SCITT Transparency
Supply Chain Integrity, Transparency and Trust — IETF draft-ietf-scitt-scrapi. EPI implements Mode B (SCITT Producer) with Merkle inclusion proofs, independent service keys, and offline receipt verification.
Specification
EPI implements the IETF SCITT architecture as a COSE_Sign1 producer. The full specification is documented in the project repository.
IETF draft-ietf-scitt-scrapi conformance
Architecture
Two independent keypairs enforce separation of duties. The artifact signing key never touches the transparency service.
┌─────────────────────────────────────────────────────────┐
│ EPI Artifact │
│ ┌──────────────┐ ┌──────────────────────────────┐ │
│ │ manifest.json │ │ artifacts/scitt/ │ │
│ │ Ed25519 signed│ │ statement.cbor (COSE_Sign1) │ │
│ │ │ │ receipt.cbor (COSE_Sign1) │ │
│ └──────────────┘ └──────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
│
▼
┌──────────────────────┐ ┌──────────────────────┐
│ Artifact Signing Key │ │ SCITT Service Key │
│ (~/.epi/keys/) │ │ (~/.epi/local-scitt/)│
│ Signs manifest │ │ Signs receipt │
└──────────────────────┘ └──────────────────────┘
Registration flow
# Local (CI, air-gap, development)
$ epi scitt register case.epi --local
[OK] Local SCITT Registration Complete
Service: local
Entry: 8c2576b5f92a348a74e5088fef295a02
# Production (remote transparency service)
$ epi scitt register case.epi --service https://scitt.epilabs.org
[OK] Registration Complete
Entry ID: ...
Trust Level upgraded to MEDIUM
# Verification includes SCITT check
$ epi verify case.epi
Integrity: Verified
Signature: Valid
Transparency: VERIFIED (Merkle inclusion)
Trust Level: MEDIUM (SCITT anchored)
Merkle inclusion proofs
Every receipt embeds a Merkle audit path that proves the statement was registered at a specific position in the transparency log. The proof is verified during epi verify without contacting the service.
Leaf hash sha256(0x00 || tree_index || entry_hash)
Internal sha256(0x01 || left || right)
Root recomputed from leaf + audit path
Verification audit_path → root == signed_tree_head
Local service
The built-in local SCITT service works offline with no extra dependencies. State is stored at ~/.epi/local-scitt/.
~/.epi/local-scitt/
service.key Ed25519 private key (independent from artifact key)
service.pub Ed25519 public key
log.jsonl Append-only transparency ledger
The service keypair is generated automatically on first use. It is separate from the artifact signing key, satisfying SCITT's separation-of-duties model.