Markdown Version | Session Recording
Session Date/Time: 06 Feb 2023 16:00
SCITT
Summary
This interim meeting focused primarily on the status and path forward for the use cases document, aiming for a stable version for working group adoption before IETF 116. Discussions included reviewing open issues, clarifying terminology around "trust," and incorporating new sub-use cases. Updates were also provided on the architecture document's terminology and on the ongoing work on receipts (Merkle proofs) at the COSE level. Finally, the group touched upon the identity aspects related to Sigstore, emphasizing the need to define identity within SCITT's scope.
Key Discussion Points
- Use Cases Document Progress:
  - The group reviewed the current status of the use cases document, noting a recent merge of edits by Yogesh to accelerate progress.
  - Hank highlighted an open Pull Request (PR) reflecting Monty Wiseman's contribution, which is now framed as "context frosting" for auditing.
  - Yogesh summarized Use Case 2, which covers post-release software auditing by various parties and the need for end-users to discover and evaluate assessments from authoritative entities.
  - Dick and others raised minor issues and proposed changes. Kay offered to review and comment on all open issues, and Yogesh committed to tracking their resolution.
  - Zach and Joshua confirmed their intent to contribute sub-use cases via a PR by early March, before the IETF 116 deadline.
- Terminology and "Trust":
  - The discussion revisited the use of "trust" terminology in the use cases document. Hank noted his effort to reduce its excessive use, focusing instead on verification that leads to implicit trust.
  - Participants (Dick, Ray, Neil) emphasized that "trust" is part of the SCITT name and concept, but that it needs to be clearly defined as being established through evidence rather than blind reliance.
  - John cautioned the group to stay within SCITT's charter: standardizing how evidence is organized, not standardizing all forms of trust relationships or complex identity verification (e.g., KYC processes).
- Architecture Document:
  - Hank acknowledged minimal recent progress on the architecture document because of the focus on use cases and terminology.
  - He noted a refinement of the architecture's terminology, boiling it down to "statements," "signed statements," and "transparent statements."
  - Johannes inquired about the participation of the initial authors, Cedric and Antoine; Cedric confirmed ongoing internal work and commitment.
- Receipts and COSE:
  - Hank updated the group on discussions about the COSE-level serialization of receipts.
  - The focus is on a generic COSE-based representation for various types of Merkle proofs, recognizing that a receipt is distinct from a simple countersignature: it proves that a statement was included in a log, not merely that a second party signed it.
  - An internal goal was set to have a communicable proposal for this generic approach by Thursday, with broader visibility planned for the following week.
- Sigstore and Identity:
  - Ray initiated a discussion on Sigstore's strengths in simplifying repository pushes and signing, but highlighted its limitations in comprehensive identity management and in addressing product views that span multiple repositories or pipelines.
  - Ori provided context by linking to NIST SP 800-63, suggesting a focus on "service identity" (for software systems and processes) rather than individual human identities.
  - It was agreed that while SCITT will not define a new identity system, it needs to integrate with existing concepts and potentially assert levels of identity establishment.
- IETF 116 Logistics: Johannes reminded participants about the early bird registration deadline today and encouraged hackathon participation.
- Community Engagement: Yogesh expressed intent to reach out to presenters from recent SBoM and supply chain security events to attract them to SCITT's work.
Decisions and Action Items
- Decision: The working group aims to submit a stable version of the use cases document by next Monday, following the interim meeting, to prepare for a working group adoption call before IETF 116. This serves as a "forcing function" to achieve a consistent document.
- Action Item: Kay and Yogesh to review and address open issues on the use cases document, particularly clarifying the use of "trust" terminology, within the next week. Kay offered to create a PR for this.
- Action Item: Zach and Joshua to contribute text on sub-use cases as a PR before the early March deadline for IETF 116 document submission.
- Action Item: Hank, Mike, and Ori to progress the generic COSE-based representation for Merkle proofs (receipts), with an internal goal of a communicable proposal by Thursday and broader visibility next week.
- Action Item: Johannes to invite a co-chair from the OS working group to discuss identity in a future SCITT meeting, providing context on existing identity frameworks.
- Action Item: Yogesh to engage with the SBoM and supply chain security communities based on recent Dem presentations to potentially attract contributions to SCITT.
Next Steps
The immediate focus for the SCITT WG is to finalize and stabilize the use cases document for submission and a working group adoption call. Concurrently, efforts will continue on defining receipts using a generic COSE-based approach and on rekindling progress on the architecture document, especially regarding terminology. Discussions on integrating identity concepts within SCITT's scope will continue in future meetings.