Markdown Version | Session Recording
Session Date/Time: 06 Nov 2023 08:30
scitt
Summary
This IETF meeting of the SCITT (Scalable Causal Integrity Transparency Technology) working group covered several key aspects of the project, including architecture, use cases, registration policies, a potential API, and hackathon updates. Key discussion revolved around improving the architecture draft, clarifying use cases (specifically those related to software supply chain security), refining registration policies for transparency services, and discussing a RESTful API for interacting with the SCITT system.
Key Discussion Points
- Recap of SCITT Architecture: Hank presented a recap of the SCITT architecture, emphasizing its role in providing scalable authenticity for endorsements, especially in software supply chains.
- Document Updates: Updates on the use case and architecture documents were provided. The importance of normative language and clarity of terminology was highlighted.
- Registration Policies: The registration policy concept was a major point of discussion. The goal is to define a minimal set of rules by which a transparency service determines whether a statement is admissible. Cedric explained the proposed solution of associating configuration with registration via statement IDs.
- Seaborne API: Ori presented a high-level overview of a conceptual Seaborne API, detailing the messages involved in signing statements, registering them with a transparency service, and retrieving receipts. A hypothetical REST API was presented as one approach.
- Feeds: The concept of "feeds" was discussed as a mechanism for downstream suppliers to subscribe to relevant information from upstream suppliers, particularly security-relevant properties.
- Hackathon Report: John presented results from the hackathon, which focused on specification improvements, particularly federation with ActivityPub.
- Confidential Computing: Presentation and discussion of a suggestion to incorporate trusted execution environments with symmetric signatures for attested agents.
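The registration-policy and API items above describe the same flow from two sides: an issuer signs a statement, submits it to a transparency service, the service applies its registration policy to decide admissibility, and an admitted statement is appended to the log and answered with a receipt. The following is an added example modelling that flow end to end; it is not code from the SCITT drafts or from anyone at the meeting. It assumes HMAC-SHA256 as a stand-in for the COSE signatures real SCITT statements use (so it runs with only the Python standard library), a constructed set of policy rules (issuer allow-list, signature check, subject pattern, duplicate rejection), a hash-chained list as the append-only log, and JSON message shapes of its own; the endpoint names in the comments are illustrative, not the draft API's.

```python
"""Toy SCITT-style transparency service (added example, not draft or project code).

Assumptions (all constructed for illustration): HMAC-SHA256 stands in for COSE
signatures; the registration-policy rules, the hash-chained log and the message
shapes are this example's own simplification. A real receipt carries an
inclusion proof; here the service only countersigns the entry position and log head.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field


def canonical(obj) -> bytes:
    # Deterministic serialization so signatures and hashes are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, obj) -> str:
    # Stand-in for a COSE signature over the protected content.
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def make_signed_statement(issuer: str, key: bytes, subject: str, payload: dict) -> dict:
    """Issuer side: sign a statement about a subject (e.g. a package identifier)."""
    body = {"iss": issuer, "sub": subject, "payload": payload}
    return {"protected": body, "signature": sign(key, body)}


@dataclass
class TransparencyService:
    ts_key: bytes                  # service key used to countersign receipts
    issuer_keys: dict              # issuer -> verification key (assumed pre-registered)
    allowed_issuers: set           # policy rule: who may register at all
    subject_pattern: str = r"^pkg:"  # policy rule: only package-identifying subjects
    log: list = field(default_factory=list)      # append-only chain of entry hashes
    entries: dict = field(default_factory=dict)  # entry_id -> admitted statement
    seen_ids: set = field(default_factory=set)   # statement IDs already registered

    @staticmethod
    def statement_id(stmt: dict) -> str:
        # Statement ID = hash of the whole signed statement (constructed convention).
        return hashlib.sha256(canonical(stmt)).hexdigest()

    def registration_policy(self, stmt: dict) -> tuple:
        """Minimal rule set deciding admissibility; returns (admitted, reason)."""
        body = stmt.get("protected", {})
        iss = body.get("iss")
        if iss not in self.allowed_issuers:
            return False, "issuer not permitted by policy"
        key = self.issuer_keys.get(iss)
        if key is None or not hmac.compare_digest(sign(key, body), stmt.get("signature", "")):
            return False, "signature verification failed"
        if not re.match(self.subject_pattern, body.get("sub", "")):
            return False, "subject does not match policy"
        if self.statement_id(stmt) in self.seen_ids:
            return False, "duplicate statement"
        return True, "ok"

    def register(self, request: dict) -> dict:
        """Models 'POST /entries': apply the policy, append to the log, return a receipt."""
        stmt = request["statement"]
        ok, reason = self.registration_policy(stmt)
        if not ok:
            return {"status": 400, "error": reason}
        sid = self.statement_id(stmt)
        prev = self.log[-1] if self.log else "0" * 64
        self.log.append(hashlib.sha256((prev + sid).encode()).hexdigest())
        self.seen_ids.add(sid)
        entry_id = len(self.log) - 1
        self.entries[entry_id] = stmt
        return {"status": 201, "entry_id": entry_id, "receipt": self.receipt(entry_id)}

    def receipt(self, entry_id: int) -> dict:
        """Models 'GET /entries/{id}/receipt': position and log head, countersigned."""
        body = {
            "entry_id": entry_id,
            "statement_id": self.statement_id(self.entries[entry_id]),
            "log_head": self.log[-1],
            "log_size": len(self.log),
        }
        return {"receipt": body, "ts_signature": sign(self.ts_key, body)}


def verify_receipt(ts_key: bytes, receipt: dict) -> bool:
    """Relying party: check the service's countersignature on a receipt."""
    return hmac.compare_digest(sign(ts_key, receipt["receipt"]), receipt["ts_signature"])


if __name__ == "__main__":
    issuer_key = b"constructed-issuer-key"
    ts = TransparencyService(b"constructed-ts-key", {"acme": issuer_key}, {"acme"})
    stmt = make_signed_statement("acme", issuer_key, "pkg:pypi/example@1.0", {"sbom_sha256": "deadbeef"})
    print(ts.register({"statement": stmt}))
    print(ts.register({"statement": stmt}))  # second attempt is rejected as a duplicate
```

The point worth noticing is that the policy is the only thing standing between "anyone can write to the log" and a log whose contents mean something: each rule is a separate, reportable reason for rejection, and the duplicate check is what makes statement IDs a stable handle for associating configuration with a registration, as discussed above.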
Decisions and Action Items
- Working Group Last Call for Use Case Document: The use case document has been put up for Working Group Last Call and is expected to complete soon.
- ACTION: Volunteers to review the use case document. (Ori, NCR, and one other volunteer).
- Monthly Interim Meetings: The frequency of interim meetings will be reduced to once a month.
- Focus on Completing Software Supply Chain Examples: Focus implementation efforts on solidifying examples for existing use cases to allow the group to achieve v1.
- Update Documents: Update the architecture and API drafts to reflect topics, subject, terminology, and URL examples discussed during the meeting.
Next Steps
- Continue development and refinement of the SCITT architecture and related specifications.
- Progress toward completion of the open PRs.
- Address open questions around integrity and authentication of statement and policy IDs.
- Continue discussion and refinement of the API specification, based on feedback and experimentation.
- Progress implementations of the example use cases.