
Community Meeting Topics

December 12, 2024

  • Quick recap of current IETF docu

September 9, 2024

  • More discussion on using SCITT with the CycloneDX Transparency Exchange API
    • TEA has a notion of collections, can those integrate with SCITT?
    • SCITT folks agreed that collections are nice, but asked how we handle the lack of consistent identifiers (well-known strings are good for humans, but less so for computers).
    • A MIME media type is not enough on its own.
    • How do trust anchors work in SCITT?

August 12, 2024

  • Project Koala (CycloneDX Transparency Exchange) & SCITT (Olle)
  • Notes
    • No single identifier for Software. Introducing proposal for TEI URN, DNS based discovery for identifiers
    • AJ asked: how do forks and derivative software work with discovery and identity with DNS discovery?
    • Related, but different issue: Olle pointed to the OWASP Common Lifecycle Enumeration project
      • EU is mandating OSS updates be available for 3-5 years
      • Who marks a project as dead or other state changes? Can a third-party make a determination on that software if they do not make it?
    • Steve: how do you handle multiple parties making statements about artifacts? How does that inform the TEA specification?

Queue

Feel free to add to the list below.

  • SCITT alternatives and pain points:
    • Can you even use SigStore without GitHub, Google, and/or Microsoft-based OAuth identity servers? If not, what do I do?
    • (Nikos Fotiou) Kind of. If you want, I can discuss our experience with that while building our STaas Project.
  • C2PA standards and how it can be used in a SCITT Transparency Service
    • Inspired by discussion of challenges to trust determinations in C2PA standards as advertised
    • Jon Geater can present on this and his recent attendance at the UN AI for Good Summit. The [talk is online] (including the C2PA representatives speaking for themselves), and he has a demo.
  • Verification (of signatures and transparency data): can we make it simpler? Can we measure people "doing" it and know it is changing or improving?
  • GitHub Attestations - what does it get right? What does it get wrong? Do SCITT standards and implementations address both?
  • Attached/Detached/Hashed payloads - different patterns and how SCITT can support them (Steve Lasker)
  • The RSAA by the US government agency CISA: is it a transparency service? Is it SCITT-compatible? SCITT-friendly? What can SCITT adopters learn from it? Discussed in the 22 April 2024 session.
  • COSE is complex, what does it afford me (in SCITT and elsewhere), vs DSSE? Can the risks of COSE implementation bugs be mitigated with great test suites?