**Session Date/Time:** 24 Jul 2023 16:30

# scitt

## Summary

This meeting covered updates since the last IETF meeting, a hackathon report presented by John, and a deep dive into the architecture document, focusing on identity, feeds, and the role of the transparency service. The discussion emphasized the importance of interoperability and of avoiding scope creep, while acknowledging the complexity of identity management and its interplay with software supply chain security.

## Key Discussion Points

* **Updates since last IETF meeting:** Regular conference calls were held, and the architecture document was updated. The use case document needs further review.
* **Hackathon Report (John):** The hackathon aimed to build a useful supply chain integrity application from SCITT building blocks. Key areas explored included indexing and storage. The Vendor Response Form (VRF) use case was proven end-to-end.
* **Architecture Document (Mike, Ori):**
  * SCITT will remain payload agnostic and will not become a curator of diverse semantics.
  * Discussion of "feeds" as a lens into the supply chain value network. Feeds were determined to be an identifier chosen by the issuer for the artifact. Discussion of changing the definition of the identifier.
  * Detailed discussion of identity management, issuers, and the challenges of binding keys to identifiers over time. Emphasis on relying on other IETF work for identity and avoiding re-invention.
  * Concerns raised regarding privacy and the potential for signature correlation, prompting a need to double-check the use of VRFs in cryptographic functions.
  * The role of the transparency service was discussed, particularly concerning verifying statements and signing them.
  * Concerns regarding over-identification and the necessity of privacy-enhancing technologies in some domains, especially in the context of human rights.
  * The idea of having a common data model for exchanging identities, did:web being one example.
  * Consideration of a history of public keys and the ability to go back and see who signed something.
  * Consideration of the different levels of identities, and what level of identity has to enter a building block.

## Decisions and Action Items

* **Action Item:** Seek input from non-editors for the use case document review before initiating a working group last call. Elliot, Deck, Holden and other folks volunteered to help.
* **Action Item:** Include an "out of scope" section in draft documents to clarify boundaries.
* **Action Item:** Explore the potential for interoperability regarding "feeds" while accounting for necessary use case specificity.
* **Action Item:** Review and potentially reduce the text on identity in the architecture document, referencing existing specifications instead.
* **Action Item:** Discuss the BRF use case with key Trends and potentially incorporate requirements for additional privacy features.
* **Action Item:** Investigate reusable technology for identifying companies.
* **Action Item:** Commit hackathon-related code to the open source repository.
* Discuss and decide whether or not to use the same techniques as did:web as the recommended way.

## Next Steps

* Continue to refine the definition of "feeds" and determine a suitable structure.
* Further discussions on the layering issue and the boundary between application-level functionality and building blocks.
* Review and potentially adjust the text on registration policies in the architecture document.
* Address open issues in the GitHub repository.
* Continue conversations on the list.
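Two of the discussion points above, binding keys to issuer identifiers over time and keeping a history of public keys so one can later see who signed something, are illustrated by the following Go program. It is an added example written for these notes, not code from the SCITT working group or the hackathon: the `Statement` JSON layout, the `issuer.example` identifier, the `artifact-42` feed, the rotation instant and the receipt format are all constructed assumptions, and Ed25519 over a JSON body stands in for the real COSE signing. A transparency service verifies each incoming statement against the key that was valid at the statement's issue time, not the issuer's current key, so a statement signed with a retired key after rotation is rejected while an older one signed before rotation still registers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Statement is a hypothetical issuer claim about an artifact. "iss" and "feed"
// mirror the identifiers discussed in the minutes; the layout is an assumption
// for this example, not the SCITT wire format.
type Statement struct {
	Issuer   string `json:"iss"`
	Feed     string `json:"feed"`
	IssuedAt int64  `json:"iat"` // Unix seconds
	Payload  string `json:"payload"`
}

// SignedStatement is the encoded statement plus the issuer's Ed25519 signature.
type SignedStatement struct {
	Body      []byte
	Signature []byte
}

// KeyRecord is one entry in an issuer's key history: a public key and the
// window during which it was authorised to sign for that issuer identifier.
type KeyRecord struct {
	Public    ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time // zero value means "still current"
}

// Registry maps an issuer identifier to its ordered key history.
type Registry map[string][]KeyRecord

// TransparencyService verifies statements against the registry and appends
// the hash of each accepted statement to an append-only log.
type TransparencyService struct {
	Keys Registry
	Log  [][]byte
}

// Sign encodes the statement and signs the encoding with the issuer's key.
func Sign(priv ed25519.PrivateKey, st Statement) (SignedStatement, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// KeyAt is the key-history lookup: the key that was valid for issuer at time t.
func (r Registry) KeyAt(issuer string, t time.Time) (ed25519.PublicKey, error) {
	for _, k := range r[issuer] {
		if t.Before(k.NotBefore) || (!k.NotAfter.IsZero() && !t.Before(k.NotAfter)) {
			continue
		}
		return k.Public, nil
	}
	return nil, fmt.Errorf("no key for issuer %q valid at %s", issuer, t.UTC().Format(time.RFC3339))
}

// Register verifies a signed statement under the key valid at its "iat" and,
// on success, appends it to the log, returning a "<index>:<sha256>" receipt.
func (ts *TransparencyService) Register(ss SignedStatement) (string, error) {
	var st Statement
	if err := json.Unmarshal(ss.Body, &st); err != nil {
		return "", err
	}
	if st.Issuer == "" || st.Feed == "" {
		return "", errors.New("statement must carry both an issuer and a feed")
	}
	pub, err := ts.Keys.KeyAt(st.Issuer, time.Unix(st.IssuedAt, 0))
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, ss.Body, ss.Signature) {
		return "", errors.New("signature does not verify under the key valid at iat")
	}
	h := sha256.Sum256(append(append([]byte{}, ss.Body...), ss.Signature...))
	ts.Log = append(ts.Log, h[:])
	return fmt.Sprintf("%d:%x", len(ts.Log)-1, h[:]), nil
}

// Scenario rotates an issuer's key at a constructed instant (t=1000) and reports
// which registrations succeed: [0] old key before rotation, [1] old key after
// rotation, [2] new key after rotation. Expected: true, false, true.
func Scenario() ([3]bool, error) {
	var out [3]bool
	pubOld, privOld, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	pubNew, privNew, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	rotation := time.Unix(1000, 0)
	ts := &TransparencyService{Keys: Registry{"issuer.example": { // placeholder issuer id
		{Public: pubOld, NotBefore: time.Unix(0, 0), NotAfter: rotation},
		{Public: pubNew, NotBefore: rotation},
	}}}
	cases := []struct {
		priv ed25519.PrivateKey
		iat  int64
	}{{privOld, 500}, {privOld, 1500}, {privNew, 1500}}
	for i, c := range cases {
		st := Statement{Issuer: "issuer.example", Feed: "artifact-42", IssuedAt: c.iat, Payload: "sha256:PLACEHOLDER"}
		ss, err := Sign(c.priv, st)
		if err != nil {
			return out, err
		}
		_, err = ts.Register(ss)
		out[i] = err == nil // record whether the service accepted it
	}
	return out, nil
}

func main() {
	res, err := Scenario()
	fmt.Println("accepted:", res, "err:", err)
}
```

The design point is that the registry stores validity windows rather than a single current key per issuer, so the service can answer "who signed this?" for an old log entry even after the issuer has rotated. A real deployment would source those windows from whatever identity mechanism the group settles on (the minutes mention did:web as one candidate) instead of the in-memory map used here.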