Session Date/Time: 12 Dec 2022 16:00
SCITT
Summary
This interim meeting focused primarily on reviewing the latest updates to the SCITT Use Cases document Pull Request (PR) by Hank, addressing the initial challenges with the new MeetEcho meeting tool, and outlining next steps for document development. There was general agreement to merge the updated use cases to facilitate further contributions. Discussions also touched on refining terminology, extracting requirements from use cases, and identifying missing use case categories such as auditing and air-gapped infrastructure.
Key Discussion Points
- MeetEcho Tooling: The session began with significant discussion around issues with the new MeetEcho platform, including difficulty locating the chat and note-taking functions, ICS calendar links not containing direct meeting links, and general user unfamiliarity. The chairs acknowledged the learning curve and the need for better onboarding.
- Use Cases Document (PR Review):
  - Hank provided an overview of his refactoring of the use case document, which included rewriting some existing content (originally by Yogish) and adding two new use cases: "updated statements over time" and "promoting software."
  - He highlighted a structured approach for new use cases: generic overview, actual use case, and problem summary, written in "layman's terms" before introducing architectural language.
  - Dick commended Hank's work on the "trust bond" use case, emphasizing its relevance to solving trustworthiness problems when downloading software from the internet.
  - Participants provided positive feedback on Hank's format, which breaks down use cases into description, consumer wants, and the need for standardization.
  - Ori suggested a more frequent merging schedule for such documents to improve editorial shape and facilitate smaller, more focused reviews.
  - Roy raised a question about "negative use cases" or policy considerations to prevent misuse, such as leveraging SCITT for marketing or forcing upgrades. This was recognized as a good topic not to lose track of.
  - Hank proposed adding at least two new categories of use cases: auditor use cases (e.g., auditing after the fact) and infrastructure use cases (e.g., air-gapped scenarios in critical systems). He committed to drafting these.
  - Dick proposed an "App Store trustworthiness" use case, where a SCITT registry could indicate the trustworthiness of an app before installation, referencing ongoing real-world supply chain issues (e.g., with TikTok).
  - Ori clarified that SCITT provides technology for building transparency services, which could be numerous, rather than being a single "SCITT registry." He suggested that the specific "consumer brand feeling" of an App Store integration might be beyond the IETF's scope, while the underlying building blocks are not. There was general agreement on this distinction.
- Requirements and Terminology:
  - Case suggested that after consolidating use cases, the next step should be creating a list of user requirements, which can then inform the architecture document.
  - Roy and Hank stressed the importance of driving terminology discussions, especially for key roles and concepts like "message" and "statement," to ensure consistency across documents and avoid conflicts with other groups (e.g., RATS).
  - Hannes indicated that the architecture document (recently submitted as a WG document by Hank) has many open issues and would benefit from review.
Decisions and Action Items
- Decision: The use case Pull Request (PR) by Hank will be merged into the main branch to improve readability and allow further community contributions. (Hank noted that Brian had approved the PR, making it ready for merge.)
- Action Item (Hank): Draft and add auditor use cases and air-gapped infrastructure use cases to the document. (Target: December)
- Action Item (Case): Begin the process of deriving customer requirements from the existing use cases. (Target: January, acknowledging upcoming holidays)
- Action Item (Roy): Lead a discussion on key terminology (e.g., "message," "roles," distinction from RATS verifier) on the mailing list.
- Action Item (Hannes): Update the agenda for the next meeting (next Monday) to focus on discussing the newly added use cases.
- Action Item (Chairs): Consider organizing a MeetEcho training session, possibly during the less strained Christmas period.
Next Steps
- Continue refining and expanding the use case document with additional use cases (auditor, air-gapped infrastructure) and further editorial improvements.
- Begin extracting formal requirements from the use cases to inform the architecture document.
- Initiate mailing list discussions on core terminology to establish working definitions.
- Review and make progress on the architecture document, leveraging the evolving use cases and requirements.
- Consider inviting representatives from Sigstore for a liaison discussion and presentation at a future meeting (e.g., early January).
- The next scheduled meeting is Monday, December 12th.