Remote ATtestation procedureS (RATS) Architecture
draft-ietf-rats-architecture-22
Yes: Roman Danyliw
No Objection: Erik Kline, John Scudder, Zaheduzzaman Sarker, (Andrew Alston)
Note: This ballot was opened for revision 21 and is now closed.
Roman Danyliw
Yes
Erik Kline
No Objection
John Scudder
No Objection
Paul Wouters
No Objection
Comment
(2022-09-07 for -21)
Sent
Thanks for the document. A few comments only.

#1 Figure 3

I cannot make sense of Figure 3. I understand the text in Section 3.2, so it might not matter. But for instance the figure does not show to me at all that the bootloader attested the kernel.

#2 Dark sides

Obviously, this architecture can be misused for bad things. It might be nice to have a section on this as per RFC 8280, but I am also not sure what to say other than "don't use this to restrict people based on discriminatory features".

#3 IPR

I am a little concerned about the IPR claims filed. Intel reserves the right to charge, and Huawei only allows free use for Sections 4.3 and 6, despite the fact that there is no Section 4.3, and it makes little sense for Section 6? I also believe that this document merely lists very generic concepts based on known prior art (but I am not a lawyer).
Warren Kumari
No Objection
Comment
(2022-09-07 for -21)
Not sent
I have very little to add, other than noting that I find Use-Case and Architecture documents to be really helpful. They help "set the stage" when reading a new set of documents, or deploying a new technology. Thank you!
Zaheduzzaman Sarker
No Objection
Alvaro Retana Former IESG member
No Objection
(2022-09-07 for -21)
Sent
Should the datatracker show that this document replaces both draft-birkholz-rats-architecture and draft-thaler-rats-architecture?
Andrew Alston Former IESG member
No Objection
(for -21)
Not sent
Lars Eggert Former IESG member
No Objection
(2022-09-07 for -21)
Sent
# GEN AD review of draft-ietf-rats-architecture-21

CC @larseggert

Thanks to Gyan S. Mishra for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/weBLFxmD2doRWhcZDm-kGjv8m0A).

## Comments

### Boilerplate

This document uses the RFC2119 keyword ['SHOULD'], but does not contain the recommended RFC8174 boilerplate. I don't think you need to add the boilerplate; simply rephrase the sentence so it is more clear that you are in fact citing RFC4086 here?

### Inclusive language

Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance:

 * Terms `native` and `natively`; alternatives might be `built-in`, `fundamental`, `ingrained`, `intrinsic`, `original`

## Nits

All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions.

### Grammar/style

#### Section 2.6, paragraph 2
```
uthenticator. Relying Party: Any web site, mobile application back-end, or s
                                 ^^^^^^^^
```
Nowadays, it's more common to write this as one word.

#### Section 3, paragraph 2
```
em component, device is often used as a illustrative synonym throughout this
                                      ^
```
Use "an" instead of "a" if the following word starts with a vowel sound, e.g. "an article", "an hour".

#### Section 3, paragraph 4
```
l messages shown in Figure 1. Section Section 4 provides a more complete def
                              ^^^^^^^^^^^^^^^
```
Possible typo: you repeated a word.

#### Section 3.2, paragraph 4
```
-entity can be called an Attester. Among all the Attesters, there may be onl
                                   ^^^^^
```
Do not mix variants of the same word ("among" and "amongst") within a single text. (Also elsewhere.)

#### Section 3.2, paragraph 5
```
final Evidence to the Verifier. Therefore the router is a composite device,
                                ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Therefore".

#### Section 3.2, paragraph 6
```
t that connects to the Verifier. Typically one router in the group is design
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Typically".

#### Section 4.1, paragraph 9
```
ation (e.g., birth certificate) is the the Evidence, the passport is an Attes
                                   ^^^^^^^
```
Possible typo: you repeated a word.

#### Section 5.2, paragraph 7
```
e Verifier is an expected one by out of band establishment of key material, c
                                 ^^^^^^^^^^^
```
Did you mean "out-of-band"?

#### Section 7.4, paragraph 1
```
e 1 illustrates the flow of a conceptual messages between various roles. This
                            ^^^^^^^^^^^^^^^^^^^^^
```
The plural noun "messages" cannot be used with the article "a". Did you mean "a conceptual message" or "conceptual messages"?

#### Section 7.5, paragraph 1
```
n Attester, which can include privacy sensitive information as discussed in s
                              ^^^^^^^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 7.5, paragraph 2
```
ve information as discussed in section Section 11. Unlike Evidence, which is
                               ^^^^^^^^^^^^^^^
```
Possible typo: you repeated a word.

#### Section 9, paragraph 10
```
new epoch, such as by using a counter signed by the Epoch ID Distributor as
                              ^^^^^^^^^^^^^^
```
This word is normally spelled as one word.

#### Section 9, paragraph 10
```
essages that might be associated with a epoch ID that the receiver has not ye
                                      ^
```
Use "an" instead of "a" if the following word starts with a vowel sound, e.g. "an article", "an hour".

#### Section 9, paragraph 11
```
ID approach minimizes the state kept to be independent of the number of Att
                                ^^^^^^^^^^
```
The verb "kept" is used with the gerund form.

#### Section 11, paragraph 7
```
avoid attacks where an attacker is able get a key they control endorsed. To s
                                   ^^^^^^^^
```
The preposition "to" is required before the verb "get".

#### Section 11, paragraph 8
```
authentication, * auditing, * fine grained access controls, and * logging. S
                              ^^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 12.1.1, paragraph 1
```
pants in a certain epoch of choice for ever, effectively freezing time. This
                                   ^^^^^^^^
```
The adverb "forever" is spelled as one word.

```
station Result contains an expiry time time(RX_v) then it could explicitly ch
                                  ^^^^^^^^^
```
Possible typo: you repeated a word.

#### Section 16.2, paragraph 20
```
it to its own clock or timestamps. Thus we use a suffix ("a" for Attester, "
                                   ^^^^
```
A comma may be missing after the conjunctive/linking adverb "Thus".

#### "Appendix A.", paragraph 3
```
me(EG_a)-time(VG_a) < Threshold. Similarly if, based on an Attestation Resul
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Similarly".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool
Robert Wilton Former IESG member
No Objection
(2022-09-06 for -21)
Sent for earlier
Hi,

Thanks for this architecture document. I only have a few minor/nit level comments:

Minor level comments:

(1) p 35, sec 10.4. Discussion

   Implicit and explicit timekeeping can be combined into hybrid mechanisms. For example, if clocks exist and are considered trustworthy but are not synchronized, a nonce-based exchange may be used to determine the (relative) time offset between the involved peers, followed by any number of timestamp based exchanges.

By trustworthy, I assume that this means that it is known that the clock on the device isn't suffering from clock skew?

Nit level comments:

(2) p 3, sec 1. Introduction

   in making one's decision to trust it or not. This is subtle

This is a subtle ...

(3) p 22, sec 5.3. Combinations

            .-------------.
            |             | Compare Evidence
            |   Verifier  | against appraisal policy
            |             |
            '--------+----'
                 ^   |
        Evidence |   | Attestation
                 |   |   Result
                 |   v
            .----+--------.
            |             | Compare
            |   Relying   | Attestation Result
            |   Party 2   | against appraisal policy
            '--------+----'
                 ^   |
        Evidence |   | Attestation
                 |   |   Result
                 |   v
            .----+--------.               .-------------.
            |             +-------------->|             | Compare Attestation
            |   Attester  |  Attestation  |   Relying   | Result against
            |             |     Result    |   Party 1   | appraisal policy
            '-------------'               '-------------'

As a very minor nit, I'm surprised that the numbering of the relying parties is not the other way round, since presumably the flow talks to relying party 2 before relying party 1. An alternative suggestion could be to label them something like "Main Relying Party" and "Secondary Relying Party".

Regards,
Rob
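The hybrid timekeeping passage quoted in Rob Wilton's comment (1), and the time(EG_a)-time(VG_a) < Threshold check that Lars Eggert's review quotes from Appendix A, describe a mechanism the ballot does not spell out in code. The following is an added, constructed example; it is not code from the draft, from the datatracker page or from any of the reviewers. A Verifier first calibrates the Attester's clock offset from a single nonce-based exchange, then appraises timestamp-based Evidence against that offset and a freshness threshold. The HMAC key, the 30-second threshold, the 12345.678-second clock offset and the 50 ms network delay are all assumptions of this illustration; a real Attester would sign Evidence with an attestation key rather than a shared HMAC key. The drift parameter exists to answer the question in (1): a constant offset is handled by the calibration, but a clock whose rate is wrong (skew) makes the learned offset go stale.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed stand-in for the Attester's attestation key (constructed example).
ATTESTATION_KEY = b"example-attestation-key-do-not-use"
THRESHOLD = 30.0  # assumed acceptable age, in seconds, for timestamp-based Evidence


@dataclass(frozen=True)
class Evidence:
    claims: bytes
    nonce: Optional[bytes]   # present only in the nonce-based exchange
    attester_time: float     # time(EG_a): generation time on the Attester's own clock
    tag: bytes               # integrity tag over claims, nonce and timestamp


def _tag(claims: bytes, nonce: Optional[bytes], t: float) -> bytes:
    msg = claims + b"|" + (nonce or b"") + b"|" + repr(t).encode()
    return hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).digest()


class Attester:
    """Attester whose clock reads true_time * (1 + drift) + offset (constructed)."""

    def __init__(self, offset: float, drift: float = 0.0) -> None:
        self.offset = offset   # unsynchronised but otherwise correct clock
        self.drift = drift     # rate error; non-zero models clock skew

    def clock(self, true_time: float) -> float:
        return true_time * (1.0 + self.drift) + self.offset

    def generate(self, claims: bytes, true_time: float,
                 nonce: Optional[bytes] = None) -> Evidence:
        t = self.clock(true_time)
        return Evidence(claims, nonce, t, _tag(claims, nonce, t))


class Verifier:
    """Verifier with a correct clock; all verifier_time arguments are time(VG_v)."""

    def __init__(self, threshold: float = THRESHOLD) -> None:
        self.threshold = threshold
        self.offset: Optional[float] = None   # verifier_time - attester_time
        self.outstanding: set = set()         # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def _integrity_ok(self, ev: Evidence) -> bool:
        return hmac.compare_digest(ev.tag, _tag(ev.claims, ev.nonce, ev.attester_time))

    def appraise_nonce_based(self, ev: Evidence, verifier_time: float) -> bool:
        """Explicit freshness via the nonce; also calibrates the clock offset."""
        if not self._integrity_ok(ev) or ev.nonce not in self.outstanding:
            return False
        self.outstanding.discard(ev.nonce)                # each nonce is single-use
        self.offset = verifier_time - ev.attester_time    # includes one-way delay
        return True

    def appraise_timestamp_based(self, ev: Evidence, verifier_time: float) -> bool:
        """Implicit freshness: translate time(EG_a) into Verifier time and bound its age."""
        if self.offset is None or not self._integrity_ok(ev):
            return False
        age = verifier_time - (ev.attester_time + self.offset)
        # Delivery faster than the calibration exchange gives a slightly negative
        # age, so the bound is symmetric rather than one-sided.
        return abs(age) < self.threshold


def run_scenario(drift: float, gap: float, replay_after: float = 0.0) -> bool:
    """Calibrate at t=0, then appraise Evidence generated at t=gap and delivered
    replay_after seconds late (0 for a fresh delivery). Returns the appraisal."""
    attester = Attester(offset=12_345.678, drift=drift)   # constructed values
    verifier = Verifier()
    delay = 0.05                                          # constructed one-way delay
    nonce = verifier.challenge()
    ev0 = attester.generate(b"boot-measurements", true_time=0.0, nonce=nonce)
    assert verifier.appraise_nonce_based(ev0, verifier_time=delay)
    ev1 = attester.generate(b"boot-measurements", true_time=gap)
    return verifier.appraise_timestamp_based(ev1, verifier_time=gap + delay + replay_after)


def nonce_replay_rejected() -> bool:
    """A nonce-based Evidence message is accepted once and refused on replay."""
    attester, verifier = Attester(offset=5.0), Verifier()
    ev = attester.generate(b"claims", true_time=0.0, nonce=verifier.challenge())
    first = verifier.appraise_nonce_based(ev, verifier_time=0.1)
    second = verifier.appraise_nonce_based(ev, verifier_time=0.2)
    return first and not second


if __name__ == "__main__":
    print("offset only, 1 h later:", run_scenario(drift=0.0, gap=3600.0))
    print("offset only, replayed 60 s late:", run_scenario(drift=0.0, gap=3600.0, replay_after=60.0))
    print("1e-3 skew, 1 day later:", run_scenario(drift=1e-3, gap=86400.0))
    print("nonce replay rejected:", nonce_replay_rejected())
```

With a pure offset the calibrated timestamp check holds indefinitely and still rejects a replay older than the threshold, while a clock with a rate error of 1e-3 accumulates 86.4 s of error over a day and its Evidence is refused; that is the sense in which the quoted text needs the clock to be "trustworthy" for the hybrid scheme to keep working without periodic re-calibration.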