Supply Chain Integrity, Transparency, and Trust (SCITT): Meeting Minutes

Meeting: Working Group
Date and Time: 12 December 2022, 16:00 - 17:00 UTC
Chairs: Hannes Tschofenig
Note Takers: Kay Williams, Kiran Karunakaran, Brian Knight

Resources

Meeting Video
Agenda
Bluesheets
Presentations: None
Chat Log

Introduction

Welcome from Hannes to the group
We are using IETF tooling including Meetecho for remote participation and HedgeDoc for notes

Use Cases Discussion

Hannes shared the pull request for use cases https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/8/files
Henk described three use cases
- Trust Bond between Package Supplier and Signing Authority
- Updated Statements over Time
- Authenticity of Promoted Software Products
Dick confirmed the description of the Trust Bond use case
Firmware Use Case
- Hannes asked if Firmware use case is from Monty
- Henk said he thinks Monty has not yet reviewed
We need an audit use case and an infrastructure (system integration) use case
Editor's Copy of Software Supply Chain Use Case: Please review and submit feedback via GitHub PR
Orie looked at the most recent versions overall looked good, only a few comments; would be in favor of more frequent merging of the content. It is easier to do a review of a smaller pull request.
Dick one other use case 'use an app store to check if an application is trusted - e.g. go to a SCITT registry'
Henk - reply to Orie - Yogesh created the use case, so he hesitated to merge while Yogesh is out. That said, he can merge if there is no objection from the working group
- Hannes - OK to merge
- Henk - will merge
- Henk - Done - https://ietf-scitt.github.io/draft-birkholz-scitt-software-supply-chain-use-cases/draft-birkholz-scitt-software-use-cases.html
Orie - responding to Dick's comment about 'check with trust registry' which seems to imply a single registry. Previous discussion has been that there will be multiple registries. Thinking of consumer branding on top of SCITT may be best handled outside of IETF.
Charlie - Agree with Orie's point that there should be several registries. +1 to Orie's point
Dick - desire to raise awareness of supply chain use cases today
Hannes - if one sector would like to offer a 'trusted registry' for that sector (e.g. IoT) they can do that.

Next Steps

What to discuss in upcoming meeting
Secretary sent meeting for next Monday (12/19), two week break, then meet again on 1/9
Ideas:
- Sigstore update
- Review architecture document
- Customer Requirements (based on use cases)
- Also need to make progress on terminology
Kay - process flow - use cases, problem summary, customer requirements, architecture
- Hannes - would someone be willing to volunteer to create the customer requirements
- Kay - will drive a customer requirements document (possibly a section of the use cases document). Will start this in January.
- Roy - will the requirements be for everything in the use case, or just the building blocks
- Hannes - requirements are only for the building blocks
Henk - IETF mantra - parallelize, don't serialize; agree with Roy we can agree on most important roles; this discussion needs to be driven on the mailing list
- Hannes - Roy would you like to drive on the mailing list
- Roy - sure; can drive

IETF Infrastructure

Some participants are not able to see the chat and notes
Hannes will share a link to Meetecho documentation
Henk we can also set up a tech training session
Ned posted a few links to help folks become familiar with Meetecho:
- https://www.ietf.org/media/documents/IETF-Meetecho-Documentation.pdf
- https://www.ietf.org/how/meetings/technology/meetecho-guide-participant/

Next Meeting Agenda

Next meeting is on 19 December 2022,16:00 - 17:00 UTC
- Agenda
- Join Meetecho
Target to have audit use case and infrastructure use case in the PR for review by next meeting: Discuss for next meeting
Next step is to derive user requirements (scope for working group) from use case document and align on terminology (at least for critical terms)