Economics

Fair Share Cost Tokens

Session Abstract

The Cyber Resilience Act (CRA) will require FOSS projects to step up their security and, following the logic of the FOSS ecosystem, produce attestations for their software.

This talk introduces fair-share cost tokens, a feature which supports financial flows along open source software supply chains. (No blockchain.)

Session Description

The goal of this talk is to provide an overview of the economic component of the CRA attestation project [1].

Fair-share cost tokens are cryptographically signed tokens which allow manufacturers to prove that they are making their "fair" contribution to the health of their FOSS ecosystem. Whenever a commercial software producer (a manufacturer in terms of the CRA) includes FOSS code maintained by a legal entity (an Open Source Software Steward in terms of the CRA), the token is used for attestation. Thus, the two parties can establish a communication channel in case of a security incident. The same mechanism should also allow resources to be brought deeper into the supply chain, since a steward can use it to allocate resources towards the stewards whose code it depends on.

Frameworks like SCITT [2] and OmniBOR [3] could allow for their technical implementation. However, some policy work is required to make the situation of potential FOSS projects in the EU compatible with 501(c)(3) organisations in the US.
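The following is an added illustration of the token mechanism described above; it is not code from the cra-attestations project, SCITT or OmniBOR, and the claim fields, the manufacturer/steward names, the key registry and the JSON-plus-Ed25519 encoding are all assumptions made for the example. It shows a manufacturer signing a fair-share claim naming the steward, the component it ships and a security contact, and the steward verifying that claim against a registry of trusted manufacturer keys, rejecting tampered, unregistered and forged tokens.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// FairShareClaim is an assumed payload for a fair-share cost token; the
// real project's fields are not defined on this page.
type FairShareClaim struct {
	Manufacturer string `json:"manufacturer"`     // CRA manufacturer making the contribution
	Steward      string `json:"steward"`          // Open Source Software Steward receiving it
	Component    string `json:"component"`        // FOSS component the manufacturer ships
	AmountEUR    int    `json:"amount_eur"`       // contribution for this period
	Contact      string `json:"security_contact"` // channel for incident coordination
	Period       string `json:"period"`           // e.g. "2026-Q1"
}

// FairShareToken carries the claim plus a detached Ed25519 signature over
// the claim's JSON encoding (assumed format).
type FairShareToken struct {
	Claim     FairShareClaim `json:"claim"`
	Signature string         `json:"sig"` // base64 of ed25519.Sign(priv, json(claim))
}

// NewSigningKey generates an Ed25519 key pair for a manufacturer or steward.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueToken signs the JSON encoding of the claim. A steward that wants to
// pass resources further down the chain issues a token the same way.
func IssueToken(priv ed25519.PrivateKey, claim FairShareClaim) (FairShareToken, error) {
	body, err := json.Marshal(claim)
	if err != nil {
		return FairShareToken{}, err
	}
	sig := ed25519.Sign(priv, body)
	return FairShareToken{Claim: claim, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyToken checks a token against a registry of trusted manufacturer keys.
// The key is looked up by the manufacturer named in the claim, so a valid
// signature from an unrelated key cannot "prove" someone else's contribution.
func VerifyToken(tok FairShareToken, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[tok.Claim.Manufacturer]
	if !ok {
		return errors.New("no trusted key registered for manufacturer " + tok.Claim.Manufacturer)
	}
	body, err := json.Marshal(tok.Claim)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(tok.Signature)
	if err != nil {
		return errors.New("signature is not valid base64")
	}
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("signature does not match claim")
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed registry: the steward's trust anchor for known manufacturers.
	registry := map[string]ed25519.PublicKey{"ExampleCorp GmbH": pub}
	claim := FairShareClaim{
		Manufacturer: "ExampleCorp GmbH", // constructed sample value
		Steward:      "Example Foundation e.V.",
		Component:    "libexample",
		AmountEUR:    5000,
		Contact:      "security@example.invalid",
		Period:       "2026-Q1",
	}
	tok, err := IssueToken(priv, claim)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine token:", VerifyToken(tok, registry))
	tok.Claim.AmountEUR = 999999 // tampering with the claim invalidates the signature
	fmt.Println("tampered token:", VerifyToken(tok, registry))
}
```

The design point worth noting is that the steward never trusts a key embedded in the token itself; trust comes from a registry that binds the manufacturer's identity to a key, which is the role a transparency service such as SCITT could play in a real deployment.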

[1] https://github.com/orcwg/cra-attestations
[2] https://datatracker.ietf.org/wg/scitt/about/
[3] https://omnibor.io/project/

Wintergarten
16.Mar 2026
16:40 - 17:10
Talk