Welcome and Introduction (5 mins)

SCITT Overview (10 mins)

Henk
Review Update Streams, supporting multiple vendors to submit
statements about an artifact
## Recap since 121 (10 mins) {#recap-since-121-10-mins}
Steve
- Architectural Overview. Nicer picture, no rotation required.
- Technical recap: scrubbing and polishing the architecture
- Cleanup on the SCRAPI draft, pushed merkle tree proof to ISEG
  for adoption

AJ Stein: The diagram has that we have 2 organizations doing a
transaction, but we don't have any text for that?
Steve: We've definitely talked about it, but it might not be in the
draft now; but it is supported,
Multiple parties could make statements about the same subject (e.g. a
software security company could make a statement about some other
entity's software) and the provider could then make a counter statement
saying something like "that issue is fixed"
AJ: Not that there is a problem in the model, per se, but that the text
says it is singular.
Steve: will check the text
Henk: It isn't explicit in the text, but it is there since the first
use case is software

Introduction to Transparency 201 (20 mins)

Jon
Not just a collection of misc information
Focused on quality statements, assuring statements can't be
backdated
not defining a way to store statements, those are adjacent services.
as data is moved around, you can lose a lot of crucial contexts, and
integrity protection
SCITT standards to detect changes of content as it's moved.
Verifiable record keeping
We want to identify the identities that are making claims. Focused
on business use cases, not personal identities
Not just centralized registries, happy to support, but not the focus
Why isn't just publishing anything useful?
Just becuase you can see something, doesn't mean it's true
They should be treating them as witness statements, to judge whether
you trust the identity making the statement
You can make an informed decision, based on who made a statement
about a thing
Scenarios
- Tamper proofing - more versatile than just a signature
- Pre-commitment - why we have merkle trees, not just a signature.
  Capture a photo of my cat. Then, when it's stolen, you can say I
  recorded a picture of my cat a month ago, so i can prove it's
  mine.
- Even if you delete your copy, if someone else has a copy, they
  can still validate the integrity of the copy
Non-equivicoation
- What stops me from pictures of 500 cats, then claiming I owned
  them all
- The transparency service would show that you've created 500
  entries, and not just the realistic few
Building Blocks
- Not all parts may be required to every instance

Erum Welling: Does the provenance contain the historical ownership?
Jon: Partially, it does capture some of it, but it depends on some
external searching ability; you have to be build to capture the subject
name and then find it
Erum: If the artifact gets modified, what happens?
Jon: SCITT only provides this signing and transparency; it is avowedly
agnostic to the content of the artifact; so it is possible to link
things together with their subjects and statements, but its not inherint
in SCITT.

SCRAPI and SCITT Transparency Services!

Steve
- What is stored on the append only log
  1. Signed statetment
  2. Hash
  3. Both (yes)
- Layering the SCITT architecture
  Architecture
  - Transparency Service Implementation
  - SCITT append only log
  - SCITT registrationtion
  - AAPI for Ancillary Services
- Choices around where meta data goes, what's protected and
  unprotected
- Now that we get the receipt back, we can put in the unprotected
  bucket
- MCR: don't forget you can use redirection by saving a key that
  redirects

mcr: feeling on the fence about the unprotected header; selective
disclosure from teh SPICE mechanisms uses them potentially; it might
want behave differently. Might want a layer of indirection based on the
unprotected part. And the impacts of the subject from things that might
be the same, but have different unprotected material.
steve: we struggled with this, COSE says don't include the unprotected
header, and the receipt example is good with the expense report
mcr: e.g. capturing the exchange rate which is time dependent

aj: can you clarify what should and should not be stored in the
transparency log, you mentioned something about that quickly
steve: the ledger is only protecting of the signed statement, but an
implementation could include additional stores with the additional
information. So the unprotected header could be in the log, but it
doesn't have to be in the log
aj: so the draft does't use MUST on what you have to include and
exclude from the log
steve: there is a MUST that says you have to exclude the unprotected
header; want to make sure what is written to the log so that it can be
verified consistently
aj: okay - get what you're saying now

erum: is there a way for a chain to bypass this (so skipping a change in
the artifact)
jon: SCITT as defined is about making statements about artifacts; but
you can make policy around the use of the statements

roy: unsigned headers cannot prove a timeline of changes, etc.

henk: the arch says that its okay to send a set of stuff with a whole
pile of junk in the unprotected header; registration policies are
interesting because they could control the rules about notarized uses
and unprotected materials

SCRAPI (15 mins)

Jon
Minimal Reference API
Basicly registering signed statements, getting receipts back
Got a bunch of things working, starting with an artifact, put into a
payload, hash it wish cose-hash-envelope, submit, get the receipt
and attach to the unprotected header to create a transparent
statement
MCR - really interesting icons, would like to see those understood
and standardized
- Bottom right is the inclusion proof
- Request to put the svg's in the github
Jon
- Reason for the multi-party iconography is they can be
  distributed
Henk
- Can be transparent confidentiality
- And confidential transparency
Jon
- Transparency of the log information is completely separate to
  your policy of what's "public"
Implementations
- DataTrails & Microsoft
  ## Hackathon Report (10 mins) {#hackathon-report-10-mins}
Jon
Nobuu Aoki and Jon hacked on code
Eliminated json and made all things cbor
Worked to remove cbor from the bodies, and use http for minimal code
Nobuo prototeyped YANG
Challenges between 121 and 122
- Can't assume syncronous post/receipt
- Have to deal with the id's, and may also fail before completing
- Cleaver solution was to use resource moved placeholders
- Might tell you a different location, based on sharding, success
  or failure
What we learned
- the theory worked
- better compat for retrofit implementations
Yang model for SBOMs
- Two issues identified
- How do I make the messy process of failed builds, show lineear?
- If we can make statements about statements, we can resolve this
- In SCRAPI, we have reliable locators, those can be used as
  pointers
Is there hearburn about making statements about statements
MCR
- how is this YANG
- Jon - focus on RFC 9472
A.J.
- Can you explain how invaliate is implemented
- Jon: 9472 says if you do a new version of a step, it's better
  than the old version
- A.J. conceptual foundation is in 9042?
Henk
- Once Steve's box of snakes are put back in, we can open a new
  box of snakes for statements about statements
Thanks to Auoki

Next Steps (5 mins)

Request if Architecture is ready for last call
Architecture to goto last call
AOB Open Mic (10 mins)
would you like to schedule a virtual interim in about 6 weeks to
review the last call documents
Jon: If we get significant feedback, we can do that.
Chris: will look at what holiday's we'd need to navigate for a
Erum
- Question about the use case documents.
Chris
- IETF no longer publishes Use Case Documents as RFCs
- Future use case documents can be done somewhere else
Henk
- Can post new use caes documents
Chris
- Some AD's don't like lots of docs that won't advance, and are
  asked to clean those out