Re: [open-regulatory-compliance] Kicking off the CRA Attestations project

Alistair,

was nice to meet you in Brussels!

> On 28 Oct 2025, at 14:02, Alistair Woodman <awoodman@xxxxxxxxx> wrote:
>>> On 27 Oct 2025, at 17:59, Alice Sowerby via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
>>> Hi everyone. I'm super new to the CRA world, I was at the event in Brussels last week and I keep having the same idea pop into my mind about how to tackle this challenge. I will post it below as food for thought. Happy to have it severely critiqued!
>> In my understanding, an attestation is a contract between two entities: the manufacturer, and the attestation provider.
> The general sense of the word ‘Attestation’ in English (and ‘Beglaubigung’ in German) is *not* of a contract, but of a ‘statement under oath’. I.e. the Attestor makes an Affidavit (Statement under oath, with a jeopardy of either perjury or negligence) to an entity with civil or legal authority (Notary, Judge, Police, Priest etc).

Ok, but who / what would be the entity with civil or legal authority then?


> WRT the CRA, the details of process are still TBD, but my assumption is that the actual Attestation is *not* a contract, but that could be used as part of a contract or process or supply-chain verification thingy too.

Still, guaranteeing support for X years, feels like a contract to me.

I guess this also boils down to the question whether or not attestations are generic, or unique for each manufacturer.


> One strong assumption about Attestations is that it will be possible to ‘mark them as no longer current’.  Take a look at SCITT https://datatracker.ietf.org/group/scitt/about/ which is close to final call at the IETF.

I found the Non-Goals there pretty significant in our context:

Non-Goals
The WG does not:
    • make recommendations or suggestions on best practices on how to design the supply chain,
    • establish a universal/centralized registry for supply chain data,
    • define methods to prevent authenticated supply chain issuers from making false claims,
    • define data formats for payload content, such as Bills of Materials data formats.

and the fact that there is a "notary" actor in there.  Which I guess sorta answers my earlier question:

"Ok, but who / what would be the entity with civil or legal authority then?"


>> Your approach reduces attestations to commodities that can be traded.  Which I think is also a race to the bottom, which in the end will kill Open Source as we know it.
> I agree that some models could lead to a race to the bottom, but I don’t think it is inevitable. Our job is to define one that doesn’t.

Fair point  :-)


>> Having a functionality to make it easier for a manufacturer to obtain the necessary attestations for all of their Open Source software, would definitely be nice to have.  But I don't think adding a centralized hub to a world that already has too many SPFs, would make much sense.
> A small number of internally and externally redundant systems (like the DNS Root system) are probably better.

Ooh, wow, that's an intriguing thought.


>> This feels very much like yet another organization in the making that will make lots of money, to be spent on non-related costs.  "A small portion could be kept to pay for the attestation registry costs" makes me shiver, as "small" has not been defined here.
> I agree that we might end up with ICANN 2.0…

Yeah, or another SIDN (Dutch Domain registry), which makes so much money that they needed to start other non-profit organizations.  Ah, the days that domain registration in NL was done by a single guy, Piet Beertema (of Kremvax fame).

But I digress   :-)


Elizabeth Mattijsen
