clarity: source track: continuity: should each technical control have its own continuity

[arewm]

#1483 (comment)

Should we require controls to have separate continuities or if not, can we recommend that instead? There is a tradeoff between being able to simply ratchet up controls vs. having one simple control requirement that can be enforced.

This might fall back to specific implementation details, but if we think that it would be better to separate controls, then we should make sure that the verification part of the spec is consistent.

[TomHennen]

If we require anything it should be have separate continuity per-control. If we don't do that it will be impossible to add a new control without breaking 'global' continuity for a repo and that seems bad.

That said, I bet we can leave this to the implementations to figure out? Clarifying it comes with its own costs in terms of making the spec harder to reason about.

[arewm]

I agree that there should be a separate continuity per control. Is that something that is possible with the source-tool, @puerco (I haven't looked in a while)?

If we leave it for the implementations to figure out, do we complicate verification if some SCS's might merge controls and others separate them?

[TomHennen]

I agree that there should be a separate continuity per control. Is that something that is possible with the source-tool, @puerco (I haven't looked in a while)?

If nothing has changed it should. It records the time at which each individual control was first observed in the provenance for each revision.

If we leave it for the implementations to figure out, do we complicate verification if some SCS's might merge controls and others separate them?

We'd just be complicating verification of the provenance itself, the format of which is already specific to each SCS since the format isn't well defined. The VSA verification should remain unchanged and would continue to be based on the users trust of the SCS that issues the VSA.

[TomHennen]

It sounds like we might be agreed that we can leave this up to implementations. Given that I propose we close this issue?