Minutes interim-2022-scitt-05: Mon 16:00
minutes-interim-2022-scitt-05-202212191600-00

| Meeting Minutes | Supply Chain Integrity, Transparency, and Trust (scitt) WG |
|---|---|
| Date and time | 2022-12-19 16:00 |
| Title | Minutes interim-2022-scitt-05: Mon 16:00 |
| State | Active |
| Last updated | 2022-12-19 |
Supply Chain Integrity, Transparency, and Trust (SCITT): Meeting Minutes
- Meeting: Working Group
- Date and Time: 19 December 2022, 16:00 - 17:00 UTC
- Chairs: Hannes Tschofenig; Jon Geater
- Note Takers: Kiran Karunakaran, Brian Knight
Resources
- Meeting Video - TBD
- Agenda
- Bluesheets - TBD
- Chat Log
- Presentations: None
Status Update
- Perspective from the Chairs
- Last call for 2022
- Appreciate the engagement and progress
- Next call scheduled for 9 January 2023, 16:00 - 17:00 UTC
Use Case Discussions
- Firmware Use Case: Monty Wiseman
  - GitHub References: Markdown, Preview
  - Overview
    - Firmware runs at a higher privilege level compared to OS or applications
    - Several potential security issues across boot sequence and during runtime
    - Boot measurements required to support supply chain assurance (e.g., RoT, TPM); example verification flow: match integrity measurements against ledger
  - Discussion: Hannes Tschofenig, Roy Williams, Henk Birkholz
    - Suggest addition of text to describe SCITT usage
      - Shorten the description, but extend the SCITT benefits
      - Vendors that provide subcomponents provide entries to ledger
      - Reference integrity values uploaded to ledger
    - Consider multi-threaded use case
      - Reference TCG document
    - Propose 1:1 with Henk & Monty
      - Build two crisp use cases focused on consumer perspective; TCG is in scope
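The verification flow sketched in the firmware use case (vendors register reference integrity values for their subcomponents on a ledger; a verifier matches boot-time measurements against them), as an added Python example that is not code from the SCITT drafts or the use-case document; the vendor names, component names and image bytes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class LedgerEntry:
    issuer: str            # vendor supplying the subcomponent (assumed name)
    component: str         # firmware component the value applies to
    reference_digest: str  # hex SHA-256 of the approved image

def make_ledger(images: dict) -> list:
    """Each vendor registers a reference integrity value; keys are (vendor, component)."""
    return [LedgerEntry(v, c, hashlib.sha256(img).hexdigest())
            for (v, c), img in images.items()]

def measure_boot(images: list) -> list:
    """RoT-style boot measurement: hash each component before control passes to it."""
    return [(c, hashlib.sha256(img).hexdigest()) for c, img in images]

def verify_against_ledger(measurements: list, ledger: list) -> dict:
    """Match each measured component against the ledger; one verdict per component."""
    known = {}
    for entry in ledger:
        known.setdefault(entry.component, set()).add(entry.reference_digest)
    verdicts = {}
    for component, digest in measurements:
        if component not in known:
            verdicts[component] = "unregistered"  # no vendor has vouched for it
        elif digest in known[component]:
            verdicts[component] = "match"
        else:
            verdicts[component] = "mismatch"      # differs from every registered value
    return verdicts

# Constructed sample images (stand-ins for real firmware blobs), not real vendor data.
VENDOR_IMAGES = {
    ("vendor-a", "bootloader"): b"bootloader v1.2 (constructed)",
    ("vendor-b", "nic-firmware"): b"nic firmware v3 (constructed)",
}
LEDGER = make_ledger(VENDOR_IMAGES)

def example_boot_verdicts() -> dict:
    """A boot with a tampered NIC image and an option ROM that no vendor registered."""
    measured = measure_boot([
        ("bootloader", b"bootloader v1.2 (constructed)"),
        ("nic-firmware", b"nic firmware v3 (tampered)"),
        ("option-rom", b"unknown option rom (constructed)"),
    ])
    return verify_against_ledger(measured, LEDGER)
```

The "unregistered" verdict is the case the discussion points at: a component only becomes verifiable once its vendor has placed a reference value on the ledger.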
- Software Use Case: Henk Birkholz
  - GitHub References: IETF ID HTML, Markdown
  - Overview
    - PR#9 is targeted at completeness in content; needs some refinement
      - Scalable Determination of Trustworthiness in Multi-Stakeholder Ecosystems & Checking the History of Statements about Software by Auditors
      - Make discovery of relevant sources available, which reduces costs
      - Consumer and standardization focus
      - Recommend merge post-holiday
    - PR#5 is non-controversial
      - Recommend merge now
  - Discussion: Tracy Miranda
    - SigStore has some existing use cases which may augment the existing draft or shape new ones
      - Reference: OpenSSF Landscape
        - See Case Studies in bottom right: (Autodesk, DB Schenker, Rancher Government Solutions, Verizon, Edgeless Systems)
      - Henk and Hannes offered to sync on use cases