Software Use Case
agenda-interim-2022-scitt-04-scitt-01-04

Meeting Agenda Supply Chain Integrity, Transparency, and Trust (scitt) WG
Date and time 2022-12-12 16:00
Title Software Use Case
State Active
Last updated 2022-12-13

Supply Chain Integrity, Transparency, and Trust (SCITT): Meeting Minutes

Resources

Introduction

  • Welcome from Hannes to the group
  • We are using IETF tooling including Meetecho for remote participation and HedgeDoc for notes

Use Cases Discussion

  • Hannes shared the pull request for use cases https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/8/files
  • Henk described three use cases
    • Trust Bond between Package Supplier and Signing Authority
    • Updated Statements over Time
    • Authenticity of Promoted Software Products
  • Dick confirmed the description of the Trust Bond use case
  • Firmware Use Case
    • Hannes asked if Firmware use case is from Monty
    • Henk said he thinks Monty has not yet reviewed
  • We need an audit use case and an infrastructure (system integration) use case
  • Editor's Copy of Software Supply Chain Use Case: Please review and submit feedback via GitHub PR
  • Orie - looked at the most recent versions; overall they looked good, only a few comments. Would be in favor of more frequent merging of the content; it is easier to review a smaller pull request.
  • Dick - one other use case: 'use an app store to check if an application is trusted - e.g. go to a SCITT registry'
  • Henk - reply to Orie - Yogesh created the use case, so he hesitated to merge while Yogesh is out. That said, he can merge if there is no objection from the working group
  • Orie - responding to Dick's comment about 'check with trust registry', which seems to imply a single registry. Previous discussion has been that there will be multiple registries. Thinking of consumer branding on top of SCITT may be best handled outside of IETF.
  • Charlie - Agree with Orie's point that there should be several registries. +1 to Orie's point
  • Dick - desire to raise awareness of supply chain use cases today
  • Hannes - if one sector would like to offer a 'trusted registry' for that sector (e.g. IoT) they can do that.

Next Steps

  • What to discuss in upcoming meeting
  • Secretary sent a meeting invite for next Monday (12/19), then a two-week break, then meet again on 1/9
  • Ideas:
    • Sigstore update
    • Review architecture document
    • Customer Requirements (based on use cases)
    • Also need to make progress on terminology
  • Kay - process flow - use cases, problem summary, customer requirements, architecture
    • Hannes - would someone be willing to volunteer to create the customer requirements
    • Kay - will drive a customer requirements document (possibly a section of the use cases document). Will start this in January.
    • Roy - will the requirements be for everything in the use case, or just the building blocks?
    • Hannes - requirements are only for the building blocks
  • Henk - IETF mantra: parallelize, don't serialize; agree with Roy that we can agree on the most important roles; this discussion needs to be driven on the mailing list
    • Hannes - Roy, would you like to drive this on the mailing list?
    • Roy - sure; can drive

IETF Infrastructure

Next Meeting Agenda

  • Next meeting is on 19 December 2022, 16:00 - 17:00 UTC
  • Target to have the audit use case and the infrastructure use case in the PR for review by next meeting; discuss at next meeting
  • Next step is to derive user requirements (scope for working group) from use case document and align on terminology (at least for critical terms)