From YouTube: IETF-SCITT-20230918-1500
Description
SCITT interim meeting session
2023/09/18 1500
https://datatracker.ietf.org/group/scitt/meetings/
A
B
B
Yeah, it's definitely helpful. All right, okay, never mind.
D
D
Know why Datatracker makes it so difficult to just sort of schedule the standing meeting, except that I suppose we're not really supposed to have standing meetings, so.
B
A
There, have you had a chance to work already on the brf with Ray? I remember that you guys wanted to put a document together and submit it.
E
Yeah, we haven't actually made any progress on that, Hannes. My apologies, I know that, you know, it's not an excuse, but I will tell you that things are really crazy here in the US right now with the SEC cybersecurity regulations going into effect in December. So is a really good chance I won't have any time to work out until after December, okay, but.
A
E
Oh, there's no doubt about that in my mind, especially, you know, we're supposedly two weeks from getting the word here in the US about the new cybersecurity trust mark. This is supposed to be regulations put in place by September 30th. On that, I mean, I was, Bob Martin here, he might have, no, okay, I haven't heard any more about it, but I know it's due on September 30th, and that would be a prime candidate, in my opinion, to register a security label in a SCITT registry.
A
C
C
A
F
Think, what do you think? What, Dick? How do you think that's going to work, because I've been looking at that and it doesn't really seem that related to SCITT. It's just a self-assertion, really, at this point.
E
Inside information, basically, you know, see what I see online. The FCC is supposed to be putting on some guidance on how to make these labels available. I know, if you look at Singapore and Finland, you'll see that they don't have a, quote, registry, if you will. They just have websites where you can go check these labels, but it looks like FCC may be hosting something a little more formal, at least that's my impression.
F
Challenge to get something like SCITT adopted, given that all these things are starting to kind of fall to, like, a least common denominator implementation lately. I think of SBOM in the same way, you know, attestation and so forth, they're all kind of like, okay, you know, scribble something in a cocktail napkin and send it to us and you're okay. So I think we're ways from having, you know, verified.
F
A
E
E
The concept behind at least the U.S. cybersecurity mark is that you will have a QR code on the box. Let's say you go into Best Buy and you want to check, you know, on this router, there'll be a QR code on the box that enables you to check the trust, you know, for this trust label. Well, that QR code's got to take you someplace, right? Yeah.
F
But that's where, you know, manufacturer website or whatever, I think. So I made my point, I don't want to be labored here, but I think it would be a great application. I just don't think that we're gonna have any requirements for government work or even consumer IoT seals that are, you know, that need authentication almost in any way.
A
But of course, sort of like, it starts somewhere and then there's some progress and things to work over time, and in general, like, regulation doesn't pinpoint or point to a specific standard, and you have to do this or that. I think it will sort of sort out. But I see a lot of use cases where something like a SCITT registry would obviously be of great value, which brings us to the topic of today. John.
A
You have kindly sent out an email to the list, pointing out that we haven't really managed to hear back from our presenters.
D
Yes, correct. So there was a nice conversation going on, but now there isn't, so we don't have the guest presentation. On the upside, that allows us to continue our actual work leading up to 118 of trying to sort out feeds. We have had, with a UK national holiday and the US national holiday and then the GitBOM presentation last week, we've had quite a few weeks off chasing that progress, so I'm actually quite glad to be back on I.
G
G
Was just waiting to jump in the queue. But oh.
G
Yeah, yeah, thanks. Sorry, I just wanted to support the notion that the sort of use that Dick is talking about, you know, for asserting compliance with marks, is an ideal and, very hopefully, very easy application for either SCITT or for Sigstore or for kind of anything.
G
That provides an append-only solution, because, you know, it's the sort of thing where the relying parties are going to want to note that it was claimed at a certain time and be able to prove that, even if somebody takes it off their website because they got something wrong or whatever. You know, it's ideal. So I think we should be making that point, and you all know that, but just wanted to chime in with that.
A
Yeah, thanks. Okay, but John, as you said, and also as you wrote in your email, we'll just postpone the presentation and hopefully we'll hear back from the GitBOM or the OmniBOR community, so we can then get more insight into what they're actually up to.
A
But till that time we can have a look at our PRs. We have two PRs opened. We have a bunch of open issues, and Steve has also looked into this feed versioning topic, which we also talked about in the past. So we had enough content to talk about. So where do we want to start?
D
Well, since Steve is here, that's a bonus. Hank's got his hand up, so I think just to make sure we plan our time.
D
The most important thing we have to sort out is the feed ID, which is what we were discussing three weeks ago when we were last on our standard agenda, because if we don't sort out the feed ID at the very least, then we don't have interoperability in the claim envelope, or the receipt envelope rather, and that's just a big problem.
D
So that's the thing that I think has to be working by 118, but then again that's work that I and Orie have been doing, and frankly, I haven't been doing that work, and Orie's not on the call.
D
So we can put that to the back. Steve's here and has some good input, so on versions and versioning I think we can look at that as a use case for feeds and instructing that. And I did want to pick up one PR that's come into the emulator from John Anderson, adding OIDC as the authentication method for the client, because, of course, we have to decide whether we're going to build that into SCRAPI or make it a kind of optional extension for SCRAPI.
A
The, we have the, for the, we have currently two PRs open. One is an older PR that I filed on one specific section, and then I think it was Cedric Fournet picked up another comment I posted as a review about the RFC 2119 language, the MUST, SHOULD, and worked on that as well, so we have those two, I suspect.
A
D
Yes, let's get those done first and then do the new content after that, so that we can keep moving forward.
C
So Hannes, can you share this, so that it is easy for people to understand in the group? Sure.
A
I'm sure, give me a stop. Well, then I can't take meeting minutes at the same time. Can someone else share? I can share.
C
H
So maybe I can give an update on these two pull requests. So there are two of them. There is one on terminology, but we got stuck on the very first term last time, so adding more time, and I plan to report on that in the details meeting tomorrow, but that's still not something that is ready, but I'm just starting there. Then on the user. Antoine is.
H
We got into a very detailed discussion about the, what we wanted to do, and so it's also going quite slowly, and that's also something we are planning to discuss tomorrow in the details meetings of our birth. I'm not sure we are ready to have a good discussion today.
A
But we have, we have to be asked that we can definitely look into, and Yogesh is just throwing them up on the screen, so we can talk about those. It's great that you guys are working on new Beyonds because of the upcoming meeting.
A
For what it's worth, actually, I should remind you that today is the early bird submission deadline, so in case you want to participate at the next IETF meeting in what form you like, today is the time to get the cheapest deal.
C
Sorry, I just had a, yeah.
A
We can see the chat window and that's obviously sweet artifacts. That's.
C
Okay, so, which one are we discussing? The proposal for Section six is from Johannes, yeah.
A
That's the oldest one. Should we start with that one first? And what I was trying to accomplish, I try to keep it brief. It has been out there. Thankfully, Yogesh, you've provided a lot of feedback.
C
A
C
B
A
A
The, yeah, so, and then worked on the text a little bit, as you can see. So what I was also trying to do is try to organize sort of more clearly according to, like, the steps that happen. Like, in this case, we are seeing the issuing of the signed statements, starting with that one, and then sort of go step by step from that and reshuffle the text.
A
That's why it looks a little bit like I did a lot of rewrite, but actually I was moving stuff around. Maybe.
C
One question, Johannes, one question here: is it actually issuing signed statement, or it is actually explaining what signed statement format is? Because the line 642 on the older version had an explicit statement about signed statement format, and you are saying issuing the signed statement. So are you talking about issuing it or are you talking about its format, which is part of the signed statement?
A
Well, if you, before you can use the API that is described in this other document, in the SCRAPI document, you have to, the issuer has to take all the different claims and munch it together and then produce a signed statement and has to get it ready for making the API call. This is the text for that.
A
Yeah, you can always improve, okay, but I think it's, yeah, step.
I
By step, okay, let's go.
A
To the next section. Yeah, so I mentioned that already with the CDDL, not a big deal, just formality. There's the list that you just browsed over, the list of technologies, the SBOMs that could go into. I think, Yogesh, you actually owe us still some references in here. Okay, I.
C
Here, yes, so, but you want me to kind of, this one, let in merge this one and then do that or add that.
A
Actually, and then you can also change the title, because I see here I have registering signed statements. Yes, well, it's, it actually is the, well, you can think about section.
A
Here, like, the trans, the TS receives the signed statement using the API and then it needs to register them, and then it produces the transparent statement. And so it, when.
A
There are a few steps, then, here, and I think it was Cedric or Antoine who then in the PR tightened up the SHOULD, MAY, MUST language. So that's good as well. Get to that if you scroll down. So after all these different steps are done, it's registered, and then in response the issuer then gets the transparent statement, kind of slash receipt, back, the transparent statement being the receipt and essentially the signed statements.
A
A
There's obviously the pointers to all the other drafts, like the committer, for example. Okay.
A
You know, when I move it then it gets a little bit confused, and then you see this, this checklist, I just moved it up there. Yeah.
G
C
A
C
Yeah, makes sense, yeah. So I think we should give people, maybe, what, two days for this review, or what do.
A
You want, to be honest, really not anymore, because it has been out there for a long time already.
A
But I think since the beginning of August, so, because it would be nice to then also fold in the changes that are described in the other document. Yeah.
C
C
I
Okay, I'm using again, hi. No, I have not looked at this. As far as test week was half year ago, some IDs have been submitted, so there was a lot of expiration date last week for me, sorry. So I had to switch gears a little bit. I'm now back on track with actual current IETF work, and this is on my list to be done on a business trip this week.
I
I
C
Can, yeah, let's give, let's set a cutoff date of Wednesday and then let's wait for 48 hours for Cedric and Hank to revert back on this pull request. If by Wednesday we don't get enough response or enough reviews, then we will merge it as is.
A
Perfect, let's jump to the other PR, which concerns the language.
A
You have a Steph, Cedric, did you do this one, or.
H
D
A
Yeah, but it's a good, big thanks to Antoine for touching this, because that was something I noticed when I was reading through the document, that he is now going through it and checking, like, what should we really have there. Like, we can't sprinkle the SHOULDs all over the place, or MAYs. Need to be a little bit tight on some aspects and maybe looser on others, and.
H
So I think that's the thing. I think it's super important, and I think it's a great way of going back to any issues where we picked SHOULD because we did not have an agreement on whether it was on lateral or not, so I think I know we will shoot the reflecting the lack of consensus and those, that's why get there.
A
Exactly, and specifically, the SHOULD is sometimes a convenient way to get out of the tough question on whether something should be mandatory or not. I understand that, but for an implementer, if there are only SHOULDs in there, it gets really tough. Developers have a hard time then to figure out, like, when should they actually implement a certain functionality and when not, because they have a hard time making that judgment call, so.
H
I completely agree. I guess one concern that came out in several of those discussions is that in some cases the decisions are not going to be made by the standard, but they are not going to be made by the, you, that the users as well, so for a given instance of a blockchain, of a supply chain.
H
You may, some things are going to, that will actually, are going to remain mandatory, and I think between what should be mandatory in the implementation and what should be mandatory in every deployment we have, there are difficult decisions to be made, so I think, for example, some head.
H
Some contents after registration for would likely be mandatory in a given supply chain, but are not going to be mandatory for the SCITT architecture overall, and maybe we can have a preliminary discussion that explains that, and I think using SHOULD is a way to say most people who instantiate SCITT are going to require it, that some of them may opt out, and that's why it will show.
A
Think it's a case-by-case thing. It's, it's.
C
I think I have a suggestion, like, wherever it is not specific to a very SCITT architecture specific thing, we may say that this is left to a specific policy of implementation or a specific kind of institution of SCITT implementation, or something like that, we should say.
H
To me, that's very close to my interpretation of my heart. Yes.
C
Yes, but I think just keeping it MAY feels a bit ambiguous, because what are we trying to say? MAY means who does it? So we can give an example that these things may be a part of some policy decided by this SCITT owner, or maybe some implementations may decide it based on their use case, something like that. We can put a disclaimer or an additional clarification, I meant, with what we mean by MAY here.
A
C
A
Should we also give two days, 48 hours, to get sort of the, to try to close this, to see more reviews and see where we are? I'm.
J
A
When we would say exactly that, right, then maybe the answer is that it shouldn't use that type of normative language. It should actually explain that, exactly what you just said.
H
So one way to deal with that would be to introduce my explicit notion of configuration or profile, so that we can say that if it is in the profile, then you must do it.
A
Right, it could be a profile, for example, you could, you could punt it done that you.
H
Says I know this process of thinking the architecture and the instantiating for particular supply chain. Sorry, it's not just that it's described anywhere, and that's probably, you probably be more explicit about that, if you want to capture this distinction.
A
Yeah, so where specifically do you want to sort of defer the issue to a profile, let's say? Well.
H
Okay, so we could just use MAY in all those cases for now, until we define explicitly what the profile or configuration is, and once we have a, once the profile exists, we can refer to it to explain the profile may be configured to require it, in which case issuers must implement it.
H
To do it, and we, so I will postpone that and possibly put at least instead of showing those cases all the time being, but yeah.
A
Etc. There's a risk, like, if you have all sorts of use cases in mind and the whole document is just a MAY, may do this and that, then you can almost forget the MAY to begin with, right, because then it's kind of meaningless, there's no interoperability whatsoever. So I think that the first question to ask is: do you actually anticipate any level of interoperability with what's in this document?
H
I do, of course, but I think there are two levels of interoperability. There is interoperability within a given supply chain, and then there is interoperability of God and services between different civilians, and for the latter, I think it's harder to mandate every implementation to implement all the features that are going to be required in only a few sublections, so that so-called difficulty that we have.
A
A
I can, for example, here the specific case, like, if I see Orie's comment, that looks to me like when we talk about this, I think, for example, I would merge his, so.
H
This is a good example. So, for example, I think one of the SHOULDs that we are turning into a MUST is to require that all implementation, the did:web method.
H
So now, if I'm doing your supply chain and all my issuers are going to use this feminine certificate, the fact that I have to provide an implementation that does the call out to get the manifest for did:web is a complication, and many people will object input things like that. So.
A
Here I have the solution. I would write: in absence of a profile, the web method is mandatory to implement, because then someone can come along and write the profile and say, no, in my case it's not the did:web method because of whatever supply chain India. It will be the edit key message.
A
Actually, other specifications do that too. If you, for example, look at the TLS specification, it has mandatory to implement ciphers there, and it explicitly says the statement that I just made.
H
H
A
Wrong, so let me just look, look and post you the sentence.
A
H
C
H
C
A
Let's just look at, look at when the TLS 1.3, when Ecker wrote the TLS 1.3 specification, like that, the link that I sent into the chat window. That's basically what you want.
A
It says, like, those are the mandatory to implement sort of mechanisms, and then much, much later, people came up with profiles, and so of course here, like, for example, one profile would be one that Packers, let's say, Hank's famous seafood example, and who knows what people in the seafood industry would want to use in terms of algorithms? Maybe they don't like that did:web method. I have no idea.
C
H
A
I'm expecting a review on that other document.
H
C
There should be a profile, the parent spec should have a profile field somewhere, right? Because then it can refer to a specific profile. No.
A
A
Explicit field, it can be like a deployment-specific circumstance, like some community decides that they want to use SCITT in a specific way.
H
But an important distinction is that says: you must have an application profile standard, not just a profile, yeah.
A
A
But it does, like, standard, he doesn't say from which standards organization, it's a document, right? But you can change the language to say, like, for this specific case it needs to have some profile, some specifications somewhere. It doesn't need to be, you can come up with a registry to give people a chance to register in IANA different profiles, so it's easier to find. Okay, for example. Okay.
H
So what I will propose, then, is that we introduce the supply chain profile as something that is not defined yet, and then we use that term to refer to the profiling and to qualify some of the SHOULD that we are turning into MUST. Sorry, different.
J
H
A
But don't put it into this PR, because that will confuse things even more, right.
A
I think it would be good if we could complete this one and create another API specifically with this profile idea. How does that sound?
C
A
Discussed just now, like, this huge, like, you basically went through the whole document. It always causes problems with sort of making some progress on agreeing on the things.
H
That what you are looking here is local rewrites that we can, well, you can replace SHOULD by MUST, and I think your Colony height that refers to the supply chain profile is good enough for this pull request. Otherwise, do we leave those SHOULD be either.
A
A
I
I think it would be good if maybe someone like Hank could also do a review again of this one to see whether you are fine with this thief. Or should we switch topic and let this.
A
C
I
A
B
Well, actually, we could, but I actually wasn't, when I was popping in the queue, what I was going to suggest is, this is one of the general things we hear as feedback of specs, is when things say may or could or should, it gets very vague about what the implementation should be, so without specifics on that, as much that's MUST and SHOULD clarifying will help.
I
But the, and so unless they get, sorry, there's a thing, it's one that's working on it, so it's not done yet and we can't just merge it right now. It's also not fit for a 48-hour deadline. I think this is the next few item, so, and we can move to Steve's topic. I think that's.
H
Fine, yeah, yeah, as, yes, as I said, we are here on the goal there, but for many instances what to do is a specific discussions there. Sorry.
A
B
You let me share a specific, yes, oh I see, okay, this is where I can, I'm trying to remember how it, there we go. Okay, so there was two hack docs that we started hacking together to try to put some more context. So the identifiers is certainly a, you know, a piece. I think the question is, if we roll all the way back, is what do we think the structure of a feed should be? Is it just a plain string?
B
B
When we think about releasing artifacts, there is the concept of there's multiple versions of an artifact, and when you combine that a couple of different dimensions of there's continuous versions, versions aren't necessarily linear in the sense that every new build is an update to the previous one.
B
B
So how do we think of that in the concept of a feed? What I did was I wrote this up a bit just to pull into the discussion. How do we want to structure a feed so that we can think about the various permutations of that? So this is rough. I was just trying to get this together. So it's a purpose of conversation. So how do we structure SCITT feeds, how to correlate previous versions?
B
And one of the topics we've been discussing is: do we have, you know, an artifact, an arbitrary sample project, or do we have a real-world project that we could use as a reference? So I definitely want to have that conversation: what real-world examples should we look at? For now, I've just used this Net Watcher sample, but we should definitely look at some existing ones, and Robin had shared some additional documents on various package managers. So I'll come to that part of that document in a minute.
B
So the idea here is that, just as an example, there's multiple versions that are currently in support. In this case, the Net Watcher version one supports on-premise networks, and just for the arguments, the version 2 takes care of cloud-hosted networks, and they're not necessarily compatible, or the version two customers have to opt into paying for it, and so they're paying for version one, they're not paying for version two, they're expecting patching and servicing of version one while version two is adding its capabilities as well.
B
Then this is the point here, that patching is never necessarily a linear concept, so that, you know, version one, and you can think about this as git branching as well, is how somebody would be patching different versions, and in this case a version three is started, and I've just showed the permutations as both Windows and Linux versions of this particular thing, but it could be Windows and Mac. It could be different processor architectures and so forth.
B
The other thing is that we didn't necessarily want to build in the assumption of semantic versioning, so I've got the CalVer version as an, I wanted to put that as an example as well.
B
B
If there are five artifacts that come out of a build that need individual statements, that being associated with them, but there's some logical grouping around those, and if there's an average of five builds a day that are being produced, not all of which will actually, if a build fails, for instance, you might skip that version and not put it on the SCITT. So if you notice here in the Windows one, I just happen to skip 1.0 into 1.3.
B
Would, if we want to have a feed have the ability to have associated statements around that artifact, every time do I build, do I create yet another feed?
B
B
There is just, each one is its own feed, and I can put SBOMs, and, you know, statements and VEX, and, you know, statements of quality and so forth to that one build, or if I have a new version of that, can I put that new version on the same feed and have, you know, some kind of structure here? So I don't have an answer per se. I just wanted to bring up the concept of versioning to think about when we're structuring feeds, so that we could think about.
B
B
B
Oh sorry, thank you. I can't see that, so I'll pause there, go ahead. Let me go back over here. Okay.
H
So I agree versions are interesting and something that we should discuss. I disagree that it should be part of the feeder, so, as far as I recall, in all the discussions of versions and timestamps, and this kind of additional complex, optional features, the.
H
To put all of them as part of the registration info, that provides a key value map, and so the idea was to have the issuer, and then the issuer picks a field, which is a simple name for the whole collection of transaction statements, and then use the registration info for all the details, and that may include versions like semantic versions or the secret version numbers or timestamps or anything else, but because these are going to be optional, laptop, I don't think we should outrage that into the feed, so I.
H
My suggestion is to keep the feed as simple as it can and to keep only the registration info as, well, the only header that provides an extension point where you may want to put versions or timestamps or anything else. Maybe a remark on top of that is that providing the feed is a simple anatomy, and so it's the same for everything in the collection, then we have the registration info.
H
You can also provide even more details on what to do with that in the payload, but then that's opaque, and that's another good possibility. So as an example, if I take your network example, Steve, I think, to me, the feed should be the name of the guitar project and the version should go into the registration info together purpose, perhaps with the timestamp info information.
B
Yeah, and I want to get to your question, Roy, and so one of the things that I was thinking about is the piece that we have to kind of digest, and this is why I think some examples will help, is, it's fine to say we don't want to be part of the feed. But if we say it's not part of the feed, what does it look like? So that was the thing that I was trying to digest, is if I have just a new feed for every build.
B
Is that more practical as well? So, and I was thinking of capturing this in the scitt.io website, so it's not directly in the specs, and we could decide if we want to put in the specs. But what is an example look like, and are we happy with that example? So it's not just say if we want to include it, but if we want to exclude it, what would a typical project look like, so.
H
So again, I really think that the feed should be the broad category of transfer on segments, and if they are a discriminator, versions or anything else, you should foreign.
C
Shall I go next? Yeah. Two things I wanted to ask. First fundamental thing is, why this kind of relationship where this version is related to this, can this relationship be not part of SCITT claim about the artifact, that this is the artifact, I am produced it, this is this version, this is linked to this version? So why it should be in the field or.
F
B
Part of the question, yeah, that's exactly the kind of question. I'm trying to take the discussion we've had to date around feeds and model out what would it actually look like, and do we like what it looks like, because, and it maps back, this was Orie's bringing this up, is what are the actual use cases we're trying to track. So in the use cases, I added versioning as the latest thing, yeah.
C
Yeah, or something like artifact versioning, because I am producing new artifacts, which are linked to my previous artifacts, how would I manage them? Because SCITT versioning means SCITT transparency service versioning or something, it felt like that. So thanks, yeah, okay, yeah, I think that's it from me. Yeah.
J
The only, right, the original question I had for you was, the SBOM already defines the title and the version semantics, and not referencing it here seems kind of odd, and that its mechanisms need to be taken into account, which kind of gets into a use case or a vertical. I understand what you're saying. I think it also gets into questions of, how do you guarantee only the owners of the product actually get to produce versions that should show up on here, and how do you deal with.
E
J
Between mergers and acquisitions, those are all strong things to my way. I always think claims or endorsements to allow you to know which version you should migrate to or from. As you know, in the Windows case, it isn't just six. It's probably 20, 100, 200 different versions that are shipping out there.
B
Right, that's kind of what I was, I wasn't trying to get as complex as Windows, but there's certainly, you can imagine two and three versions that, you know, companies maintain, and the CalVer becomes an interesting one as well, and I think that's what you're bringing up. Also is the question of: do we lean into SBOMs, like, how much does SCITT dependent on a particular artifact type?
E
J
Which is why I had a hard time but trying to figure out feeds and the concept of a ledger versus it's part of the query and storage subsystem on top of it, and which is why I continue to struggle with feeds and their value here. I understand the feed concept when it comes to register the policy, the configuration for what trusted roots are and what identity providers you support. When you start getting into the broader context of each use case or vertical, this becomes really, really hard all of a sudden.
B
What do folks think about capturing some examples so that we can see it? If somebody was implementing SCITT, the SCITT in general, not even specific to feeds, but if somebody was implementing SCITT for a particular software product, what could it look like, and what does it look like for people that are already using it?
A
I
I'm not sure if, can you hear me? Yeah, oh okay, it doesn't show the indicator on my side again. The Meetecho dropped the indicator, so I was not sure. Sorry, sorry, a testament between this. The noise was me. So yeah, on the top of the order, mostly I think usage of feeds or the, they are not living in a vacuum. So now I was educated again that they exist below the issuer and below the feed system.
I
Direct info map that can be arbitrary and forwards also something like sequence number, which not arbitrary, I think, so I think that's what would help.
I
You really is a set of statements about software, like mock-up SBOMs, mock-up CVEs, mock-up version updates of software, again represented via SBOMs, I assume, and make a small graph of interrelated examples that are all standalone statements but somehow related, and then find out from this set of, say, like, I don't know, 5 to 15 examples that are somehow interrelated, then try to figure out how to use the feeds for those. I think that might make sense.
I
It's just a very embryonic proposal, but I think it would make this relatively abstract discussion more attachable, and therefore I think we can move on a little bit, and sorry for my voice.
B
Sorry, you're sick, honey s or John.
D
I'll be quick, but just to save people a lot of work in the coming week of thinking about this: it is a well-made and pretty unbreakable decision that we made a long time ago that SCITT is payload agnostic and doesn't look inside the payload to work out anything, and I think that informs an awful lot about what we can or can't do with vertical-specific version format. So I think, because the feed ID is a very important syntax to work out, because it's shared between clients and relying parties and code.
D
We need to have a syntax which is able to carry all of the use cases that we care to think of, but I don't think it should specify any of those use cases. So when we look at software versions and firmware versions and the subtleties of configuration versions, which are all legitimate and necessary parts of the software supply chain, we need to make sure that those can be expressed in whatever we come up with.
C
B
E
Steve, I'll be very brief. Yeah, I think we showed a really good example during the hackathon, when we showed that a vendor response file, which is really intended to support software supply chain artifacts, including SBOMs and VDRs and other information. That, I think, is a really good example of the kind of information that people will be expecting if they want to conduct a risk assessment on software. Thanks.
A
Yeah, thank you. Thank you, Steve, for sort of starting this discussion. So obviously we need to, it was the beginning, or at least a continuation of what we had before, and we are not there yet, but we'll have to figure out on how to put the, sort of come to a conclusion on the feed discussion. That's important for the API design, but it's also important for the architectural argument. So we need to find a nice ground in between of what would work for all these different use cases.
A
But it's still sort of descriptive enough that we can put something in that document.
D
Then I will, over time, we should, we should close. It's just, yeah, hopefully we'll get those 48-hour deadlines done, we'll get a new clean version to work off, and then we'll pick back up on feeds and versions.