►
From YouTube: IETF-SCITT-20230918-1500
Description
SCITT interim meeting session
2023/09/18 1500
https://datatracker.ietf.org/group/scitt/meetings/
A
B
D
B
A
E
Yeah,
we
haven't
actually
made
any
progress
on
that
harness.
My
apologies,
I
I
know
that
you
know
it's
not
an
excuse,
but
I
will
tell
you
that
things
are
really
crazy
here
in
the
US
right
now
with
the
SEC
cyber
security
regulations
going
into
effect
in
December.
So
is
a
really
good
chance.
I
won't
have
any
time
to
work
out
until
after
December,
okay,
but.
E
Oh
there's
no
doubt
about
that.
In
my
mind,
especially
in
you
know,
we're
supposedly
two
weeks
from
getting
the
the
word
here
in
the
US
about
the
new
cyber
security
Trustmark.
This
is
supposed
to
be
regulations
put
in
place
by
September
30th.
On
that
I
mean
I
was
Bob
Martin
here
he
might
have
no
okay,
I
haven't
heard
any
more
about
it,
but
I
know
it's
due
on
September
30th
and
that
that
would
be
a
prime
candidate,
in
my
opinion,
to
register
a
security
label
in
a
skip
registry.
A
C
C
A
F
E
Inside
information,
basically,
you
know
see
what
I
see
online.
The
FCC
is
supposed
to
be
putting
on
some
guidance
on
how
to
make
these
labels
available.
I
know,
if
you
look
at
Singapore
and
Finland
you'll
see
that
they're
they
don't
have
a
quote
registry.
If
you
will
they,
they
just
have
websites
where
you
can
go
check
these
labels,
but
it
looks
like
FCC
may
be
hosting
something
a
little
more
formal,
at
least
that's
my
impression.
F
Challenge
to
get
something
like
skit
adopted,
given
that
all
these
things
are
starting
to
kind
of
fall
to
like
a
least
common
denominator,
implementation
lately,
I
think
of
s-bomb.
In
the
same
way
you
know
attestation
and
so
forth,
they're
all
kind
of
like
okay,
you
know
scribble
something
in
a
cocktail
napkin
and
send
it
to
us
and
you're.
Okay,
so
I
think
we're
ways
from
having
you
know
verified.
A
E
E
The
concept
behind
at
least
the
U.S
cyber
security
Mark
is
that
you,
you
will
have
a
QR
code
on
the
box.
Let's
say
you
go
into
Best
Buy
and
you
want
to
check
you
know
on
this.
Router
there'll
be
a
QR
code
on
the
box
that
enables
you
to
check
the
trust
you
know
for
this
trust
label.
Well,
that
that
QR
code's
got
to
take
you
someplace
right,
yeah,.
F
But
that's
where
you
know
manufacturer
website
or
whatever
I
think
so
so
I
made
my
point:
I
don't
want
to
be
labored
here,
but
I
think
it
would
be
a
great
application.
I
just
don't
think
that
we're
gonna
have
any
requirements
for
government
work
or
even
consumer
iot
seals
that
are.
You
know
that
need
Authentication
almost
in
any
way.
A
But
but
of
course,
sort
of
like
it
starts
somewhere
and
then
there's
some
progress
and
and
things
to
work
over
time
and
and
in
general,
like
regulation,
doesn't
pinpoint
or
point
to
a
specific
standard,
and
you
have
to
do
this
or
that
I
think
it
will
sort
of
sort
out.
But
I
see
a
lot
of
use.
Cases
where
something
like
a
skip
registry
would
obviously
be
of
great
value,
which
brings
us
to
the
topic
of
today.
John.
D
Yes
correct,
so
there
was
a
nice
conversation
going
on,
but
now
there
isn't
so
we
we
don't
have
the
guest
presentation
on
the
upside
that
allows
us
to
continue
our
actual
work,
leading
up
to
118
of
trying
to
sort
out
feeds
we
have
had
with
a
UK
national
holiday
in
the
US
national
holiday
and
then
the
d-bomb
presentation.
Last
week,
we've
had
quite
a
few
weeks
off
chasing
that
that
progress,
so
I'm
actually
quite
glad
to
be
back
on
I.
G
G
G
That
provides
an
append
only
solution,
because
you
know
it's
the
sort
of
thing
where
the
the
relying
parties
are
going
to
want
to
note
that
it
was
claimed
at
a
certain
time
and
be
able
to
prove
that,
even
if
somebody
takes
it
off
their
website
because
they
got
something
wrong
or
whatever
you
know,
it's
it's
ideal.
So
I
think
we
should
be
making
that
point,
and
you
all
know
that,
but
just
wanted
to
chime
in
with
that.
A
A
D
So
we
can
put
that
to
the
back
Steve's
here
and
has
some
good
input
so
on
on
versions
and
versioning
I
think
we
can
look
at
that
as
a
use
case
for
feeds
and
instructing
that
and
I
did
want
to
pick
up
one
PR
that's
come
in
to
come
into
the
emulator
from
John
Anderson,
adding
oidc
as
the
authentication
method
for
for
the
client.
Because,
of
course,
we
have
to
decide
whether
we're
going
to
build
that
into
Scrappy
or
make
it
a
kind
of
optional
extension
for
Scrappy.
A
The
we
have
the
for
the
we
have
currently
two
PRS
open.
One
is
an
older
PR
that
I
filed
on
one
specific
section
and
then
I
think
it
was
Cedric
couldn't
picked
up.
Another
comment:
I
I
posted
as
a
review
about
the
RC
255
two
one,
one,
nine
language
the
month.
We
should
and
worked
on
that
as
well,
so
we
have
those
two
I
suspect.
C
A
C
H
So
maybe
I
can
give
an
update
on
these
two
pull
requests.
So
so
there
are
two
of
them.
There
is
one
entire
energy,
but
we
got
stuck
on
the
very
first
term
last
time,
so
adding
more
time
and
I
plan
to
report
on
that
in
the
details
meeting
tomorrow,
but
that's
still
not
something
that
is
ready
but
I'm,
just
starting
there,
then
on
the
user.
Antoine
is.
H
A
A
A
C
A
C
B
A
A
The
yeah
so
and
then
worked
on
the
text
a
little
bit
as
you
can
see.
So
what
what
I
was
also
trying
to
do
is
try
to
organize
sort
of
more
clearly
according
to
like
the
steps
that
happen
like
in
this
case,
we
are
seeing
the
issuing
of
the
sign
statements,
starting
with
that
one
and
then
sort
of
go
step
by
step
from
that
and
reshuffle
the
text.
A
C
One
question
Johannes
one
question
here:
is
it
actually
issuing
sign
statement
or
it
is
actually
explaining
what
sign
statement
format
is
because
the
line
642
on
the
older
version
was
had
an
explicit
statement
about
sign
statement
format
and
you
are
saying
issuing
design
statement.
So
are
you
talking
about
issuing
it
or
are
you
talking
about
its
format,
which
is
part
of
the
sign
statement.
A
Well,
if,
if
you
before,
you
can
use
the
API
that
is
described
in
this
other
document
in
the
scrappy
document
you
have
to
the
issuer
has
to
take
all
the
different
claims
and
Munch
it
together
and
then
produce
a
sign
statement
and
has
to
get
it
ready
for
making
the
API
call.
This
is
this:
is
the
text
for
that.
A
A
A
A
There
are
a
few
steps,
then,
here
and
and
I
think
it
was
Cedric
or
Antoine
who
then
in
the
pr
tightened
up
the
the
the
shoot
made
Mass
language.
So
that's
good
as
well
get
to
that
if
you
scroll
down
so
after
all,
these
different
steps
are
done,
it's
registered
and
then
in
response.
The
issuer
then
gets
the
the
transparent
statement,
kind
of
Slash
receipt
back,
the
transparent
statement
being
the
receipt
and
essentially
the
the
sign
statements.
A
A
A
G
C
A
C
A
C
C
I
Okay,
I'm
using
again
hi
no
I
have
not
looked
at
this.
As
far
as
test
week
was
half
year
ago,
some
IDs
have
been
submitted,
so
there
was
a
lot
of
expiration
date
last
week.
For
me,
sorry
so
I
had
to
switch
gears
a
little
bit
I'm
now
back
on
track
with
actual
current
iitf
work,
and
this
is
on
my
list
to
be
done
on
a
business
trip
this
week.
I
C
H
D
A
Yeah,
but
it's
it's
a
good
big
thanks
to
to
Antoine
for
touching
this,
because
that
was
something
I
noticed
when
I
was
reading
through
the
document
that
he
is
now
going
through
it
and
checking
like
what
should
we
really
have.
They
are
like.
We
can't
sprinkle
the
shoots
all
over
the
place
or
maze
need
to
be
a
little
bit
tight
on
some
aspects
and
maybe
looser
on
others
and.
H
So
I
think
that's
the
thing.
I
think
it's
super
important
and
I
think
it's
a
great
way
of
going
back
to
any
issues
where
we
picked
should
because
we
did
not
have
an
agreement
on
whether
it
was
on
lateral
or
not
so
I
think
I
know
we
will
shoot
the
reflecting
the
lack
of
consensus
and
those
that's.
Why
get
there.
A
Exactly
and
and
specifically
we,
the
the
shoot,
is
sometimes
a
convenient
way
to
get
out
of
the
tough
question
on
whether
something
should
be
mandatory
or
not.
I
understand
that,
but
for
for
an
implementer
if
they
are
only
shoots
in
there,
it
gets
really.
Tough
developers
have
a
hard
time
than
to
figure
out
like
when,
should
they
actually
Implement
a
certain
functionality
and
when
not
because
they
have
a
hard
time
making
that
judgment
code
so.
H
C
C
Yes,
but
I
think
me
just
keeping
it
may
keeps
feels
a
bit
ambiguous,
because
what
are
we
trying
to
say
may
means
who
does
it?
So
we
can
give
an
example
that
these
things
may
be
a
part
of
some
policy
decided
by
this
skit
owner,
or
maybe
some
implementations
may
decide
it
based
on
their
use
case,
something
like
that.
We
can
put
a
disclaimer
or
an
additional
clarification.
I
meant
with
what
what
we
mean
by
May
here.
C
J
A
H
H
Okay,
so
we
should
we
could
just
use
May
in
all
those
cases.
For
now,
until
we
Define
explicitly
what
the
profile
or
configuration
is,
and
once
we
have
a
once,
the
profile
exists,
we
can
say
we
can
refer
to
it
to
explain
the
the
profile
may
be
configured
to
require
it,
in
which
case
issuers
must
implemented.
A
Etc
there's
a
risk
like
if
you
have
all
sorts
of
use
cases
in
mind
and
the
whole
document
is
just
a
may-
may
do
this
and
that
then
you
can
almost
forget
the
maid
to
begin
with
red,
because
then
then
it's
kind
of
a
meaningless
there's,
no
interoperability
whatsoever.
So
I
think
that
the
pay,
the
first
question
to
ask
is:
do
you
actually
anticipate
any
level
of
interoperability
with?
What's
in
this
document,.
H
I
do,
of
course,
but
but
I
think
there
are
two
levels
of
interoperability.
There
is
interoperability
between
within
a
given
supply
chain,
and
then
there
is
interability
of
God
and
services
between
different
civilians
and
for
the
letter,
I
think
is
going
it's
harder
to
moderate
every
implementation
to
implement
all
the
features
that
are
going
to
be
required
in
only
a
few
sublections,
so
that
that
so-called
difficulty
that
we
have.
A
A
H
A
A
H
H
C
H
C
A
A
It
says
like
those
are,
the
the
the
benefit
to
implement
sort
of
mechanisms
and
and
then
much
much
later,
people
came
up
with
profiles,
and
so
of
course
here
like,
for
example,
one
profile
would
be
one
that
Packers,
let's
say,
hangs
Famous
Seafood
example,
and
who
knows
what
people
in
the
seafood
industry
would
want
to
use
in
terms
of
algorithms?
Maybe
they
don't
like
that.
That
did
web
method.
I
have
no
idea.
C
H
C
A
A
A
But
it
does
like
standard,
he
doesn't
say
which,
from
which
standards
organization,
it's
a
document
right,
but
you
can
you
can
you
can
change
the
language
to
say
like
for
this
specific
case?
It
needs
to
have
some
profile
some
specifications
somewhere.
It
doesn't
need
to
be
you
can
you
can
come
up
with
a
registry
to
to
give
people
a
chance
to
register
in
Ayana
different
profiles,
so
it's
easier
to
find.
Okay,
for
example,
okay,.
H
J
H
C
A
H
A
A
A
C
I
A
B
Well,
actually,
we
could,
but
I
actually
wasn't
when
I
was
poppy
in
the
queue.
What
I
was
going
to
suggest
is.
This
is
one
of
the
general
things
we
hear
is
feedback
of
specs
is
when
things
say
may
or
or
could
or
or
should
it
gets
very
vague
about
what
the
implementation
should
be
so
I
without
specifics
on
that
as
much
that's
must
and
should
clarifying
clarifying
will
help.
I
H
A
B
You
let
me
share
a
specific
yes,
oh
I
see
okay,
this
is
where
I
can
I'm
trying
to
remember
how
it
there
we
go
okay,
so
there
was
two
hack
docs
that
we
started
hacking
together
to
try
to
put
some
more
context.
So
the
identifiers
is
certainly
a
you
know,
a
piece
I
think
the
the
question
is:
if
we
roll
all
the
way
back
is
what
do
we
think
the
structure
of
a
feed
should
be?
Is
it
just
a
plain
string?
B
B
So
how
do
we
think
of
that
in
the
concept
of
a
feed?
What
I
did
was
I
wrote
this
up
a
bit
just
to
pull
into
the
discussion.
How
do
we
want
to
structure
a
feed
so
that
we
can
think
about
the
various
permutations
of
that?
So
this
is
rough.
I
was
just
trying
to
get
this
together.
So
it's
a
purpose
of
conversation.
So
how
do
we
structure
skit
feeds
how
to
correlate
previous
versions?
B
And
one
of
the
topics
we've
been
discussing
is:
do
we
have
you
know
an
artifact,
an
arbitrary
sample
project,
or
do
we
have
a
real
world
project
that
we
could
use
as
a
reference?
So
I
definitely
want
to
have
that
conversation?
What
real
world
examples
should
we
look
at
for
now?
I've
just
used
this
net
Watcher
sample,
but
we
should
definitely
look
at
some
existing
ones
and
Robin
had
shared
some
additional
documents
on
various
package
managers.
So
I'll
come
to
that
art
of
that
document
in
a
minute.
B
So
the
idea
here
is
that
there's
just
as
an
example,
there's
multiple
versions
that
are
currently
in
support
for,
in
this
case
the
net
Watcher
version,
one
supports
on-premise
networks
and
just
for
the
arguments
that
the
version
2
takes
care
of
cloud,
hosted,
networks
and
they're,
not
necessarily
compatible
or
the
version
two
customers
have
to
opt
into
paying
for
it
and
so
they're
paying
for
version
one
they're
not
paying
for
version
two
they're
expecting
patching
and
servicing
a
version.
One
well
version
two
is
adding
its
capabilities
as
well.
B
Then
this
is
the
point
here
that
patching
is
never
necessarily
a
linear
concept,
so
that
you
know
version
one,
and
you
can
think
about
this
as
get
branching
as
well,
is
how
somebody
would
be
patching
different
versions,
and
in
this
case
a
version.
Three
is
started
and
I've
just
showed
the
permutations
as
both
windows
and
Linux
versions
of
this
particular
thing,
but
it
could
be
Windows
and
Mac.
It
could
be
different,
processor,
architectures
and
so
forth.
B
B
If
there
are
five
artifacts
that
come
out
of
a
build
that
need
individual
statements,
that
being
associated
with
them,
but
there's
some
logical
grouping
around
those
and
if
there's
an
average
of
five
builds
a
day
that
are
being
produced,
not
all
of
which
will
actually,
if
a
build
fails.
For
instance,
you
might
skip
that
version
and
not
put
it
on
the
skip.
So
if
you
notice
here
in
the
windows,
one
I
just
happen
to
skip
1.0
into
1.3.
B
B
There
is
just
each
one:
is
its
own
feed
and
I
can
put
s-bombs,
and
you
know
statements
and
Vex,
and
you
know
statements
of
quality
and
so
forth
to
that
one
build
or
if
I
have
a
new
version
of
that
can
I
put
that
new
version
on
the
same
feed
and,
have
you
know
some
kind
of
structure
here
so
I
don't
have
an
answer
per
se.
I
just
wanted
to
bring
up
the
concept
of
versioning
to
think
about
when
we're
structuring
feeds
so
that
we
could
think
about.
B
B
H
H
To
put
all
of
them
as
part
of
the
registration
info,
that
provides
a
key
value
map,
and
so
the
idea
was
to
have
the
issuer
and
then
the
issue,
our
Peaks,
a
field
which
is
a
simple
name
for
the
whole
collection
of
transaction
statements
and
then
use
the
registration
info
for
all
the
details,
and
that
may
include
versions
like
semantic
versions
or
the
secret
version
numbers
or
timestorms
or
anything
else,
but
because
these
are
going
to
be
optional,
laptop
I.
Don't
think
we
should
outrage
that
into
the
feed
so
I.
H
My
suggestion
is
to
keep
the
feed
as
simple
as
it
can
and
to
keep
the
only
the
registration
info
as
well.
The
only
header
that
provides
an
extension
point
where
you
may
want
to
put
versions
or
timestones
or
anything
else.
The
the
maybe
a
a
remark
on
top
of
that
is
that
providing
the
feed
is
a
simple
anatomy
and
then-
and
so
it's
the
same
for
everything
in
the
collection,
then
we
have
the
registration
info.
H
You
can
also
provide
even
more
details
on
what
to
do
with
that
in
the
payload,
but
then
that's
opaque
and
that's
another
good
possibility.
So
as
an
example,
if
I
take
your
network
example,
Steve
I
think
the
to
me,
the
feed
should
be
the
name
of
the
guitar
project
and
the
version
should
go
into
into
the
registration
info
together
purpose,
perhaps
with
the
timestamp
info
information.
B
Yeah
and
I
want
to
get
to
your
question
Roy
and
so
the
I
one
of
the
things
that
I
was
thinking
about,
is
the
piece
that
we
have
to
kind
of
digest,
and
this
is
why
I
think
some
examples
will
help
is,
if
it's
fine
to
say
we
don't
want
to
be
part
of
the
feed.
But
if
we
say
it's
not
part
of
the
feed,
what
does
it
look
like?
So
that
was
the
thing
that
I
was
trying
to
digest
is
if
I
have
just
a
new
feed
for
every
build.
B
Is
that
more
practical
as
well
so
and
I
was
thinking
of
capturing
this
in
the
skid
IO
website,
so
it's
not
directly
in
the
specs
and
we
could
decide
if
we
want
to
put
in
the
specs.
But
what
is
an
example
look
like,
and
are
we
happy
with
that
example?
So
it's
it's
not
just
say
if
we
want
to
include
it,
but
if
we
want
to
exclude
it,
what
would
a
typical
project
look
like
so.
C
Shall
I
go
next
year?
Two
things
I
wanted
to
ask
is
First.
Fundamental
thing
is
why
this
kind
of
relationship
where
this
version
is
related
to
this?
Can
this
relationship
be
not
part
of
skit
claim
about
the
artifact
that
this
is
the
artifact
I
am
produced
it.
This
is
this
version.
This
is
linked
to
this
version,
so
why
it
should
be
in
the
field
or.
F
B
Part
of
the
question:
yeah,
that's
exactly.
The
kind
of
question
is
I'm
trying
to
take
the
discussion.
We've
had
to
date
around
feeds
and
model
out.
What
would
it
actually
look
like,
and
do
we
like
what
it
looks
like
because
and
it's
Maps
back
this
was
Oreo's.
Bringing
this
up
is
what
are
the
actual
use
cases
we're
trying
to
track
so
in
the
use
cases,
I
added
versioning,
as
the
latest
thing
yeah.
C
Yeah
or
something
like
artifact,
versioning
or
because
I
am
producing
new
artifacts,
which
are
linked
to
my
previous
artifacts.
How
would
I
manage
them
because
kit
versioning
means
skip
transparency,
service,
versioning
or
something
it
felt
like
that?
So
thanks,
yeah,
okay,
yeah
I,
think
that's
it
from
me.
Yeah.
J
The
only
right
the
original
question
I
had
for
you
was
the
s-bomb
already
defines
the
title
and
the
version
semantics
and
that's
not
referencing-
it
here
seems
kind
of
odd
and
that
its
mechanisms
need
to
be
taken
into
account,
which
kind
of
gets
into
a
use
case
or
a
vertical
I
understand
what
you're
saying
I
think
it
also
gets
into
questions
of.
How
do
you
guarantee
only
the
owners
of
the
product
actually
get
to
produce
versions
that
should
show
up
on
here,
and
how
do
you
deal
with
with.
E
J
Between
mergers
and
acquisitions,
those
are
all
strong
things
to
my
way,
I
always
think
claims
or
endorsements
to
allow
you
to
know
which
version
you
should
migrate
to
or
from.
As
you
know,
in
the
windows
case,
it
isn't
just
six.
It's
probably
20
100
200,
different
versions
that
are
shipping
out
there.
B
Right,
that's
kind
of
what
I
was
I
I
wasn't
trying
to
get
as
complex
as
Windows,
but
there's
certainly
you
can
imagine
two
and
three
versions
that
you
know
companies
maintain
and
the
caliber
becomes
an
interesting
one
as
well
and
I.
Think
that's
what
you're
bringing
up
is.
Also
is
the
question
of:
do
we
lean
into
s-bombs
like
how
much
does
skit
dependent
on
a
particular
artifact
type?
E
J
Which
is
why
I
had
a
hard
time
but
trying
to
figure
out
feeds
and
the
concept
of
a
ledger
versus
it's
part
of
the
query
and
storage
subsystem
on
top
of
it
and
which
is
why
I
continue
to
struggle
with
with
feeds
and
their
value
here.
I
understand
the
feed
concept
when
it
comes
to
register
the
policy
the
configuration
for
what
trusted
roots
are
and
what
identity
providers
you
support.
When
you
start
getting
into
the
broader
context
of
of
each
use
case
or
vertical,
this
becomes
really
really
hard.
All
of
a
sudden.
A
I
I'm
not
sure,
if
I,
can
you
hear
me
yeah,
oh
okay,
it
doesn't
show
the
indicator
on
my
side
again.
The
mythical
dropped,
the
indicator.
So
I
was
not
sure.
Sorry,
sorry,
a
testament
between
this.
The
noise
was
me
so
yeah
on
the
top
of
the
order,
mostly
I,
think
usage
of
feeds
or
the
they
are
not
living
in
a
vacuum.
So
now,
I
I
was
educated
again
that
they
exist
below
the
issua
and
below
the
feed
system.
D
I'll
be
quick,
but
just
to
save
people
a
lot
of
work
in
the
coming
week
of
thinking
about
this.
It
is
a
well-made
and
pretty
unbreakable
decision
that
we
made
a
long
time
ago
that
skit
is
payload
agnostic
and
doesn't
look
inside
the
payload
to
work
out.
Anything
and
I
think
that
informs
an
awful
lot
about
what
we
can
or
can't
do
with
vertical
specific
version
format.
So
I
think,
because
the
feed
ID
is
a
very
important
syntax
to
work
out,
because
it's
shared
between
clients
and
relying
parties
and
code.
D
We
need
to
have
a
syntax
which
is
able
to
carry
all
of
the
use
cases
that
we
care
to
think
of,
but
I
don't
think
it
should
specify
any
of
those
use
cases.
So
when
we
look
at
software
versions
and
firmware
versions
and
the
subtleties
of
configuration
versions
which
are
all
legitimate
and
necessary
parts
of
the
software
supply
chain,
we
we
need
to
make
sure
that
those
can
be
expressed
in
whatever
we
come
up
with.
C
B
E
Steve
I'll
be
very
brief.
Yeah
I
think
we
showed
a
really
good
example
during
the
hackathon,
when
we
showed
that
a
vendor
response
file,
which
is
really
intended
to
support
software
supply
chain
artifacts,
including
s-bombs
and
vdrs,
and
other
information.
That
I
think,
is
a
really
good
example
of
the
kind
of
information
that
people
will
be
expecting
if
they
want
to
conduct
a
risk
assessment
on
software.
Thanks.
A
Yeah,
thank
you.
Thank
you,
Steve
for
sort
of
starting
this
discussion.
So
obviously
we
need
to
it
was
the
beginning,
or
at
least
a
continuation
of
what
we
had
before
and
we
are
not
there
yet,
but
we'll
have
to
figure
out
on
how
to
put
the
sort
of
come
to
a
conclusion
and
defeat
discussion.
That's
important
for
the
API
design,
but
it's
also
important
for
the
architectural
argument.
So
we
need
to
find
the
a
nice
ground
in
between
of
what
would
work
for
all
these
different
use
cases.