From YouTube: SLSA Meeting (July 26, 2022)
A: Okay, my Mac is giving me access denied to sharing my screen or my...
B: Where is this thing? Hold on. I have it.
A: So I can try my camera, that might be... yeah.
A: This is a better view. I don't like the nose-up angle, and then the other now is sharing the screen.
A: 101, thank you. Windows totally got this Mac, yeah.
A: Yes, no, maybe, yes, yes! Okay! I have to get used to this, you know, seeing people on a different view in Zoom. We use Webex, so I'm not quite well versed in Zoom. Okay, folks, let's get started.
A: If you can add your name... I'll put the meeting... I had it. Where's the chat? Where's the chat?
A: This is the meeting notes link, where you can add your name, and I just figured it'd be fun if you are willing to share something about yourself, either something you're excited about or, you know, something you're bummed about. It kind of helps us get to know each other, especially since we're a smaller group and we'll be working together more closely. I figured, you know, it might be a good way to get to know each other a little bit better. Okay, so for the agenda, a couple of items. One is, you know...
A: How do we, as a, I guess, special interest group, collaborate, right? Slack, et cetera. Going over existing efforts, and then maybe new efforts. So does anybody have any other agenda items that we want to add?
B: This is Jason. So yeah, I think the bi-weekly is working pretty well. We do spend a lot of time on the blog, and I know that we're gonna get to the mapping, but yeah, I think the bi-weekly looks great.
A
Okay-
and
this
is
my
first
time
taking
notes
so
please,
if
anybody
can
help
me
out
here,
feel
free
if
I'm
not
doing
it
right
to
just
chime
in
here.
I
think
people
have
edit
rights,
but
if
not
I'll
have
to
figure
that
out
too
I'm
not
a
google
docs
person
either.
Surprise,
surprise:
okay,
any
other
comments.
What
about
slack
communications?
There
hasn't
been
a
lot
of
communications
on
our
slack
channel,
so
not
sure
if
that's
something
that
people
keep
up
with,
if
you
would
prefer
a
different,
medium
or
asynchronous
discussion.
E: Experience for me, I think Slack's good. I think it'll... yeah, we'll expect to get momentum, and, you know, it'll be all of us setting the example as well and kind of, you know, making it be active and then inviting others in because they see that it's active, and so on.
C: And I agree. Well, I think, SLSA, like, we have a mailing list and whatnot, but it's not the most active outside of just a couple of announcements, which I think, you know, the mailing list makes sense for announcements.
A: And I'm butchering people's names live. Okay, so that... let's see. So the discussion group, I think the concern with that, remind me... This is why I don't take notes while I'm hosting a meeting, because I forget, as people... well, as I'm typing, what you're saying. Because it's not really active, is that right, Mike?
C
Yeah
I
mean
it's
the
discussion,
the
the
like
the
mailing
list
is
mostly
being
used
for
like
compared
to
let's
say
other
groups
right
like
if
I
look
at
the
ietf,
the
majority
of
their
communication
is
happening
in
mailing
list
sorts
of
things,
whereas
in
in
what
we're
doing
you
know,
mailing
lists
seems
to
be
mostly
just
like
announcements
that
that's
really
all
it's
being
used
for.
E: That was me. I hope... this is Isaac.
E: I hope it's not controversial or off bounds, but I thought, you know, since this is the inaugural meeting, just kind of getting all of us aligned on what we think this group is about. And what I pasted in between the double quotes here is kind of one possible proposal, which is that there's a bunch of adjacent technologies and frameworks and methodologies around SLSA, and I think making the relationship between SLSA and those adjacencies clear, and then establishing the appropriate cross-links as well, and so, you know, having the SLSA specification and all the SLSA documentation refer to, you know, those other adjacent standards or frameworks. And then the flip side of that is, you know, I would...
E: In the same way that they, you know, they have a references section and a non-normative references section where they will point to, you know, other background or adjacencies. I think that, you know, we can think of...
A: Yeah, and actually that brings up a good point, and people, feel free to chime in. I know there's a few of us on here, but if you want to raise your hands or just jump in, by all means. Brandon, who I'm surprised is not here, but Brandon had mentioned that he was working with, I believe it was NIST, because we've been working on a couple of things in the background, and he was working with NIST to try to get SLSA mapped to SSDF.
A: So that is a good example of this, except instead of NIST, SSDF. So I think that definitely aligns with what we've been thinking in the background, too.
A: Okay, yeah. Now for the alignment of what this group is about, I thought maybe there was a proposal by Mark and Josh that had the definitions of the different SIGs. So if someone's able to find that...
E: Oh, that's interesting. There's a very different outcome statement there, which I think I'll paste in here as well.
E: I mean, maybe those two, like, hey: we've got the relationship, we've made clear the relationship between SLSA and the universe in which SLSA exists, and goal number two is SLSA is the lingua franca of supply chain security.
E
Other
thing
which
I
I
wanted
to
throw
in
as
well-
and
I
you
know
as
a
despite
my
accent,
I'm
a
us
person
but
like
I,
I
also
have
my
own
bias
and
you
know
tend
to
use
the
word
government
to
mean
u.s
government,
but
I
think
we
should
recognize.
There
are
other
governments
and
one
of
the
things
that
I'm
interested
in
and
maybe
we
get
into
potential
new
efforts.
Is,
you
know,
thinking
about
non-us
emerging
standards
and
so
for
every
every
time
we
we
say
the
word
ssdf.
We
should
think
about.
E
What's
the
eu's
equivalent
of
ssdf,
what's
apex
equivalent
to
ssdf
and
so
on,
and
actually
go
out
and
seek
out
those
things
and
find
out
what
are
the
emerging
regulatory
frameworks
and
standards
in
non-us
territories.
B
Kind
of
related
to
isaac's
discussion
around
that
for
those
that
are
familiar
with
the
cloud
security
alliance,
ccm,
it's
a
controls
matrix
it
maps
kind
of
like
it
goes
to
the
different
nist,
but
it
also
covers
like
canadian
mexican
chinese,
germany
yeah
and
it's
it's
a
pretty
good
mapping.
I'm
not
saying
we
mimick
it,
but
it's
a
good
reference
of
of
a
framework
that
goes
across
like
that.
F: It's admirable to think that we're going to get SLSA as the one standard, but I think we've got a lot of work to do to get there.
B
Yeah
yeah
and
what
I
I
think
it's
useful
for
is
like
the
compliance
guys
like
the
risk
management
compliance
guys
when
they're
trying
to
figure
out
hey
how
does
salsa
fit
into
this
a
cross
mapping
could
show
them
hey
if
you're,
basically
using
this
over
your
organization's
compliant.
This
is
how
salsa
would
meet
some
of
those
security
controls
or
those
processes,
so
it
it's
pretty
common
to
kind
of
cross
reference.
Those
for
compliance
groups.
F
And
it's
evolving
and
we
should
willingly
suggest
that
people
add
additional
evidence
as
to
whether
it
maps
to
salsa
is
a
working
discussion
that
we
have
to
work
through.
A
Yeah
yeah,
I
think
we
had
somewhat
discussed
that
when
we
were
working
on
the
blog
and
the
mapping
spreadsheet
was
what
happens
when
you
know,
there's
an
update
or
there's
a
new
document
right.
We
would
have
to
go
back
and
you
know
do
it,
but
at
the
same
time,
that's
essentially
what
we're
doing
in
our
own
companies
right
we're
trying
to
map
what
the
new
requirements
are,
and
so
we
would
be
doing
that
anyways
in
our
day
jobs,
and
so
we
would
just
bring
back
that
knowledge
back
to
the
community.
F
That's
a
dangerous
thing
to
get
into
yeah.
You
know
if,
if
we
decide
that
hey,
we
need
to
move
to
a
completely
different
hashing
algorithm.
That
doesn't
mean
previous
statements
for
the
last
five
years
are
immediately
thrown
away.
It's
just
a
migration
path
right.
So
that's
a
very
tender
subject
to
get
into.
F
So
that's
a
social
standard,
let's
say
we
have
v1
and
everything
is
gets
approved
to
say:
hey,
we're,
v1,
salsa,
compliant
and
all
along.
We
invented
v2.
I
don't
necessarily
think
we're
going
to
go
back
to
all
v1
claims
and
say:
okay
now.
What
is
it
light?
And
you
can't
install
the
software
because
it
doesn't
make
salsa
v2
right.
So
you
it's
a
really
tough
conversation
to
have.
A
Yeah
that
one
actually
was
brought
up
in
the
spec
meeting
on
monday.
I
don't
know
if
folks
know
of
that
one
it's
going
to
be
happening
every
week,
and
that
was
one
thing
right.
It's
like
what
happens
to
the
people
that
are
currently
certified
on
version
0.1
and
if
we
move
to
one
or
two
I
suggested
well,
maybe
if
there's
a
you
know
like
vmware,
certifications,
you're
certified
on
bcp6
right
bpp5,
so
maybe
that's
the
distinction
that
you
can
state
that
you're
certified
against
a
specific
spec
or
specific
version
of
the
spec.
E: They see that as squarely in scope for the specification working group, and it's an explicit part of the considerations that I'm looking at for how to get to 1.0: you have to get to a 1.0 without invalidating or creating confusion around 0.1.
E: Also, how to get to 1.0 with a clear path to 1.1 or 2.0, which again doesn't create confusion or invalidation around 1.0. So it's definitely, you know, front and center for the specification working group, as far as I'm concerned.
D
And
I
think
a
lot
of
this
is
going
to
be
a
linear
process
anyway,
right
because
we
first
have
to
get
organizations
in
general
to
have
an
understanding
of
what
sauce
is
and
why
it's
important,
because
I
talked
to
too
many
what's
that
and
they
just
don't
understand
it
so
supply
chain.
Security
in
general
is
not
yet
part
of
most
organizations
vernacular.
D
So
we
need
to
get
it
to
that
point
first
and
it
has
also
become
the
de
facto
standard
for
supply,
chain
security
and
and
once
that's
done
or
we're
kind
of,
as
that's
done
to
sort
of
tail
into
that
now
we
can
start
talking
about
versioning
and
saying:
okay,
you
are
you
know
you
are
ready
or
certified
et
cetera
at
this
level
and
then,
as
new
levels
come
out.
Then
it's
real
really
up
to
the
the
organizations
to
decide
hey,
we
really
need
to,
and
it's
mostly
going
to
be
defined
by
their
customers.
D
F
I
would
just
caution
you
phrasing
it
that
way,
because
salsa
is
one
of
the
data
points
secure
supply
chain,
you
still
got
vex,
you
still
have
the
s-bombs
and
how
they
all
relate
are
part
and
parcel
of
the
same
problem.
Space
and
salsa
is
only
one
an
important
piece
out
of
it,
but
it's
not
the
complete
end-all
story
here.
F
E
That's
exactly
right,
I
couldn't
agree
more
and
I
think
actually,
that's
absolutely
central.
If
not,
there
is
on
detroit.
This
working
group
here
that
yes,
salsa,
is
a
piece
of
the
puzzle,
and
so
I
mean
this
group
here.
Ideally,
we
would
paint
the
picture
of
the
entire
puzzle
and
then
assemble
the
pieces
within
it
and
show
oh
here's,
the
salsa
piece
and
here's
the
constellation
of
pieces
surrounding
it,
including
s-bomb,
including
skin,
including
and
all
these
other
things
and
here's
how
to
reason
about
the
space
and
understand
salsa's
position.
Within
this
broader
context.
F
You
know
I
just
to
digress
a
little
bit.
I
don't
think
end.
Users
are
going
to
understand
salsa
they're,
going
to
look
for
somebody
to
make
an
endorsement
that
says:
hey
looking
at
the
salsa
data,
I
you
can
safely
use
this
piece
of
software
and
and
the
question
is:
is
there
an
up
level
or
is
there
a
representation
of
the
stores
like
the
play,
store
and
so
forth?
G: I wanted to add to what Roy said and then what Isaac was saying as well, paint the entire picture, also making sure that we paint the picture of what SLSA isn't, right?
G: So not only do we address, you know, SLSA's use and the audience that the use is intended for, but we also paint the picture of what SLSA isn't, what audience still needs a standard or framework, and then what those gaps are, understanding that we may be able to... You know, we're sitting here in this group together, where we could be working on something that could parallel SLSA, that could service that other audience, right?
G: So I want to expand that focus. That just builds trustworthiness throughout the community as well, right? We've not only said what this is; we give the entire puzzle. This is what it's used for, this is the ice, but this is where our gaps are, and what we can fill using X, Y and Z, right? So I'd like to propose that as well, because, as Roy just said, you know, there are applications, but then who else is... you know, there are other frameworks out there?
G: Who else is missing, right? So I guess, and I'm only saying that because I see one of the lines written up here, the one single framework, that's almost impossible today, just because there's so many different areas of supply chain and service development and everything else. So I mean, that's my only area of caution there.
F: The lingua franca.
G: That's where it's... right here, right under the CCM, this one right here, yeah.
F: Could be, you can give...
C: Yeah, I think, along those same lines, I think it's worthwhile to also, as we kind of communicate some of this out, make clear the distinction between, like, SLSA the sort of attestation specification, versus SLSA the set of requirements, versus some of the other things. Because I know one of the big things that was also discussed yesterday in the specification call was it's often very unclear to folks who are coming in where that delineation is, like, what is the builder responsible for versus what is me, as somebody who's building a project, responsible for, right? Because some of the SLSA requirements are very much focused on the requirements of a project, versus some of them are very focused on what should your build or CI pipeline be responsible for. And for a lot of folks,
C: They just sort of... you know, they use a tool or a SaaS or whatever to do that for them, and it could be, you know, confusing as to, hey, I'm just using a tool, shouldn't that be providing SLSA for me? And it's like, oh, that provides some level, but then you have potentially responsibilities on top of that when you're building your software.
E: I have just a few super high-level slides which I put together on software attestation and then how SLSA fits within that, the attestation framework, how I see SSDF and SCITT fitting in that same framework as well. And if it would be useful, I can just take 10 minutes to go through those slides, and potentially it would be, or could form, some useful grounding for some discussion in this space.
A
So,
let's
try
to
get
through
some
of
these
quickly,
at
least
at
the
talking
point.
As
a
quick
talking
point,
and
then
you
know
we
can
get
to.
Is
this
okay,
somebody
added
this
and
then
I
can.
I
can
come
back
to
this
one.
If
that's
okay
and
I
think
I
saw
an
additional
hand
up-
was
it
part.
B
B
A
Yeah,
so
I
guess
if,
if
the
group
and
jay
do
you
have
an
additional
question
before
I
move
on
or
is
that
an
old
hand
up.
A
Okay,
if
the
the
team
does
not
mind
this
kind
of
bleeds
into
the
existing
effort,
so
I
don't
know
are:
are
we
comfortable
with
the
discussion
we've
had
so
far
with
the
scope
and
charter?
I'm
guessing
we're
going
to
need
some
sort
of
issue
or
pr
drafted
to
actually
create
the
scope
and
the
charter,
but
not
sure
if
everybody's
comfortable,
where
we
stand
right
now,.
A: I see shaking heads, okay. Okay, so for existing efforts, and part, this will help cover some of what you've asked: this is a spreadsheet, and hopefully you all have access, and basically the idea is that we would map SLSA to SSDF, to NIST 800-53, the executive order, 800-161. I forget who volunteered to do the CNCF one, and any additional frameworks that come out. Was that you, Mike?
C
I
think
it
might
have
been
john,
but
him,
and
I
both
work
on
the
the
cncf
side
with
with
regards
to
this
stuff,
so
I
can
take.
I
can
take
it
yeah.
A
And
so
the
idea
is
is
that
we
would
call
out
what
are
the
requirements
from
each
of
those
specifications
or
frameworks
that
salsa
meets
or
can
potentially
meet
the
criteria
for,
and
so
I
think
this
helps
with
what
you're
suggesting
and
the
hope
for
the
team
that
it's
been
several
of
us.
It
was
brandon
myself
emmy
from
red
hat
aaron
from
verizon.
A
I
can't
remember
who
else
there
was
a
couple
like
two
more
people
in
there
and
the
idea
would
be
that
once
we're
done
with
the
ssdf
that
we
would
go
propose
to
nist
right,
hey.
Can
you
link
salsa
and
then
we
would
continue
on
down
this
path
and
as
we
finalize
this
spreadsheet,
then
we
can
propose
this
to
open
ssf.
A
As
an
openness
of
document
to
say,
hey
here
is
how
we
can
help
organizations,
you
know,
comply
with
certain
controls
or
these
different
frameworks
and
how
also
can
help.
So
that
was
the
the
overarching
idea
and
we've
post
we've
posted
a
our
pr
for
a
blog
post,
and
I
think
it's
about
ready,
and
so,
if
you
are
interested
in
reviewing
it,
we're
really
trying
to
push
it
out.
It's
been
committed,
eight,
like
you
know
a
long
time
ago,
but
this
this
blog,
you
know,
let
me
do
the
salsa
vlog.
A
Here
it
is
no
foundation.
I'll
put
this
in
the
link
too.
This
was
the
original,
so
it's
nice
and
pretty
versus
the
github.
So
it
talks
about
the
different
frameworks,
and
you
know
what
salsa
can
provide
based
off
of
the
supply
chain
security
standard,
and
you
know
what
we're
trying
to
do
as
open
ssf
salsa,
and
we
invite
the
community
to
give
feedback
on
that
mapping.
So
I'll
put
this
in
the
in
the
chat,
but
that's
kind
of
what
we've
been
working
on
in
the
background
it
just
kind
of
organically
happened.
C
Oh,
no,
no
yeah,
yeah,
yeah
that
this
looks
good
and
the
cncf
actually
also
has
a
a
group
that
was
starting
to
do
the
same
thing.
The
other
way
like.
How
can
we
map
the
cncf
best
practices
to
stuff
like
salsa?
C
So
we
should
coordinate,
but
I
think
actually
one
of
the
things
I
wanted
to
sort
of
bring
up
as
a
little
bit
of
a
concern
and
more
of
an
a
question
to
the
to
the
rest
of
the
group
of
when
sort
of
looking
at
a
lot
of
the
different
sort
of
documents
that
are
out
there
that
are
doing
similar
sorts
of
things
like
because
you
also
have
scvs.
You
have
actually.
C
I
just
found
out
this
morning
that
the
cd
foundation
plans
to
do
their
own
and
and
there's
a
bunch
of
other
ones
that
have
come
out
of
finos
and
all
sorts
of
other
groups.
C
One
is
what
can
we
do
to
sort
of
better
coordinate
among
the
various
groups,
and
then
the
second
thing
is
that
some
of
the
the
various
like
some
of
the
frameworks,
control
groupings
etc,
are
at
conceptually
different
levels
like
the
cncf's
best
practices
are
very
much
more
like
implementation,
best
practices
that
you
would
say,
oh
well,
if
I
have
a
control,
oh,
if
you
want
to
go
the
cloud
native
route,
here's
an
easy
way
to
do
that,
and
so
sometimes
they're
at
different
levels.
C
And
I
and
I'm
not
sure
what
we
can
do
to
sort
of
make
some
of
those
things
clear,
because
some
of
these
things
are
going
to
be
at
different
levels,
and
we
want
to
make
sure
we
also
don't
conflate
that
either.
A
Okay,
I
would
agree,
there's
a
lot
and
more
more
that
I
was
hoping
for.
I
thought
it
was
just
a
few
so
team.
You
know
how.
Oh
I
see,
hands
up.
Sorry,
I
don't
know
who
was
first.
E
So
I
I
was
just
gonna
say
I
I
reviewed
the
blog
post
this
morning
and
I
really
like
it.
I
think
it's
ready
to
go
and,
in
my
opinion,
the
one
thing
which
I
think
would
be
useful
to
think
about
for
this
blog
post.
But
then
also
just
in
the
broader
context
of
this
group,
is
how
we,
how
we
publish
our
work,
because
I
do
think
that
their
elements,
the
blog
posts.
I
look
at
and
go
well
actually
that
that
shouldn't
be
a
blog
post.
E
That
should
be
part
of
the
core
documentation.
And
so
I
want
to
be
careful
as
we
go,
that
we're
not
just
kind
of
putting
blog
posts
out,
but
we're
actually
making
sure
that
we're
building
up
the
core
project
and
and
salsa
documentation
based
as
well
and
looking
at
you
know
blog
po
or
examining
closely
when
we
when
something
is
the
right
thing
to
put
in
a
blog
post
and
a
blog
post
alone
versus
when
it
should
be
part
of
the
core
documentation
versus
when
there
should
be
items
in
both
places
and
so
on.
E
Because
I
I
do
want
to
make
sure
that
the
documentation
is
comprehensive
for
the
project
and
you
shouldn't
have
to
read
the
blog
to
understand
the
project.
It
seems
to
me.
E
And
so
one
of
the
things-
and
I
can
take
a
first
crack
at
this-
maybe
just
put
them
out
and
slack
on
the
mailing
list,
but
maybe
some
as
well
as
having
the
scope
and
charter
for
this
group
defined.
Maybe
we
should,
you
know,
start
to
lay
out
some
working
principles
as
well
like
so
I
think
you
know,
keeping
an
eye
on
non-us
frameworks
and
regulations
is
one
principle
which
you
keep
in
mind.
I
think
keeping
in
mind.
E
What
do
we
make
part
of
the
core
documentation
versus
what
we
blog
is
another
one.
I
think
general
inclusiveness
showing
our
work,
this
kind
of
stuff,
I'm
super
useful.
A
It's
okay,
it
happens
so
I
got
layout
working
principles
and
so
are
you
imagining
putting
this
as
a
I
thought.
I
heard
the
the
distribution
either
slack
channel
or
the
mailing
lesson,
or
maybe
I
misheard,
yeah.
E
I
mean
I
I
mean
I
don't
mind,
drafting
some
and
sharing
them
for
feedback
on
the
mailing
list
or
in
the
slack
but
kind
of
incorporating
them.
I
guess
into
the
the
collaboration
motion
of
this
this,
this
working
group
that
hey
we
have
the
meeting
notes
document.
We
have,
you
know
our
regular
schedule.
We
have
norms
as
to
how
we
communicate.
E
We
have
a
couple
of
draft
potential
goals
or
charters
about.
You
know
the
scope
of
this
working
group.
It
would
be
great
just
in
terms
of
general
as
we
build
up
the
collaboration
infrastructure
and
build
structure
around
what
we're
doing
here.
Having
some
you
know,
documented
working
principles
like
how
how
we
work
or
or
what
we
consider
important,
or
you
know
how
we
make
decisions
or
what
we
prioritize
and
things
like
us
versus
non-us
things
like
blog
versus
documentation.
E
F: So, Isaac, I have a basic question now: what happens if one of the governments puts in a request that doesn't transition across borders? Like, if NSA asked for SLSA level 15 to basically be "we got access to all the source code for the product", which would not work for companies out of China, and vice versa. Is there a back door for how that is not part of SLSA, and how they would deal with that?
E
I
mean
I
think
that
there
will
always
be
things
that
aren't
part
of
salsa.
I
think
there
will
always
be.
I
mean
looking
right
now
and
ssdf
versus
also
the
two
have
very
different
scopes.
You
know,
ssdf
vulnerability,
measurement,
section
and
salsa
has
no
concern
with
vulnerability
management,
and
so
I
think
that
part
of
this
group
is
not
to
go.
Oh
there's
gaps,
let's
close
them
and
more
to
go.
Oh
there's
gaps,
let's
explain
them
and
help
people
understand
them
and
help.
E
F: What I'm asking is, if there's a requirement that one of the governments makes, is there a "this is how you pivot out of SLSA", right? This would be a... we would say, hey, this doesn't fit in the SLSA framework. If we want to make it standardized across all governments, or do we allow one government to control that? We have to...
E
I'm
absolutely
not
suggesting
that
we
standardize
across
all
governments.
I'm
saying
that
when
we
position
ssdf,
it
should
be
clear
to
everyone
how
is
ssdf
different
different
from
salsa
great
yeah.
I
understand
what's
that,
and
so
it's
less
an
effort
of
like
kind
of
trying
to
standardize
across
governments
and
more
trying
to
be
descriptive
about
how
salsa
does
or
does
not
apply
to
these
various
emerging
frameworks.
A: New standards arise, we have to alter the specification, and then we also need to map back. If it's not here today, but then, you know, in a month there is some new specification... at least that's how I'm envisioning it in my head. Yes, I think.
E
I
would
push
back
on
the
the
premise
of
that.
Just
a
little,
and
maybe
on
on
this
is
part
of
roy's
question
as
well
is,
if
there's
a
new
specification
or
new
new
requirement
coming
out
from
the
government,
I
don't
think
there's
any
requirement,
that's
also
respond
to
it
or
incorporate
it
or
extend
salsa.
I
think
yeah
it'll
be
a
consideration.
E
We
would
look
at
it.
Do
we
think
so
this
didn't
scope,
the
cell,
so
do
we
think
it
would
be
useful
to
incorporate?
Should
we
generalize
and
upscope
and
look
at
salsa,
but
I
I
don't
think
that
there's
there's
any
notion
that
salsa
is
a
responsive
effort
and
we're
watching
to
see
what
government
regulations
come
out
and
then
making
sure
that
sales
attracts
them.
That's
that's
not
how
I've
thought
about
salsa,
and
maybe
that's
maybe
that's
something
we
should
clear
up
here
as
well.
E
If
we
think
differently
about
that,
because
the
idea
that
hey
what
happens
if
some
government
comes
out
with
this
new
thing,
what
do
we
do,
then?
I
think
we
do
what
we
always
do.
You
know
we're
going
to
look
at
the
industry.
We're
going
to
look
at
the
community
we're
going
to
look
what
government's
doing
and
we're
going
to
synthesize
all
of
the
various
data
points
that
we
have
in
the
ecosystem
surrounding
us
and
chart
the
right
course
for
salsa.
E
F
Yes,
but
it
does
ruin
your
position
if
we
say
hey,
ssdf
mapping
to
salsa
the
government
controls
ssdf
if
they
start
drifting
away,
what
we
can
represent
they'll
go
back
to
hey.
You
have
to
give
us
ssdf
claims,
not
we
don't
necessarily
care
about
salsa
kind
of
weakens
the
story,
which
is
why
I
brought
it
out
here.
What
is
our
position
when
we
hit
these
cases
of?
Is
there
a
back
door
that
you
say
salsa
plus
whatever
x?
And
that's
what
I
don't
see
here.
E
B
E
E: Right, and I think the answer could be, you know, hey, you know, in time, SLSA, you know, we intend to expand SLSA to cover vulnerability management. But I don't think the intent of SLSA is to, you know, be able to have a one-to-one method with SSDF. I think it's useful descriptively to explain SLSA to people who are familiar with SSDF. If I come in with a familiarity with SSDF and want to understand SLSA, there should be a document.
C
And
I
also
think
that
there's
there's
still
like
the
two
ways
you
could
potentially
go
about
it
right.
One
is
like
the
the
depth
sort
of
like
question
of
like
how
deep
does
the
salsa
go,
because
the
more
specific
salsa
might
go,
the
more
it
kind
of
also
falls
under
like
you
know.
C
If
salsa
starts
talking
about
specific
encryption
algorithms,
as
opposed
to
talking
about
high
level,
you
know
you
should
be
using
encryption
or
something
like
that,
and
then
the
other
one
is
sort
of
the
the
general
sort
of
like
breadth
question
of
like
what
sorts
of
things
does
salsa
want
to
even
say
is
within
its
scope
versus
you
know
some
of
those
things,
and
I
think
that
kind
of
ties
back
into
you
know,
because
I
I
think
it
is
a
huge
concern
from
our
perspective
roy
and
it's
one
that
also,
I
think
like
at
some
level.
C
We
have
to
defer
to
just
sort
of
the
constituent
members
and
say
like
hey:
what
are
you
know?
What
are
the
constituent
members
made
of
and
it's
made
up
of
folks
across
the
world,
and
so
I
think
that
kind
of
ties
our
hands
at
least
a
little
bit
with
salsa
to
say,
okay,
we
would
probably
defer
to
saying
you
know
well,
the
members
are
across
the
world,
so
we're
not
going
to
apply
that
specific
us
government
standard
that
precludes.
You
know,
adoption
to
to
other
major
members
of
our
community.
G: And I guess to that end, and I didn't hear this if it was mentioned in the beginning, should there be maybe a monthly meeting between SLSA specification and positioning, just in case? You know, if there's nothing to talk about, there's nothing to talk about.
G: But let's say something like this occurs, right, and it requires a bit of polishing, one on the specification side and into how we position after making decisions regarding the specification. Perhaps having that meeting might put us in a better position to kind of frame the language, or how we want to address whatever changes occur to the specification as a result of any government influence.
G: Bring back status... I'm gonna say they're supposed to... I'm also going to say maybe not these specific meetings we're having, specification, the tooling and the positioning; these are very distinct meetings. What happens in that bi-weekly SLSA meeting is a bit broader than what happens here, and I think that any changes regarding specification that might impact positioning, or any changes in positioning that might impact specification,
G: I think those are still narrow enough where they might require their own conversation, just because of the broadness of that bi-weekly SLSA meeting. Also,
G: ...out this earlier, and this is something that I don't want to gloss over: this SLSA effort is so huge that other organizations, large organizations as well, might feel a strategic push to create something similar that might be in the works right now, and there...
G: It has to be room for us to have those conversations around what can be, what is just strictly competitive in nature, or what may be able to be pulled in, consumed, so that some of the questions that we have around the completeness of SLSA might be answered by maybe pulling in some things that could potentially give SLSA, even in concert or partnership with another standard, that kind of one-to-one mapping, or even maybe not one-to-one, maybe one-to-many, or maybe the one mapping with the SSDF, right, such that the specification and positioning conversation can have a little bit more meat on it around:
G: How can we respond using other resources we have in place now? That is a bit ambitious, that's a bit aspirational and far-fetched, and I'm really thinking about the togetherness around all of us organizations being included in this, right? That could be talked about offline, but I just wanted to throw that nugget out there as well, just as a conversation piece.
A
So
I
agree
the
the
salsa
biweekly
currently
is
too
broad,
but
these
these
these
three
new
sigs
they
just
started
meeting
this
week,
and
so
I
think
the
proposal
going
forward
for
the
bi-weekly
is
that
each
of
the
six
specification,
positioning
and
tooling
will
have.
I
don't
know
if
it's
five
or
ten
minutes
at
the
beginning
of
each
salsa
bi-weekly
meeting
to
provide
an
update,
and
so
I
suspect,
right
it's
too
early
because
we
just
started,
but
I
suspect,
what's
going
to
happen,
is
that's
where
we
would
raise
the
red
flag.
A
I
don't
know,
but
others
do
you
agree.
Do
you
disagree.
A
It
I
think
it
is
okay,.
G
All
right
that
doesn't
mean
somebody's
charter
or
something
something
that
needs
to
be
written
down
somewhere,
because
if
not,
then
other
things
are
going
to
take
precedent.
That'll
happen
for,
like
maybe
the
first
couple
and
then
they'll
just
get
swept
to
the
side.
Eventually
for
other
pressing
issues,
I
mean
I,
you
know
that
should
be
written
down.
A
Yeah,
I
thought
I
remember
reading
it
somewhere
I'll
have
to
find
it.
E
A
Yeah,
so
I
think
it'll
get
better
right,
but
this
is
the
first
week,
so
we
haven't
seen
that
so
I
suspect
next
week
is
a
social
media.
Bi-Weekly,
so
we'll
probably
see
something
next
week,
yeah.
G
And
and
all
the
all
the
sigs
are
having
meetings
this
week,
one
was
yesterday,
there's
one
plus
one
today,
one
on
friday.
So
next
week
during
that
bi-weekly,
there
should
be
15
minutes
for
each
so
about
40
about
anywhere
from
30
to
45
minutes
of
that
meeting.
Or
is
it
15
minutes
for
all
three.
E
And I think, I mean, I think, Jay, that your point is well taken. I think you're absolutely right. I think part of this is, you know, as we stand up these work streams we're going to need to adjust, and so yeah, starting with 10 to 15. If we discover that's not enough, we can have it. It could be that, you know, we may not need that whole section on a bi-weekly basis, but since we're just getting going, I think, to your point, we should be.
E
A
A
Okay, okay, so we have all of these things, which is going back to the "we need to keep an eye" on, like, what are... wasn't language laying out working principles, right, so we're keeping an eye on it. So, as a team, what do we think? Well, not this one. Sorry!
A
A
To show, hey, SLSA doesn't solve all your problems, so I'm hoping that will help. But in terms of these things, what does the team think we should do? Should we go off and maybe create a document or an issue that explains what the objective of that document or new framework is, and if we should or should not attempt to either write a blog or incorporate it into that spreadsheet?
B
F
C
A
F
B
F
So what we're requesting of the working group is some fundamental building blocks that we think all secure supply chains are going to need at this point, right, and if it's standardized and says, hey, here's the interface that you have to support. You want it to be as small as possible, so we can have multiple implementations across the organization.
F
E
F
I'd think of it slightly differently. There would be a Microsoft-implemented SCITT interface, and potentially Sigstore implements the section of the SCITT interface that it overlaps with, and so forth, and then Google and anybody else may implement theirs or whatever. But what we're, you know, we're asking for four things in the IETF. One is the electronic equivalent of a human notary, right: I saw Isaac presented this and he signed it, therefore you can trust it because your notary stamped it; there's a countersignature on it. One.
B
F
F
Like, three of my auditors say yes and one says no; what does that mean? And it's not necessarily SLSA. To me SLSA is pointing back at, here's proof that we have this data, whereas an endorsement from the NSA or somebody else is saying, hey, you can trust us, but we're not going to tell you how we came to that conclusion. And yeah, that's how I fundamentally think of these. Now, to argue: is that all the IETF's going to do?
F
E
That makes sense now. No, that makes great sense, and I mean, I think, and this is, you know, I have some slides on this and maybe in a subsequent session we can go through them. But I think of SCITT as potentially, you know, complementary. I mean, it seems to me that SCITT is an attestation framework for making almost arbitrary attestations about a piece of software, and so those attestations could be, hey,
E
I did a vulnerability scan of this container on this date, and I found it vulnerability-free, and that's an attestation you may want to use SCITT to store and have notarized. You may want to store an SBOM. You may want to store a SLSA attestation. You may want to...
F
E
Exactly. So it seems to me that, I mean, when we talk about SLSA and SCITT, it seems actually that they have different functional altitudes and capabilities. SLSA is a set of things that you may want to say about a software artifact, and SCITT is a way of storing, notarizing, distributing, discovering, repudiating an essentially arbitrary set of attestations about a software artifact.
B
A
So I'm going to say: timeout, we went into the weeds a little bit. It's okay, it's okay! It happens, especially with techies. So the original... I do it all the time. The original question was: what do we do about all of these things? And I think, Mark, Mike, you had your hand up. I think you were going to answer that question. Hopefully.
A
C
So yeah, I think, to start off, something like a GitHub issue, with maybe an associated document, is probably going to be good, because I think the conversation there was really good, which is just like...
C
E
Yeah, I'm just going to echo that, and I think that the, I mean, the reasonable place to start, I mean, I'm staring at this. There was a line item somewhere which, you know, had an overall picture of the space. I think that the way to do it is the end-to-end supply chain framework positioning. I think having, agreeing, some kind of overall framework independent of any of these four- and three-letter acronyms down here is the right way to anchor this, and so, let's describe the problem
E
space and, let's say, hey, here's the universe of problems, and then within that problem space we can start to position these pieces and say, well, SLSA has a mapping to this area of the problem space. You know, SCITT has a mapping to a completely separate but equally valuable set of problem space over here.
F
It's... the only place that ends up mattering is, do we have to format it and how do we sell it, right, and if we have to support multiple of those, that's going to hurt. So yeah, there's a... you're just... system is 100 percent accurate. You want flexibility, some of these things all compose, but we may have to settle on some language at some point.
F
F
Melba, I'd love to see your supply chain framework positioning, because it's probably...
A
More than happy. Mike has a copy. I actually did share it at Open Source Summit. More than happy to paste it here. Yeah, it was intended to share with the masses, so if we can alter it to make it better, I'm all for it.
C
Sure, I mean, it might even make sense... sorry, I got a delivery. So it might make sense to maybe start off with them all somehow associated in one, just so that, like, we can set some guidelines on how we're viewing these things. So we know, like, oh, this is, you know, is this considered a standard? Is this considered a best practice? And so on, and then we can kind of go back and think about how they all interact with each other.
A
Okay, so I can open up an issue with all of these in one. I don't think it's... oh, I don't have the ability to do, like, any sort of epics, or... oh, because it's not ZenHub, yeah. I was thinking of ZenHub because you can do stories and then the dependencies for the epics, which are stories.
F
So one of the things I've found in this whole space is, unless we start pinning and settling on some building blocks, assuming this building block... as long as everything is still fluid, nobody gets all this stuff right. If we say, hey, we're going to assume SLSA is the way you're going to attest things, assuming you're going to write your SBOMs out, blah blah blah, then we can build on it as a whole framework. But right now, every time, you know, I'm sure Isaac and I could paint two completely different pictures and people go,
F
you just confused the hell out of me. So we kind of need to get some common language, because we could do a whole bunch of different things; that's not going to help everybody try and picture what the hell we're building.
A
Okay, I will try to write that up, but we are over on time. So I...
A
Respect everybody's time. I will try to write that last sentence up, and I guess we will meet in two weeks, but we can obviously work asynchronously on the SLSA positioning Slack channel. So thank you, everybody, for joining. I think it was a productive meeting, so.