[Scudo] Describe all configurations for handling in-toto layouts

[adityasaky]

Currently, the Scudo PURE specifies that every image must have a mapping to the in-toto layout to use to verify its software supply chain. @trishankatdatadog noted in #9 (comment) that this is one option and layouts for each image may be inferred or communicated to clients out of band. The PURE should explore both of these options and lay out the pros and cons for each.

See: #9, #2

[jhdalek55]

@adityasaky Was this resolved? If so, then can you close it?

[adityasaky]

I'd like @trishankatdatadog to weigh in here. I'm not 100% convinced we should describe a way where the layout information is not included for image. I think we can't do justice in describing out-of-band mechanisms to correctly associate layouts to images. In comparison, I think the con of including layout information (the current status of the document) is not very troubling as attackers can do more than just associate the wrong layout in that scenario.

[adityasaky]

That said, I think we don't have to block #9 on this as we aren't marking it as "Final", per PURE-1.

[trishankatdatadog]

I'd like @trishankatdatadog to weigh in here. I'm not 100% convinced we should describe a way where the layout information is not included for image. I think we can't do justice in describing out-of-band mechanisms to correctly associate layouts to images. In comparison, I think the con of including layout information (the current status of the document) is not very troubling as attackers can do more than just associate the wrong layout in that scenario.

We should describe the pros and cons of each option