Minutes interim-2022-scitt-04: Mon 16:00
minutes-interim-2022-scitt-04-202212121600-01

| Meeting Minutes | Supply Chain Integrity, Transparency, and Trust (scitt) WG |
|---|---|
| Date and time | 2022-12-12 16:00 |
| Title | Minutes interim-2022-scitt-04: Mon 16:00 |
| State | Active |
| Other versions | markdown |
| Last updated | 2022-12-13 |
Supply Chain Integrity, Transparency, and Trust (SCITT): Meeting Minutes
- Meeting: Working Group
- Date and Time: 12 December 2022, 16:00 - 17:00 UTC
- Chairs: Hannes Tschofenig
- Note Takers: Kay Williams, Kiran Karunakaran, Brian Knight
Resources
- Meeting Video
- Agenda
- Bluesheets
- Presentations: None
- Chat Log
Introduction
- Welcome from Hannes to the group
- We are using IETF tooling including Meetecho for remote participation and HedgeDoc for notes
Use Cases Discussion
- Hannes shared the pull request for use cases: https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/8/files
- Henk described three use cases:
  - Trust Bond between Package Supplier and Signing Authority
  - Updated Statements over Time
  - Authenticity of Promoted Software Products
- Dick confirmed the description of the Trust Bond use case
- Firmware Use Case
  - Hannes asked if the Firmware use case is from Monty
  - Henk said he thinks Monty has not yet reviewed
- We need an audit use case and an infrastructure (system integration) use case
- Editor's Copy of Software Supply Chain Use Case: Please review and submit feedback via GitHub PR
- Orie - looked at the most recent versions; overall looked good, only a few comments; would be in favor of more frequent merging of the content. It is easier to do a review of a smaller pull request.
- Dick - one other use case: 'use an app store to check if an application is trusted - e.g. go to a SCITT registry'
- Henk - reply to Orie - Yogesh created the use case, so he hesitated to merge while Yogesh is out. That said, he can merge if there is no objection from the working group
- Hannes - OK to merge
- Henk - will merge
- Henk - Done - https://ietf-scitt.github.io/draft-birkholz-scitt-software-supply-chain-use-cases/draft-birkholz-scitt-software-use-cases.html
- Orie - responding to Dick's comment about 'check with trust registry', which seems to imply a single registry. Previous discussion has been that there will be multiple registries. Thinking of consumer branding on top of SCITT may be best handled outside of IETF.
- Charlie - Agree with Orie's point that there should be several registries. +1 to Orie's point
- Dick - desire to raise awareness of supply chain use cases today
- Hannes - if one sector would like to offer a 'trusted registry' for that sector (e.g. IoT) they can do that.
Next Steps
- What to discuss in upcoming meeting
- Secretary sent meeting for next Monday (12/19), two week break, then meet again on 1/9
- Ideas:
  - Sigstore update
  - Review architecture document
  - Customer Requirements (based on use cases)
  - Also need to make progress on terminology
- Kay - process flow - use cases, problem summary, customer requirements, architecture
- Hannes - would someone be willing to volunteer to create the customer requirements
- Kay - will drive a customer requirements document (possibly a section of the use cases document). Will start this in January.
- Roy - will the requirements be for everything in the use case, or just the building blocks
- Hannes - requirements are only for the building blocks
- Hannes - would someone be willing to volunteer to create the
- Henk - IETF mantra - parallelize, don't serialize; agree with Roy we can agree on most important roles; this discussion needs to be driven on the mailing list
- Hannes - Roy, would you like to drive on the mailing list
- Roy - sure; can drive
IETF Infrastructure
- Some participants are not able to see the chat and notes
- Hannes will share a link to Meetecho documentation
- Henk we can also set up a tech training session
- Ned posted a few links to help folks become familiar with Meetecho:
Next Meeting Agenda
- Next meeting is on 19 December 2022, 16:00 - 17:00 UTC
- Target to have audit use case and infrastructure use case in the PR for review by next meeting: Discuss for next meeting
- Next step is to derive user requirements (scope for working group) from use case document and align on terminology (at least for critical terms)