
POLICY for "Identity Management" requirement #8

Open
TomHennen opened this issue Jan 7, 2025 · 1 comment
@TomHennen
Contributor

For L2+ we need to figure out the story for how this is met when using GitHub.

Suggestion: Assume that since we're running on GitHub that they're using GitHub identity Management and leave it at that.

Potential problem: People could do development elsewhere and then just sync to GitHub. That will still look as though primary development happens in GitHub (just under one account) but it would be misleading.

Solution 1: Ignore that problem. Those folks can use a different tool to attest to their SLSA Source Level.

Solution 2: Have a parameter to the tool that requires people to identify the canonical source repository. The tool checks to see if that source repository matches the one it's currently running in. If it does match, then it's eligible for L2+. If it doesn't match then it can still get L1.

I think I like solution 2? It would be easy and it might be a way to answer the "Canonical location" organization requirement (mentioned in #3).
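
One way to implement the check described in Solution 2, written here as an added example and not code from the issue or from the project. It assumes the tool runs inside GitHub Actions, where the runner sets GITHUB_SERVER_URL and GITHUB_REPOSITORY, and it uses a hypothetical CANONICAL_REPOSITORY parameter to carry the declared canonical repository. Both references are normalized (scheme, trailing slash, .git suffix, letter case, scp-style SSH form) so that cosmetic differences do not cause a spurious mismatch, while a different host or owner still does: a match is eligible for L2+, anything else falls back to L1.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Eligibility is the outcome of the canonical-repository check.
type Eligibility int

const (
	EligibleL1     Eligibility = iota // mirror, unknown, or undeclared: L1 only
	EligibleL2Plus                    // running in the declared canonical repo
)

func (e Eligibility) String() string {
	if e == EligibleL2Plus {
		return "L2+"
	}
	return "L1"
}

// normalizeRepo reduces a repository reference to lower-case "host/owner/name".
// Accepted forms: https://host/owner/name[.git][/], host/owner/name,
// ssh://git@host/owner/name and scp-style git@host:owner/name.
// Hosts with an explicit port are not handled and are rejected as malformed.
func normalizeRepo(ref string) (string, error) {
	s := strings.TrimSpace(ref)
	for _, p := range []string{"https://", "http://", "ssh://"} {
		s = strings.TrimPrefix(s, p)
	}
	s = strings.TrimPrefix(s, "git@")
	// scp-style "host:owner/name": the first ':' precedes the first '/'.
	if i := strings.Index(s, ":"); i >= 0 && i < strings.Index(s+"/", "/") {
		s = s[:i] + "/" + s[i+1:]
	}
	s = strings.TrimSuffix(s, "/")
	s = strings.TrimSuffix(s, ".git")
	parts := strings.Split(s, "/")
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return "", fmt.Errorf("expected host/owner/name, got %q", ref)
	}
	// GitHub owner and repository names are case-insensitive.
	return strings.ToLower(s), nil
}

// checkCanonical compares the declared canonical repository against the one the
// tool is currently running in (serverURL + "/" + repository, as GitHub Actions
// exposes them). A missing or malformed declaration is an error and caps the
// result at L1; the check trusts the declaration itself, it only proves that the
// tool ran where the declaration says primary development happens.
func checkCanonical(canonical, serverURL, repository string) (Eligibility, error) {
	want, err := normalizeRepo(canonical)
	if err != nil {
		return EligibleL1, fmt.Errorf("canonical repository: %w", err)
	}
	got, err := normalizeRepo(strings.TrimSuffix(serverURL, "/") + "/" + repository)
	if err != nil {
		return EligibleL1, fmt.Errorf("current repository: %w", err)
	}
	if want == got {
		return EligibleL2Plus, nil
	}
	return EligibleL1, nil
}

func main() {
	// CANONICAL_REPOSITORY is the hypothetical tool parameter from the issue;
	// GITHUB_SERVER_URL and GITHUB_REPOSITORY are set by the Actions runner.
	level, err := checkCanonical(os.Getenv("CANONICAL_REPOSITORY"),
		os.Getenv("GITHUB_SERVER_URL"), os.Getenv("GITHUB_REPOSITORY"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "canonical check failed, capping at L1:", err)
	}
	fmt.Println("eligible source level:", level)
}
```

Run it inside a workflow with `CANONICAL_REPOSITORY` set as a step `env:` value; a mirror that honestly declares its upstream (for example a GitLab URL) gets L1 from the same code path as a misconfigured declaration, which keeps the failure mode conservative.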

@mlieberman85
Member

mlieberman85 commented Jan 8, 2025

I think I like solution 2 as well. In almost all cases I've seen, mirrors of repos on GitHub all state specifically that they're purely a mirror or sync, along with a link to the canonical repo.
