contentauth / c2patool

Command line tool for displaying and adding C2PA manifests
Apache License 2.0

Appetite for SCITT repository connection? #125

Open JAG-UK opened 1 year ago

JAG-UK commented 1 year ago

Short intro: I am co-chair of the IETF Supply Chain Integrity, Transparency and Trust working group. We define an open architecture and REST interface for notarising and verifying digital supply chain artifacts to promote transparency and detect/discourage fraud in multi-party systems.

I believe that SCITT offers a very good answer to the question of external assertion stores as outlined in the C2PA specification, particularly for adversarial scenarios where things like stripping or deliberate messing with manifests could be an issue. In short (though it's more nuanced than this in reality) SCITT offers an interoperable way of committing to a blockchain and verifying the proofs without needing big upheaval of application infrastructure and so on.

I already have a simple way to do this with command chaining (just putting the output of C2PA tool into a SCITT command line tool) but think it would be good to make this a built-in option and save such work being widely duplicated and fragmented. If the maintainers are happy with this idea I'll create a branch.

More info at https://scitt.io and https://datatracker.ietf.org/wg/scitt/documents/

andyparsons commented 1 year ago

Thanks @JAG-UK. I'm reading up but not very familiar with SCITT. Can you point to any docs or literature on adoption of SCITT? Is there a good proof of concept/production application that would make near-term use of this if it were to be added? Thanks!

JAG-UK commented 1 year ago

Hi @andyparsons

SCITT is pretty early so we're working on specs and adoption in real time (just like C2PA :-) ) but we have a good cross-over of supporters and contributors which is in part why I think the fit is so strong.

As for a proof-of-concept, there's a SCITT emulator that aims to keep pace with the standard development. It's fully open source and intended to work as both emulator and client interoperability tester. The code is here: https://github.com/scitt-community/scitt-api-emulator

On top of that we've created an RKVST integration that enables that same client to use the RKVST service for authentication and ledger storage, and others have created implementations of the necessary COSE and CBOR building blocks too. The RKVST branch (which will become a PR RSN as soon as we update the docs) is here: https://github.com/scitt-community/scitt-api-emulator/tree/116-hackathon-rkvst-implementation

There's also a video you can watch of it working in general listed in the resources at the end of this post. This again looks at my company's particular implementation but the principles would apply to any choice of SCITT service, of which we hope and expect to see many.

Other resources: