Minutes interim-2022-scitt-04: Mon 16:00
minutes-interim-2022-scitt-04-202212121600-01

Meeting Minutes Supply Chain Integrity, Transparency, and Trust (scitt) WG
Date and time 2022-12-12 16:00
Title Minutes interim-2022-scitt-04: Mon 16:00
State Active
Last updated 2022-12-13

Supply Chain Integrity, Transparency, and Trust (SCITT): Meeting Minutes

Resources

Introduction

  • Welcome from Hannes to the group
  • We are using IETF tooling including Meetecho for remote
    participation and HedgeDoc for notes

Use Cases Discussion

  • Hannes shared the pull request for use cases
    https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/8/files
  • Henk described three use cases

    • Trust Bond between Package Supplier and Signing Authority
    • Updated Statements over Time
    • Authenticity of Promoted Software Products
  • Dick confirmed the description of the Trust Bond use case

  • Firmware Use Case

    • Hannes asked if Firmware use case is from Monty
    • Henk said he thinks Monty has not yet reviewed
  • We need an audit use case and an infrastructure (system integration)
    use case

  • Editor's Copy of Software Supply Chain Use Case: Please review
    and submit feedback via GitHub PR
  • Orie - looked at the most recent versions; overall they looked good,
    with only a few comments. Would be in favor of more frequent merging
    of the content, since it is easier to review a smaller pull request.
  • Dick - one other use case: 'use an app store to check if an
    application is trusted - e.g. go to a SCITT registry'
  • Henk - reply to Orie - Yogesh created the use case, so he hesitated
    to merge while Yogesh is out. That said, he can merge if there is no
    objection from the working group

  • Orie - responding to Dick's comment about 'check with trust
    registry' which seems to imply a single registry. Previous
    discussion has been that there will be multiple registries. Thinking
    of consumer branding on top of SCITT may be best handled outside of
    IETF.

  • Charlie - Agree with Orie's point that there should be several
    registries. +1 to Orie's point
  • Dick - desire to raise awareness of supply chain use cases today
  • Hannes - if one sector would like to offer a 'trusted registry' for
    that sector (e.g. IoT) they can do that.

Next Steps

  • What to discuss in upcoming meeting
  • Secretary sent meeting for next Monday (12/19), two week break, then
    meet again on 1/9
  • Ideas:

    • Sigstore update
    • Review architecture document
    • Customer Requirements (based on use cases)
    • Also need to make progress on terminology
  • Kay - process flow - use cases, problem summary, customer
    requirements, architecture

    • Hannes - would someone be willing to volunteer to create the
      customer requirements
    • Kay - will drive a customer requirements document (possibly a
      section of the use cases document). Will start this in January.
    • Roy - will the requirements be for everything in the use case,
      or just the building blocks
    • Hannes - requirements are only for the building blocks
  • Henk - IETF mantra - parallelize, don't serialize; agree with Roy we
    can agree on most important roles; this discussion needs to be
    driven on the mailing list

    • Hannes - Roy would you like to drive on the mailing list
    • Roy - sure; can drive

IETF Infrastructure

Next Meeting Agenda

  • Next meeting is on 19 December 2022, 16:00 - 17:00 UTC

  • Target to have audit use case and infrastructure use case in the PR
    for review by next meeting: Discuss for next meeting

  • Next step is to derive user requirements (scope for working group)
    from use case document and align on terminology (at least for
    critical terms)