing the term "attestation" with "authenticity." This change is recommended for the following reasons:

• The term "attestation" may be confused with legal attestations of a company. ;-)
• The term "authenticity" more accurately captures the essence of verifying the originality and integrity of AI components. It directly addresses the concern of ensuring that each element is genuine and unaltered, which is a fundamental aspect of AI security.
• The concept of "authenticity" aligns closely with prevalent industry standards and practices in cybersecurity and AI development. This alignment can facilitate better understanding and compliance among practitioners and stakeholders.
• While "attestation" generally refers to a self declaration or certification by a third party, "authenticity" is more aligned with integrity checks and provenance verification.

This issue was first raised in the previous AI BOM repository at https://github.com/manifest-cyber/ai-bom , but that repo was deleted.

Attestation has many meanings depending on the context. for instance, in the word of confidential computing, attestation is the proof of property of a system to a third party. IETF also has a definition in the context of its RATS architecture: https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html

with that being said, attestations may be correct and appropriate since the attestation is a proof. Authenticity is proving who you are, and integrity is protecting the data from unauthorized changes. Both may be achieved by a singular function (such as verifying the signature and the resulting digest) but they are not always executed together (even though they should be).