Minutes interim-2023-scitt-28: Mon 15:00
minutes-interim-2023-scitt-28-202308141500-00
Meeting Minutes | Supply Chain Integrity, Transparency, and Trust (scitt) WG | |
---|---|---|
Date and time | 2023-08-14 15:00 | |
Title | Minutes interim-2023-scitt-28: Mon 15:00 | |
State | Active | |
Other versions | markdown | |
Last updated | 2023-08-21 |
SCITT Virtual Interim Meeting 14th August 2023
Agenda
Published items
• Review open PRs
• Progress of emulator reflecting -117 results
• Progress of SCRAPI
• Update and discussion on Feed structure
Additional items (agenda bashing)
• (Jon) Session request for -118 is open. Any constraints?
• (Ray) New agenda item "Data Packaging"
Notes
Progress of emulator reflecting -117 results
Jon committed coding work on the emulator to the Github repo:
https://github.com/scitt-community/scitt-api-emulator
For transmission of CBOR, Jon's implementation uses armored JSON to
transmit data over the wire.
Progress of SCRAPI
Orie suggested to use YAML for the API description.
Henk: Added himself as a reviewer, Got blocked on Jon's comment
questioning the value of a YAML version. YAML is a good diagnostic
language for CBOR but it's not resiliant to transmission over the wire
so...not against it, but it can cause some niggles.
Orie: Developers misparse the binary and they re-encode the binary as
text. Lots of API tooling is not yet ready for CBOR and COSE. You can
say that: Here is the JSON encoding of it. I prefer to wrap COSE/CBOR
structures in YAML or JSON for easier processing. I would be concerned
about only using CBOR/COSE.
Hannes asking a clarifying question.
Ray: Complete agree with Orie. Ease of use is important. CBOR replaces
ASN.1 and it was at a time when bandwidth was limited. This is not so
important today. If we can leave it as JSON, why go to CBOR?
Jon: I got hung-up with a similar question as Ray - if we have JSON why
bother with YAML? But that's not really important: all this makes a lot
of sense in terms of debugging, wire transport etc.
Henk: One reason to stick with COSE/COSE is the signature checking. The
support for COSE/CBOR in the web context is not great but we need to
look into the future. Henk believes that JOSE cannot provide the same
functionality as COSE.
Neal: Agree with Henk having seen the problems with two ways of
presenting things. Sticking to something is better than supporting
multiple options.
Orie: We should distinguish between the payload and the API response. If
the API is implemented in a real-world deployment then JSON and YAML are
off-the-plate.
Ray: If you look at major providers today, they are using JSON. I want
to talk a bit about the QR code work done in Europe, they used a
simplified JSON structure to allow readability. Nobody cares about how
it is encoded.
Henk: I am with Ray. The European Health Certificates is a CBOR
structure -
https://github.com/ehn-dcc-development/eu-dcc-hcert-spec/blob/main/README.md.
When the QR code is shown to a reader it is displayed to the human. On
the reference API we can have two versions (CBOR and JSON).
Orie: I make a strong statement. There is a MTI CBOR API. You shouldn't
need anything else. Optionally, we could add YAML encodings for
human-readable versions and debugging. There should be no expectation of
interoperability from the YAML-based API.
Data Packaging
Background: I had previously reviewed various packaging trends here:
https://docs.google.com/document/d/1xfU_s1Eu51z_WGg5VYBsQtjsKcrV6_TvFXj2WxBcj90/edit?usp=sharing
-- packaging data for SCITT.
And the idea is to consider that we would leave the scitt machine very
minimal and push everything, including identity into a higher level.
Ray argues to work on a draft describing the VRF. No document exists yet
but the plan is to work on one. Hannes encouraged him to work with Dick
on such a document.
Update and discussion on Feed structure
Postponed
Review open PRs
Postponed
Agenda items for next week
Steve: Feed structure
Henk: Issues & PRs
Dick: SCRAPI API
Roy: A query API is out of scope and not in the charter.
Yogesh: I sent a mail to the list about CISA on how to secure the
software supply chain. I suggest to reply to the call for comments.