Session Date/Time: 28 Mar 2023 04:00

scitt

Summary

The SCITT working group met to discuss the current status of adopted work items, focusing on the architecture and use cases documents. Discussions included terminology alignment, interoperability, scalability, and security considerations. The group also reviewed the experiences from the hackathon, highlighting the practical implementation of the architecture.

Key Discussion Points

Adoption of Work Items: The group has adopted the architecture document (including the security model) and the use cases document (focused on software supply chain).
Terminology Alignment: Significant discussion centered around terminology, particularly aligning with other groups like COSE and RATs, and agreeing on terms like "signed statement," "append-only log," and "transparent statement." The term "artifact" may be reconsidered.
Weekly Interim Meetings: The group has been holding almost weekly interim meetings, which have been valuable for making progress. The frequency of these meetings will be reassessed, considering time zone convenience.
Architecture Document PR16: Feedback was requested on the closed PR16 on Github, and suggestions were made to create new PRs or issues regarding any lost contributions.
Use Cases: Nine use cases were identified, covering a range of scenarios including software, firmware, and various phases of the software lifecycle. Roles were identified as statement issuers and statement consumers.
Hackathon Experience: Multiple implementations of the current architecture were demonstrated, focusing on the interfaces for retrieving payloads and receipts. The importance of retrieving signed statements and the flexibility in tree algorithms were emphasized. Concerns were raised regarding long-running operations and the need for an asynchronous model. The group considered ways of handling Cosy data more efficiently.
Registration Policies: There was discussion on whether registration policies should be standardized, with some arguing for a system to describe policies rather than standardizing specific ones. Content typing policies was suggested, and concerns over overly complex requirements were raised.
Scalability: Scalability was discussed in the context of signing, storage, and verification. Batching of signatures, compact data structures, and proactive validation were identified as potential solutions.
Trust Model and Transparency Service: There were considerations about how the transparency service will be operated, with suggestions for distributed or federated models. Emphasis was placed on making the service easily verifiable.
COSE Inclusion Proofs: Discussion centered around the evolution of receipts to Cozy merkel proofs and their benefits in the software supply chain eco-system.

Decisions and Action Items

Action Item: Issue a poll to determine the preferred frequency (weekly or bi-weekly) and timing of interim meetings, considering time zone convenience.
Action Item: Volunteers Roy and Thomas will review the architecture document.
Decision: Continue to work on the architecture and use cases documents.

Next Steps

Continue work on architecture and use case documents.
Address open issues on the Github repository.
Request feedback and reviews on architecture and use case documents.
Consider breaking up the architecture document into smaller documents to ease review.
Encourage participation and integration of code with existing implementations.
Continue discussions on performance and scalability.
Address interoperability tests between different implementations.