Skip to main content

Minutes interim-2023-scitt-01: Mon 16:00

Meeting Minutes Supply Chain Integrity, Transparency, and Trust (scitt) WG
Date and time 2023-01-09 16:00
Title Minutes interim-2023-scitt-01: Mon 16:00
State Active
Other versions markdown
Last updated 2023-01-17


Blue Sheet (Attendees)
Behcet Sarikaya
Charles Hart
Dick Brooks
Joshua Lock
Monty Wiseman
Neal McBurnett
Steve Lasker
Zachary Newman
Henk Birkholz
Kay Williams
Jon Geater
Ray Lutz
Orie Steele


  • Lead: Hannes Tschofenig
  • Welcome to the group
  • We are using IETF tooling including Meetecho for remote
    participation and HedgeDoc for notes

Use Cases Discussion

  • Use case document is getting in better shape
  • Is the content up to date?

  • Henk Birkholz

    • Not a lot of changes
    • Addressing feedback from Hannes and others
    • Most feedback has been entered as issues in GitHub
    • Need to create uniform style across Henk and Yogesh's documents
    • Reached out to Monty to distill Firmware use case
  • Yogesh

    • Style he had been using was based on document shared by Hannes
  • Henk Birkholz

    • Yogesh and Henk to meet to come up with a proposal for style and
      review with the group
    • Do we have sigstore use cases covered?
  • Joshua Lock

    • Can help with sigstore use cases
  • Dick Brooks

    • Proposed additional use case - registration of a trust score
  • Charles Hart

    • Not all issues from mailing list are included in Use Cases
    • Some use cases use proprietary terminology (e.g. 'Trust Bond',
      'Trust Score')

      • If we are going to use any terms of art, need to ensure
        these are not proprietary
      • Dick: officially withdrawing the term 'Trust Bond' pending
        another way to describe
    • Question regarding whether evidence is stored in the ledger or

      • Roy: would be great to have two use cases; one that shows
        evidence stored in the ledger, another where it is outside
      • Jon: discussion already had and concluded on mailing list
        that support is needed for both
      • Steve: documenting in use cases (or some other requirements
        document?) will help; some technical challenges, e.g. query,
        promotion across ledger instances; access control
    • (Another point that Kay missed...) (perhaps point that a third
      option would be linking or referring to some public evidence
      outside the ledger??)

  • Election Use Case

    • Ray

      • Working on election data use case
      • Requires data outside of the ledger
      • Also requires air-gap support
    • Hannes:

      • makes sense to have several paragraphs written about it
      • useful to document somewhere even if we put it on hold for
    • Ray:

      • would need to summarize; currently too detailed
    • Roy:

      • Would love to see full document
  • Non-opaque well known statements (Henk)

    • Relationships between statements
    • Links to external payload
  • Audit use case

    • What should be exposed during audit? This will help inform what
      data is stored on ledger, which is external (Roy)
  • Sigstore Use Cases (Hannes)

    • Link posted to mailing list ahead of the holidays
    • Writeups by different companies
    • Would be good to cover these in our use cases
    • Key Management, Air-gapped scenarios
    • Can someone review and ensure these are covered in our document?
  • Goal data for finishing use case document?

    • Should we set a date? (Dick)
    • Proposed date - mid-February (Hannes)
    • Henk: agree with mid-February; needs to switch to another
      project by then
    • Dick: agree with mid-February

Additional Topics for today's meeting

  • Sigstore use cases (proposed by Hannes)
  • Proposed new use case (proposed by Hannes)
  • Workback schedule for IETF 116 (proposed by Roy)
  • Terminology document (proposed by Roy)

Threat Model

  • Henk to ping Brendan Moran to help with threat model
  • Hannes - sensible to include threat model in architecture document

Material for IETF 116 (Roy)

  • Summary

    • Use Cases
    • Threat Model
    • Terminology
  • Jon

    • Use Cases
    • Threat model
  • Roy

    • What will the slides be?
    • Who will work on each slides?
    • Posters
  • Hannes

    • Jon/Hannes to send email to see who will attend in person and
    • Remote attendance for IETF 116 may be challenging give time zone
  • Yogesh

    • Terminology should also be a topic for IETF 116; discussion with
      Cedric and Antoine before the holidays, should be able to wrap
      up in the next several weeks
    • Will take an action to summarize current status and open items
      and share with SCITT mailing list


  • Monty

    • do we have a place to describe definitions of concepts we need
      describe terms for? Once we have a list of definitions, we can
      define terms
    • Is there method for discussion of terms
  • Hannes

    • Mailing list
  • Yogesh

    • All terms we use should be in the terminology section of the
      SCITT architecture document

Thursday technical meeting

  • Thursday bi-weekly meeting - is this still happending? (Ray)
  • Hannes: No. The only formal meeting is this one on Mondays; there
    may be ad-hoc small group meetings on specific topics.
  • Yogesh: The Thursday meeting (from his outlook calendar) has now
    been cancelled