►
From YouTube: IETF-SCITT-20230731-1500
Description
SCITT meeting session at IETF
2023/07/31 1500
https://datatracker.ietf.org/meeting//proceedings/
B
D
D
C
So
the
so
the
as
I
mentioned
that
the
the
meeting
the
skit
meeting
last
week,
I
thought
it
would
be
a
good
idea
to
have
a
call
today,
even
if
it's
a
short
call
to
just
reflect
a
little
bit
on
the
IDF
meeting,
what
action
items
we
picked
up
and
kind
of
what
the
next
steps
are.
If
we
wait
a
few
weeks
after
the
IDF
meeting
took
place,
then
all
the
all
our
memories
about
it
would
have
vanished,
and
so
we
would
start
from
scratch
again
like
summarizing
I.
C
C
C
There's
still
for
me,
the
question
on
how
the
skid
emulator
is
going
to
be
sort
of
aligned
with
the
specification,
because
it's
currently
not
so
super
friendly
to
use,
because
the
terminology
it
uses
for
everything
for
the
apis
for
the
for
the
command
line
for
yeah
for
everything
is,
is
outdated
by
now.
I,
don't
know
who
is
actually
maintaining
it.
C
B
So
my
hope
and
expectation
is
that,
as
we
build
that
document,
updating
the
API
specification
with
a
bit
more
correctness
like
expected,
error
codes
and
things
like
that,
as
we
update
that
document,
we'll
update
the
emulator,
possibly
even
rewrite
it,
but
we'll
update
the
open
source
code,
hand
in
hand
with
that
to
meet
the
original
expectation
that
it's
supposed
to
mirror
and
test
the
specification
rather
than
sort
of
replace
or
drive
it.
So
I
think
we
should
find
a
relatively
natural
way
of
updating
it.
E
F
E
Don't
understand
exactly.
You
know
how
it's
done
other
than
I
mean
I
understand
the
basis
of
like
if
we
have
a
signed
artifact
that
can
be
submitted
to
this
thing
and
someone
else
can
check
it
to
say
yeah,
that's
the
same
one
that
I
have
in
hand,
but
that
doesn't
really
close
the
loop
on
all
these
other
things
that
we
need.
F
E
E
There's
a
lot
that
I
don't
happen
to
know,
because
if
you,
if
you
don't
stay,
you
know
absolutely
and
trying
to
stay
on
the
leading
ad
Leading
Edge
of
things
you'll
find
out
that
you've
missed
things
for
the
last
few
years
that
other
people
have
been
working
on
all
time
and
again.
So
that
was
very,
very
interesting
of
things
that
are
that
are
not
not
actually
applicable
to
this
subject.
But
anyway,
that's
my
take
on
it.
E
E
A
A
It
became
very
clear
that
we
have
to
close
down
there
on
the
architecture
document
and
move
forward
on
some
of
the
remaining
open
issues
in
their
entirety.
There
was
one
new
scenario
that
came
up
post
the
hackathon
that
I
haven't
talked
to
John
about,
but
I
talked
to
others
about
which
is
in
the
physical
supply
chain.
A
In
a
nationalistic
mechanisms,
we
may
need
a
mechanism
where
we
have
more
than
one
receipt
from
different
skip
instances
for
different
Global
regions,
but
I'll
start
a
thread
on
the
the
skip
mailing
list
to
discuss
that
Hannah
I
saw
your
comment
of
asking
for
the
the
emulator
see
what
we
can
do
for
for
people.
It's
been
a
heck
of
a
week.
A
They
were
I
noticed
that
in
the
skip
meeting
we
had
a
few
cases
where
hidden
agendas
wanted
to
to
Trump
and
drive
some
part
of
the
discussion
to
force
it
into
other
discussions
and
thanks
Kirsten
for
the
meeting
with
the
Gordon
gordian
envelope.
People
and
hopefully
you
get
some
clarity
there
I,
don't
know
what
happened
the
rest
of
the
week,
because
I
left
on
Monday
and
I've
been
running
ever
since
so.
C
A
I
wrote
some
stuff
internally
here:
I
will
send
mail
to
Carson
and
to
Hank
and
Ori,
who
are
also
in
the
room,
we'll
get
a
summary
out
of
it.
The
what
they're
trying
to
do
is
collective
disclosure
and
what
they
were
trying
to
drive
into
to
skip
was
the
concept
of
of
privacy
and
protection,
which
was
kind
of
over
and
above
what
skip
was
trying
to
do
right.
A
If
you
use
in
a
case
where
strong
identity
is
required,
then
the
the
notarization
of
the
identities
are
configured
to
be.
That
way.
If
you
wanted
to
use
something
like
did
with
sub
tickets
to
mask
identities,
even
that's
supported,
but
that's
not
a
configuration
requirement
for
skit,
though
they
wanted
us
to
put
it
in
somewhere,
saying,
suggested
and
be
careful
and
watch
for
this
Behavior
I.
Don't
know
whether
that
belongs
in
the
architecture
document.
A
The
official
path
yeah
they
were,
they
were
desperately
trying
to
figure
out
how
to
get
into
seaboor
and
we
gave
them
suggestions
on
how
to
bring
It
Forward.
They
were
trying
to
ship
yesterday
and
get
a
rubber
stamp
and,
of
course,
we're
going.
We
have
some
thoughts,
we
have
to
read
through
the
document
and
what
the
they
came
away
with.
C
F
Yeah,
this
is
the
thing
I'm
just
trying
to
add
on
very
carefully
that
yeah.
There
was
some
urgency
by
the
authors
and
so
I
think
the
main
issue
was
to
Express
the
trees.
They
need
within
civil
structures
natively
and
not
using
cozy
at
all
and
people
were
like,
but
you
could
sign
something
or
they
have
something.
You
said:
no,
no,
no,
we're
doing
it
like
this
and
everybody's
like
okay.
This
is
an
interesting
approach,
so
maybe
cut
your
approach
in
pieces.
F
So
that
has
to
happen
now.
I'm,
not
entirely
sure
how
the
authors
of
the
Guardian
envelope
will
react
to
that.
But
it
is
very
specific
and
it
is
a
monolithic
designed
and,
as
you
can
see,
with
skit
we
are.
We
are
even
making
approaches
more
generic,
and
this
is
yeah.
It's
basically
the
other
way
around.
So
we
will
see
how
this
works
out.
I
think
that
in
general,
they're,
smart
people
but
I
think
they
they
figured
a
lot.
They
built
a
lot
of
hammers
for
for
narrative.
F
C
A
Except
for,
except
for
us,
taking
it
in
as
a
payload
and
and
generating
a
receipt
for
an
outer
cozy
wrapper,
what
they
were
trying
to
do
was
done
with
Seaboard
directly
and
try
to
use
basically
trees
of
shredding
of
structures
to
to
hide
data.
So
I
they
look.
It's
not
a
hundred
percent
belongs
in
our
field
or
in
our
discussion.
It
has
some
interest.
That's
why
I
posted
the
document.
A
E
F
Yeah
I
can,
could
you
say
some
words
to
that,
so,
oh
apparently
and
I
did
not
actually
read
that
when
Roman
was
starting,
the
consensus
call
for
the
kishven
charter.
He
wrote
if
there's
enough
concerns
before
the
ITF.
We
can
cancel
the
meeting
and
do
not
need
a
buff
because
there's
enough
consensus
on
list
and
to
his
perception.
That
was
the
case
and
then
his
strategy
was
without
notification
to
cancel
the
buffet
that
caused
the
confusion.
So
I
look
back
and
yes,
he
wrote
exactly
that.
F
F
So
if
you
have
any
problems
with
the
current
Charter
I
think
you
can
find
that
on.
The
key
trends
list
are
in
the
data
tracker
on
the
key
keyframes
group
site
and
and
if
there's
something
in
there,
that
is
confusing,
please
say
so.
I
think
kids,
friends
is
is
definitely
only
about
group
chats
and
the
only
thing
I
highlighted
is
well
if
this
transcends
group
chats
from
two
to
thousands
of
people
in
in
messaging
services.
F
B
C
That's
that's
what
it's
designed
for
and
it
mixes
well
combines
two
Mercury
trees,
namely
one
the
one
we
use
as
well.
The
the
log
tree
and
additionally,
the
prefix
tree
for
faster
search
and
on
top
of
the
the
search
option.
There's
also
funny
enough
privacy
construct
called
vrf
you,
but
not
the
vendor
response
form,
but
the
verifiable
forgot
the
name
again.
What
the
acronym
stands
for
pseudo-random
function
also
some
sort
of
privacy
enhancing
mechanism,
and
so
so
it's
a
it's
a
very,
very
much
of
purpose.
C
D
That's
in
the
registry,
directly
sort
of
like
a
registry
of
deeds,
so
that
that's
a
that's
a
key
one,
and
the
other
thing
too,
to
mention
is
that
you
know
there
is.
There
is
a
very
active
software
supply
chain.
That
is,
you
know
you
use
every
day
and
it
includes
things
like
pgp
and
Xbox
509
and
digital
signatures
using
those
keys.
So
it's
I
think
it's
imperative.
Whatever
we
do
here
is
to
also
accommodate
what
is
current
practice
today
and
and
I.
D
Don't
think
it
matters
much
how
you
implement
it
with
regard
to
the
ietf
skit
protocol,
so
long
as
that
protocol
ensures
the
integrity
of
the
process
to
register
trusted
statements,
yeah
I
think
that's
key.
If
we,
if
we
fail
to,
if
we
fail
to
protect
the
integrity
of
the
trust
registry,
then
we
we
will
likely
have
challenges
in
adoption.
C
G
Sorry,
I
think
the
call
for
adoption
did
go
out
unless
I'm
confusing
it
with
the
other
call
for
adoptions
that
that
went
out
but
I'm
fairly.
Certain
the
cozy
list
has
a
call
for
adoption
for
the
commuter
draft,
which
is
the
thing
that
we
expect
receipts
to
profile
on
top
of,
and
also
the
CCF
profiling
draft
was
briefly
introduced,
but
there
was
no
call
for
adoption
for
that
one.
As
far
as
a
more.
C
C
E
Well,
I
just
wanted
to
say
that
the
the
issue
of
the
feed
was
something
that
that
we
did
discuss
quite
a
bit
and
I
think
there
was.
There
was
still
is
some
a
couple
of
different
points
of
view
about
what
a
feat
is
and
it's
different
than
what
I
thought
it
was
and
what
seemed
to
be
stated
in
the
document.
But
then
it
seemed
like
there
was
some
further
discussion
about
that
that
that
may
have
pulled
that
together,
as
into
one
kind
of
uniform
I.
E
B
My
kind
of
service
to
this
community
is
is
mostly
in
trying
to
build
what
we've
written
in
the
specs
and
see
if
it
actually
works
and
and
give
some
sort
of
practical
hints
to
it,
rather
than
meddling
in
the
the
building
of
the
documents
themselves.
And
so
that's
what
I've
been
doing
alongside
the
work
that
you
know,
everybody
else
has
been
working
on
the
on
the
specs.
C
G
I
guess
is
that
if
we
do
have
some
URL
structures
that
we're
starting
to
like
I,
think
it's
worth
evaluating
whether
there
will
be
data
Uris
or
QR
codes
associated
with
some
of
those
standard
rest
API
interfaces.
You
know,
maybe
the
answer
is
you
know
no,
but
I
think
it
can
be
helpful
to
think
about
other
cases
where
you've
had,
as
you
know,
specific
elements
that
had
a
QR
code
associated
with
them.
What
is
stealing
a
QR
code
mean
in
that
context?
G
Hopefully
it's
safe
to
just
steal
them
paste
them
on
various
things,
but
you
know
you
won't
be
cautious
around
privacy
and
security
considerations.
As
soon
as
you
have
URLs,
you
want
to
become
cautious
about
what
does
it
mean
if
that
URL
becomes
a
QR
code
and
people
start
scanning
it
and
clicking
it
that
kind
of
thing?
That's
it.
C
G
G
Guess
it's
worth
considering
whether
the
authenticated
remote
signer
use
case
you
know
is,
is
part
of
this
ecosystem
or
not,
and
the
reason
I
bring
that
up
is
that
it
it
can
make
interoperability
testing
a
little
bit
difficult
having
some
of
this
stuff
sort
of
split
out
from
the
client
and
it's
it's
related
to
a
number
of
conversations
I
had
with
other
folks
throughout
the
week
around.
You
know,
where
is
the
confidence
and
the
keys
that
you're
using
to
sign
the
sign
statements?
G
The
original
issuer
claims
about
the
artifact,
as
opposed
to
the
confidence
and
the
keys
that
are
used
to
make
the
transparent,
signed
statements
which
you
know
are
coming
from
the
transparency
service.
So
I
don't
know
the
timeline
for
the
API,
but
having
an
independent
document
that
can
have
independent
polar
quests
and
move
along
a
little
bit.
Faster
seems
like
a
thing
that
we
should
get
set
up
soon,
so
that
we
can
make
parallel
progress.
D
D
Yeah
I
think,
or
he
hit
on
a
really
good
point.
There
there's
a
lot
of
work,
as
you
know,
right
now
to
post
registered
trust
marks
or
trust
labels.
The
U.S
is
doing
one
we're
going
to
have
language
in
the
far
this
September.
The
EU
CRA
has
this
concept
of
a
CE
Mark
and
the
constant
and
the
concepts
of
both
evolving
around
the
use
of
QR
codes.
D
So
ori's
point
about
QR
codes
is,
is
really
important,
I
think
because
it
would
be
viable
in
Myoma,
in
my
opinion,
to
post
a
QR
code
into
a
skit
trust
registry,
where
people
can
retrieve
that
and
then
you
know,
look
up
any
trust
label
information
that
may
be
associated
with
that
QR
code,
so
I
think
having
that
is
a
high
priority
use
case.
This
use
of
trust
labels
and
QR
codes
for
that
purpose
would
be
very
beneficial
and
skit
seems
to
be
a
viable
solution
for
that.
For
that
particular
case,
thank
you.
F
Was
not
sure
if
that
was
kind
of
kind
of
implied
already,
but
but
there
is
now
a
scrappy
ID
that
includes
a
copy,
a
raw
copy.
It
doesn't
make
a
lot
of
sense
by
itself
without
introduction
such
a
raw
copy
of
the
of
the
API
definitions
that
are
currently
in
the
architecture
consecutively.
That,
though
the
API
parts
will
move
out
of
the
architecture,
but
that
was
not
enough
reason
to
update
it
right
now
so
expect
these
two
disappear
from
the
architecture
and
maybe
a
reference
to
the
reference.
F
F
Yeah
it
has,
it
needs
more
love,
so
there's
just
the
core
if
I
think
as
soon
as
John
and
already
agree
on
core
API
elements,
because
I
couldn't
do
the
first
submission
and
that
does
not
have
to
include
all
open
construction
sites
like
whatever
feeds
and
such.
So
it
has
to
be
the
basis
for
construction
here,
and
then
we
can
see
how
many
levels
we've
built
on
it.
So
I
think
our
first
submission
could
be
relatively
soon.
C
C
F
C
C
F
Super
great
everything
that
is
more
conceptual
is
is
okay
with
the
issue.
If
you
want
to
do
it
formally
and
make
already
very
happy
make
a
tiny
issue
for
HPR,
but
but
I
think
a
good
PR
description
is
also
fine.
Please
already
don't
install
things
at
me,
and
so
so
I
think
yeah
GitHub
PRS
are
the
most
valuable
contribution.
D
Yeah
harness
I
can
point
to
those
so
two
two
places
where
you
can
look
for
information
about
those
is,
if
you
look
at
the
European
cyber
security
resilience
act.
They
talk
very
specifically
about
this
use
of
trust,
essentially
trust
labels.
They
call
them
a
CE
Mark
and
it's
essentially
intended
to
provide
some
level
of
proof
that
a
a
product
has
undergone
some
level
of
cyber
security
testing
and
and
past
some
you
know
requirements.
The
same
is
also
true
for
what's
happening
in
the
United
States
as
well.
D
There
are
there's
a
President
Biden
announced
that
there's
a
new
initiative,
that's
due
to
be
completed
by
September
30th,
which
is
called
the
U.S
cyber
security
Mark.
And
it's
a
these
talk
about
use
of
a
QR
code
that
can
be
placed
on
a
either
like
an
iot
device,
some
packaging
or
on
an
online
website
that
enables
the
user
to
go.
Look
at
you
know
some
information
about
the
trustworthiness
of
these
devices
by
looking
at
the
materials
they
submitted
to
achieve
their.
D
A
D
Yeah
Roy
I
did
some
research
on
this
and
Singapore
and
Finland
both
have
what
effectively
are
static.
Labels
I,
don't
know
what
the
eucce
Mark
will
be
and
I
don't
know
what
the
U.S
cyber
security
Mark
will
be,
but
I
have
suggested
to
nist
that
we
have
Dynamic
labels
simply
because
trust
in
software
is
ephemeral
it
it's
one.
It
can
change
from
one
day
to
the
next.
D
Yeah
I'm
just
using
their
terminology,
they
call
them
labels.
If
you
look
at
the
nist
iot
labelings
recommendations
that
you
know
they
all
refer
to
these
things
as
labels
and
I
so
I,
you
know
I
I
just
adopt
their
terminology
for
this,
but
but
ultimately,
what
it
does
is
it
points
to
some
information
which
you
hope
is
trustworthy.
D
Hence
the
reason
why
it
needs
to
be
in
a
skit
trust
registry,
so
that
people
can
take
that
information,
believe
it
when
they
see
it
and
use
it
to
you
know
in
a
risk-based
mind
decision
you
know
so
anyway.
I'll
put
two
links
in
I'll:
put
a
link,
a
couple
of
links
in
the
chat
for
people
who
want
to
know
more
about
that.
Thanks.
H
H
H
C
C
D
Yeah,
thank
you.
Harness
yeah,
Neil,
I,
I,
agree
completely.
I
also
agree
with
honors
too
I.
I
can
tell
you
that
software
Engineers
don't
swim
well
in
pools
with
politicians
and
regulators
and
they're
the
ones
who
come
up
with
these
terms
and
once
they
have
their
stuck,
but
the
the
point
and
the
thing
about
skit,
which
I
really
like
a
lot.
Is
it
really
doesn't
matter
whether
it's
static
or
dynamic,
because
skit
gives
us
the
ability
to
support
both?
D
A
A
E
D
E
H
D
H
D
E
Okay,
so
let
me
jump
in
the
I
think
it'd
be
pretty
useful
for
us
to
take
a
look
at
this
top
very
top
view
and
and
dick
you
may
be
the
best
person
to
come
in
with
something
to
say.
Let's
say,
I
did
have
this
label
on
a
product
iot
product
or
on
a
website
or
whatever,
when
I
just
downloaded
the
software
and
I
guess
I'm
supposed
to
shine
my
cell
phone
on
it
and
bring
up
the
the
thing
or
else.
E
That
is,
you
know
everything
has
been
pushed
out
of
it
that
we
don't
fully
understand
yet,
and
you
that's
good,
because
that
means
that
everything
in
it-
hopefully
we
do
fully
understand
and
it
can
be
locked
down
and
then
that
becomes
a
very
solid
building
block.
But
now
we
need
to
fill
in
the
difference
between
the
the
gap
between
what
what
is
desired
by
you
know,
regulators-
and
you
know
the
public
really
here
and
where
this
building
block
is
and
to
see.
E
If
we
can't
start
to
fill
in
fill
that
in
so
maybe
is
there
any.
The
question
is:
is
there
any
real
proposals
for
what's
supposed
to
be
the
response
to
clicking
on
the
QR
code
and
and
maybe
we
can
get
some
proposed?
You
know
some
solid
like
that,
vrf
and
I.
Think
we
should
change
the
name
of
it
to
the
the
vendor,
submission
form
or
something,
because
vrf
is
going
to
always
be
a
problem.
But.
H
E
F
Yeah
my
mic
is
acting
up.
They
were
talking
about
pointing
to
Dynamic
things
and
get
somehow
I
assume
that
all
the
things
that
we
will
point
to
always
enshrined
in
some
event,
Only
log,
but
but
the
thing
you
probably
want
to
point
to
and
have
a
smart
query
on,
is
the
feed
structure,
for
example.
So
that
seems
to
be
relatively
close
together
and
I
assume.
That
is
what
are.
We
also
implied,
maybe
that
I'm
guessing
now.
C
F
Maybe
you
need
more
than
than
the
things
is
good
service
can
give
to
you
and
there's
already
a
relatively
composable
mudfire
thing
that
could
include,
for
example,
pointer
to
the
correct
feed
query
and
the
responsible
transparency
service
list.
For
example,
you
don't
know,
maybe
there
are
multiple
and
and
such
so
I
would
not
say
that
directly
the
fee,
but
that
would
be
one
of
the
options.
Yes,.
C
A
C
That's
I'm,
it's
still
ongoing,
like
I,
talked
to
various
people,
but
there's
no
clear
since
I
got
like
there
was
no
clear
response.
It,
it
kind
of
sounds
like
a
difficult
problem,
but
I'm
I'm
still
on
to
it.
So
like
we
had
some
ideas,
also
discussed
at
the
hackathon
which
I
could
summarize
based
on
what
Ori
distributed
and
some
of
the
stuff
that
was
sent
to
the
mailing
list.
But
it's
you
know
people
seem
to
be
all
over
the
map
there
on
that
topic.
C
H
Great
thanks,
yeah
I
had
the
the
same
idea:
Hank
that
pointing
to
a
feed,
either
directly
or
indirectly
would
be
great
and
so
just
to
wrap
it
back
to
Dick's
example.
You
know
this
and
in
the
way
that
that
Ray
framed
it,
it
would
be
great
if
I
as
a
user
could
buy
some
product
and
there
was
a
QR
code
and
the
it
would
essentially
be
the
the
vendor
claiming
compliance
with.
H
What
the
current
status
is
and
and
because
we're
talking
about
a
formally
defined
compliance,
claim
that
they're
making
it's
kind
of
it
should
be
a
yes,
no
answer
whether
or
not
something
is
still
in
compliance
or
whether
you
need
an
update
or
whatever
so
I.
That
would
be
a
really
useful
use
case
is
kind
of
what
I
think.
C
No
no
problem,
we
are
actually
already
reaching
the
end
of
the
hour.
I
took
a
lot
of
notes,
but
on
the
last
item
on
this
QR
code,
thing
I'm
actually
wondering
whether
it
would
be
good
to
write
a
short
document.
The
short
draft,
providing
a
little
bit
of
a
background
like
based
on
these
regulatory
proposals
and
then
a
description
on
how
we
would
actually
accomplish
this
in
in
an
intraoperable
form.
C
C
D
Johannes
this
is
Dick
Brook,
so
yeah
I
I
will
happily
contribute
to
that.
But
I
would
hope
that
we
could
do
this
collaboratively.
A
few
of
us
put
to
get
put
our
minds
together
and
come
up
with
something
and
I'd
also
ask
that
we,
you
know
not
just
keep
this
within
skit
but
I'll.
Actually,
you
know,
publish
whatever
we
produce
with
the
parties
that
are
considering
implementation
of
this,
like,
in
this
case
the
FCC
in
the
U.S
I.
D
C
C
F
Yeah
so
obviously
I
have
some
thought
into
this
rats
needed
a
specific
way
to
refer
to
verifiers
for
their
for
their
testers,
that
that
can
be
found
easily
for
relying
parties
so
that
they
can
actually
do
some
of
the
models.
That's
also
why
there's
now
this
conceptual
message
wrap
and
such,
and
so
so
skit
has
the
same
issue.
F
We
want
also
have
events
also
have
to
an
understanding
that
the
transparency
service
itself
is
trustworthy,
composed
photography
and
therefore
we
have
multiple
methods
to
do
them.
One
of
them
on
a
lower
layer
again
is
red,
so
so
that
I
I
I
I
actually
go
with
a
few
proposals
that
that's
that
go
basically
on
the
abstract
level.
So
what
are
the
requirements
on
this?
What
we
think,
so
we
have
a
lot
of
experience
with
QR
codes
since
covert
I.
F
That
would
compose
a
potential
solution
here
and
then
we
can
base
but
I
think
create
visibility
with
that
document.
I
think
under
that's
what
your
point
was
and
and
but
then
we
can
also
already
provide
some
some
idea
where
our
requirements
come
from
and
most
certainly
also
what
the
idea
of
buildings
blocks
already
exists
to
to
maybe
build
a
solution
for
this.
C
Good,
okay,
John
and
I
will
definitely
sort
of
ping
you
regarding
some
of
the
action
items
you
received
during
the
during
the
last
week,
and
and
also
doing
this
summary
we
did
today
so
be
prepared
and
we
are
going
to
set
up
a
call
for
next
week
again
think
about
the
agenda.
Maybe
we'll
talk
about
the
we
could
talk
about
the
API.
We
could
also
talk
about
the
update
to
the
architecture
document.
There
have
been
a
few.