content: draft: reliable -> authenticatable and auditable #1143
Need one more maintainer to approve. Maybe @arewm can help.
@@ -183,7 +183,7 @@ Intended for: | |||
Organizations that want strong guarantees and auditability of their change management processes. | |||
|
|||
Benefits: | |||
Provides reliable information to policy enforcement tools. | |||
Provides verifiable information to policy enforcement tools. |
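Review bot: The replacement word "verifiable" on the `+` line claims more than a source platform can support, and the thread below already flags this: a consumer of these attestations can check that the claims were issued by the platform (authenticity of the claim) and can inspect the recorded change-management process (auditability), but cannot independently re-verify the underlying facts such as contributor identity, which would require data the platform does not expose. Suggest wording the benefit at the level the attestation actually delivers, for example "Provides authenticatable and auditable information to policy enforcement tools.", so that "verifiable" is not read as a promise that the content itself has been verified rather than its origin.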
I think we chose the word "reliable" specifically to avoid "verifiable."
I suspect these will never be fully verifiable -- the data required to verify contributor info for instance is enormous and probably PII.
I think the best we can do is make the claims "authentic," i.e. we know who made the claims.
I'm looking for @marcelamelara's thoughts here before I do anything else with this PR.
I also think we're never going to find any terminology that is exactly right here. There are different levels of reliability, verifiability, and authenticity depending on how deep you want to go.
My main concern with using "reliable" is that it's a subjective term, much how "trustworthy" is in the eye of the auditor/verifier. I do think "authentic" could work, as might "auditable". @zachariahcox is right that the info may not ever be fully verifiable, but my view is that we're aiming to enable auditing (if not verification) of the process.
I like 'auditable'
Went with "authenticatable and auditable"
LGTM thanks for the revisions @TomHennen !
Signed-off-by: Tom Hennen <tomhennen@google.com>
LGTM
Updating name of Source Level 3 to make it more clear by removing the somewhat ambiguous 'Source Provenance' and including the language from PR slsa-framework#1143 instead. Signed-off-by: Tom Hennen <tomhennen@google.com>
Updating name of Source Level 3 to make it more clear by removing the somewhat ambiguous 'Source Provenance' and including the language from PR #1143 instead. fixes #1112 --------- Signed-off-by: Tom Hennen <tomhennen@google.com> Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com> Co-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Clarify what type of data source level 3 provides to policy enforcement tools.
'authenticatable and auditable' is more easily understood by the community than 'reliable'. It's also less prone to misinterpretation than 'verifiable' which might sound like a much more thorough process has been done.
fixes #1137