Remote ATtestation procedureS (RATS) Architecture
draft-ietf-rats-architecture-22

Ballot positions:

Yes: Roman Danyliw

No Objection: Erik Kline, John Scudder, Zaheduzzaman Sarker, (Andrew Alston)

Note: This ballot was opened for revision 21 and is now closed.

Roman Danyliw
Yes
Erik Kline
No Objection
John Scudder
No Objection
Paul Wouters
No Objection
Comment (2022-09-07 for -21) Sent
Thanks for the document. A few comments only.

#1 Figure 3

I cannot make sense of Figure 3. I understand the text in Section 3.2, so it might
not matter. But for instance the figure does not show to me at all that the bootloader
attested the kernel.

#2 Dark sides

Obviously, this architecture can be misused for bad things. It might be nice to have a section on this as per RFC 8280, but I am also not sure what to say other than "don't use this to restrict people based on discriminatory features".

#3 IPR

I am a little concerned about the IPR claims filed. Intel reserves the right to charge, and Huawei only allows free use for Section 4.3 and 6, even though there is no Section 4.3 and it makes little sense for Section 6? I also believe that this document merely lists very generic concepts based on known prior art (but I am not a lawyer).
Warren Kumari
No Objection
Comment (2022-09-07 for -21) Not sent
I have very little to add, other than noting that I find Use-Case and Architecture documents to be really helpful.
They help "set the stage" when reading a new set of documents, or deploying a new technology. Thank you!
Zaheduzzaman Sarker
No Objection
Alvaro Retana Former IESG member
No Objection
No Objection (2022-09-07 for -21) Sent
Should the datatracker show that this document replaces both draft-birkholz-rats-architecture and draft-thaler-rats-architecture?
Andrew Alston Former IESG member
No Objection
No Objection (for -21) Not sent
Lars Eggert Former IESG member
No Objection
No Objection (2022-09-07 for -21) Sent
# GEN AD review of draft-ietf-rats-architecture-21

CC @larseggert

Thanks to Gyan S. Mishra for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/weBLFxmD2doRWhcZDm-kGjv8m0A).

## Comments

### Boilerplate

This document uses the RFC2119 keyword ['SHOULD'], but does not contain the
recommended RFC8174 boilerplate.

I don't think you need to add the boilerplate, simply rephrase the sentence
so it is more clear that you are in fact citing RFC4086 here?

### Inclusive language

Found terminology that should be reviewed for inclusivity; see
https://www.rfc-editor.org/part2/#inclusive_language for background and more
guidance:

 * Terms `native` and `natively`; alternatives might be `built-in`,
   `fundamental`, `ingrained`, `intrinsic`, `original`

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Grammar/style

#### Section 2.6, paragraph 2
```
uthenticator. Relying Party: Any web site, mobile application back-end, or s
                                 ^^^^^^^^
```
Nowadays, it's more common to write this as one word.

#### Section 3, paragraph 2
```
em component, device is often used as a illustrative synonym throughout this
                                      ^
```
Use "an" instead of "a" if the following word starts with a vowel sound, e.g.
"an article", "an hour".

#### Section 3, paragraph 4
```
l messages shown in Figure 1. Section Section 4 provides a more complete def
                              ^^^^^^^^^^^^^^^
```
Possible typo: you repeated a word.

#### Section 3.2, paragraph 4
```
-entity can be called an Attester. Among all the Attesters, there may be onl
                                   ^^^^^
```
Do not mix variants of the same word ("among" and "amongst") within a single
text. (Also elsewhere.)

#### Section 3.2, paragraph 5
```
 final Evidence to the Verifier. Therefore the router is a composite device,
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Therefore".

#### Section 3.2, paragraph 6
```
t that connects to the Verifier. Typically one router in the group is design
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Typically".

#### Section 4.1, paragraph 9
```
ation (e.g., birth certificate) is the the Evidence, the passport is an Attes
                                   ^^^^^^^
```
Possible typo: you repeated a word.

#### Section 5.2, paragraph 7
```
e Verifier is an expected one by out of band establishment of key material, c
                                 ^^^^^^^^^^^
```
Did you mean "out-of-band"?

#### Section 7.4, paragraph 1
```
e 1 illustrates the flow of a conceptual messages between various roles. This
                            ^^^^^^^^^^^^^^^^^^^^^
```
The plural noun "messages" cannot be used with the article "a". Did you mean "a
conceptual message" or "conceptual messages"?

#### Section 7.5, paragraph 1
```
n Attester, which can include privacy sensitive information as discussed in s
                              ^^^^^^^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 7.5, paragraph 2
```
ve information as discussed in section Section 11. Unlike Evidence, which is
                               ^^^^^^^^^^^^^^^
```
Possible typo: you repeated a word.

#### Section 9, paragraph 10
```
 new epoch, such as by using a counter signed by the Epoch ID Distributor as
                               ^^^^^^^^^^^^^^
```
This word is normally spelled as one word.

#### Section 9, paragraph 10
```
essages that might be associated with a epoch ID that the receiver has not ye
                                      ^
```
Use "an" instead of "a" if the following word starts with a vowel sound, e.g.
"an article", "an hour".

#### Section 9, paragraph 11
```
 ID approach minimizes the state kept to be independent of the number of Att
                                 ^^^^^^^^^^
```
The verb "kept" is used with the gerund form.

#### Section 11, paragraph 7
```
avoid attacks where an attacker is able get a key they control endorsed. To s
                                   ^^^^^^^^
```
The preposition "to" is required before the verb "get".

#### Section 11, paragraph 8
```
 authentication, * auditing, * fine grained access controls, and * logging. S
                               ^^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 12.1.1, paragraph 1
```
pants in a certain epoch of choice for ever, effectively freezing time. This
                                   ^^^^^^^^
```
The adverb "forever" is spelled as one word.

```
station Result contains an expiry time time(RX_v) then it could explicitly ch
                                  ^^^^^^^^^
```
Possible typo: you repeated a word.

#### Section 16.2, paragraph 20
```
 it to its own clock or timestamps. Thus we use a suffix ("a" for Attester, "
                                    ^^^^
```
A comma may be missing after the conjunctive/linking adverb "Thus".

#### "Appendix A.", paragraph 3
```
me(EG_a)-time(VG_a) < Threshold. Similarly if, based on an Attestation Resul
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Similarly".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool
Robert Wilton Former IESG member
No Objection
No Objection (2022-09-06 for -21) Sent for earlier
Hi,

Thanks for this architecture document.  I only have a few minor/nit level comments:

Minor level comments:

(1) p 35, sec 10.4.  Discussion

   Implicit and explicit timekeeping can be combined into hybrid
   mechanisms.  For example, if clocks exist and are considered
   trustworthy but are not synchronized, a nonce-based exchange may be
   used to determine the (relative) time offset between the involved
   peers, followed by any number of timestamp based exchanges.

By trustworthy, I assume that this means that it is known that the clock on the device isn't suffering from clock skew?

Nit level comments:

(2) p 3, sec 1.  Introduction

   in making one's decision to trust it or not.  This is subtle

This is a subtle ...


(3) p 22, sec 5.3.  Combinations

       .-------------.
       |             | Compare Evidence
       |   Verifier  | against appraisal policy
       |             |
       '--------+----'
            ^   |
   Evidence |   | Attestation
            |   | Result
            |   v
       .----+--------.
       |             | Compare
       |   Relying   | Attestation Result
       |   Party 2   | against appraisal policy
       '--------+----'
            ^   |
   Evidence |   | Attestation
            |   | Result
            |   v
       .----+--------.               .-------------.
       |             +-------------->|             | Compare Attestation
       |   Attester  |  Attestation  |   Relying   | Result against
       |             |     Result    |   Party 1   | appraisal policy
       '-------------'               '-------------'

As a very minor nit, I'm surprised that the numbering of the relying parties is not the other way round, since presumably the flow talks to relying party 2 before relying party 1.  An alternative suggestion could be to label them something like "Main Relying Party" and "Secondary Relying Party".

Regards,
Rob
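The hybrid timekeeping quoted from Section 10.4 in the comment above (trustworthy but unsynchronized clocks: one nonce-based exchange to learn the relative offset, then timestamp-based exchanges) can be made concrete as follows. This is an added example, not code from the RATS architecture document or its authors. The Evidence layout, the HMAC standing in for the Attester's signature, the simulated skewed clocks, the 50 ms network delay and the 30-second freshness threshold are all assumptions made for the example; the architecture's own time(EG_a)/time(VG_a) notation is not reproduced here.

```python
"""Hybrid timekeeping for remote attestation (added example, not the draft's code).

Both clocks tick at the correct rate (trustworthy) but disagree by an unknown
constant. One nonce-based exchange measures that offset; later Evidence is then
appraised by timestamp alone. All names and values below are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

KEY = b"constructed-attester-key"  # stands in for the Attester's attestation key


class World:
    """One simulated physical timeline; each party reads it through a skewed clock."""
    def __init__(self) -> None:
        self.t = 0.0

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class Clock:
    """Correct rate, unknown constant skew: 'trustworthy but not synchronized'."""
    def __init__(self, world: World, skew: float) -> None:
        self.world, self.skew = world, skew

    def now(self) -> float:
        return self.world.t + self.skew


def _canonical(ev: dict) -> bytes:
    """Bytes covered by the MAC: every field except the MAC itself."""
    return json.dumps({k: v for k, v in ev.items() if k != "mac"}, sort_keys=True).encode()


class Attester:
    def __init__(self, clock: Clock, key: bytes) -> None:
        self.clock, self.key = clock, key

    def evidence(self, nonce: Optional[str] = None) -> dict:
        # Claims are constructed placeholders for measured TCB state.
        ev = {"claims": {"kernel": "sha256:0123"}, "time_a": self.clock.now(), "nonce": nonce}
        ev["mac"] = hmac.new(self.key, _canonical(ev), hashlib.sha256).hexdigest()
        return ev


class Verifier:
    def __init__(self, clock: Clock, key: bytes, threshold: float) -> None:
        self.clock, self.key, self.threshold = clock, key, threshold
        self.offset: Optional[float] = None  # estimate of (Attester clock - Verifier clock)
        self.uncertainty = 0.0               # half the measured round trip

    def _mac_ok(self, ev: dict) -> bool:
        expect = hmac.new(self.key, _canonical(ev), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, ev.get("mac", ""))

    def calibrate(self, send: Callable[[str], dict]) -> float:
        """Nonce-based exchange: the nonce proves freshness; the Attester's timestamp,
        placed at the round-trip midpoint on our clock, yields the relative offset."""
        nonce = secrets.token_hex(16)
        t_send = self.clock.now()
        ev = send(nonce)
        t_recv = self.clock.now()
        if not self._mac_ok(ev) or ev.get("nonce") != nonce:
            raise ValueError("calibration failed: bad MAC or wrong nonce")
        self.offset = ev["time_a"] - (t_send + t_recv) / 2
        self.uncertainty = (t_recv - t_send) / 2
        return self.offset

    def appraise(self, ev: dict) -> str:
        """Timestamp-based appraisal, meaningful only after calibration."""
        if self.offset is None:
            return "reject: no offset established, run a nonce exchange first"
        if not self._mac_ok(ev):
            return "reject: bad MAC"
        generated_v = ev["time_a"] - self.offset  # generation time on the Verifier's clock
        age = self.clock.now() - generated_v
        if age < -self.uncertainty:
            return "reject: Evidence timestamp is in the future"
        if age > self.threshold:
            return f"reject: stale, age {age:.1f}s exceeds {self.threshold:.0f}s"
        return "accept"


def run_demo() -> dict:
    world = World()
    attester = Attester(Clock(world, skew=1000.0), KEY)  # Attester clock reads 1000 s ahead
    verifier = Verifier(Clock(world, skew=0.0), KEY, threshold=30.0)

    def channel(nonce: str) -> dict:  # constructed network: 50 ms each way
        world.sleep(0.05)
        ev = attester.evidence(nonce)
        world.sleep(0.05)
        return ev

    before = verifier.appraise(attester.evidence())  # timestamps alone are useless before calibration
    offset = verifier.calibrate(channel)
    world.sleep(10.0)
    ev = attester.evidence()                         # timestamp only, no nonce
    fresh = verifier.appraise(ev)
    world.sleep(60.0)
    replayed = verifier.appraise(ev)                 # same Evidence presented again later
    tampered = dict(ev, time_a=ev["time_a"] + 60.0)  # forged timestamp no longer matches the MAC
    return {"before": before, "offset": offset, "fresh": fresh,
            "replayed": replayed, "tampered": verifier.appraise(tampered)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point the quoted text makes, and the example shows, is that the nonce exchange establishes only a relative offset (here roughly 1000 s, bounded by half the round trip), which is enough for every later timestamp-only Evidence to be checked against a freshness threshold; it does not establish absolute time, and a Verifier that skips the exchange has nothing to compare timestamps against.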