Minutes interim-2023-scitt-11: Mon 16:00
minutes-interim-2023-scitt-11-202303201600-00

Meeting Minutes Supply Chain Integrity, Transparency, and Trust (scitt) WG
Date and time 2023-03-20 16:00
Title Minutes interim-2023-scitt-11: Mon 16:00
State Active
Last updated 2023-03-20

Meeting Minutes - 20th March 2023

Minute Taker: Hannes Tschofenig, Kay Williams

IETF Meeting Attendees

On-location Meeting Attendees

  • Henk Birkholz
  • Cedric Fournet
  • Roy Williams
  • Kay Williams
  • Jon Geater
  • Orie Steele

Remote Meeting Attendees

  • Hannes Tschofenig
  • Steve Lasker
  • Yogesh Deshpande

IETF 116 Meeting Agenda

https://datatracker.ietf.org/meeting/116/materials/agenda-116-scitt-00

WG Drafts

Detailed Software Supply Chain Uses Cases for SCITT (Kay, 30 min)

https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/

An Architecture for Trustworthy and Transparent Digital Supply Chains (Cedric, Steve)

https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/

Steve: Issues to discuss:

  • Terminology / Building Blocks (SCITT Service Components)
  • Identity
  • Merkle Tree Formats

Kay: It may be good to clarify what items we have resolved.

Dick: Put more emphasis on the purpose of SCITT.

Hannes suggests asking SCITT outsiders.

Henk: Kay is a good presenter for the use case and Cedric is a good
presenter for the architecture. Hackathon is a good time to polish the
slides. For the architecture it will be important to highlight what the
building blocks are to create bigger systems. COSE will have a
presentation about the generalized receipt idea. The
draft-birkholz-scitt-receipts will be a profile of this generalized
draft and since COSE takes place before SCITT I can present an update.

Ray: I ran into this issue of "trust" vs. "trustworthiness". I think the
high-level diagram where the evaluation of the stored data in the ledger
is not inside the SCITT registry and happens outside (at another
layer). Talks about the idea of a distributed registry. Why is an
append-only log necessary? Maybe it is better to have a highly
distributed registry.

Charlie: We should progress through the agenda faster. Who is the
audience at the meeting?

Hannes: Explains what an IETF meeting looks like and that folks typically
attending other groups will join the meeting. So, we need to explain
content to those who are not participating in the weekly calls as well.
Of course, we also want to make progress with the open issues. Reading
the documents is assumed.

Charlie: We have yet to have the debate about the identification. We had
this debate about COSE and the

Roy: Are you talking about the serialization or the identity technology
(X.509, DIDs)?

Charlie: Don't know. I don't know whether COSE is widely deployed.

Roy: [Explains X.509 and PGP]

Charlie: We need to allow backwards compatibility. We need to discuss the
append-only log.

Roy: You need to write these questions up.

Charlie: The third item is "vetting" before an entry can be made into
the SCITT ledger: doesn't this require a trusted third party? This is an
undefined role.

Neal: The audience includes tech-savvy people who are potential users of
this technology.
My ideas: Discussing scaling would be important.

  • How would an end user/consumer gather all the statements for a given
    software component (potentially involving a number of SCITT
    instances)?
  • Different end users will query the ledger and will come to different
    conclusions (dependent on their threat models, requirements, and
    uses of the software/artifact).

Maybe start the agenda with a terminology for the day. Do the use
case doc and do the architecture. Use some complex user queries and
explain how this works.

We have a problem that is worth solving -- that's why we have the use
cases. Then, we talk about the details in the architecture. How do
policies and scaling fit in?

Cedric: We need to avoid re-starting discussions from scratch. I can
present where we are. Regarding scalability: Receipts can be checked
offline. We don't have to go to the registry for freshness. We talked a
lot about the identity and the DIDs are described in the document.

Yogesh: Could you add issues to GitHub, Charlie? I believe many of these
points have been discussed in the past. If we capture the issues in
GitHub then we can point others to those (closed/agreed) issues.

Given that the meeting is in Japan I believe there are many new
participants. We will have to re-introduce some of the concepts rather
than going directly into the open issues.

Dick: Transparency & Trust are terms we hear all the time in the US
(e.g. NIST). There is definitely an audience, who want access to
something. This is an opportunity for SCITT. We need to have some
high-level content that explains what we are doing (rather than diving
into the details).

Non-WG Drafts

Countersigning COSE Envelopes in Transparency Services (Ori, 10 min)

https://datatracker.ietf.org/doc/draft-birkholz-scitt-receipts/