Minutes interim-2023-scitt-01: Mon 16:00
minutes-interim-2023-scitt-01-202301091600-00
| Meeting Minutes | Supply Chain Integrity, Transparency, and Trust (scitt) WG | |
|---|---|---|
| Date and time | 2023-01-09 16:00 | |
| Title | Minutes interim-2023-scitt-01: Mon 16:00 | |
| State | Active | |
| Other versions | markdown | |
| Last updated | 2023-01-17 |
minutes-interim-2023-scitt-01-202301091600-00
Blue Sheet (Attendees)
Behcet Sarikaya
Charles Hart
Dick Brooks
Joshua Lock
Monty Wiseman
Neal McBurnett
Steve Lasker
Zachary Newman
Henk Birkholz
Kay Williams
Jon Geater
Ray Lutz
Orie Steele
Introduction
- Lead: Hannes Tschofenig
- Welcome to the group
- We are using IETF tooling including Meetecho for remote
participation and HedgeDoc for notes
Use Cases Discussion
- Use case document is getting in better shape
-
Is the content up to date?
-
Henk Birkholz
- Not a lot of changes
- Addressing feedback from Hannes and others
- Most feedback has been entered as issues in GitHub
- Need to create uniform style across Henk and Yogesh's documents
- Reached out to Monty to distill Firmware use case
-
Yogesh
- Style he had been using was based on document shared by Hannes
-
Henk Birkholz
- Yogesh and Henk to meet to come up with a proposal for style and
review with the group - Do we have sigstore use cases covered?
- Yogesh and Henk to meet to come up with a proposal for style and
-
Joshua Lock
- Can help with sigstore use cases
-
Dick Brooks
- Proposed additional use case - registration of a trust score
-
Charles Hart
- Not all issues from mailing list are included in Use Cases
document -
Some use cases use proprietary terminology (e.g. 'Trust Bond',
'Trust Score')- If we are going to use any terms of art, need to ensure
these are not proprietary - Dick: officially withdrawing the term 'Trust Bond' pending
another way to describe
- If we are going to use any terms of art, need to ensure
-
Question regarding whether evidence is stored in the ledger or
outside- Roy: would be great to have two use cases; one that shows
evidence stored in the ledger, another where it is outside - Jon: discussion already had and concluded on mailing list
that support is needed for both - Steve: documenting in use cases (or some other requirements
document?) will help; some technical challenges, e.g. query,
promotion across ledger instances; access control
- Roy: would be great to have two use cases; one that shows
-
(Another point that Kay missed...) (perhaps point that a third
option would be linking or referring to some public evidence
outside the ledger??)
- Not all issues from mailing list are included in Use Cases
-
Election Use Case
-
Ray
- Working on election data use case
- Requires data outside of the ledger
- Also requires air-gap support
-
Hannes:
- makes sense to have several paragraphs written about it
- useful to document somewhere even if we put it on hold for
now
-
Ray:
- would need to summarize; currently too detailed
-
Roy:
- Would love to see full document
-
-
Non-opaque well known statements (Henk)
- Relationships between statements
- Links to external payload
-
Audit use case
- What should be exposed during audit? This will help inform what
data is stored on ledger, which is external (Roy)
- What should be exposed during audit? This will help inform what
-
Sigstore Use Cases (Hannes)
- Link posted to mailing list ahead of the holidays
- Writeups by different companies
- Would be good to cover these in our use cases
- Key Management, Air-gapped scenarios
- Can someone review and ensure these are covered in our document?
-
Goal data for finishing use case document?
- Should we set a date? (Dick)
- Proposed date - mid-February (Hannes)
- Henk: agree with mid-February; needs to switch to another
project by then - Dick: agree with mid-February
Additional Topics for today's meeting
- Sigstore use cases (proposed by Hannes)
- Proposed new use case (proposed by Hannes)
- Workback schedule for IETF 116 (proposed by Roy)
- Terminology document (proposed by Roy)
Threat Model
- Henk to ping Brendan Moran to help with threat model
- Hannes - sensible to include threat model in architecture document
Material for IETF 116 (Roy)
-
Summary
- Use Cases
- Threat Model
- Terminology
-
Jon
- Use Cases
- Threat model
-
Roy
- What will the slides be?
- Who will work on each slides?
- Posters
-
Hannes
- Jon/Hannes to send email to see who will attend in person and
remote - Remote attendance for IETF 116 may be challenging give time zone
- Jon/Hannes to send email to see who will attend in person and
-
Yogesh
- Terminology should also be a topic for IETF 116; discussion with
Cedric and Antoine before the holidays, should be able to wrap
up in the next several weeks - Will take an action to summarize current status and open items
and share with SCITT mailing list
- Terminology should also be a topic for IETF 116; discussion with
Terminology
-
Monty
- do we have a place to describe definitions of concepts we need
describe terms for? Once we have a list of definitions, we can
define terms - Is there method for discussion of terms
- do we have a place to describe definitions of concepts we need
-
Hannes
- Mailing list
-
Yogesh
- All terms we use should be in the terminology section of the
SCITT architecture document
- All terms we use should be in the terminology section of the
Thursday technical meeting
- Thursday bi-weekly meeting - is this still happending? (Ray)
- Hannes: No. The only formal meeting is this one on Mondays; there
may be ad-hoc small group meetings on specific topics. - Yogesh: The Thursday meeting (from his outlook calendar) has now
been cancelled