Minute taker: Hannes Tschofenig
Jon showed PR#80 (reverted in #82) with a number of editorial edits.
Henk noted that Jon added himself to the author list. Yogesh also noted
this issue.
Henk wants to create two PRs, one based
PR#71: PR from Roy, who still has to work on the PR.
Jon noted that further changes have to be made regarding the
authorization.
PR#72: PR with editorial changes.
Yogesh had comments regarding the style of TBDs. He prefers to include
links to open issues instead of writing TBD generically.
Suggestion to merge it.
PR#73: Use Cases
Merged the PR after incorporating text provided by Jon with reference to
use case document.
PR#76: Registration Policy
Discussion about the list of SBOM technologies. Yogesh will expand the
acronyms and add references.
Will merge the PR after fixing formatting bugs.
PR#77: Addressed confusion about what is registered by the TS and what
is returned by the TS.
Will merge the PR.
PR#78: Orie created a PR to provide further clarifications regarding
DIDs. Since the PR was recently provided, there are some discussions
about when to approve the PR.
Orie went through his PR in detail.
Dick: I am not too familiar with DIDs either. I have not seen DIDs being
used in the software supply chain. I have seen PGP and X.509
certificates. Would this PR change the way PGP and X.509 keys are
used?
Orie: PGP are distributed out-of-band. SCITT does not support PGP in
terms of the formats. The envelopes we are using are based on COSE. The
X.509 certificates are better supported via COSE. Someone will have to
document X.509 certificates.
Dick: If you introduce something that does not accommodate the existing
practices then it will not help with adoption.
Charles: I share that concern. We need to have a way to support existing
software.
Roy talks about the challenges with key distribution. All Orie is doing
is to explain how DIDs are used.
Dick + Roy discuss how to deal with the existing technologies.
Charlie: There is a ton of PGP key usage.
Dick: The energy space has been using PGP for a long time.
Charlie: I don't know why we cannot make a reference to existing
technologies.
Steve: Deal with PGP when a deployment problem emerges.
Charlie: Disagree.
Dick: If you don't support existing supply chain practices, I see
problems.
Roy: The architecture document does not preclude the use of any of these
mechanisms. It does not limit anything.
Neal: We need to resolve the issue in question. I hear no objections to
the content of the DID clarification in PR #78. So it sounds like we
should just merge it, right? Others can submit similar content on how to
handle X.509 and/or PGP.
Hannes: Should we schedule another conference call next Monday to talk
about the hackathon?
No objections from the group.
Postponed till next Monday.