[{"author": "Dick Brooks", "text": "

Lots of interesting stuff happening today in the US: https://energycentral.com/c/ec/harmonization-cybersecurity-across-critical-infrastructure-moving-fast

", "time": "2023-03-20T16:00:57Z"}, {"author": "Kay Williams", "text": "

Hello everyone!

", "time": "2023-03-20T16:02:19Z"}, {"author": "Dick Brooks", "text": "

Hi Kay

", "time": "2023-03-20T16:02:32Z"}, {"author": "Steve Lasker", "text": "

https://datatracker.ietf.org/meeting/116/materials/agenda-116-scitt-00

", "time": "2023-03-20T16:04:03Z"}, {"author": "Cedric Fournet", "text": "

Do we need to book a SCITT hackathon project for the weekend?

", "time": "2023-03-20T16:11:04Z"}, {"author": "Cedric Fournet", "text": "

I am also wondering how to follow up on the slide deck from IETF115, notably the issues summarizing the hackathon in London.

", "time": "2023-03-20T16:12:33Z"}, {"author": "Steve Lasker", "text": "

Follow-up on the London Hackathon topics is a good portion for updates.

", "time": "2023-03-20T16:15:15Z"}, {"author": "Neal McBurnett", "text": "

Question on the architecture perhaps ripe for discussion at IETF116: does the architecture scale to allow consumers to gather all the evidence they need to address the main use cases?

", "time": "2023-03-20T16:15:30Z"}, {"author": "Neal McBurnett", "text": "

Perhaps my scaling question is good for a hackathon

", "time": "2023-03-20T16:16:51Z"}, {"author": "Cedric Fournet", "text": "

Neal: yes!

", "time": "2023-03-20T16:17:41Z"}, {"author": "Steve Lasker", "text": "

Neal, can you define \"scale\" in this topic?

", "time": "2023-03-20T16:18:13Z"}, {"author": "Neal McBurnett", "text": "

If software developers around the world are constantly updating supply chain info and consuming it, providing evidence for billions of end-users who use it frequently to query a variety of bits of evidence relevant to whether a particular artifact meets their specific requirements, that could be a lot of traffic

", "time": "2023-03-20T16:20:09Z"}, {"author": "Neal McBurnett", "text": "

And of course IETF is renowned for having expertise in scaling protocols and systems

", "time": "2023-03-20T16:21:19Z"}, {"author": "Steve Lasker", "text": "

Gotcha. I think you're asking if a single instance would scale to the world's demands?

", "time": "2023-03-20T16:21:41Z"}, {"author": "Neal McBurnett", "text": "

I'm focused on a consumer meeting their own needs. Via one or many instances.

", "time": "2023-03-20T16:22:13Z"}, {"author": "Neal McBurnett", "text": "

So it really melds the use case and architecture discussions

", "time": "2023-03-20T16:22:34Z"}, {"author": "Steve Lasker", "text": "

SCITT is intended to be run by multiple entities. Software vendors will host their own SCITT instances; for instance, Microsoft will host a SCITT instance for its software.
Other vendors will host theirs.
There will likely be other entities, from security vendors or industry verticals, that will host statements around various software products.

", "time": "2023-03-20T16:22:36Z"}, {"author": "Henk Birkholz", "text": "

RFC 9334 (RATS architecture) states in Section 1: \"Amongst other things, this document is about trust and trustworthiness. Trust is a choice one makes about another system. Trustworthiness is a quality about the other system that can be used in making one's decision to trust it or not. This is a subtle difference.\"

", "time": "2023-03-20T16:23:50Z"}, {"author": "Henk Birkholz", "text": "

+1 to append-only log

", "time": "2023-03-20T16:24:07Z"}, {"author": "Steve Lasker", "text": "

Consumers (not necessarily end users), but consumers of SCITT, will query the SCITT Transparency Services related to the software they care about.
They could then query other SCITT Transparency Services for statements related to their software from entities they trust.

", "time": "2023-03-20T16:24:21Z"}, {"author": "Cedric Fournet", "text": "

Neal: the hope is to scale up the updates by registering only a summary of the update info, e.g. hashed commitments to large SBOMs. For the lookups, we can replicate the registry and still issue recent receipts, so it is less a bottleneck (although it can still be quite costly to scale up). But I'd be happy to go through the details.

", "time": "2023-03-20T16:25:29Z"}, {"author": "Dick Brooks", "text": "

I agree S/MIME is broadly adopted across the Energy industry for data interchange

", "time": "2023-03-20T16:29:35Z"}, {"author": "Roy Williams", "text": "

Charlie, my push is to ensure we have a flexible format that allows movement on identity.

", "time": "2023-03-20T16:36:22Z"}, {"author": "Charles Hart", "text": "

@Roy I agree - just have a concern that COSE is not widely used/understood yet

", "time": "2023-03-20T16:37:53Z"}, {"author": "Roy Williams", "text": "

Investments in libraries and examples are key, but COSE is a progression from JSON signing and encryption via CBOR. Outlining which languages need to be brought up first, and which groups review and perform threat models, is larger than this. Some of this may come up in the IETF COSE meeting.

", "time": "2023-03-20T16:44:44Z"}, {"author": "Roy Williams", "text": "

Its scope is increasing and it is actively being worked through. One of the first questions I had when this came up is \"Do we know why we should not use S/MIME?\".

", "time": "2023-03-20T16:45:53Z"}, {"author": "Roy Williams", "text": "

Field confusion within the serialization format is important to keep our eye on. Getting out of the ASN.1 parsing business will help.

", "time": "2023-03-20T16:46:33Z"}, {"author": "Kay Williams", "text": "

Agree with Yogesh, let's use GitHub to track issues/questions regarding the architecture document.

", "time": "2023-03-20T16:48:11Z"}, {"author": "Cedric Fournet", "text": "

Agreed. Also a good way to improve the architecture text!

", "time": "2023-03-20T16:48:59Z"}, {"author": "Cedric Fournet", "text": "

Yogesh: can we use the use cases as a gentle intro to SCITT, or do we need a technical summary before?

", "time": "2023-03-20T16:49:44Z"}, {"author": "Raymond Lutz", "text": "

Using restaurant cleanliness scores may not translate well to an international audience.

", "time": "2023-03-20T16:53:52Z"}, {"author": "Neal McBurnett", "text": "

A restaurant cleanliness board is an example of one SCITT instance, but on top of that note that different people have different restaurant requirements, like looking for Halal food, made carefully separated from a variety of allergens, using locally-sourced ingredients, organic ingredients, paying a fair wage, securely managing credit cards they take from you, etc.

", "time": "2023-03-20T16:57:06Z"}, {"author": "Neal McBurnett", "text": "

so I want the end-user to be able to query to meet their overlap of requirements

", "time": "2023-03-20T16:57:45Z"}, {"author": "Cedric Fournet", "text": "

Does anyone have context on the \"key transparency BOF\" at IETF116?

", "time": "2023-03-20T16:59:20Z"}, {"author": "Neal McBurnett", "text": "

And whether the bananas were shipped properly :)

", "time": "2023-03-20T16:59:41Z"}, {"author": "Steve Lasker", "text": "

I've got a hard stop at the hour.

I believe we need the online discussions, but agree with Charlie to stay focused on the agenda items and timeboxed.

I would vote for weekly meetings after IETF 116, at the same time.
Once we get back in sync with UK/US times.

", "time": "2023-03-20T17:01:03Z"}, {"author": "Dick Brooks", "text": "

That analogy was presented by Anne Neuberger in a video, linked in this article: https://energycentral.com/c/um/what-does-it-mean-rebalance-cybersecurity-risk

", "time": "2023-03-20T17:01:49Z"}, {"author": "Raymond Lutz", "text": "

Yes, Anne Neuberger is excellent!

", "time": "2023-03-20T17:02:32Z"}]