SCITT - IETF 123

The chairs greatly thank Heather Flanagan for taking amazing notes
during the meeting.

Agenda / Notes

Introduction etc (Chairs) 5 min

Administrivia ftw!

SCITT status and architecture updates (Henk Birkholz) 10 min

(Henk) Two docs, Architecture and Reference APIs, are in progress.
Architecture is in AD Evaluation and is a proposed standard; Reference
API exists and is in final polish. See GitHub for details of changes
since the last meeting. SCRAPI changes are almost all editorial with the
exception of a better example in HASH notation.

No questions

Hackathon report & interop demo (Nicole Bates) 10 minutes

(Nicole) Hackathon focused on two projects (see slides for details):

Towards Adhesives for Supply Chain Security - Nobuo Aoki
SCITT Interop Demo - Nicole Bates, Amaury Chamyou, Jon Geater, Robin
Bryce, Brent Zundel

No questions

Where next with SCRAPI? (Amaury Chamayou) 10 minutes

(Amaury) Nothing too substantial to review. Theo neitem would like to
discuss is the API surface is consistently CBOR/COSE (errors are
CBOR/Constrained problems) and .well-known config is CBOR too (but
informative examples use OAuth-style examples, which isn't as helpful as
it could be). It would make sense for Transparency services to have an
interoperable way to expose their keys in a COSE format.

No questions (though some interesting discussion in the chat)

Supply Chain Use Cases to Design Secure Computing Systems for SCITT Extension https://github.com/aoki-n1/draft-nobuo-scitt-use-cases-extension.git (Aoki Nobuo) 10 minutes

(Aoki) Would like to add a hardware and computer architecture layer to
SCITT (see slides for details).

Questions
(Christopher - chair hat off) What does it mean to have secure hardware
vs making statements about secure hardware? That might be different
types of assertions from software security. Would this work happen in a
recharter for SCITT or do we need a new group?
(Henk) We did talk about rechartering SCITT at some point, and we'd need
to do some work to get the people involved in the original BoF who
wanted hardware in scope right away to come back. Where do semantics go
(e.g., payload, something else?) is interesting future work and would be
part of a recharting. I-Ds informing that charter would help.

Aligning RESCALE with SCITT (Evangelos Haleplidis) 10 minutes

(Evangelos) talking about a project (RESCALE = Revolutionised Enhanced
Supply Chain Automation with Limited Threats Exposure) underway in the
EU that might inform SCITT work. May want to collaborate further.
RESCALE is an end-to-end cybersecurity framework for protecting ICT
supply chains across hardware and software components. (See slides for
more details.) SCITT would be part of the Trust Storage component of
their architecture.

Questions
(Yogesh) You mentioned the format used for SBOM; are you following an
industry standard for linking with the TBOM?
(Evangelos) Using cyclone DX because it has better support for HBOM. For
the static reporting the output is written in cyph (sp?) format.

(Yogesh) Is there a verifier in the s ystem as well?
(Evangelos) Yes, there is a validator that could also use SCITT.

(Henk) A use case document would always be useful. Is the receipt itself
the transaction id, or do you have other requirements on the transaction
id that would into the receipt?
(Evangelos) Once the TBOM is generated, we don't add anything more
inside. We don't want to change that. The ID is a way to find it again
in the blockchain.
(Henk) There could be a hint in the use case about how and why to
identify something and trace it.

VCONS (added to the agenda) - Thomas McCarthy-Howe

Working on two docs in the VCON WG interacting between SCITT and VCON:

VCON Consent Attachment (references the SCITT ledger that contains
the info around the lifecycle and consent)
VCON Lifecycle (all the verbs that happen between VCON and the SCITT
ledger; when consent is gained or withdrawn)

Questions
(Henk) The application of this is great because you can improve interop
testing