 Hey folks. Can somebody talk to make sure I've got my morning audio configured? Hey Steve. Hey, there we go. And people start showing up. This is getting bad. I don't want to disappear from webcam because it's just, it's some connectivity with people, but I think I'm going to start putting one of those things on my, can I get like one of those own hats and like hair things that just kind of floats on your head? Oh, I see somebody's already got it. Great. Thanks, Aaron. I'm assuming you did that. How you feeling, Justin? Yeah, back to normal. Welcome back. So we have this call at 1030 where I'm drinking coffee and then we have the later call on Wednesdays where, uh, Vincent's drinking wine. There seems to be some combination of the two. We'll give a couple of moments for people to join. And Justin, uh, Capos, I just, I've replied to your, um, post this morning on the feedback. It's a, it's probably the most meaningful conversation we might want to figure out is how do we find the balance. So. I saw. I will Cormac offline from Slack. And I want to apologize in advance. I'm going to have to drop out of this call a bit early. So. Okay. Let's see what agenda items we have. Maybe we can cover, um, that topic sooner. We're at the five minutes. I don't see Justin. Cormac online. He might have had another call. I camera of Vincent said he was or wasn't coming. So. All right. Why don't we pull up. Just pop this over here. Okay. So from a working group status, which was the agenda item, I guessing, uh, Aaron popped in there. So thank you. Aaron, am I giving you credit for somebody else? No, I just copied. I just. I was just getting it started. So yeah. Awesome. Thank you. Yeah. Oh, and, uh, something that we were discussing. I can't really just call the OCI Wednesday call is being better around taking notes. This is something I've watched the helm team a while ago do really good as they kind of a designated note taker. And if that person's talking to somebody, it picks up from them. Cause it is hard to talk and type at the same time. Um, so I don't know how we want to start doing that. Um, any volunteers. I'm hoping we'll get a collaborative work. I'll certainly type when I, when I can with, uh, trying to keep up with the conversation as well. So mostly for a status, uh, a couple of things, uh, that I was going to chat about, um, Um, Obviously we have this one conversation, which I'll queue up. Uh, so let me just kind of indent this here and we'll talk about the, um, Scenarios update or scenarios feedback. I'll call that. Um, So when we start there, well, there's that actually, let's get a couple of items on here. Then there's, um, Um, Um, Um, flow that we'd been wanting to do and, uh, Provide a status on that and why I was thinking we wanted to start focusing on that. Uh, is any other topics people want to cover just in anybody else? Okay. Um, It's going to be difficult to do this without Cormack here. Cause I know he, you know, there was this conversation with, uh, between Kapo's Cormack and myself in a. Um, Um, Um, Last week we had a pretty good conversation where we were talking around, uh, kind of, I'm implying it as a scope. Might not be the best way to do it, but scope isn't necessarily a bad word per se, but there's this conversation that I've been, at least that I've been kind of pushing from, and I'll just kind of put a transparent of where the, where I've been kind of thinking. But obviously completely open to where we want to do this is we're really trying to do that signature on, uh, a piece of content. Um, because if we can sign content that says this thing is what it is, as long as the key that backs it up is still valid. Uh, then that enables lots of different scenarios, because then you could put lots of other documents that represent. Um, additional information that you could then trust because there's a signature associated with it. Um, that said, I think, and I'll cue this up for you, Justin, to kind of, to jump in. I think there's a little bit of a challenge is that signature good enough to actually mean anything. And do we need to take it further to what you've been doing with tough, um, to do some additional validation. And I think that's the push and pull part that I'm just trying to get my head around. Um, we just get my head around. So with that, I'll guess. Is this, is this the, we're talking about the scenarios document discussion, right? I just want to be a hundred percent. Yeah. So basically the, um, Am I being too concrete in some of the technology or maybe scope? Yeah. So, so yeah, and I'll just, you know, because I am going to have to drop off soon, I'll, I'll try to keep this kind of brief, just to explain the sort of problem here to people. So, um, one, one, uh, if you kind of over scope scenarios, um, like are too precise in how you're describing things, you can run into crazy situations. And so I'll just give kind of an example here. So, um, you know, let's, let's say that you, you know, rather than doing anything with no, whatever, we're just trying to move people that have had some kind of medical emergency, um, quickly to hospitals. That's like the, the kind of thing we're trying to do. Um, then if, if we kind of over describe this and talk about how, you know, um, like any vehicles for doing this have to have puncture, resistant tires with thinking being that, you know, if an ambulance is carrying someone and it runs over a, you know, a board with nails and the middle of the road and gets a flat tire than that results in deaths. Um, if you kind of over specify it in that way to say all vehicles that transport people must have tires that are puncture resistant, then, um, the problem you run into is that later your design that you come up with may involve, for instance, helicopters that fly people from hard to access locations. And then those are required to be fitted with puncture resistant tires. He's kind of like, you know, to continue my silly example here. That's a good example. So what I'm arguing for in, to try to bring it back home. Um, what, what I'm arguing for in the scenarios is for us to focus on the goals we're trying to achieve and to leave as much as possible of the mechanisms out so that we're not being specific, but instead of talking about the fact that, um, you know, that, that, um, like there have to be puncture resistant tires on the ambulance is the fact that, you know, the goal has to be that we have to be able to transport things and have this reliability and this resistance to these types of, you know, conditions and scenarios and so on. Because, um, then I think we can better ensure that what we're getting is actually a solution that, that meets the goals, not just, um, uh, sort of, uh, like, uh, you know, doesn't already have pre-baked into it a bunch of design that some of which maybe doesn't, uh, doesn't fit or, uh, possibly, you know, wouldn't, uh, isn't justifiable. No, totally fair. Um, I think there's no, um, it's hard to debate that because it's a very valid point, right? It's, uh, I was going to make some joke about helicopters. Still have tires, the big ones, but you know, they can still get there. You know, they sketch across, but anyway, um, I think the question is, uh, so here's the larger part. One of the things that, and I want to circle back around to this, as I think in some places we're being so open-ended that people are having struggles on where to engage and provide more context. So the example I've been using lately is, you know, we've got electricians, we've got plumbers, we've got, uh, cabinet builders, if you will, and they know that task really, really well. Uh, the concrete example is I have some people internally that are handle key management and they've been hacking at notary, uh, notary or Docker content trust and how they could create private keys, uh, in a separate environment so that they're never actually on build machines. Um, and they're not knowing where to plug in. So the only thing they can see is the existing Docker content trust. So I have some internal teams that are starting to build up solutions around something that we know doesn't work. So what I've been struggling a bit with is how can we give enough of a sketch and I'm purposely using the word sketch as opposed to a blueprint of what this thing is going to look like on this vacant lot and the vacant lot is on a hillside, not on a beach. It's, you know, a two-story house with four bedrooms. And if we can outline, you know, the basics of it, um, that, and maybe to your point, it's like, Hey, I've got a family of four with two kids that are aged two and four or whatever. Is there enough details there that it gives the ability for people to bring their expertise in and know where to contribute? And, you know, the analogy there is like, you know, the sketch shows that there's this big house and there's this big room and the kitchen people could come in going, you know, if you move the wall over four inches, I can get this thing in and then the somebody else can say whatever they about keeping the roof up high. So, right, there is one perspective and that's, and that's why we've tried to put some things in the scenarios or in the DevOps flows that people are doing related to containers. I'm using containers, but I air quoted it because I wanted to be more artifact driven, but is specific into a registry. So. Using, I just think we, you know, I don't think there's wild disagreement, but I do think that having the scenarios be the requirements, the actual like required things in scenarios is important and having the threat model and and some other things related to that exist at a high level, including perhaps some of the, you know, some of the UX slash design work really gets kind of co created, but I think you need to have like the threat model and you need to have the like a scenarios that's, that's not at that level. And then once we have that, then I think that you're absolutely right that people can step in and propose things with designs. But otherwise, like, how do we judge if we just bake it into scenarios, then how do we judge if a requirement is a good, like if a scenario part of a requirement is part of a scenario is good or not. We sort of don't have that the way to really reason about it. It's just, well, it was written and it was agreed to. And that's, that's not, not really the, you know, whereas I think the scenarios themselves, we all, we could all agree on the goals and the scenarios absent the design aspects, which I hope, you know, but yeah, I can see why right now it would be hard for an electrician or a plumber to come in just like before the architect has, you know, has drawn a sketch of the building. It's hard for them to do that. And so we do this for architectural purposes. So that would help me a little bit more. This is why it was because I haven't been disagreeing with your feedback. I just I'm trying to figure how to make it actionable. And by all means others, you know, I'm looking around and I see some people that are, you know, have a lot of great contents. So please chime in with info. I'm trying to figure out how to turn it into more concrete. I mean, this is where, you know, I want to tap into the fact that you being a professor have the ability to communicate this in a better way. So if you could help me structure, structure the wording a little bit better, I'm really happy to do that. Because I what I'm, what I'm wondering though, is like, when I look at this, I don't see, I'm not seeing, you know, it's always about perspective, right? I mean, you know, the concrete things that are the need to change as an example, for instance, like there is a presumption around, we want registries, we want these DevOps flows. What is it that is there a specific thing that I could be word or restructure in a different style of that would help you would make it more generic in a way. I'm going to have to drop, but I think that level of specificity we could discuss and do. But in general, there's things that aren't going to change. I mean, there's the mountains in your example, the hillside is there. The size of the plot is there. The number of people that need to do things, and the fact that they need to be safe, those don't change. But then the actual mechanisms used to accomplish those are like, those are not forces of nature. It's not, you know, of course, you know, they have to be wooden beams in your house example, or of course we have to do signing in this way, or of course we have to do whatever. I mean, we very likely will agree with a large part of what's proposed, but the, you know, we'll end up with a lot of that in the design. But with that baked into the scenarios, it becomes hard in many ways to tell if we've like presumed things that we shouldn't have as part of it. And it'll give us like a much firmer foundation. So I'll talk with you more about this offline. And maybe we can also include Justin Cormack, who's got a brief conversation with him. And I think we're, we're seeing a lot of the same kinds of things. So, okay. Rather than just to make a quick phone call with me or, you know, something. So I pinged him. So hopefully we'll have that to review that it scales much better when it's written. So have a good day. We'll chat later, ping me. We'll figure out something. We'll bring the conversation back to the group. Sounds good. Thanks. Thanks, Justin. Thank you. Thank you. Thank you. Thank you. Could we maybe attract those suggestions as a pull request on the current specifications? Uh, So the, so yes, but I, I, I'm not sure. Yes. If. When I butcher somebody's pronunciation name, please correct me. That is what we were discussing. I didn't actually paste it because I was talking again. There is a PR. I'm not sure. I don't know. I don't know. I don't know. I don't know. I don't have any requirements for the scenarios that mark down. That Justin, I've been discussing back and forth. So are you looking for more? Or are you. Or are you looking to try to capture these notes in? Yeah, just making sure we're capturing this notes in PR. Because I wouldn't want to have those over discussion and then lose track of them. I think like putting in a PR makes it more concrete where we can just review it and say, yes, this makes sense to up level it and we can just apply it. Yeah. Yeah. So, this notes and you can see what I think we are doing. Just what you're asking. But again, this is always about perspective, right? So it's. Let me take. I'm going to put the link to my response because my response is right after Justin. So this way you'll capture both. So I'm just going to put it here. We're adding a name and we're adding a default. We're adding a default price.group planning and top of valuation. I've highlighted that with a PR, PR, whoops. You're number 15. So take a look at that. If you don't feel like that covered what we just did. We can always do more. It's always a balance of the notes we're taking here versus taking notes in PR is completely. So that was one of the things I think I wanted to bring up I think it would be more efficient if they actually commented on the PRs themselves and closed them outside of the meeting. I'm sorry, this is the problem with typing and listening. You said a part of it, repeat your last part of the sentence. So I think part of the problem has been that we've been debating PRs and scenarios in the meeting itself, whereas I think the looking at the PRs and commenting on them over time and then giving people enough time to comment and then closing them out in a week would be we'd be making I think more progress that way rather than trying to debate everything in the 30 minute call. Yeah, no, it's fair. I think it would try to do a combination of both because sometimes the back and forth in text gets lost where a phone call helps facilitate but then there's a combination of both to be fair. An example, I was on a completely different project. I was going back and forth, I completely missed what a person's context was. Somebody pinged me offline, explained to me some of their background, and when I considered their background and then we were talking through it, I understood exactly what they were referring to and there was an easy change for me to make, but it only happens with that dynamic conversation. So we're not trying to do one or the other, I think is the thing. And we've had a lot of good feedback on the PRs that we've gotten some stuff in. So please take a look at that PR and we want to support both. We know some people think better by typing and some conversations work better by conversation, but we want to capture both. Anything else on that one, before we go to the next, well, the threat model update, I don't know, Sam, were you able to look at who's here to provide an update on that? I don't have an update to provide. Okay. Okay. One of the last things that came out of the threat model conversation we had roughly two weeks back was that until we have more of a design in place, it's really hard to do sort of like a threat model analysis. The one thing that we talked about a bit in that one was looking at key management from outside of a threat model perspective. I think at a high level, we understand the threats we want to cover, but a real full detailed analysis comes after we have more of the design in place. We may want to look into how we want to sequence those parts of the project. No, that's great. Actually so this is, there is a threat model doc and maybe the threat model doc is not titled properly. The threat model doc was supposed to be, here's the high level threats that we want to encounter. To your previous comment, this was the conversation we had in the initial scenarios doc that Justin had provided. And we actually moved some of the feedback from the scenarios into the threat model. So the idea is that, and again, I'm open to threat model doc markdown be renamed to something as threat model requirements or something. So yeah, I think we want to make sure we're capturing that because it did tease out some really good info on camera, which particular one it was. I think it was some of the revocation scenarios. Yeah, I think if we call this like acknowledged threats from V1 that we're trying to address, I think that's a fruitful conversation. And I think that's one where I'd like to talk to both Justin and figure out when we look into threat model versus what can we get done for the key management. Now there were some interesting conversations on key management. My audio was a little bit garbled last week, but I think there are high level questions around what we want the signing to attest to versus what we view as sort of like updates that are necessarily not security related. I think Justin brought up last week that you'd always be pushing everyone to use the latest version of the update and use that to make sure they're getting all the patches and everything that they need. I think we'd push back against that a little bit and say that not necessarily every update has a flaw and then we'd look more at like the key management and how keys are revoked to track security vulnerabilities. But you should be able to roll back to a previous version of software as long as you know that doesn't have any vulnerabilities in it. No, I remember that from last week and that was there's lots of interesting conversations around the rollback concept and when does it happen and so forth. So and that's what I'd love to see written up more because I think it it's it's hard to digest until you can read it four or five times. Okay, let me I'm going to finish my note here for a second about splitting up the threat. What did you what did you call it the threat model requirements? Yeah, so this is like I would say we call it like current threat models that we can address for Nord AV1 and then a key management discussion that is separate from a threat model discussion of a design. Key management separate from a threat model design, right? Yeah, great, perfect. We and we talked about having the key manager being a separate work group. I think there were so many people that were overlap. We left at the same, but I think we need to split it out. I know and I'm looking I don't see some of the Microsoft folks on because they're actually on a conflicting call. But we've been also trying to figure out and this actually come up to the UX flow. So let me just broaden back. So I mentioned that we've internally been have some teams that were working on this as with any large company. There's lots of people working on things. I got to work with John Gosman has this Gosman's rule that any good idea has at least five implementations going on and you only know about three. I'm assuming it's the same with other companies as well. So the some of these things did pop up that these other teams were working on it. So what we've been trying to figure out is how to work on a little bit of that sketch and we realize that this will be absolutely iterative. So luckily instead of physically building a real house, it'll be a little bit more of a Lego model, if you will, that it's easy to kind of tear it back down, rebuild it up as we learn more. But I think there's some contractors that want to get in and start doing some plumbing and electrical. And only after they do some of the work will they realize some of the things are going to bubble out for requirements. Omar Paul was really good about, I think it was Omar, was mentioning that we need to make sure that key management is a pluggable model. So that we're not tied to the keys being part of the registry per se. That native US you can use their key management Azure. You can use our key management and others you can use, I just drew a blank. Hashi Corpse, Key Vault for instance. But there's other things around keys being offline is another scenario. So to try to move some stuff forward, what we've been talking about is the UX probably being a bit of that sketch. Like having this scenario is written down and we'll continue this conversation that Justin and I were just discussing. Cuz I'm not, I think, I'm not sure he's, the thing that I'm trying to make sure is are we debating the actual content, the intention or the goals or whatever are wrong or just it's the wording and the style that are making it too difficult to try to figure out how to implement. So those are subtleties that we should work on. But can we continue to make a little more progress in this era of cycles? So we've been talking about having a little bit of a UX flow to help put a sketch that here's the interaction models we wanna have from a usability. And an experience in the sense of what we're capturing and enabling and start allowing some of the people to work on different parts of the project. So we're talking about getting that done, release started. We'll probably sketch it out for the remaining of this month. Let's just look at the calendar cuz we have some people that will be available in the beginning of May that can start hacking at a solution. So we were gonna just sketch out some stuff with like a UX flow that will tease out some of these things and hopefully that'll provide a very, again, very iterative on how we're thinking about all these different things. So I promised a couple of weeks ago nothing is gonna be concrete cuz we know everybody's, first of all, everybody's engaged. Normally this would be something we wanna make sure we capture and certainly at this time where people have to disappear for a couple of weeks for reasons of world pandemic. We wanna make sure that everybody had a chance to jump back in and take a look. So that was the main topic there. Actually, I just realized we're actually at 11 and we are at a half an hour. That makes sense to me. I think if they're also in this Slack channel and we wanna look at other times to kind of look at what we understand as concerns and be one that we wanna address and see if we have consensus there. Happy to set up a meeting at a different time. If you can ping me their aliases, I can reach out to them and see if we can schedule a chat at a different time. Yeah, we probably, this is something we talk about a lot about moving it to evening and morning so that people in other parts of the world can contribute. And we never seem to get that done because moving is almost more difficult. But let's see what we can, I don't know what voting app is good for good times, but let's, yeah, why don't we talk about that? Again, we just talked about in the Slack, when I say offline it's necessary always in private. Let's just ping each other on the Slack channel for the Notary Vee too. And see what we can come up with and we can find another meeting time. Yep, I think there if you, for me like in the past, like when we went to the Threat Mall discussion, I retouched to Cormac and Kappos and we were able to figure out times and then just shared that in the regular Slack channels so everyone else could join in. So if you have people in Microsoft that are working on key management and you ping me their aliases, I can make sure that we find times that work for them. Excellent. All right, well, thank you, folks. We have a small group this week. I hope everybody's doing well. Glad Justin is back feeling good. And I look forward to talk to you guys on Slack in next week. Thanks, folks. Thank you.