From YouTube: IETF-SCITT-20221219-1600
Description
SCITT meeting session at IETF
2022/12/19 1600
https://datatracker.ietf.org/meeting//proceedings/
A
B
B
A
Also drop them a mail to the mailing list to tell people to use, remind them about the correct link.
B
A
A
A
A
A
A
A
So John tell me, then we went, Hank and others are here, so we can actually start. We have three pull requests to look at. So that's, or at least, let me check now, the merge one already, that's excellent. Was actually two, K provided two pull requests.
A
Last week, I looked at them as well and sort of edits to the use cases, so that was good, and Hank provided an additional use case based on what we discussed last week, and then apparently Steve had some other edits. So we can look at those and hopefully we can merge them. So we have another version of the document or an updated version.
D
A
Today, yeah, actually, maybe we can also talk about that right now and we'll wait till Hank joins so he can talk about his use case, but since we weren't able to look at USCS last week, we should do that now. Do you want me to open something?
D
Yeah, I sent out a link, I'm trying to find it. I just had to interrupt another meeting so I'm trying to locate it, but I sent that out.
D
A
D
Because I've initially posted it, no, it's on GitHub, it's actually on the old, I guess it was on the older site, use cases. Sorry.
A
B
A
Actually I did, I did, yeah.
A
Yeah, yeah, yeah, because I reviewed your firmware use case.
D
F
A
D
D
Besides the stuff that we see that's visible, post boot, and that's the operating system, we think of the operating system and the software that's running on it, stuff that's visible to the user, but there's an awful lot of code, in fact, probably millions of lines of code, that actually run and are gone by the time the OS begins to load, and then some of this even continues to run, especially on that x86 PC.
D
A
It's actually the same. That's what I'm, sorry, it's, it's not an x86-unique concept. It's this for A-class processors, A-class processor, it's the same. There's some similar stuff.
D
Oh okay, good. I didn't want to speak for that, but I'm only familiar with the x86, obviously, but thanks for that enlightenment, that's good. So somebody might be interested in understanding, and by the way, this stuff boots with extremely high privilege. It does things like, and I go into an explanation a little bit down here, but it even does very high privilege things like configure memory.
D
The memory configuration actually has a number of security-related issues. OEMs, especially in the horizontal market, tend to get very clever about how they configure memory, optimized for one architecture versus another, and it's up to the early firmware to actually perform that configuration. We have actually seen aliases getting created where two physical, would appear to be physical, memory locations actually go to the same
D
the same actual physical location, and this could have some security implications, so somebody might want to really understand. In the same way we think about supply chain assurance for the OS and applications, you might want to think about supply chain assurance for the stuff that runs prior to the operating system and even continues to run during the operating system. So that's kind of the introduction. Any questions or challenges to that, to the necessity of this?
A
For me, it makes total sense. What do you think? Yeah, okay.
D
So and again, so scrolling down on this table here, you know, again: I want to be speaking to a great degree on x86 architecture and that, with the TPM, Trusted Platform Module, you know, and so you can kind of break it down into these seven, kind of seven architectures, and they're roughly broken down.
D
If you look at the PC client spec for the TPM, they're roughly broken down like this, although not entirely, but you've got the initial boot vector, which is the very early part of the boot cycle. Memory configuration you've got. You know, the loading of the runtime code, and in this case SMM and UEFI runtime executable. You got full boot mode that's running, and then moving on, you know, up to the higher levels.
D
I wanted to break this down kind of logically and by boot cycle stages, and typically we only really see, you know, reference layer six and seven, right. We don't see the layer reference one through, one through five at all, so kind of scrolling down. Then what we've
D
You know, what we've done, kind of scroll down to the table. I guess, let's go down to the instructional diagrams, yeah, do.
D
To the diagram, yeah, I just moved to the diagram, that'll be a little, okay, this one, and then some of the detail. Some of the details are up there, so here I'm gonna dive into specifically how the TPM deals with this, and TPM is widely available on almost all Windows and Linux based x86 systems.
D
What we've done is created this concept. How do you measure this? How do you record the evidence of this stuff, and, after all, it's going to be gone by the time the OS boots, or most of it? How do you actually have any visibility to this? And how the TPM does this is starting on the very left, you know, with the early reset of the system at the reset vector. At the same time you run the reset vector,
D
the platform is required to be designed to also reset the TPM, and part of resetting the TPM, we've got a set of registers in them called platform configuration registers, and essentially how they worked is, I actually scrolled just a little bit. Maybe do it low to the section right there, right there, yeah, and so down where it says: measurement operation. Just to kind of level set, what a PCR is, is the size of a hash, whatever you decide it's going to be. Originally started with, so, SHA-
D
1, and most of them are all SHA-256 or 384. The operation, as shown in the bottom formula, is, of course, it starts with zero, starts with the value zero, and an extend operation. There's no write to a PCR, there's only an extend. An extend operation is, internally within the TPM, it takes the existing PCR value, which is at reset zero, and you append it with the value that you're extending, and then you hash that and replace the PCR.
D
You know, very, the blockchain kind of recording of a log with a very scarce resource. We knew that we couldn't keep the hash of all of these events. Could be, independent implementation, hundreds of them, but this actually does keep inside a single PCR a non-tamperable record of everything
D
that's happened during the boot process, so you have to understand the concept of PCR and extending in order to make sense. So now, if you can scroll down, what we do, and in this kind of very simplistic role, and I've simplified this down to one PCR, I can explain the rationale for more than one later, but just to get the one in, you know, and yeah, as you go through this boot cycle, you start with the PCR zero being zero, PCR being zero, and prior to going to the next block of code that you're going to execute, and this is very common in the boot cycle, a very sequential boot.
D
In fact, most of the time the CPU is single threaded. You're going to measure it. You're going to measure it simply, is you take a hash of that module and then you perform the above operation with it, and then that is now recorded into the PCR, and you can keep doing that an infinite number of times. And what you end up with is an immutable record of exactly what happened getting to the end state.
D
If you'll notice, there's actually two operations that go on. The first is the extend operation into the TPM, but you might also, and this is what's really important for this working group, you might also want to keep a richer record outside, in memory and disk, or, you know, at the early boot you don't have a disk, a record of what you actually extended, which is a hash of the module that you were about to execute. So what you end up with is a sequence of these event
D
log records which, by the magic of hashing and extending, you can then verify is accurate, because these records are out in unprotected space, but you can go along and verify that, in fact, these are the records that were extended into the TPM as the thing progressed, and nobody downstream can modify them without being detected.
D
D
We now have the ability to get a source of these measurements. We call them RIMs, for Reference Integrity Measurements. We have the ability to get RIMs from a source, for example the device manufacturer, platform manufacturer, that says: okay, this is what it should look like when I booted my machine in the factory, when I developed it.
D
This is how it looked, and this is how it better look when you get it, right, and so what we have now is the ability to have a verifier that can get these event logs from memory, which of course, at this point, are not trusted because they can be transferred. They can be stored in memory. They can be stored on the disk.
D
D
So now I have the end state of that PCR, however number extends there were, and all I really need to do is replay this event log, and if I replay this event log and it exactly matches this PCR, which I now trust because it was signed, nobody could tamper with it, I can now verify that the event log represents everything that happened from the reset vector. I can compare that against the measurement or, you know, would be called the supply chain.
D
Maybe the term RIM predates, long before any of these efforts in IETF. So we're calling RIMs for now. Can now verify against a well-known record from a trusted source, and so that, I mean, that's pretty much. There's a lot of links with that.
D
That's really a summary of verifying the early boot or initial boot of the platform and how it can take part, especially using the TPM, but there's probably other technologies out there as well, supply chain assurance of the early boot cycle of the machine. And of course, you know, as you have BIOS updates, we're expecting the platform manufacturers, device manufacturers to, along with the BIOS update
D
A
Was a lot, that's good. Like I see, like with the, as I wrote in my review, I think there's a little bit more text needed in terms of, like, what SCITT would be doing, and I see two aspects here from your description, and they are probably separable. One is the fact that you make the, well, the different vendors that provide firmware, low level
A
software would make those, at least the metadata of those, publicly available through the notary service ledger, that's one, which then allows you to find out, like, what software is around, what's the latest version, and to make that sort of visible to everyone in the supply chain. The other aspect, and I think that's
A
The second part that you talked about is to actually have these RIMs, so reference integrity values or measurements, sort of uploaded as well, so that you can use the ledger in combination by the verifier to actually dip into those and compare those values. Is that a fair summary? Yeah.
D
And I think going even further beyond that, we think, you know, there's gonna be some manufacturers that actually produce it from the source, and that would be great, but there are a lot of manufacturers or even systems today that are out there that have this capability, but were produced prior to the manufacturer producing these RIMs or reference measurements. I think that there's room for independent, because everything that I've done here can be obtained. You don't have to be the manufacturer to obtain this.
D
If you have a system, say you bought a system or you had a, you know, you had a manufacturing floor that had, you know, 5000 of these systems already, right. What you can do is take one of them that you trust has not been tampered with. You know, which, if you're worried about, you know, pre, you know, attacks on the firmware. You could take one that you know hasn't been tampered with, directly from the source, perform all of these operations yourself. There's nothing in here
D
that requires the actual manufacturer visibility into the BIOS. All this information is available on the standard lining system example. So, there's no reason this has to come from the actual manufacturer. Somebody could be producing these on their own. That's where I think the real value, or among the values, for SCITT would be. Someone says: hey, I've looked at this, I've examined this BIOS, it's got
D
you know, this particular set of components has nothing that I'm looking for as far as threats go, and I'm going to put these values onto a ledger somewhere, because I've looked at them, or multiple people have looked at. That's where I think some of the value. If you just simply want to trust the manufacturer, they're all going to sign these, yeah, okay, you put them on the ledger itself, but I think the real value is other people looking at this as well.
A
Right, and I think that's, you are going further down, like I think that's where we still need a little bit of text, so what I would do is, and I don't see if anyone else raises his hand, but to sort of shorten the description above a little bit, but then extend this text, the SCITT use case or the SCITT sort of benefits, a little bit to explain what you just said, to capture that here, yeah.
D
A
D
A lot of, there's a lot of background, yeah, and maybe I can link to it, because I think it is important for someone that doesn't understand this to have some document that does explain it. But you're right. This, yeah, two or three sentences is not sufficient as a SCITT use case. As
C
D
What might, well, so there is a sequence number inside them. The BIOS is required to keep some order of how it happened, so one might have to understand, if it became multi-threaded, that these events might not always be in that sequence, but that can always be verified using the PCR. The PCR would still verify them. So that's a good point.
D
The verifier would need to know, in a multi-threaded fluid environment, that if they look at the system two different times, depending on what's going on, say a cold boot versus a warm boot, I think that would be classic. You got disk drives that are already spinning up and they can respond faster on a warm boot than on a cold boot, right. So that might lead to these events happening. So they can't just look at the sequence, the assumed sequence
D
order. So the event log, the PCR, is still going to reflect the actual sequence things are measured in, so that's still going to be verifiable. What the verifier shouldn't assume in your scenario is that, when they look at the first system, they actually have to make sure that they verify the sequence as it's been given to them by that system and not assume it's the same sequence as previous systems they've looked at.
D
Is it okay to, there actually is a TCG document, a published document, that describes this, so I don't have to put all this detail in here.
A
Just wanted everything in one document, yeah, document, yeah, please do so. Like, we don't need to replicate, and specifically, like, if we can keep it at the level that people get the story, and if they care about the details, then they go over to the other document. It will be unavoidable, if someone wants to understand all the details, to go to other documents.
D
D
A
A
Meanwhile, I still can't see it. I see. I am in the queue. Oh, excellent. Do you want to talk about, should we switch over to, no? You
A
G
I want to talk about this. Okay, cool. Hi, Monty, hi, hey, sorry for delaying your stage time here. That was kind of an awkward thing. Sorry about that. Having said that, I can speak now from experience, having had one-on-one sessions with Dick Brooks, who is not here today, I see, but it's very close to Christmas. So maybe we can spin off
G
maybe this week, I don't know what your Christmas plans are for right now, but maybe you can spin off a one-on-one and then create crisp facets of this use case here that would align with the current phrasing in the use case document, and we don't have to limit this to two. But my initial, intuitive target would be like spinning off two crisp use cases here
G
that would maybe even abstract a little bit from TCG work, but can reference TCG work, but highlight the actual issue: what customers or the consumer of the software needs, and why standardization is useful in this scope. So would that be something you feel is useful?
D
Yeah, it very much would be, and regarding my plans, I was actually planning on taking most of the week off, but my CTO informed me on Friday he had different plans for me, so I will actually be working this week. So okay, yeah, this week we could, we could meet.
G
Yeah, okay, then let's do this offline, find a good time, and yeah. So Dick was pretty satisfied with the outcome, so that was, so I have one out of one use cases where this happens well, so maybe we should just repeat that experience, yeah. Okay, let's check that online, then. Okay, yeah.
D
A
Please get something put together and submitted ASAP. That would be excellent to make progress on this topic, but yeah, thanks Monty for contributing that write-up, yeah. As someone who, like, works on low level software, obviously the use case resonates with me. Okay, thanks.
D
A
A
Okay, if we switch over to us, because I would really like to merge, or at least if the content is acceptable, merge this one and also the other PR from Steve. Should we talk about this one?
G
So this PR is now a lot of things, right. So we have the, yeah, that's one of the prominent ones. This is from Dick Brooks and mine. That's last iteration. So we had, we have a very clunky title here. All of this is not targeted at being super readable but capturing the essence of what we try,
G
what we try to talk about, so I think everything that is refactoring here is probably wording, getting this more crisp, getting this less clunky, but so the first draft is targeted at having all the content in and getting the idea across. So this is the second use case I was refining with Dick, and I think that happens pretty well. I think you already, Hannes, created an issue on the two offload items here.
G
G
Exactly, so yeah, so I basically also, I transmogrified three of the items in your email, of your recent email, into three issues, specifically the three items that are about things that I added, so I created issues from them, not about the things you commented on yoga's item, I refrained from elaborating on that, so yeah, but this is, I hope, readable at least, and that's the most important thing, because then we can bash it and make it better. Do
A
you want to give a short summary of what you did? Like, you talked about it last week, but just as a recap.
G
Yeah, so the base idea here is stemming from the App Store scenario which we started with, and we up-leveled that a little bit so it's more abstract now, so also talking about an app store was like limiting it basically to, I don't know, the, you know, the whole virtual owners that are very prominent in cell phones and so, because they use the term App Store somehow, and we wanted to highlight what's the actual problem behind that example.
G
I want to call it example here right now, and that's typically that you have a lot of thresholds, and I think the consumer releases of release of the ones highlight is good, but there's something here like the third or fourth sentence: discovery of all sources of statements and or identify authority entities creating sibling costs. So that's the thing. Sometimes getting all the information about a software is not feasible for everybody, sometimes you're getting in the situation.
G
G
So what we want to do here is to make discovery of these authoritative entities and what they are issuing more easily accessible and reduce that cost, and that is manifesting in offloading some burden, right. So you now have entities taking on that burden instead of you, and you just consume the output. I think that's one of the big things here, and with respect to the App Store
G
of course, the App Store in this specific example would have a certain opinion and endorsing certain things and, like, even explicitly not addressing other things or just being silent about it, and that is just one source. So I think the other thing here, which again is, effective, is cost, but it's a discovery of all relevant sources. So we had some hyperbole examples that are just from politics.
G
You know, if you're looking at the environment, and oil companies have different opinions than, or fossil fuels companies have different prints than Greenpeace, so Greenpeace definitely wants to reference endorsements from big oil, but maybe you might think situation where big oil is not as interested in referencing Greenpeace all the time, right. So if you find one repository, you find a biased set of reference to the other, and you find the other repository, you find a biased reference to the other.
G
So you have to go find both repositories, basically, for statements and then look at them and then make your own decision, which one is actually interesting to you. Like, are you more interested in, I don't know, selling fossil fuels or into a projected environment, and then you might come with different decisions here, so this decision making process basically is inhibited if you can't find all these statements, right. I just used a very probably politically incorrect example here, but still the point is valid.
G
A
A
So I don't know exactly where the text is. That's why I've been scrolling around a little bit, but yeah, somewhere in here, because
A
G
But a lot of changes are through use cases, so this is use case. All the green boxes basically highlight where new bullet points is, so changing. Checking the history of statements by auditors. What's another, the thing that I promised, so I was promising three things: I was promising getting the app store use case, and that's what we just talked about, getting here
G
auditor use case in, that's this one here, right, so our auditors have sometimes a hard time, again, finding all the relevant statements, but also the history of statements, like did this change, what's the current status of this, where are we right now? Also, there are explicit examples here in the text, like examples of procedure
G
results, in this case for compliance checking, for example, or important to audits, includes (a) available, fresh and applicable code reviews, (b) certification documents like FIPS and Common Criteria, (c) virus scans, (d) vulnerability disclosure reports, which can refer to fixed or unfixed issues, and then (e) security impact applicability justification statements, why the software is okay to run, and so there's five prominent examples and example lists what auditors have to deal with, and when you already look at, only look at this five example sets
G
then you realize that probably a lot of different formats, it's probably for humans to read. You know, it's hard to parse that, it's hard to understand how this works, so auditors run into this issue of having this, they're like experts in their own assessment domain, but necessarily expert in the discovery, relevance, finding it all and then parsing it and getting it somehow in your report domain. So an auditor needs to have a clear audit
G
trail. I was trying to not use the term audit trail here, but I wrote something like after the facts and long term availability, right. So that's where standardization kicks in, and then the second green box, and so this is about people that are not only wanting to avert danger and have real concerns about risks and want to be secure.
G
But this is more about the compliance and external regulation checking. Sometimes there's some oversight, governance, and that requires you to do things or attitude things. And then you have to pay money to people, to official certificate auditors, to actually check for that, and that's not uncommon, and that's a very costly procedure, and we can help with that, and that is why a consumer wants some things here. So a consumer expects, when they come into this order situation, that it's not a cost explosion. Again
G
cost is really a problem behind. Cost always relates to effort and discoverability, and how much you have to pay to get it all into one document, because you'll get with pictures, PDFs, whatever it might be, relatively dragon is what you have to process here, and then the standardization section again goes into why this is useful. What can be done? What values would come from
G
standardization? Yeah, I think it's pretty straightforward, but I think thorough reviews required still, so happy to get a lot of bashing here, especially with the bullet points. For example, K bashed my last one where we use the term endorsement, which is an architecture term, and she rigorously eliminated that, right, putting it back to layman's terms, to neutral terms. I think that's very important that we have neutral terms here, and so this hasn't happened here yet, so I hope that people find something that they don't like and then make it better.
A
Cool. Chrissy.
H
Yeah, not directly, so I'm happy to wait, but yeah, for those of you who don't know me: I am community chair for the Sigstore community meetings, and Zach mentioned, Zach's my colleague, he mentioned you're talking case studies, and I have some case studies I've been working with folks in the Sigstore community, and I definitely see some overlap with the ones mentioned here. So I was gonna highlight some of those and maybe ask where the best place to feature them all.
A
No, no, it's good. Have you written them up somewhere already, or are you in the process of writing them? Well
H
A
H
Yeah, it asked to show a deck, but I want to share my screen. How do I do that?
G
G
Yeah, while you're trying traces, so welcome on board, that's great. If you can associate with existing use cases, there's always the decision to make to add your details that are interesting to you to existing ones or to kind of shape a new use case that's different from the others and gets its own item. So whatever you have as a requirement is very welcome here, and yeah, I think there are two lanes, again, adding to existing or adding your own all new item. So
H
H
C
C
G
Good, good point. Yeah, it's interesting, you are visible, and I quickly will answer Roy's question. So there's the thing that use cases should use layman's terms. They should not OBS that colloquial language intentionally, and I was using the term endorsement, that's already overloaded by RATS and potentially by texts that will be included in the architecture.
G
So the most simple language is useful for use cases because they explicitly are not using architecture language, they're just layman's words of, or a famous expression, so to explain what the problem is, and then we can derive requirements from them, and then we can say: and this system does that.
C
Yeah, I understand the requirements, I mean, I just don't want to allow the discretion to say: hey, let's dumb it down, restrict terminology overlap with RATS, because the verticals have their own terminology, in saying, hey, the way to work through this, is why I wrote the terminology document, is that we can't allow things to squat until we have a great picture on things here. I have no problem with endorsement, and trying to dumb it down to RATS always is not what I want to do here.
G
I
Throw something out without raising my hand, Bob Martin here. I think, you know, as Hank started out with, he had gotten in a little too deep in his terminology in something that shouldn't have been using anyone's terminology. It should have been neutral because it's a use case. I think the discussion, Roy, that you want to get will be after that, and there we will use the languages of the different communities and figure out how to resolve them.
H
H
So one of the things I wanted to call out, like I think there's overlap with some of the things mentioned. So, for example, the one on Rancher, this is Rancher Government Solutions, and they talk about kind of dealing with air gap customers and the places they ended up using Sigstore in those environments.
H
Some of the other ones, like DB Schenker is the logistics company. Verizon is looking at 5G. Edgeless Systems is operating in kind of the confidential computing area, so like, well, I don't think, like case studies focus on the adoption and the journey. I think we could extract the specific use cases, perhaps in a format that works, and then maybe kind of link to the case studies as just a reference, but yeah, I just wanted to highlight these and how folks are using them and then see
H
what's the best way to kind of incorporate it with the use case work you're all doing.
G
So this is saying, this is actually something awesome, because the very latest use case we added is about air gap, literally, and if you have similar requirements we can, for example, I know I'm, so in this month, in December, I'm in charge of the use case document. I'm not sure this will continue in January, but I will not just disappear. So what we could do is, for example, take this obvious one that you just highlighted with the air gap.
G
G
I can already see four paragraphs, so for how I use this document, it might be a little bit too verbose, but maybe the key messages smaller and more concise, and if you can split some of those out and then include them, for example, into the existing air gap scenario, or we realize, okay, the action two paragraph scenarios, you can make that editorial decision pretty much as soon as you like and then go from there. So I'm free for calls until the day before Christmas, literally, this, but also next year.
G
So no pressure, and we can definitely
H
I think that works really well for the air gap, and some of the other ones we can pull into separate one, like there's an Edgeless Systems one which is on confidential computing, which is something I only learned about recently through the folks using it. Could that be a standalone one, perhaps?
C
G
Yeah, that's true. So there's existing technology, yes, sorry for this, existing terminology we have to a little bit back off from, and yes, confidential computing is about, sometimes, the proof of validity of the running code. That's different from what SCITT provides, so we are complementary, but in order to find it out, I think we have to spell it out first. I think that's the most important thing, to provide it on first, yeah, actually.
C
It also fits in with Monty's document, which is firmware, which is, you kind of need those building blocks to get to attested boot for a confidential compute container anywhere. So I guess there's three things out of that one. Is there anything missing from Monty's document in this space, where RATS fits in with the confidential compute space, and whatever, what else is missing?
H
And then see what makes sense, and I think there's four or five different topics there, so happy to set up new threads or jump in on the existing ones I can see, but yeah, just coming up to speed with what you're holding. Let's see.
A
Yeah, it's definitely a great idea, and let's have a look at those use cases. I unfortunately didn't notice them before you shared the link, so that's great as well. Is good that, since you guys posted some links, I was actually wondering, since K is not here, has someone, Kieran, have you taken some notes in the meeting minutes by any chance?
A
Here, okay, that's excellent. Okay, yeah, I was just worried that I have to sort of like then watch the recording and then recreate the notes, but so excellent. Whoever did it, thanks a lot.
A
Oh John, John, you did it, no Prime, I think, so anyway, whoever did it, that's great. Thank you. Good. So we have, we'll have lots more use cases to look into. Good. How should we best proceed? So Steve, do you want to say a few words about about your pull request as well? So you had pull request number five in that list. You want to briefly go over this, or, because you made a number of changes.
E
Hey honest, I can briefly speak about K second PR, the summarization of problem summary. So Hank, did you get a chance to review that?
G
Yes, I did review that. It is a non-conflicting merge. It was an addition which is basically a summary of the other use cases. So I said ship it and pulled it in. You can always elaborate on that. It's literally a draft. So all this is in high mode right now, and I saw no danger in having a summarization chapter here, and this is a starting point. She called it a placeholder, and I found a placeholder be non-conflicting with any other work and approved too much, yeah.
A
I looked at it this, when, yeah, I talked to her on Friday about her to Beyond. So so that's, those are good edits. So it's always welcome if someone actually goes through and and cleans up the text, because there's often some inconsistency introduced, and in this case this.
G
A
We just talked about was a summary, so that's good as well, but yeah, Steve SP, can you, can you talk about that tattoo, or is that, because it was mostly editorial changes for like improving the text overall, the flow.
E
Yeah, unfortunately, Steve was out most of last week, so I hadn't had a chance to like talk to him about it, but I'll show him a message. I think he's back this week, so I'll try and sync with him on that.
A
Okay, well, I'm, I'm, I would almost lean forward just accepting this one is like red. I retreated. There wasn't anything like content changes in there. I was just trying to improve the the language, and I, I trust Steve's English, definitely better than mine. So.
A
G
Ush, now that Tracy highlighted that she could contribute a lot of, to a lot of areas. I also think it's, I would repeat your recent sentiment here that pull things are more visible than things that are just in branches, so personally, I would say merge it for now. This is a draft and therefore subject to change, but I think in main it's more visible.
G
It hasn't received a lot of review with respect to the recent editions yet, so the other one which the dead, so also we are at Christmas time. So my answer would be as soon as possible with respect to this Christmas and New Year's Eve approaching. Maybe we will give a, when we go into hiatus or holidays, give people the chance to review the PR, and on the, before the first session, I make a a check on how much people we got, if there was zero feedback.
G
This also counts for, this is not controversial. If you put it in and if that creates controversy controversy, then we just create new issues on it, right? It's a draft. So but but I would not merge it right now, even it's less visible, because there has actually been, there's a lot of free if you're missing the other one at extensive review, and so I would keep it as a PR for now and then, oh, is it a PR actually? Yeah.
A
A
Yeah, but maybe maybe you could merge, I think you have, well, Sean, the the edits from Steve, because they are.
A
He was open, ask for some review, and then at the same time we are going to review the the use cases on Shankar and Autodesk and Rancher and and so on, edgeless systems, on the list. And then, when we meet again at the beginning of next year, we can then sort of like conclude on those and and incorporate and and whatever, whatever will come out of the discussion.
G
Okay, so what I hear is that we are, what would merge Steve's edits into final merge. Now I have to look at finder merge, because I think he branched from branch. Oh man, and final merch would be from yogish, and let's look at this, and yoga is just saying, is a a bunch of conflicts at the moments.
A
Wrong, that that can happen, but anyway, I think we are approaching the end of the hour, and this is our last call for this year. So I think, speaking also for John, I'm happy that you guys were so engaged in the discussions, like since the group was started, and I think we are making some progress, and and I see the use case, architecture things moving along.
A
So with that I wish you a happy Christmas and and also happy New Year, and we see each other again at the beginning of next year. Let me look when the next call is.
C
B
G
It, yeah, and if you want to have some discussion beforehand, but literally this year again in December, I'm a little bit off in charge of this document, and just reach out. Otherwise I think your idea to emit a lot of links to the list is great, because then people can follow that and read up. So whatever you feel comfortable with, go ahead.
A
Yeah, I'm also, for what it's worth, I'm also still around till the end of the year, and so if you have any questions, so just drop me an email. I will also look at the, review the use cases that.
F
Yeah, I, likewise, happy holidays to you all. So I did drop another possible use case onto the email list. I'm not putting it into any other, you know, documentation yet. I just want to see if there's any feedback or any report or not support for the concept. So this one I sent, that was for a registering press scores. Thank you.