Minutes interim-2023-scitt-31: Mon 15:00
minutes-interim-2023-scitt-31-202308281500-00
| Meeting Minutes | Supply Chain Integrity, Transparency, and Trust (scitt) WG |
|---|---|
| Date and time | 2023-08-28 15:00 |
| Title | Minutes interim-2023-scitt-31: Mon 15:00 |
| State | Active |
| Other versions | markdown |
| Last updated | 2023-09-04 |
Agenda for 28th August 2023
Minute taker: Hannes Tschofenig
Update and discussion on Feed structure
Jon started the meeting with a discussion about the feed structure.
Hannes asks what can be written down specifically.
Jon: We have to find out whether we need more than just an opaque
string.
Orie: We are talking about a parameter in the protected header of the
signed statement, or in any signed statement.
Hannes: Can we not select one approach?
Orie: The header parameter needs to be there. We have been handwaving,
also regarding the content.
Ray explains the full chain based on his whiteboard.
Roy: The receipt is returned as part of the signed statement. The
question is whether it is stored together or combined together as it is
returned. That's an implementation-specific issue. The identity is
dictated by the SBOM content. There is not necessarily a product-to-id
match. The claims in the SBOM are potentially specific and could be
stored in the SCITT subsystem and not in the ledger.
Hannes, Roy and Ray talk about the FDA use case and what their
requirements are precisely.
Charlie believes that they have no requirement for authentication.
Roy believes that the use of digital signature is implicit.
Charlie responds that the information may just be sent via email or
uploaded to some database by authorized persons.
After clarifications, Charlie pointed out that the authentication of the
issuer could just happen via an authenticated channel (e.g. a web login)
rather than using digital signatures covering the payloads. This is the
channel-level vs. object-level security discussion.
Roy shares his view after talking to David Waltermire from NIST about
using CVEs. He believes there is an opportunity for alignment between
different technologies.
Henk: The users of the system will ask two questions: Is this authentic?
Is the response what I want?
It is not clear whether we need more than a byte array for the feed.
Hannes: It sounds like we just use what we have in the document right
now. Today, the architecture document defines feed as a string.
Orie: We want some structure beyond the string. I believe it should be a
URL.
....
When making a signed statement transparent you are adding a receipt to
the unprotected header of it.
Progress of SCRAPI
New draft that we hope will help the API progress faster:
https://github.com/ietf-scitt/draft-birkholz-scitt-scrapi