- Hannes shared the pull request for use cases https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/8/files
- Henk described three use cases
- Trust Bond between Package Supplier and Signing Authority
- Updated Statements over Time
- Authenticity of Promoted Software Products
- Dick confirmed the description of the Trust Bond use case
- Firmware Use Case
- Hannes asked if Firmware use case is from Monty
- Henk said he thinks Monty has not yet reviewed
- We need an audit use case and an infrastructure (system integration) use case
- Editor's Copy of Software Supply Chain Use Case: Please review and submit feedback via GitHub PR
- Orie looked at the most recent versions overall looked good, only a few comments; would be in favor of more frequent merging of the content. It is easier to do a review of a smaller pull request.
- Dick one other use case 'use an app store to check if an application is trusted - e.g. go to a SCITT registry'
Henk - reply to Orie - Yogesh created the use case, so he hesitated to merge while Yogesh is out. That said, he can merge if there is no objection from the working group
Orie - responding to Dick's comment about 'check with trust registry' which seems to imply a single registry. Previous discussion has been that there will be multiple registries. Thinking of consumer branding on top of SCITT may be best handled outside of IETF.
- Charlie - Agree with Orie's point that there should be several registries. +1 to Orie's point
- Dick - desire to raise awareness of supply chain use cases today
- Hannes - if one sector would like to offer a 'trusted registry' for that sector (e.g. IoT) they can do that.