Markdown Version | Session Recording
Session Date/Time: 10 Jul 2023 15:00
SCITT
Summary
The SCITT working group meeting primarily focused on reviewing and merging outstanding Pull Requests (PRs) for the Architecture document to meet the draft submission deadline. Several PRs addressing terminology, document structure, and DID (Decentralized Identifier) resolution were discussed and approved for merging. A significant technical discussion ensued regarding the explicit support for DIDs versus traditional identity mechanisms like PGP and X.509 certificates in the SCITT architecture. Preparation for the upcoming hackathon was also a brief agenda item, and the chairs committed to addressing the scope of a broader "company identification" discussion that had occurred on the mailing list.
Key Discussion Points
- Hackathon Preparation: Participants were reminded to register for the upcoming hackathon, which will be held in two weeks, offering both in-person and remote participation. A link for registration was shared.
- Architecture Document PR Review:
  - Typo and Grammar Fixes (PR 80/82): A PR by John for minor typos, pluralization, and grammar was discussed. It was noted that this PR included roster changes which should be separated.
  - Removing TBDs (PR 72): A PR to remove "To Be Done" markers embedded directly in the document and replace them with references to GitHub issues (or simply remove them, assuming the entire document is a work in progress) was reviewed. The group agreed on the importance of having open issues in the issue tracker rather than inline TBDs.
  - Removing Use Cases from Architecture (PR 73): The group discussed moving the detailed use case descriptions from the Architecture document to the separate Use Case document, replacing the section with a high-level summary and a link. This was seen as a clean way to manage content separation.
  - Payload Types Expansion and Registration Policy (PR 76): A PR flattening a list of payload types (e.g., CoSWID, SPDX) and addressing registration policies led to a discussion on the need to expand acronyms and provide references for these technologies. The broader discussion on registration policies was acknowledged as long-standing and requiring more time.
  - Transparency Statement Terminology (PR 77): A PR by Yogesh aimed to clarify the distinction between "signed statements" (registered with the transparency service) and "transparent statements" (issued by the transparency service with a receipt). This was considered an important clarification.
  - DID Resolution and Referencing (PR 78): Ori presented a PR to define DID resolution and referencing within the Architecture document, aligning the terminology with current DID specifications for discovering keys from the ISS and KID fields in signed message envelopes. This sparked a significant debate:
    - Importance: The technical importance of clearly defining how keys are discovered for verification was recognized.
    - Support for Legacy Technologies: Concerns were raised by Dick and Roy about the perceived lack of explicit support or compatibility with existing, widely-used software supply chain practices such as PGP and X.509 certificates, arguing that neglecting these could hinder adoption.
    - Scalability: Roy argued that traditional PGP key distribution methods do not scale to the problem size SCITT addresses, and that CA-issued X.509 certificates are the primary existing "at scale" solution, with DIDs offering a path for "cheaper keys."
    - Scope: It was clarified that PR 78 primarily strengthens existing text around DIDs and does not preclude other identity mechanisms, but rather sets a clearer baseline for DIDs.
    - Proposal for Future Work: Consensus emerged that while PR 78 should be merged for definitional clarity, separate issues should be opened to discuss and propose specific text for supporting X.509 certificates and PGP within the SCITT architecture, distinguishing between encoding formats and trust distribution models.
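As an added illustration of the key-discovery step that the PR 78 terminology is about (this is editor-written example code, not code from the meeting, the SCITT drafts, or any DID library): a verifier reads the ISS and KID fields of a signed statement's protected header, resolves the issuer's DID to a DID document, dereferences the KID as a DID URL, and only accepts a key that the issuer's own document lists for signing. The example assumes the protected header has already been decoded into a Python dict, that DID documents follow the W3C DID Core shape (`id`, `verificationMethod`, `assertionMethod`), and that an in-memory table stands in for real resolution (for instance did:web over HTTPS). The issuer/key binding check and the `assertionMethod` check are the editor's choice of defensive checks, not requirements stated on this page.

```python
"""Key discovery from iss/kid via DID resolution (illustrative, not SCITT code).

All DID documents, the resolver table and the header dicts below are
constructed for this example.
"""
from urllib.parse import urldefrag

# Constructed DID documents standing in for what a real resolver would return.
DID_DOCUMENTS = {
    "did:web:issuer.example": {
        "id": "did:web:issuer.example",
        "verificationMethod": [
            {
                "id": "did:web:issuer.example#key-1",
                "type": "JsonWebKey2020",
                "controller": "did:web:issuer.example",
                "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "CONSTRUCTED-X-1"},
            },
            {
                # Listed in the document but NOT authorised for signing (no assertionMethod).
                "id": "did:web:issuer.example#enc-1",
                "type": "JsonWebKey2020",
                "controller": "did:web:issuer.example",
                "publicKeyJwk": {"kty": "OKP", "crv": "X25519", "x": "CONSTRUCTED-X-2"},
            },
        ],
        "assertionMethod": ["did:web:issuer.example#key-1"],
    },
    "did:web:other.example": {
        "id": "did:web:other.example",
        "verificationMethod": [
            {
                "id": "did:web:other.example#key-1",
                "type": "JsonWebKey2020",
                "controller": "did:web:other.example",
                "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "CONSTRUCTED-X-3"},
            }
        ],
        "assertionMethod": ["did:web:other.example#key-1"],
    },
}


class KeyDiscoveryError(ValueError):
    """Raised when no trustworthy verification key can be discovered."""


def resolve_did(did: str) -> dict:
    """Stand-in for a DID resolver: look the DID up in the constructed table."""
    doc = DID_DOCUMENTS.get(did)
    if doc is None:
        raise KeyDiscoveryError(f"unresolvable DID: {did}")
    return doc


def dereference_kid(iss: str, kid: str) -> str:
    """Turn kid into an absolute DID URL and insist it belongs to the issuer.

    A relative fragment ("#key-1") is resolved against iss, as DID URL
    syntax specifies. An absolute kid must name the same DID as iss; otherwise
    the statement would be verified with somebody else's key.
    """
    if kid.startswith("#"):
        return iss + kid
    base, fragment = urldefrag(kid)
    if not fragment:
        raise KeyDiscoveryError(f"kid is not a DID URL with a fragment: {kid}")
    if base != iss:
        raise KeyDiscoveryError(f"kid {kid} does not belong to issuer {iss}")
    return kid


def _relationship_ids(doc: dict, relationship: str) -> set:
    """IDs in a verification relationship; entries may be strings or embedded methods."""
    return {m if isinstance(m, str) else m["id"] for m in doc.get(relationship, [])}


def discover_verification_key(protected_header: dict) -> dict:
    """Return the public JWK to verify a signed statement with, or raise."""
    iss = protected_header.get("iss")
    kid = protected_header.get("kid")
    if not iss or not kid:
        raise KeyDiscoveryError("protected header must carry both iss and kid")
    if not iss.startswith("did:"):
        raise KeyDiscoveryError(f"issuer is not a DID: {iss}")

    key_url = dereference_kid(iss, kid)
    doc = resolve_did(iss)
    if doc.get("id") != iss:
        raise KeyDiscoveryError("resolved document id does not match iss")

    methods = {vm["id"]: vm for vm in doc.get("verificationMethod", [])}
    method = methods.get(key_url)
    if method is None:
        raise KeyDiscoveryError(f"no verification method {key_url} in DID document")
    if method.get("controller") != iss:
        raise KeyDiscoveryError("verification method is not controlled by the issuer")
    if key_url not in _relationship_ids(doc, "assertionMethod"):
        raise KeyDiscoveryError(f"{key_url} is not authorised for signing (assertionMethod)")
    return method["publicKeyJwk"]


if __name__ == "__main__":
    header = {"iss": "did:web:issuer.example", "kid": "#key-1"}
    print(discover_verification_key(header))
```

The returned JWK is what the signature check over the COSE envelope would then consume; that check is deliberately outside the example because the page's point is how the key is found, not how the signature is verified. The two rejections worth noting are a `kid` whose DID differs from `iss` (key-substitution) and a key the issuer lists but has not marked as an `assertionMethod`.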
- Use Case Document Status: Due to time constraints, the Use Case document PRs were not reviewed. Authors are expected to submit an updated version by the deadline.
- "Company Identification" Discussion Scope: The chairs noted that a "lively discussion" on the mailing list regarding "company identification" had expanded beyond the current SCITT charter. They committed to reviewing the topic's scope and consulting with other IETF experts to determine the appropriate forum or working group for such a discussion.
Decisions and Action Items
Decisions
- PR 72 (Remove TBDs): Approved for merge once Hank's approval is confirmed.
- PR 73 (Remove Use Cases from Architecture): Approved for merge, replacing the detailed section with a summary and link to the dedicated Use Case document.
- PR 76 (Payload Types Expansion/Registration Policy): The detailed expansion and referencing of payload types will be postponed to a separate issue/PR. The list flattening in PR 76 will be reverted.
- PR 77 (Transparency Statement Terminology): Approved for merge to clarify "signed statements" and "transparent statements."
- PR 78 (DID Resolution and Referencing): Approved for merge to clarify DID definitions and resolution processes within the Architecture document.
Action Items
- John: Recreate PR 80/82 for typo and grammar fixes in the Architecture document, ensuring no roster changes are included.
- Hannis:
  - Merge PRs 72, 73, 76 (after linting fix and list revert), 77, and 78.
  - Create a GitHub issue for the detailed expansion and referencing of payload types (related to PR 76).
  - Schedule another working group meeting for next Monday to discuss hackathon preparations and other topics.
  - In collaboration with John (co-chair), discuss the scope of the "company identification" topic and post an update to the mailing list, seeking guidance on the appropriate working group or forum.
- Yogesh: Expand the list of payload types with descriptions and references in a separate issue/PR. Fix a minor line wrapping issue on line 962 in PR 77.
- Authors of Use Case Document: Submit a new version by the draft submission deadline.
- Working Group Participants: Open GitHub issues for proposing specific text and support mechanisms for X.509 certificates and PGP within the SCITT architecture.
Next Steps
- Complete merging of approved PRs for the Architecture document.
- Submit updated versions of the Architecture and Use Case documents.
- Prepare for and participate in the upcoming IETF hackathon, focusing on identity management aspects relevant to SCITT.
- The chairs will initiate a discussion on the mailing list regarding the appropriate scope and forum for the "company identification" conversation.
- New issues will be created and addressed for detailed support of X.509 and PGP identity mechanisms within the SCITT architecture.
- The working group will continue to refine and advance its drafts, with potential further discussions on identity mechanisms at IETF 117.