►
From YouTube: IETF-SCITT-20230731-1500
Description
SCITT meeting session at IETF
2023/07/31 1500
https://datatracker.ietf.org/meeting//proceedings/
B
I
think
for
those
not
watching
the
chat,
I
think
we're
going
to
start
at
five
past
or
so.
If
you
want
to
grab
a
quick
drink,
go
grab
it
now.
D
D
C
So
the
so
the
as
I
mentioned
that
the
the
meeting
the
skit
meeting
last
week,
I
thought
it
would
be
a
good
idea
to
have
a
call
today,
even
if
it's
a
short
call
to
just
reflect
a
little
bit
on
the
IDF
meeting,
what
action
items
we
picked
up
and
kind
of
what
the
next
steps
are.
If
we
wait
a
few
weeks
after
the
IDF
meeting
took
place,
then
all
the
all
our
memories
about
it
would
have
vanished,
and
so
we
would
start
from
scratch
again
like
summarizing
I.
C
Think
the
the
hackathon
went
quite
well
and
John
gave
a
detailed
presentation
about
it.
I
think
we
accomplished
what
we
had.
We
accomplished
our
goal
to
put
this
FDA
use
case
together.
C
I
also
learned
a
lot
new,
as
I
was
playing
around
with
the
code
that
was
available,
the
the
skid
emulator
and
with
the
with
the
back
end
or
the
backends
provided
by
Ori
and
by
John.
So
that
was
good.
It's
still
high
Hank.
C
There's
still
for
me,
the
question
on
how
the
skid
emulator
is
going
to
be
sort
of
aligned
with
the
specification,
because
it's
currently
not
so
super
friendly
to
use,
because
the
terminology
it
uses
for
everything
for
the
apis
for
the
for
the
command
line
for
yeah
for
everything
is,
is
outdated
by
now.
I,
don't
know
who
is
actually
maintaining
it.
C
B
B
One
of
the
things
that
came
out
of
last
week
is
that
we
want
to
split
out
the
there
was
currently
called
a
candidate
API
from
the
architecture
document
and
put
it
in
its
own
work
product
which
eventually
will
become
an
ID,
possibly
even
an
RFC
at
some
point,
so
we're
going
to
create
a
thing
called
Scrappy
and
put
all
the
stuff
in
there.
B
So
my
hope
and
expectation
is
that,
as
we
build
that
document,
updating
the
API
specification
with
a
bit
more
correctness
like
expected,
error
codes
and
things
like
that,
as
we
update
that
document,
we'll
update
the
emulator,
possibly
even
rewrite
it,
but
we'll
update
the
open
source
code,
hand
in
hand
with
that
to
meet
the
original
expectation
that
it's
supposed
to
mirror
and
test
the
specification
rather
than
sort
of
replace
or
drive
it.
So
I
think
we
should
find
a
relatively
natural
way
of
updating
it.
C
Cool
okay,
thanks
John
Ray.
E
Okay
yeah,
so
I
was
pretty
happy
with
the
whole
thing.
I
have
to
say
the
hackathon
I
got
my
t-shirt
on
so,
but
I
put.
The
video
on
was
really
well
run.
E
I
think
the
whole
event
was
well
run
Dave,
you
know
if,
if
anyone
ever
thinks
about
going
to
the
hackathon
or
this
event
in
general,
I'd
say
you
know,
give
it
a
shot
now
in
terms
of
of
the
status
of
things,
it
appears
to
me
that
that
the
you
know,
we've
we've
essentially
pulled
a
few
things
out
of
this
and
which
is
which
is
fine,
because
what
it
does
is.
E
It
gives
us
kind
of
a
more
solid
core
that
can
be
that
that
can
be
like
laid
to
rest
and
and
not
laid
to
rest,
but
you
know
solidified
in
such
a
way
that
probably
won't
need
a
whole
lot
of
revision
as
we
move
up
the
up
into
higher
higher
levels
of
abstraction,
so
the
and
and
I
so
I
think
the
conversations
were
were
pretty
good
in
terms
of
trying
to
understand
why
we
were.
F
E
Out,
like
the
identity
and
the
you
know,
looking
at
looking
at
the
document,
the
Json
object
that
the
ver,
the
the
vendor
submission
file
that
was
suggested
by
dick
as
a
starting
point.
E
I
think
gives
us
a
lot
to
chew
on
and
but
I
think
we
should
probably
at
least
I
am
I'm
going
to
be
taking
a
look
at
the
election
application
and
make
a
corresponding
similar
sort
of
a
submission
document
to
that,
and
then
take
a
look
at
how
to
to
break
off
the
identity,
part
and
and
probably,
and
maybe
make
those
two
two
different
parts,
because
the
identity
doesn't
have
to
change
very
often
for
for
many
other
submissions,
but
whether
how
that
gets
incorporated
into
the
the
basal
or
the
the
core
I
think
is
still
I.
E
Don't
understand
exactly.
You
know
how
it's
done
other
than
I
mean
I
understand
the
basis
of
like
if
we
have
a
signed
artifact
that
can
be
submitted
to
this
thing
and
someone
else
can
check
it
to
say
yeah,
that's
the
same
one
that
I
have
in
hand,
but
that
doesn't
really
close
the
loop
on
all
these
other
things
that
we
need.
F
E
In
order
to
to
really
have
a
full
solution,
so
anyway,
that's
where
I
am
I,
I'm,
gonna,
I
I
didn't
get
a
chance
to
work
on
it
at
all.
Since
I
came
back,
I
did
not
attend
the
rest
of
the
meeting.
Although
I'm
watching
a
lot
of
the
videos,
I
did
go
to
the
the
like
quick
RFC,
hot
rfc's
presentations.
E
There's
a
lot
that
I
don't
happen
to
know,
because
if
you,
if
you
don't
stay,
you
know
absolutely
and
trying
to
stay
on
the
leading
ad
Leading
Edge
of
things
you'll
find
out
that
you've
missed
things
for
the
last
few
years
that
other
people
have
been
working
on
all
time
and
again.
So
that
was
very,
very
interesting
of
things
that
are
that
are
not
not
actually
applicable
to
this
subject.
But
anyway,
that's
my
take
on
it.
E
E
A
A
It
became
very
clear
that
we
have
to
close
down
there
on
the
architecture
document
and
move
forward
on
some
of
the
remaining
open
issues
in
their
entirety.
There
was
one
new
scenario
that
came
up
post
the
hackathon
that
I
haven't
talked
to
John
about,
but
I
talked
to
others
about
which
is
in
the
physical
supply
chain.
A
In
a
nationalistic
mechanisms,
we
may
need
a
mechanism
where
we
have
more
than
one
receipt
from
different
skip
instances
for
different
Global
regions,
but
I'll
start
a
thread
on
the
the
skip
mailing
list
to
discuss
that
Hannah
I
saw
your
comment
of
asking
for
the
the
emulator
see
what
we
can
do
for
for
people.
It's
been
a
heck
of
a
week.
A
They
were
I
noticed
that
in
the
skip
meeting
we
had
a
few
cases
where
hidden
agendas
wanted
to
to
Trump
and
drive
some
part
of
the
discussion
to
force
it
into
other
discussions
and
thanks
Kirsten
for
the
meeting
with
the
Gordon
gordian
envelope.
People
and
hopefully
you
get
some
clarity
there
I,
don't
know
what
happened
the
rest
of
the
week,
because
I
left
on
Monday
and
I've
been
running
ever
since
so.
C
Did
you
write
and
then
there's
the
meeting
about
the
guardian
envelopes.
C
Okay,
I
I
is
there
kind
of
a
summary
of
that
meeting.
What
came
out
of
it?
It
seems
to
be
driven
by
some
privacy
requirements,
which
I
didn't
quite
understood.
A
I
wrote
some
stuff
internally
here:
I
will
send
mail
to
Carson
and
to
Hank
and
Ori,
who
are
also
in
the
room,
we'll
get
a
summary
out
of
it.
The
what
they're
trying
to
do
is
collective
disclosure
and
what
they
were
trying
to
drive
into
to
skip
was
the
concept
of
of
privacy
and
protection,
which
was
kind
of
over
and
above
what
skip
was
trying
to
do
right.
A
If
you
use
in
a
case
where
strong
identity
is
required,
then
the
the
notarization
of
the
identities
are
configured
to
be.
That
way.
If
you
wanted
to
use
something
like
did
with
sub
tickets
to
mask
identities,
even
that's
supported,
but
that's
not
a
configuration
requirement
for
skit,
though
they
wanted
us
to
put
it
in
somewhere,
saying,
suggested
and
be
careful
and
watch
for
this
Behavior
I.
Don't
know
whether
that
belongs
in
the
architecture
document.
A
The
official
path
yeah
they
were,
they
were
desperately
trying
to
figure
out
how
to
get
into
seaboor
and
we
gave
them
suggestions
on
how
to
bring
It
Forward.
They
were
trying
to
ship
yesterday
and
get
a
rubber
stamp
and,
of
course,
we're
going.
We
have
some
thoughts,
we
have
to
read
through
the
document
and
what
the
they
came
away
with.
C
F
Yeah,
this
is
the
thing
I'm
just
trying
to
add
on
very
carefully
that
yeah.
There
was
some
urgency
by
the
authors
and
so
I
think
the
main
issue
was
to
Express
the
trees.
They
need
within
civil
structures
natively
and
not
using
cozy
at
all
and
people
were
like,
but
you
could
sign
something
or
they
have
something.
You
said:
no,
no,
no,
we're
doing
it
like
this
and
everybody's
like
okay.
This
is
an
interesting
approach,
so
maybe
cut
your
approach
in
pieces.
F
I
think
was
the
main
message,
because
it's
all
in
the
one
document
and
you're
trying
to
solve
different
you're,
combining
different
approaches
here
that
all
you
need
to
receiver
somehow,
including
the
disabled
discussion
that
was
on
the
and.
F
I
think
there
was,
there
were
sometimes
a
little
bit
irritated
due
to
the
amount
of
feedback
and
and
and
but
I
assume
that
the
message
at
least
message
of
maybe
do
a
divide
and
conquer
and
create
a
rationale
where
you
want
to
do
this
in
Native
Cebu
and
why
it
needs
your
specific
deterministic
symbol
and
not
the
one
that
now
is
written
up
by
Carlson
as
a
I
want
to
say,
but
but
there
must
be
for
the
side
meeting,
it's
a
compromise
between
multiple
approaches
I.
F
So
that
has
to
happen
now.
I'm,
not
entirely
sure
how
the
authors
of
the
Guardian
envelope
will
react
to
that.
But
it
is
very
specific
and
it
is
a
monolithic
designed
and,
as
you
can
see,
with
skit
we
are.
We
are
even
making
approaches
more
generic,
and
this
is
yeah.
It's
basically
the
other
way
around.
So
we
will
see
how
this
works
out.
I
think
that
in
general,
they're,
smart
people
but
I
think
they
they
figured
a
lot.
They
built
a
lot
of
hammers
for
for
narrative.
F
C
A
Except
for,
except
for
us,
taking
it
in
as
a
payload
and
and
generating
a
receipt
for
an
outer
cozy
wrapper,
what
they
were
trying
to
do
was
done
with
Seaboard
directly
and
try
to
use
basically
trees
of
shredding
of
structures
to
to
hide
data.
So
I
they
look.
It's
not
a
hundred
percent
belongs
in
our
field
or
in
our
discussion.
It
has
some
interest.
That's
why
I
posted
the
document.
A
E
F
Yeah
I
can,
could
you
say
some
words
to
that,
so,
oh
apparently
and
I
did
not
actually
read
that
when
Roman
was
starting,
the
consensus
call
for
the
kishven
charter.
He
wrote
if
there's
enough
concerns
before
the
ITF.
We
can
cancel
the
meeting
and
do
not
need
a
buff
because
there's
enough
consensus
on
list
and
to
his
perception.
That
was
the
case
and
then
his
strategy
was
without
notification
to
cancel
the
buffet
that
caused
the
confusion.
So
I
look
back
and
yes,
he
wrote
exactly
that.
F
F
So
if
you
have
any
problems
with
the
current
Charter
I
think
you
can
find
that
on.
The
key
trends
list
are
in
the
data
tracker
on
the
key
keyframes
group
site
and
and
if
there's
something
in
there,
that
is
confusing,
please
say
so.
I
think
kids,
friends
is
is
definitely
only
about
group
chats
and
the
only
thing
I
highlighted
is
well
if
this
transcends
group
chats
from
two
to
thousands
of
people
in
in
messaging
services.
F
So
it's
basically
I
would
call
it
s
Mimi
or
whatever
I
don't
know
so,
but
but
I
don't
know
so
so
key
trends
was
a
little
misleading
name
and
if
the
problem
here
is,
if
it
comes
up
with
very
specific
Solutions
about
group,
key
transparency
for
messaging
and
then
they
accept
the
scope
to
let's
say
Supply
chains,
then
we
would
end
up
with
very
very
different
things,
and
that
would
be
very,
very
sad,
and
that
is
the
only
thing
that
I
highlighted
that
if
there
is
a
scope,
change
that
has
to
be
taken
into
account
and
I.
F
Think
skit
is
mentioned,
at
least
in
the
in
the
charter
at
the
moment,
to
be
Orchestra
at
with
and.
B
C
Yeah
I
can
say
a
few
words
about
heat
trans
as
well,
because
I
met
with
the
primary
proponent
of
the
work,
Brian
Brenton
McMillan
macmillion,
and
he
he
basically
told
me
what
Hank
just
mentioned
and
like
they
are
implementation
or
their
specification
is
focused
on
on
messaging,
specifically
because
they
care
about
this
end-to-end
messaging
and
and
want
to
use
their
Bend
Only
log
as
a
as
a
key
store,
a
sort
of
a
key
Value
Store
like
where
key
means
key
value,
is
twice
a
little
bit
misleading
name
when
we
talked
about
keys
because
the
key
is
for
in
in
this
messaging
context
is
the
username
and
the
value
is
the
public
key.
C
That's
that's
what
it's
designed
for
and
it
mixes
well
combines
two
Mercury
trees,
namely
one
the
one
we
use
as
well.
The
the
log
tree
and
additionally,
the
prefix
tree
for
faster
search
and
on
top
of
the
the
search
option.
There's
also
funny
enough
privacy
construct
called
vrf
you,
but
not
the
vendor
response
form,
but
the
verifiable
forgot
the
name
again.
What
the
acronym
stands
for
pseudo-random
function
also
some
sort
of
privacy
enhancing
mechanism,
and
so
so
it's
a
it's
a
very,
very
much
of
purpose.
C
Build
solution,
we've
obviously
like
addressing
privacy
requirements
that
are
specific
to
medicine
right
so
yeah.
So
it's
definitely
interesting
to
watch
but
remains
to
be
seen
what
comes
out
of
it.
D
Dick
thank
you,
harness
yeah,
yeah,
I
I've,
already
written
an
article
about
this,
so
I'll
save
you
from
how
long
I
drive
here,
but
I
I
will
say
that
I
thought
the
hackathon's
a
great
success
and
I
put
a
link
to
my
article
in
the
chat,
a
couple
of
things
that
I
think
were
really
noteworthy
from
that
hackathon
one
is
that
we
know
we
need
to
be
able
to
access
the
trust
statement
after
it's
been
registered
into
the
into
the
trust
registry,
and
so
the
API
that
will
submit
the
trust
statement
will
need
to
provide
a
URL
to
the
actual
trust
statement
itself,
and
this
will
enable
a
software
producer
to
give
that
to
a
consumer
so
that
they
can
retrieve
the
information.
D
That's
in
the
registry,
directly
sort
of
like
a
registry
of
deeds,
so
that
that's
a
that's
a
key
one,
and
the
other
thing
too,
to
mention
is
that
you
know
there
is.
There
is
a
very
active
software
supply
chain.
That
is,
you
know
you
use
every
day
and
it
includes
things
like
pgp
and
Xbox
509
and
digital
signatures
using
those
keys.
So
it's
I
think
it's
imperative.
Whatever
we
do
here
is
to
also
accommodate
what
is
current
practice
today
and
and
I.
D
Don't
think
it
matters
much
how
you
implement
it
with
regard
to
the
ietf
skit
protocol,
so
long
as
that
protocol
ensures
the
integrity
of
the
process
to
register
trusted
statements,
yeah
I
think
that's
key.
If
we,
if
we
fail
to,
if
we
fail
to
protect
the
integrity
of
the
trust
registry,
then
we
we
will
likely
have
challenges
in
adoption.
C
Thanks
dick
yeah
I'm,
going
to
read
your
article
later
because
I
I
hadn't
noticed
earlier
thanks
a
lot
good,
any
other
Impressions
from
someone
in
the
call
regarding
the
ITF
meeting
or
the
or
the
hackathon
itself.
C
If
not
I'm
going
to
ask
like
I
was
in
the
Cozy
meeting
and
regarding
the
receipts,
presentation
I
think
that
went
pretty
well.
I
was
wondering
what
the
timeline
is.
So
I
I
expected
already
a
call
for
adoption
to
take
place,
because
that
would
be
important
already.
G
Sorry,
I
think
the
call
for
adoption
did
go
out
unless
I'm
confusing
it
with
the
other
call
for
adoptions
that
that
went
out
but
I'm
fairly.
Certain
the
cozy
list
has
a
call
for
adoption
for
the
commuter
draft,
which
is
the
thing
that
we
expect
receipts
to
profile
on
top
of,
and
also
the
CCF
profiling
draft
was
briefly
introduced,
but
there
was
no
call
for
adoption
for
that
one.
As
far
as
a
more.
C
Okay,
then
I
missed
it
and
as
soon
as
I
look
it
up.
I
will
post
it
to
the
to
the
skit
list,
because
obviously
there's
a
direct
dependency
to
that
work.
Yeah.
C
So
that's
excellent.
Okay
I'll
write
this
in
for
the
for
what
it's
worth,
I'm,
actually
taking
notes
foreign.
C
Regarding
Ray,
do
you
want
to
say
something
about
that.
E
Well,
I
just
wanted
to
say
that
the
the
issue
of
the
feed
was
something
that
that
we
did
discuss
quite
a
bit
and
I
think
there
was.
There
was
still
is
some
a
couple
of
different
points
of
view
about
what
a
feat
is
and
it's
different
than
what
I
thought
it
was
and
what
seemed
to
be
stated
in
the
document.
But
then
it
seemed
like
there
was
some
further
discussion
about
that
that
that
may
have
pulled
that
together,
as
into
one
kind
of
uniform
I.
E
Think
John
was
was
pulling
that,
together
into
the
possibility
of
having
several
different
points
of
view,
but
still
able
to
the
structure
below
still
able
to
accommodate
them.
All
and-
and
maybe
some
more
talk
about
the
feed
issue
could
be
would
be
appropriate
today,
thanks.
B
Feedback
yeah
can
do
so
for
those
who
watched
or
were
in
the
room
for
my
readout
of
the
hackathon
or
the
code
section
of
the
hackathon
I
failed
to
do
one
of
the
things
I
was
supposed
to
do,
which
was
to
get
unified
submission
of
claims
in
the
interoperable
client
interface.
B
B
So
I've
got
that
done
now
and
the
next
thing
to
do
on
the
code
base
was
to
in
Implement
feeds
in
there
and
just
sort
of
do
a
suck
it
and
see
kind
of
approach
to
some
of
the
details
that
that
we
want,
because
I
won't
say
too
much,
because
the
Ori
is
in
the
queue
and
he'll
probably
give
the
the
details
of
where
we
want
to
take
the
spec
in
this
area.
B
But
at
the
moment
the
client
doesn't
take
a
feed
at
all,
which
means
it's
not
conformant,
with
the
spec,
where
feed
is
a
mandatory
part
of
the
unprotected
header
of
the
projected
header
rather
and
so
I
want
to
fix
that
and
then
we'll
see
how
it
works
with
you
know,
specifying
just
by
name
or
by
name
and
properties
or
or
or
whatever
else
so
that
should
move
forward
in
the
next
week
or
so,
hopefully
in
time
for
the
next
interim.
B
Of
the
the
things
currently
called
the
emulator,
but
should
really
be
the
client,
okay,
okay,
my
my
thoughts
and
particularly
to
avoid
having
too
many
instances
of
taking
off
my
chair
hat
and
putting
it
back
on
again.
B
My
kind
of
service
to
this
community
is
is
mostly
in
trying
to
build
what
we've
written
in
the
specs
and
see
if
it
actually
works
and
and
give
some
sort
of
practical
hints
to
it,
rather
than
meddling
in
the
the
building
of
the
documents
themselves.
And
so
that's
what
I've
been
doing
alongside
the
work
that
you
know,
everybody
else
has
been
working
on
the
on
the
specs.
C
G
So
I
think
I
think
the
next
steps
that
are
important
for
making
progress
on
feed
are
to
expose
some
URLs
from
the
API
that
are
related
to
consuming
feeds,
or
at
least
to
think
about
sort
of.
G
If
you
had
received
the
collection
of
documents
that
were
using
the
feed
structure
and
you
wanted
to
expose
a
specific
receipt
or
transparent
sign
statement
via
URL,
how
might
that
interact
with
the
API
I
think
you
know
the
other
challenging
part
here
is:
there's
the
artifact
repository
transparency,
service
kind
of
combo,
where
they
come
together
and
where
URLs
might
you
know,
be
built
that
really
support,
discovering
a
specific
artifact
and
then
there's
the
sort
of
detached
mode
where
the
transparency
service
and
the
artifact
repository
like
very
separate
and
just
the
the
URLs
structure
around
feeds
and
that
topic
I
think
the
API
needs
to
sort
of
sort
out
the
boundary
for,
and
one
other
thing.
G
I
guess
is
that
if
we
do
have
some
URL
structures
that
we're
starting
to
like
I,
think
it's
worth
evaluating
whether
there
will
be
data
Uris
or
QR
codes
associated
with
some
of
those
standard
rest
API
interfaces.
You
know,
maybe
the
answer
is
you
know
no,
but
I
think
it
can
be
helpful
to
think
about
other
cases
where
you've
had,
as
you
know,
specific
elements
that
had
a
QR
code
associated
with
them.
What
is
stealing
a
QR
code
mean
in
that
context?
G
Hopefully
it's
safe
to
just
steal
them
paste
them
on
various
things,
but
you
know
you
won't
be
cautious
around
privacy
and
security
considerations.
As
soon
as
you
have
URLs,
you
want
to
become
cautious
about
what
does
it
mean
if
that
URL
becomes
a
QR
code
and
people
start
scanning
it
and
clicking
it
that
kind
of
thing?
That's
it.
C
Yeah
Ori,
what's
what's
the
timeline
or
or
Hancock,
whoever
is
working
on
it
to
take
out
the
existing
API
description,
move
it
into
a
new
document
and
then
beef
it
up
there
like?
Are
we
talking
about
the
next
two
weeks
or
are
we
talking
about
like
years
or
what
what's
the
plan.
G
So
I
don't
know
the
exact
timeline
for
those
kinds
of
changes.
There
was
one
other
thing,
I
wanted
to
say
before
I
forget,
which
is
I.
Think
the
current
API
client
does
some
sort
of
signing
locally
and
I.
G
Guess
it's
worth
considering
whether
the
authenticated
remote
signer
use
case
you
know
is,
is
part
of
this
ecosystem
or
not,
and
the
reason
I
bring
that
up
is
that
it
it
can
make
interoperability
testing
a
little
bit
difficult
having
some
of
this
stuff
sort
of
split
out
from
the
client
and
it's
it's
related
to
a
number
of
conversations
I
had
with
other
folks
throughout
the
week
around.
You
know,
where
is
the
confidence
and
the
keys
that
you're
using
to
sign
the
sign
statements?
G
The
original
issuer
claims
about
the
artifact,
as
opposed
to
the
confidence
and
the
keys
that
are
used
to
make
the
transparent,
signed
statements
which
you
know
are
coming
from
the
transparency
service.
So
I
don't
know
the
timeline
for
the
API,
but
having
an
independent
document
that
can
have
independent
polar
quests
and
move
along
a
little
bit.
Faster
seems
like
a
thing
that
we
should
get
set
up
soon,
so
that
we
can
make
parallel
progress.
C
I
agree
dick.
D
D
Yeah
I
think,
or
he
hit
on
a
really
good
point.
There
there's
a
lot
of
work,
as
you
know,
right
now
to
post
registered
trust
marks
or
trust
labels.
The
U.S
is
doing
one
we're
going
to
have
language
in
the
far
this
September.
The
EU
CRA
has
this
concept
of
a
CE
Mark
and
the
constant
and
the
concepts
of
both
evolving
around
the
use
of
QR
codes.
D
So
ori's
point
about
QR
codes
is,
is
really
important,
I
think
because
it
would
be
viable
in
Myoma,
in
my
opinion,
to
post
a
QR
code
into
a
skit
trust
registry,
where
people
can
retrieve
that
and
then
you
know,
look
up
any
trust
label
information
that
may
be
associated
with
that
QR
code,
so
I
think
having
that
is
a
high
priority
use
case.
This
use
of
trust
labels
and
QR
codes
for
that
purpose
would
be
very
beneficial
and
skit
seems
to
be
a
viable
solution
for
that.
For
that
particular
case,
thank
you.
C
Thanks
thanks
dick
pink
yeah
I.
F
Was
not
sure
if
that
was
kind
of
kind
of
implied
already,
but
but
there
is
now
a
scrappy
ID
that
includes
a
copy,
a
raw
copy.
It
doesn't
make
a
lot
of
sense
by
itself
without
introduction
such
a
raw
copy
of
the
of
the
API
definitions
that
are
currently
in
the
architecture
consecutively.
That,
though
the
API
parts
will
move
out
of
the
architecture,
but
that
was
not
enough
reason
to
update
it
right
now
so
expect
these
two
disappear
from
the
architecture
and
maybe
a
reference
to
the
reference.
F
Api
will
remain
there
and
yeah.
This
is
the
place
to
work
on,
so
the
document
exists.
I,
don't
know
when
I
did
it,
but
I
did
it
I.
Could
it
was
updated
two
days
ago
whatever
that
means,
but
I
did
it
last
week,
I
think,
but.
C
When
do
you
plan
to
submit
that
document?
Oh.
F
Yeah
it
has,
it
needs
more
love,
so
there's
just
the
core
if
I
think
as
soon
as
John
and
already
agree
on
core
API
elements,
because
I
couldn't
do
the
first
submission
and
that
does
not
have
to
include
all
open
construction
sites
like
whatever
feeds
and
such.
So
it
has
to
be
the
basis
for
construction
here,
and
then
we
can
see
how
many
levels
we've
built
on
it.
So
I
think
our
first
submission
could
be
relatively
soon.
C
C
You
want
to
be
like
you
could
as
well
start
with
the
current
API
description
before
adding
the
search,
functionality
and
and
I'm
sort
of
extending
that.
But
I.
C
F
Yeah,
that's
not
nothing
inhibiting
you
from
working
on
the
document
right
now.
We
can
do
this
in
parallel
right
now,
if
you
submit
something
or
not,
it's
making
it
more
visible.
Yes,
but
the
working
on
it
is
not
inhibited
by
anything.
C
But
yeah,
that's
that's
a
sort
of
a
request
to
the
people
who
who
had
the
who
have
depend
on
that
document.
So
that's
that
would
be
good.
C
Okay,
I
had
done
a
detailed
review
of
the
architecture
document,
not
quite
sure
how
I
should
best
distribute
that
well,
I
should
just
I.
Did
it
on
paper?
I
can
scan
it
in
and
send
it
around
or
I
could
as
well.
C
My
top
three
items
to
the
list-
I,
don't
know.
F
Super
great
everything
that
is
more
conceptual
is
is
okay
with
the
issue.
If
you
want
to
do
it
formally
and
make
already
very
happy
make
a
tiny
issue
for
HPR,
but
but
I
think
a
good
PR
description
is
also
fine.
Please
already
don't
install
things
at
me,
and
so
so
I
think
yeah
GitHub
PRS
are
the
most
valuable
contribution.
C
Okay,
I
see
there's
a
few
a
few
questions
in
the
the
chat
questions
about
what's
a
trust
label
and
what's
the
idea
of
the
QR
code,
I
don't
know
if
someone
can
can
respond
to
that.
D
Yeah
harness
I
can
point
to
those
so
two
two
places
where
you
can
look
for
information
about
those
is,
if
you
look
at
the
European
cyber
security
resilience
act.
They
talk
very
specifically
about
this
use
of
trust,
essentially
trust
labels.
They
call
them
a
CE
Mark
and
it's
essentially
intended
to
provide
some
level
of
proof
that
a
a
product
has
undergone
some
level
of
cyber
security
testing
and
and
past
some
you
know
requirements.
The
same
is
also
true
for
what's
happening
in
the
United
States
as
well.
D
There
are
there's
a
President
Biden
announced
that
there's
a
new
initiative,
that's
due
to
be
completed
by
September
30th,
which
is
called
the
U.S
cyber
security
Mark.
And
it's
a
these
talk
about
use
of
a
QR
code
that
can
be
placed
on
a
either
like
an
iot
device,
some
packaging
or
on
an
online
website
that
enables
the
user
to
go.
Look
at
you
know
some
information
about
the
trustworthiness
of
these
devices
by
looking
at
the
materials
they
submitted
to
achieve
their.
D
A
D
Yeah
Roy
I
did
some
research
on
this
and
Singapore
and
Finland
both
have
what
effectively
are
static.
Labels
I,
don't
know
what
the
eucce
Mark
will
be
and
I
don't
know
what
the
U.S
cyber
security
Mark
will
be,
but
I
have
suggested
to
nist
that
we
have
Dynamic
labels
simply
because
trust
in
software
is
ephemeral
it
it's
one.
It
can
change
from
one
day
to
the
next.
D
Yeah
I'm
just
using
their
terminology,
they
call
them
labels.
If
you
look
at
the
nist
iot
labelings
recommendations
that
you
know
they
all
refer
to
these
things
as
labels
and
I
so
I,
you
know
I
I
just
adopt
their
terminology
for
this,
but
but
ultimately,
what
it
does
is
it
points
to
some
information
which
you
hope
is
trustworthy.
D
Hence
the
reason
why
it
needs
to
be
in
a
skit
trust
registry,
so
that
people
can
take
that
information,
believe
it
when
they
see
it
and
use
it
to
you
know
in
a
risk-based
mind
decision
you
know
so
anyway.
I'll
put
two
links
in
I'll:
put
a
link,
a
couple
of
links
in
the
chat
for
people
who
want
to
know
more
about
that.
Thanks.
H
Thanks
or
not,
but
I,
just
I
I
always
think
it's
unhelpful
to
to
throw
the
word
trust
around
Loosely,
especially
you
know
as
as
Roy
points
out.
If
it's,
if
it's
a
static
thing,
because
you
know
we
need
to
assume
breach
and
we
need
to
continually
revise
those
things.
H
So
if
there's
somebody
using
it
as
dick
is
pointing
out
as
if
it's
just
a
label
and
that's
something
you
can
slap
on
something
and
it's
static
and
I
mean
those
are
all
the
images
the
term
conjures
up
for
me,
I
think
we
should
push
back
and
we
should
say
you
know.
The
actual
value
of
skit
is
a
that.
H
You
can
have
statements
out
there
that
that
can
permanently
be
tied
back
to
the
person
who
made
the
claim
that
they
had
fulfilled
the
requirements
for
cyber
security
Etc,
and
that
can
then
be
referred
to
later
on.
If
and
when
problems
come
up
so
I,
just
wonder
if
we
can
use
better
terminal
yeah.
C
You
know
like
when,
from
my
experience,
when
regulator
come
up
with
things,
it's
difficult
to
convince
them
to
use
different
terminology,
even
even
though
I
often
think
that
we
are
totally
off
like
my
most.
My
most
favorite
item
is
the
zero
trust
concept.
C
I
I'm
sure
you've
heard
about
that
zero
trust.
Networking
and
all
these
sort
of
terminology
is
not
what
you
think
it
is
but
yeah.
So
it's
It's
Tricky
tricky
dick.
D
Yeah,
thank
you.
Harness
yeah,
Neil,
I,
I,
agree
completely.
I
also
agree
with
honors
too
I.
I
can
tell
you
that
software
Engineers
don't
swim
well
in
pools
with
politicians
and
regulators
and
they're
the
ones
who
come
up
with
these
terms
and
once
they
have
their
stuck,
but
the
the
point
and
the
thing
about
skit,
which
I
really
like
a
lot.
Is
it
really
doesn't
matter
whether
it's
static
or
dynamic,
because
skit
gives
us
the
ability
to
support
both?
D
A
A
E
D
E
H
D
H
Avoid
it
in
our
own
conversations
too,
and-
and
you
know,
re-label
it
as
appropriate,
just
so
that
we
always
have
you
know
a
a
useful
Concept
in
mind.
Thanks.
D
Trust
in
software
is
ephemeral,
it's
trustworthy
one
day
and
it
may
not
be
the
next
well
I
completely
agree
with
you.
Roy
I
think
it
would
be
a
disservice
if
we
told
them
if
we
gave
him
a
static
label
and
game.
You
know
a
false
sense
of
security
when,
in
fact,
there
is.
E
Okay,
so
let
me
jump
in
the
I
think
it'd
be
pretty
useful
for
us
to
take
a
look
at
this
top
very
top
view
and
and
dick
you
may
be
the
best
person
to
come
in
with
something
to
say.
Let's
say,
I
did
have
this
label
on
a
product
iot
product
or
on
a
website
or
whatever,
when
I
just
downloaded
the
software
and
I
guess
I'm
supposed
to
shine
my
cell
phone
on
it
and
bring
up
the
the
thing
or
else.
E
Link
what
do
I
get
and
if
we
had
a
an
idea,
a
very
clear
idea
of
what
we
get
when
and
in
response
to
that,
then
we
can
start
working
down
from
that
top
level
goal
toward
the
filling
in
the
blanks,
because
what
we've
got
so
far
is
what
I
see
is
is
a
a
core
building
block.
E
That
is,
you
know
everything
has
been
pushed
out
of
it
that
we
don't
fully
understand
yet,
and
you
that's
good,
because
that
means
that
everything
in
it-
hopefully
we
do
fully
understand
and
it
can
be
locked
down
and
then
that
becomes
a
very
solid
building
block.
But
now
we
need
to
fill
in
the
difference
between
the
the
gap
between
what
what
is
desired
by
you
know,
regulators-
and
you
know
the
public
really
here
and
where
this
building
block
is
and
to
see.
E
If
we
can't
start
to
fill
in
fill
that
in
so
maybe
is
there
any.
The
question
is:
is
there
any
real
proposals
for
what's
supposed
to
be
the
response
to
clicking
on
the
QR
code
and
and
maybe
we
can
get
some
proposed?
You
know
some
solid
like
that,
vrf
and
I.
Think
we
should
change
the
name
of
it
to
the
the
vendor,
submission
form
or
something,
because
vrf
is
going
to
always
be
a
problem.
But.
H
E
F
Yeah
my
mic
is
acting
up.
They
were
talking
about
pointing
to
Dynamic
things
and
get
somehow
I
assume
that
all
the
things
that
we
will
point
to
always
enshrined
in
some
event,
Only
log,
but
but
the
thing
you
probably
want
to
point
to
and
have
a
smart
query
on,
is
the
feed
structure,
for
example.
So
that
seems
to
be
relatively
close
together
and
I
assume.
That
is
what
are.
We
also
implied,
maybe
that
I'm
guessing
now.
F
So
maybe
that
would
be
a
thing
that
we
can
talk
about
when
the
first
solution
will
come
out
are
a
little
more
clear,
I.
C
So
Hank,
so
you
are
saying
the
feed
structure
is
essentially
what
basically
would
be
encoded
in
the
QR
code
and
would
serve
them
as
a
lookup.
Is
that
what
you're
saying
did
I
hear
you
correctly?
That.
F
Maybe
you
need
more
than
than
the
things
is
good
service
can
give
to
you
and
there's
already
a
relatively
composable
mudfire
thing
that
could
include,
for
example,
pointer
to
the
correct
feed
query
and
the
responsible
transparency
service
list.
For
example,
you
don't
know,
maybe
there
are
multiple
and
and
such
so
I
would
not
say
that
directly
the
fee,
but
that
would
be
one
of
the
options.
Yes,.
C
A
C
That's
I'm,
it's
still
ongoing,
like
I,
talked
to
various
people,
but
there's
no
clear
since
I
got
like
there
was
no
clear
response.
It,
it
kind
of
sounds
like
a
difficult
problem,
but
I'm
I'm
still
on
to
it.
So
like
we
had
some
ideas,
also
discussed
at
the
hackathon
which
I
could
summarize
based
on
what
Ori
distributed
and
some
of
the
stuff
that
was
sent
to
the
mailing
list.
But
it's
you
know
people
seem
to
be
all
over
the
map
there
on
that
topic.
C
H
Great
thanks,
yeah
I
had
the
the
same
idea:
Hank
that
pointing
to
a
feed,
either
directly
or
indirectly
would
be
great
and
so
just
to
wrap
it
back
to
Dick's
example.
You
know
this
and
in
the
way
that
that
Ray
framed
it,
it
would
be
great
if
I
as
a
user
could
buy
some
product
and
there
was
a
QR
code
and
the
it
would
essentially
be
the
the
vendor
claiming
compliance
with.
H
You
know
your
set
of
of
requirements,
and
but
it
needs
to
be
dynamic
and
that's
the
the
benefit
of
skid,
and
we
need
to
make
it
clear
and
interoperable,
and
you
know
continue
to
work
in
whatever
ways
that
we
need
to
do,
that
that
a
real
person
could
click
on
something
like
that
and
and
the
the
vendor
would
be
responsible
for
keeping
that
feed
up
to
date
with
whether
it
was
actually
no
longer
in
compliance,
for
example,
and
you
know
so
that
I
I
think
in
some
sense
and
I'm
sure
that
it's
more
complicated
than
I'm
imagining
but
in
some
sense
could
be
a
a
way
to
help
the
vendors
clarify
what
they're,
claiming
and
help
users
figure
out.
H
What
the
current
status
is
and
and
because
we're
talking
about
a
formally
defined
compliance,
claim
that
they're
making
it's
kind
of
it
should
be
a
yes,
no
answer
whether
or
not
something
is
still
in
compliance
or
whether
you
need
an
update
or
whatever
so
I.
That
would
be
a
really
useful
use
case
is
kind
of
what
I
think.
C
No
no
problem,
we
are
actually
already
reaching
the
end
of
the
hour.
I
took
a
lot
of
notes,
but
on
the
last
item
on
this
QR
code,
thing
I'm
actually
wondering
whether
it
would
be
good
to
write
a
short
document.
The
short
draft,
providing
a
little
bit
of
a
background
like
based
on
these
regulatory
proposals
and
then
a
description
on
how
we
would
actually
accomplish
this
in
in
an
intraoperable
form.
C
I
think
that
could
be
could
be
quite
useful
for
anyone
who
has
not
been
following
like
this
meeting
or
the
discussions
on
the
on
the
list.
Recently.
C
Just
thinking
loud
here,
yeah.
H
Dick
you
should
just
do
something
to
throw
into
the
use
case
document.
C
D
Johannes
this
is
Dick
Brook,
so
yeah
I
I
will
happily
contribute
to
that.
But
I
would
hope
that
we
could
do
this
collaboratively.
A
few
of
us
put
to
get
put
our
minds
together
and
come
up
with
something
and
I'd
also
ask
that
we,
you
know
not
just
keep
this
within
skit
but
I'll.
Actually,
you
know,
publish
whatever
we
produce
with
the
parties
that
are
considering
implementation
of
this,
like,
in
this
case
the
FCC
in
the
U.S
I.
D
C
That
would
be
perfect,
since
you
have
a
lot
of
information
about
the
background.
I
hope
someone
in
the
call
could
work
with
dick
on
on
such
a
document.
I,
don't
think
it
needs
to
be
long.
C
I
I
kind
of
wouldn't
volunteer
to
you
like
volunteled.
As
they
say,
foreign.
D
It's
going
to
take
all
of
us
to
get
this
to
get
what
we
want
said.
That's.
C
F
Yeah
so
obviously
I
have
some
thought
into
this
rats
needed
a
specific
way
to
refer
to
verifiers
for
their
for
their
testers,
that
that
can
be
found
easily
for
relying
parties
so
that
they
can
actually
do
some
of
the
models.
That's
also
why
there's
now
this
conceptual
message
wrap
and
such,
and
so
so
skit
has
the
same
issue.
F
We
want
also
have
events
also
have
to
an
understanding
that
the
transparency
service
itself
is
trustworthy,
composed
photography
and
therefore
we
have
multiple
methods
to
do
them.
One
of
them
on
a
lower
layer
again
is
red,
so
so
that
I
I
I
I
actually
go
with
a
few
proposals
that
that's
that
go
basically
on
the
abstract
level.
So
what
are
the
requirements
on
this?
What
we
think,
so
we
have
a
lot
of
experience
with
QR
codes
since
covert
I.
F
Think
and
expressing
a
a
vaccine
certificate
in
a
cwt
with
the
QR
code
is
a
thing
that
has
been
done
in
Germany,
for
example,
so
or
everybody
who
knows
there
or
QR
code
for
being
vaccinated
might
also
know
that
it's
a
civil
encoded
thing
and
so
so
I
think
there
are
multiple
ways
to
do
this
and
I
assume
that
we
can
write
up
at
least
a
set
of
requirements
derived
from
from
standards
and
and
compliance
regulation
and
then
and
go
with
some
building
blocks.
F
That
would
compose
a
potential
solution
here
and
then
we
can
base
but
I
think
create
visibility
with
that
document.
I
think
under
that's
what
your
point
was
and
and
but
then
we
can
also
already
provide
some
some
idea
where
our
requirements
come
from
and
most
certainly
also
what
the
idea
of
buildings
blocks
already
exists
to
to
maybe
build
a
solution
for
this.
C
Good,
okay,
John
and
I
will
definitely
sort
of
ping
you
regarding
some
of
the
action
items
you
received
during
the
during
the
last
week,
and
and
also
doing
this
summary
we
did
today
so
be
prepared
and
we
are
going
to
set
up
a
call
for
next
week
again
think
about
the
agenda.
Maybe
we'll
talk
about
the
we
could
talk
about
the
API.
We
could
also
talk
about
the
update
to
the
architecture
document.
There
have
been
a
few.
C
We
can
talk
about
the
feed,
the
details
of
defeat
in
case
in
case
you
guys
made
some
progress
there.
So
whatever
it
is,
please
let
us
know
if
there's
a
specific
top
topic
you
would
like
to
talk
about,
so
we
can
put
it
on
the
agenda
and
announce
the
meeting
ASAP.