Document: draft-ietf-suit-report
Title: Secure Reporting of Update Status
Reviewer: Russ Housley
Review result: Not Ready

I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-suit-report-14
Reviewer: Russ Housley
Review Date: 2025-08-07
IETF LC End Date: 2025-08-11
IESG Telechat date: Unknown

Summary: Not Ready

Major Concerns:

Section 5: I do not understand the meaning of "Manifest Processor & Report Generator". This is part of a MUST statement, and it is unclear what is required.

Section 5: The last paragraph begins with "This information is not intended". I cannot determine what information is being referenced, and it is unclear what SHOULD be translated into general-purpose claims.

Section 7: This section does not have any information that will assist an implementer. It does not explain what makes an EAT measurements type more consumable than a SUIT_Report on its own. If this section is kept, it should include a reference to EAT; the reference is several pages earlier.

Minor Concerns:

Section 4: It is not clear which algorithm will be used to compute the SUIT_Digest. The structure is defined in [I-D.ietf-suit-manifest], and I copy it here:

   SUIT_Digest = [
     suit-digest-algorithm-id : suit-cose-hash-algs,
     suit-digest-bytes : bstr,
     * $$SUIT_Digest-extensions
   ]

For example, is the party that produces the SUIT_Reference that contains the SUIT_Digest expected to use the same hash algorithm as was used in the SUIT_Manifest?

Section 5: What does the term "well-informed" really mean here? I read the sentence without this term and come away with the same understanding. Can this be dropped?

Nits:

Section 3: s/well, however this/well; however, this/

Section 4: s/of SUIT_Records/of SUIT_Records as defined in Section 3/

Section 5: s/SUIT_report/SUIT_Report/