SCITT Interim WG Meeting (02/06/2023)
Chair: Hannes Tschofenig and Jon Geater
Note taker: Kiran Karunakaran

Agenda
- Bash
- Use Case Discussion: Open PR for Monty's FW use case
- Receipt ID Discussion
- Architecture/Terminology Discussion
- Sigstore Discussion

Use Case Discussion:

Yogesh: 1st use case (verification that signing cert is authorized by supplier) has been simplified per feedback from last meeting. https://github.com/ietf-scitt/draft-birkholz-scitt-software-supply-chain-use-cases/

Ray: User identity should be an item for a future meeting. Authentication and validation of identity.

Steve: There are different "types of identities" and the policy can accept/decline types of specific identities. But a focused convo on the topic would be helpful.

Orie: Identity Assurance Levels... see also https://pages.nist.gov/800-63-3/

Henk: Would Joshua and Zack like to contribute (Sigstore) to the use case document?

Zack: Yes. Next week or so for a draft, plenty of time to review before the meeting.

Kay will work with Yogesh to review all the open issues on use cases.

Jon: We need to lock down the use case doc this week. That will give us time to work on the architecture ID before IETF 116. ID submission cut-off deadline is in just 5 weeks (2023-03-13).

Henk: At the moment, these are living documents and we need to get them to a stable version before publishing them.

Yogesh: Issues #19 and #20 are minor changes. Overuse of the term trust (Issue #14) needs to be cleaned out.

Kay: Kay will open a PR to clean up the doc. Only use the term trust in relevant and appropriate places. There are a couple of 'trust relationship' and 'trust bond' phrasings that need to be modified.

Ray: Build trust through evidence. Even a financial trust, like a trust deed, is backed by interest in the property. No blind trust; trust is built via solid evidence.

Neal: +1 to avoiding murky terms like "trust relationship" and "trust bond".

Dick: Trust is in the name of our group, SCITT.

Steve: I agree trust is a good term to keep. Trust is established through the policy and the verification of the identity through the notary portion of the policy. Trust is also established through a verified identity.

Jon: +1, the evidence is your raw material from which to build trust. SCITT doesn't itself GIVE trust. It ENABLES it. Deeper, richer reputations.

Neal: So re the phrasing in the document, I don't think we are creating a "standardized way" to "manage trust relationships". We are standardizing ways to manage the evidence which relying parties can use to develop and manage their own trust relationships in whatever ways they do.

Kay and Yogesh will work through the issues this week and close them out.

Architecture, Receipt and Terminology Discussion:

Henk: Build a generic COSE profile (various Merkle trees) instead of building it specifically for SCITT. We'll have a draft to review soon.

Sigstore Discussion:

Neal: Re: Sigstore. I missed the 01-23 SCITT meeting, but I think they provide an excellent substratum for our work. As I commented in the video (https://youtu.be/nZHfOFN-Q7A), many in the SCITT WG seem interested in baking some policies into the infrastructure. I'm wondering what the options are for layering policies and well-known CA or auditor identities on top of Sigstore to vouch for policy compliance and address all the SCITT use cases.

Ray: Sigstore misses the larger view but does well for individual pipelines and repos. The identity problem and additional layering need to be resolved. There have to be levels of identification.

Orie: https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/ concept of identity (people vs service)

Hannes: We'll have an OAuth co-chair come to the SCITT interim WG meeting to talk about identity.