From dd0203e5fb88b90824fe7571cde93a51afee560a Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Tue, 26 Mar 2024 21:45:05 -0400 Subject: [PATCH 1/7] Create related effort page #51 --- related-efforts.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 related-efforts.md diff --git a/related-efforts.md b/related-efforts.md new file mode 100644 index 0000000..10da3e6 --- /dev/null +++ b/related-efforts.md @@ -0,0 +1,11 @@ +--- +layout: page +title: Related Efforts +permalink: /related-efforts +nav_order: 1 +has_children: true +has_toc: false +--- + +# Related Efforts + From 8549b74c2df4c526b7ff039e6adbb0243b573134 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Tue, 26 Mar 2024 22:05:23 -0400 Subject: [PATCH 2/7] Add supply chain section with BOM formats for #51 --- related-efforts.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/related-efforts.md b/related-efforts.md index 10da3e6..a3e22e6 100644 --- a/related-efforts.md +++ b/related-efforts.md @@ -9,3 +9,13 @@ has_toc: false # Related Efforts +Software and services that implement the SCITT architecture support a variety of use cases. Below is an inventory of related efforts, be it specifications, implementations, or initiatives, where SCITT is applicable. + +## Supply Chain + +### Bill of Materials + +- [CycloneDX](https://cyclonedx.org) +- [SPDX](https://spdx.dev/) +- [Software Identificatino Tags - SWID (ISO/IEC 19770-2:2015)](https://www.iso.org/standard/65666.html) +- [CoSWID - Concise Software Identification Tags (RFC9393)](https://datatracker.ietf.org/doc/rfc9393/) From 40c8ce70c08372184103fc7ffe557f7a830e667b Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Tue, 26 Mar 2024 22:06:13 -0400 Subject: [PATCH 3/7] Add supply chain digital signatures for #51 --- related-efforts.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/related-efforts.md b/related-efforts.md index a3e22e6..27b5f32 100644 --- a/related-efforts.md +++ b/related-efforts.md 
@@ -19,3 +19,8 @@ Software and services that implement the SCITT architecture support a variety of - [SPDX](https://spdx.dev/) - [Software Identificatino Tags - SWID (ISO/IEC 19770-2:2015)](https://www.iso.org/standard/65666.html) - [CoSWID - Concise Software Identification Tags (RFC9393)](https://datatracker.ietf.org/doc/rfc9393/) + +### Digital Signatures + +- [OpenPubkey](https://www.bastionzero.com/openpubkey) +- [Sigstore](https://www.sigstore.dev/) From fa64e9bda5ce75d716e33f97097cea10658bb1c6 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Tue, 26 Mar 2024 22:06:37 -0400 Subject: [PATCH 4/7] Add supply chain vulnerability mgmt for #51 --- related-efforts.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/related-efforts.md b/related-efforts.md index 27b5f32..97a39f4 100644 --- a/related-efforts.md +++ b/related-efforts.md @@ -24,3 +24,9 @@ Software and services that implement the SCITT architecture support a variety of - [OpenPubkey](https://www.bastionzero.com/openpubkey) - [Sigstore](https://www.sigstore.dev/) + +## Vulnerability Disclosure and Management + +- [Common Security Advisory Framework (CSAF)](https://csaf.io) +- [VEX CSAF Profile](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex) +- [OpenVEX](https://github.com/openvex) From 86dcfbb305863e1b44b18a58fb63ccde21f0bec1 Mon Sep 17 00:00:00 2001 From: Nikos Fotiou Date: Mon, 1 Apr 2024 20:08:54 +0300 Subject: [PATCH 5/7] more related efforts added --- related-efforts.md | 63 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 57 insertions(+), 6 deletions(-) diff --git a/related-efforts.md b/related-efforts.md index 97a39f4..ff93fab 100644 --- a/related-efforts.md +++ b/related-efforts.md 
@@ -11,7 +11,18 @@ has_toc: false Software and services that implement the SCITT architecture support a variety of use cases. Below is an inventory of related efforts, be it specifications, implementations, or initiatives, where SCITT is applicable. -## Supply Chain +## Software Supply Chain Security +A list of efforts for protecting the security of software supply chain + +- [Microsoft SDL](https://www.microsoft.com/en-us/securityengineering/sdl) +- [Google Software Delivery Shield](https://github.blog/2023-04-19-introducing-npm-package-provenance/) +- [SigStore](https://www.sigstore.dev/) +A [blog post](https://openssf.org/case-studies/2024/02/16/scaling-up-supply-chain-security-implementing-sigstore-for-seamless-container-image-signing/) +describing how SigStore is used by Yahoo! + + +## Artifacts +A list of artifact types that can be (potentially) recorded in a Transparency registry ### Bill of Materials 
@@ -19,14 +30,54 @@ Software and services that implement the SCITT architecture support a variety of - [SPDX](https://spdx.dev/) - [Software Identificatino Tags - SWID (ISO/IEC 19770-2:2015)](https://www.iso.org/standard/65666.html) - [CoSWID - Concise Software Identification Tags (RFC9393)](https://datatracker.ietf.org/doc/rfc9393/) +- [Microsoft's SBOM tool](https://github.com/microsoft/sbom-tool) -### Digital Signatures - -- [OpenPubkey](https://www.bastionzero.com/openpubkey) -- [Sigstore](https://www.sigstore.dev/) -## Vulnerability Disclosure and Management +### Vulnerability Disclosure and Management - [Common Security Advisory Framework (CSAF)](https://csaf.io) - [VEX CSAF Profile](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex) - [OpenVEX](https://github.com/openvex) + +### Other types +- [Supply-chain Levels for Software Artifacts (SLSA)](https://slsa.dev/) +SLSA together with SigStore is [used by npm](https://github.blog/2023-04-19-introducing-npm-package-provenance/) +- [Security scorecards](https://securityscorecards.dev/) +- [in-toto attestations](https://in-toto.io/) + + + +## Related tools + +### Digital Signatures and Key Transparency + +- [OpenPubkey](https://www.bastionzero.com/openpubkey) +A tool that can be used for generating public keys using OIDC +- [Sigstore Fulcio](https://docs.sigstore.dev/certificate_authority/overview/) +A Certificate Authority that can be used for generating certificates bound to identities in other systems (e.g., GitHub) +- [step-ca](https://github.com/smallstep/certificates) +A self-hosted CA that can be used (among other things) for issuing certificates using OIDC +- [The update framework](https://theupdateframework.io/) +A tool for managing public keys that can be used for verifying signatures +- [CONIKS](https://coniks-sys.github.io/) +A Key Transparency service [used in Apple's iMessage](https://security.apple.com/blog/imessage-contact-key-verification/) + +### Centralized 
registries + +- [Grafeas](https://grafeas.io/) +- [Linux Vendor Firmware Service](https://fwupd.org/) + +### Auditable registries +- [Certificate Transparency](https://certificate.transparency.dev/) + - A [blog post](https://wiki.mozilla.org/Security/Binary_Transparency) about how Mozilla is using + certificate transparency to implement "binary transparency" +- [Binary Transparency](https://binary.transparency.dev/) + - Binary transparency as [used in Google's Pixel phones](https://developers.google.com/android/binary_transparency/pixel) + - Binary transparency as [used in F-Secure's Armory Drive](https://github.com/usbarmory/armory-drive/wiki/Firmware-Transparency) + - Binary transparency as [used by Go](https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md) + +## Directives and guidelines +Various bodies have issued directives that are related to software supply chain security + +- [NIST Secure Software Development Framework (SSDF)](https://csrc.nist.gov/pubs/sp/800/218/final) +- [White House executive order M-22-18](https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf) \ No newline at end of file From 48fd577c40e1a2b588663ba1bfa1f3e938117434 Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Wed, 10 Apr 2024 08:40:45 -0700 Subject: [PATCH 6/7] Apply suggestions from code review Signed-off-by: Steve Lasker --- related-efforts.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/related-efforts.md b/related-efforts.md index ff93fab..2caba47 100644 --- a/related-efforts.md +++ b/related-efforts.md @@ -45,8 +45,6 @@ SLSA together with SigStore is [used by npm](https://github.blog/2023-04-19-intr - [Security scorecards](https://securityscorecards.dev/) - [in-toto attestations](https://in-toto.io/) - - ## Related tools ### Digital Signatures and Key Transparency From 9684a67ed3a611c6c36a67ebf5ddc1834e91c9af Mon Sep 17 00:00:00 2001 From: Steve Lasker Date: Wed, 10 Apr 2024 08:41:11 -0700 Subject: [PATCH 7/7] Update related-efforts.md 
Signed-off-by: Steve Lasker --- related-efforts.md | 1 - 1 file changed, 1 deletion(-) diff --git a/related-efforts.md b/related-efforts.md index 2caba47..f0efe4b 100644 --- a/related-efforts.md +++ b/related-efforts.md @@ -32,7 +32,6 @@ A list of artifact types that can be (potentially) recorded in a Transparency re - [CoSWID - Concise Software Identification Tags (RFC9393)](https://datatracker.ietf.org/doc/rfc9393/) - [Microsoft's SBOM tool](https://github.com/microsoft/sbom-tool) - ### Vulnerability Disclosure and Management - [Common Security Advisory Framework (CSAF)](https://csaf.io)
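Review bot: "Software Identificatino Tags" in the added SWID entry of the patch 2 hunk (@@ -9,3 +9,13 @@ in related-efforts.md) is a typo for "Software Identification Tags"; it is carried as unchanged context through every later patch in this series, so fix it here rather than in a follow-up. In the same hunk, "be it specifications, implementations, or initiatives" reads more naturally as "whether specifications, implementations, or initiatives".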
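Review bot: the "Google Software Delivery Shield" entry in the patch 5 hunk @@ -11,7 +11,18 @@ links to https://github.blog/2023-04-19-introducing-npm-package-provenance/, which is the npm provenance post reused later in the same patch for the SLSA entry, so this link target looks like a copy-paste slip and needs the correct URL before merge. The same hunk alternates between "SigStore" (new lines) and "Sigstore" (the existing entries and the linked site); pick one spelling. The line "A [blog post](...) describing how SigStore is used by Yahoo!" follows its bullet without indentation and will render as a lazy continuation of the SigStore item, which is fine if intended but should be indented two spaces to make that explicit. Minor: "A list of efforts for protecting the security of software supply chain" wants "the software supply chain" and a terminal period.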
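Review bot: "Microsoft's SBOM tool" is added under "### Bill of Materials" in the patch 5 hunk @@ -19,14 +30,54 @@, but that section sits under "## Artifacts", which the same hunk introduces as "A list of artifact types that can be (potentially) recorded in a Transparency registry"; a generator tool is not an artifact type and belongs under "## Related tools". Three more points in this hunk: the entry titled "White House executive order M-22-18" links to an OMB memorandum (the M-22-18 PDF), not an executive order, so retitle it "OMB memorandum M-22-18" to match the linked document; the description lines placed directly under bullets (for example "A tool that can be used for generating public keys using OIDC" after OpenPubkey) are unindented and rely on lazy continuation, so indent them to render inside the bullet the way the nested bullets under Certificate Transparency already do; and the statement that CONIKS is "used in Apple's iMessage" is presented as fact and should be checked against the linked Apple post before merging. The hunk also ends with "\ No newline at end of file"; add the trailing newline.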