https://notes.ietf.org/notes-ietf-interim-2024-scitt-01-scitt#
", "time": "2024-01-08T16:03:00Z"}, {"author": "Orie Steele", "text": "we need to close the adoption call for scrapi still iirc
", "time": "2024-01-08T16:05:55Z"}, {"author": "Orie Steele", "text": "its not in datatracker yet.
", "time": "2024-01-08T16:06:10Z"}, {"author": "Jon Geater", "text": "I'll take a look. Hannes was going to press the buttons but I'll take it over
", "time": "2024-01-08T16:06:35Z"}, {"author": "Steve Lasker", "text": "https://ietf-wg-scitt.github.io/draft-ietf-scitt-architecture/#go.draft-ietf-scitt-architecture.diff
", "time": "2024-01-08T16:06:54Z"}, {"author": "Orie Steele", "text": "Henks comment here on text changes needed that are blocking architecture: https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/148#issuecomment-1881265948
", "time": "2024-01-08T16:08:56Z"}, {"author": "A.J. Stein", "text": "Thank you for the explanation, Orie.
", "time": "2024-01-08T16:13:57Z"}, {"author": "A.J. Stein", "text": "https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/120#issuecomment-1865318043
", "time": "2024-01-08T16:15:34Z"}, {"author": "Orie Steele", "text": "+1 to remove auditor if possible
", "time": "2024-01-08T16:18:27Z"}, {"author": "Raymond Lutz", "text": "Add one more thing that the relying party may need to review what the verifier has stated.
", "time": "2024-01-08T16:20:58Z"}, {"author": "Raymond Lutz", "text": "verifier is like what we may consider the notary role.
", "time": "2024-01-08T16:21:38Z"}, {"author": "Orie Steele", "text": "can keep , auditor, but then is an auditor a relying party or a verifier?
", "time": "2024-01-08T16:22:13Z"}, {"author": "Raymond Lutz", "text": "Auditor is not a good term to be used here because the auditor is always outside the whole activity.
", "time": "2024-01-08T16:22:33Z"}, {"author": "A.J. Stein", "text": "I can speak to this later but so I remember: auditor is a nebulous term in the government compliance space, and I would recommend against it.
", "time": "2024-01-08T16:22:42Z"}, {"author": "Orie Steele", "text": "does RATs have auditor role?
", "time": "2024-01-08T16:23:04Z"}, {"author": "A.J. Stein", "text": "(We are individuals, not organizations, but this one I have felt on numerous occasions and causes endless problems.)
", "time": "2024-01-08T16:23:23Z"}, {"author": "Orie Steele", "text": "is a scitt auditor a RATs verifier? or a RATs RP?
", "time": "2024-01-08T16:23:27Z"}, {"author": "Raymond Lutz", "text": "Auditor would logically be the role of confirming the entirety of the merkle tree consistency.
", "time": "2024-01-08T16:23:38Z"}, {"author": "Roy Williams", "text": "That is definitely not true Orie
", "time": "2024-01-08T16:23:46Z"}, {"author": "A.J. Stein", "text": "I would like to circle back to the original issue: is alignment with SCITT and RATS and other assorted specifications we reference (informative and normative) is important?
", "time": "2024-01-08T16:24:11Z"}, {"author": "A.J. Stein", "text": "Henk is saying no.
", "time": "2024-01-08T16:24:14Z"}, {"author": "Orie Steele", "text": "great, I also assume an auditor is a RATs RP
", "time": "2024-01-08T16:24:27Z"}, {"author": "Orie Steele", "text": "thats what I said : )
", "time": "2024-01-08T16:24:34Z"}, {"author": "Roy Williams", "text": "Yes, the overlap between RATS and SCITT does not align at that point.
", "time": "2024-01-08T16:24:37Z"}, {"author": "Orie Steele", "text": "the term RP has ties to both OAUTH and RATS... if we add RP, we MUST address both WG usages.
", "time": "2024-01-08T16:26:10Z"}, {"author": "Raymond Lutz", "text": "There is a need for the role of confirming proof of possession which can then be read later by the relying party without doing the activitiy.
", "time": "2024-01-08T16:26:14Z"}, {"author": "Orie Steele", "text": "verifier = (sig check, inclusion proof check)
\nrp = (everything after verifier)
", "time": "2024-01-08T16:27:47Z"}, {"author": "Roy Williams", "text": "Verifying of the ledger is a non-trivial role and we must ensure that leveraging that role does not expose information from other submitters. If the proof kept on the ledger is PAT then auditing gains access and that would be bad in general.
", "time": "2024-01-08T16:28:08Z"}, {"author": "Roy Williams", "text": "If you want to stipulate that verifier only gets at inclusion proof then that would side step my issue.
", "time": "2024-01-08T16:28:53Z"}, {"author": "Henk Birkholz", "text": "Verifying means a lot of things :sweat_smile: This sounds like a SCITT Verifter and not a RATS Verifier.
", "time": "2024-01-08T16:30:13Z"}, {"author": "Orie Steele", "text": "certainly true, if RATS and OAUTH verifiers don't understand how to \"check proofs\".
", "time": "2024-01-08T16:30:54Z"}, {"author": "Henk Birkholz", "text": "SCITT Verifier = (sig check, inclusion proof check)
", "time": "2024-01-08T16:31:12Z"}, {"author": "Orie Steele", "text": "is a SCITT verifier a RATS verifier who understands \"proof checks\" ?
", "time": "2024-01-08T16:31:53Z"}, {"author": "Raymond Lutz", "text": "auditor usually is an end-to-end review and evaluation.
", "time": "2024-01-08T16:32:10Z"}, {"author": "Henk Birkholz", "text": "Signature Checking in SCITT means something else than for Evidence in RATS
", "time": "2024-01-08T16:32:13Z"}, {"author": "Roy Williams", "text": "Verifier and RP also cause confusion.
", "time": "2024-01-08T16:32:14Z"}, {"author": "Orie Steele", "text": "don't use words differently than other IETF work, without explaining what the difference is.
", "time": "2024-01-08T16:33:08Z"}, {"author": "Raymond Lutz", "text": "But Henk, I think they are quite similar. The RATS checking of evidence is like checking for biometrics
", "time": "2024-01-08T16:33:24Z"}, {"author": "Steve Lasker", "text": "This was the reason we went with issuer and verifier, to try and avoid conflicts with other specs. Not sure if we're coming full circle.
", "time": "2024-01-08T16:33:51Z"}, {"author": "A.J. Stein", "text": "What does this actually mean if I am writing a TS service and/or client:
\n", "time": "2024-01-08T16:34:30Z"}, {"author": "Orie Steele", "text": "issuer and verifier have specific meaning in OAUTH / ACE. Our use of them is consistent, modulo the new concept of \"proof checks\".
", "time": "2024-01-08T16:34:38Z"}, {"author": "A.J. Stein", "text": "What is an auditor doing with/in the service \"an entity that checks the correctness and consistency of all Transparent Statements issued by a Transparency Service.\"?
", "time": "2024-01-08T16:34:54Z"}, {"author": "Jon Geater", "text": "Locked queue to make sure we complete this conversation and move to the next PR. Hopefully everyone has enough to make progress on the list.
", "time": "2024-01-08T16:36:29Z"}, {"author": "Roy Williams", "text": "On the physical side with the GS1 efforts, we found that the number of times people validated blockchain data is super low. I contend that reviewing the data that we pushed through SCITT will be the larger process and if we get to \"audit\" of the ledger audit log is special.
", "time": "2024-01-08T16:36:38Z"}, {"author": "Roy Williams", "text": "So the flow through Audit to review of the log is steps.
", "time": "2024-01-08T16:37:20Z"}, {"author": "Andrew Reiter", "text": "Must drop early.
", "time": "2024-01-08T16:38:39Z"}, {"author": "Steve Lasker", "text": "https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/151
", "time": "2024-01-08T16:41:09Z"}, {"author": "Roy Williams", "text": "Ray the comment resonated that verifying of receipts and signatures is going to get confused with verification of the log. I would rather not confuse those.
", "time": "2024-01-08T16:42:21Z"}, {"author": "Orie Steele", "text": "I'd say the challenge is: what part of this is architecture, and what part is implementation specific.
", "time": "2024-01-08T16:43:14Z"}, {"author": "Raymond Lutz", "text": "Henk, I just realized my original objection to the use of verifier is because it was being used instead of relying party. Now with both, it makes more sense that the verifier is doing what it needs to do to actually do the verification while relying party just relies on that result. Verification of the log seems like a much larger role unless we confine it to just the log specific to the entry of concern.
", "time": "2024-01-08T16:46:20Z"}, {"author": "Orie Steele", "text": "its ok, i don't mind headaches
", "time": "2024-01-08T16:47:59Z"}, {"author": "A.J. Stein", "text": "Isn't the whole philosophy of the append-only ledger that it gets verified over time?
", "time": "2024-01-08T16:50:50Z"}, {"author": "A.J. Stein", "text": "To Roy's previous comment, whether or not human auditors, whatever their role, they can choose to not verify the ledger frequently. But in Certificate Transparency long-running verification, automated and whether or not humans review it, is pivotal.
", "time": "2024-01-08T16:51:57Z"}, {"author": "Roy Williams", "text": "A.J. Agreed, but the question of how expensive this could be and how many requests we allow. We don't want this to be a DOS vector.
", "time": "2024-01-08T16:53:42Z"}, {"author": "A.J. Stein", "text": "Not bring up more irrelevant terminology, the relevant CT design and philosophy call these witnesses.
\nhttps://github.com/transparency-dev/witness
", "time": "2024-01-08T16:54:22Z"}, {"author": "Steve Lasker", "text": "https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/pull/143
", "time": "2024-01-08T16:56:49Z"}, {"author": "Roy Williams", "text": "Thanks all
", "time": "2024-01-08T16:59:53Z"}]