[{"author": "Kiran Karunakaran", "text": "<p><a href=\"https://datatracker.ietf.org/wg/scitt/meetings/\">https://datatracker.ietf.org/wg/scitt/meetings/</a></p>", "time": "2023-01-30T16:05:38Z"}, {"author": "Joshua Lock", "text": "<p>I see agenda and materials links but not the meetecho link</p>", "time": "2023-01-30T16:06:28Z"}, {"author": "Joshua Lock", "text": "<p>got it <span aria-label=\"embarrassed\" class=\"emoji emoji-1f633\" role=\"img\" title=\"embarrassed\">:embarrassed:</span></p>", "time": "2023-01-30T16:07:56Z"}, {"author": "Hannes Tschofenig", "text": "<p>The meeting link is in the calendar invite. Click on the session materials.</p>", "time": "2023-01-30T16:10:10Z"}, {"author": "Yogesh Deshpande", "text": "<p>Hannes, can you please provide share permission</p>", "time": "2023-01-30T16:10:12Z"}, {"author": "Hannes Tschofenig", "text": "<p>I guess I will just send it around every time because it is hard to find</p>", "time": "2023-01-30T16:10:40Z"}, {"author": "Brian Knight", "text": "<p><a href=\"https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/18/files\">https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/pull/18/files</a></p>", "time": "2023-01-30T16:14:07Z"}, {"author": "Roy Williams", "text": "<p>We can hear Dick and Yogesh. Yogesh can you not hear Dick?</p>", "time": "2023-01-30T16:15:06Z"}, {"author": "Roy Williams", "text": "<p>Dick the question is are the three roles for the discussion</p>", "time": "2023-01-30T16:15:20Z"}, {"author": "Michael Prorock", "text": "<p>+1 3 roles for basic use case doc makes sense</p>", "time": "2023-01-30T16:18:27Z"}, {"author": "Michael Prorock", "text": "<p>use case doc should outline the use cases, and should avoid touching on solutions</p>", "time": "2023-01-30T16:20:49Z"}, {"author": "Monty Wiseman", "text": "<p>I've been called into a meeting. 
I'll be traveling on business next week so will not back on Feb 13</p>", "time": "2023-01-30T16:22:10Z"}, {"author": "Henk Birkholz", "text": "<p>if a supplier is the auditor, it auto-magically becomes a self-asserter</p>", "time": "2023-01-30T16:23:44Z"}, {"author": "Henk Birkholz", "text": "<p>as Neal said</p>", "time": "2023-01-30T16:23:51Z"}, {"author": "Henk Birkholz", "text": "<p>\"stating an opinion\"</p>", "time": "2023-01-30T16:24:03Z"}, {"author": "Kay Williams", "text": "<p>+1 Neal. Supplier makes a statement of authorship; Auditor makes other statements (e.g. software meets a set of requirements)</p>", "time": "2023-01-30T16:24:45Z"}, {"author": "Henk Birkholz", "text": "<p>trusted 3rd parties (according to NIST) create these \"3rd party attestations\", which are in IETF typically referred to as \"Endorsements\"</p>", "time": "2023-01-30T16:24:59Z"}, {"author": "Michael Prorock", "text": "<p>related to this use case directly <a href=\"https://www.theregister.com/2023/01/30/opinion_eu_foss_security/\">https://www.theregister.com/2023/01/30/opinion_eu_foss_security/</a></p>", "time": "2023-01-30T16:26:12Z"}, {"author": "Michael Prorock", "text": "<p>queueing to speak to supplier self attestation</p>", "time": "2023-01-30T16:27:09Z"}, {"author": "Henk Birkholz", "text": "<p>Charlie is right! I made an oversimplification</p>", "time": "2023-01-30T16:27:15Z"}, {"author": "Joshua Lock", "text": "<p>apologies all, I have a conflict and have to drop early. 
Will keep up with this discussion on the list.</p>", "time": "2023-01-30T16:30:34Z"}, {"author": "Roy Williams", "text": "<p>Michael, your volume starts out low.</p>", "time": "2023-01-30T16:33:40Z"}, {"author": "Michael Prorock", "text": "<p>Thanks Roy</p>", "time": "2023-01-30T16:34:38Z"}, {"author": "Orie Steele", "text": "<p>We did cover some of the FIPS scenario at the last IETF</p>", "time": "2023-01-30T16:34:46Z"}, {"author": "Orie Steele", "text": "<p>In the examples / stories from the hackathon</p>", "time": "2023-01-30T16:34:55Z"}, {"author": "Orie Steele", "text": "<p>I'd love to see more unpacking of those use cases.</p>", "time": "2023-01-30T16:35:18Z"}, {"author": "Michael Prorock", "text": "<p>+1 Orie</p>", "time": "2023-01-30T16:35:39Z"}, {"author": "Henk Birkholz", "text": "<p>@Neal, good point. Would you propose the \"delegation\" vs. \"signing authority\" on the list?</p>", "time": "2023-01-30T16:36:24Z"}, {"author": "Henk Birkholz", "text": "<p>+1 Orie</p>", "time": "2023-01-30T16:36:40Z"}, {"author": "Orie Steele", "text": "<p>People can \"sign anything they have\"... but there is often no reason to trust an issuer to make claims about subjects they have no authority over.</p>", "time": "2023-01-30T16:39:19Z"}, {"author": "Henk Birkholz", "text": "<p>+1 Hannes, it is about what<br>\n1.) who signed<br>\n2.) what information is added by that<br>\n3.) 
is that entity authorized by a supply chain party<br>\nbut that also already delves into solution space - we need generic use cases and have to take care that they are mostly in the sweet-spot between being solution/use case and specific/generic</p>", "time": "2023-01-30T16:39:50Z"}, {"author": "Henk Birkholz", "text": "<p>+1 Dick, roles and entities separation</p>", "time": "2023-01-30T16:40:01Z"}, {"author": "Michael Prorock", "text": "<p>have to drop in 5 - really appreciate the conversation and forward movement</p>", "time": "2023-01-30T16:40:22Z"}, {"author": "Orie Steele", "text": "<p>^ yes, roles are useful, and same entity often plays multiple roles at different stages of a supply chain.</p>", "time": "2023-01-30T16:40:28Z"}, {"author": "Henk Birkholz", "text": "<p>@Orie: role + role \u2260 new role, entities are the \"aggregator\" for roles</p>", "time": "2023-01-30T16:41:28Z"}, {"author": "Henk Birkholz", "text": "<p>@Orie: I think that was a +1 :-)</p>", "time": "2023-01-30T16:42:22Z"}, {"author": "Orie Steele", "text": "<p>&lt;3 yes, that's what I meant.</p>", "time": "2023-01-30T16:43:50Z"}, {"author": "Orie Steele", "text": "<p>+1 Jon, great use case regarding FIPS and Hardware.</p>", "time": "2023-01-30T16:44:56Z"}, {"author": "Kay Williams", "text": "<p>Need to drop.  Henk and Yogesh, thanks for your work on the use cases. I reviewed.</p>", "time": "2023-01-30T16:46:47Z"}, {"author": "Jon Geater", "text": "<p>+1 for signing only for yourself</p>", "time": "2023-01-30T16:50:49Z"}, {"author": "Jon Geater", "text": "<p>Attestations are witness statements. They take responsibility for a claim</p>", "time": "2023-01-30T16:51:06Z"}, {"author": "Roy Williams", "text": "<p>Producers do not have complete control of who\\what makes additional claims on their product.  
Antimalware companies will produce evidence and \"my\" company will make an endorsement as to whether or not their employees CAN use that product.</p>", "time": "2023-01-30T16:54:16Z"}, {"author": "Roy Williams", "text": "<p>The producer does not control that statement.</p>", "time": "2023-01-30T16:54:26Z"}, {"author": "Roy Williams", "text": "<p>There is an RBAC role of the producer though that they in the future can expire their product.  External claims by competitors should must be precluded from that.</p>", "time": "2023-01-30T16:55:55Z"}, {"author": "Roy Williams", "text": "<p>Summary.  Read read the use case and post comments.</p>", "time": "2023-01-30T16:56:40Z"}, {"author": "Roy Williams", "text": "<p>Have to head out.  Thanks everyone.</p>", "time": "2023-01-30T16:56:48Z"}, {"author": "Henk Birkholz", "text": "<p>there seems to be a popular candidate for policy language</p>", "time": "2023-01-30T16:58:39Z"}, {"author": "Raymond Lutz", "text": "<p>The term \"signing\" is overloaded, and if we separate the meaning then this will resolve this I think.</p>", "time": "2023-01-30T17:02:39Z"}]