IETF Last Call Review of draft-ietf-rats-eat-measured-component-10
review-ietf-rats-eat-measured-component-10-secdir-lc-salowey-2026-01-25-00

Request Review of draft-ietf-rats-eat-measured-component
Requested revision No specific revision (document currently at 12)
Type IETF Last Call Review
Team Security Area Directorate (secdir)
Deadline 2026-01-26
Requested 2026-01-12
Authors Simon Frost , Thomas Fossati , Hannes Tschofenig , Henk Birkholz
I-D last updated 2026-03-02 (Latest revision 2026-02-20)
Completed reviews Secdir IETF Last Call review of -10 by Joseph A. Salowey (diff)
Artart IETF Last Call review of -10 by Henry S. Thompson (diff)
Secdir Telechat review of -11 by Joseph A. Salowey (diff)
Assignment Reviewer Joseph A. Salowey
State Completed
Request IETF Last Call review on draft-ietf-rats-eat-measured-component by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/pAVgEfB0WRzvpptDGjHbHU2Z5kY
Reviewed revision 10 (document currently at 12)
Result Has issues
Completed 2026-01-25
review-ietf-rats-eat-measured-component-10-secdir-lc-salowey-2026-01-25-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is the document is mostly ready, but I would like
some clarification.

The document is well written and has good security considerations, however I am
unclear as to the purpose of the "authority" field. The authority field points
to a public key used for a digital signature. Where is the definition of the
signature and how it is generated? Is this the signature on the EAT?  If so why
does the authority need to be defined here? No doubt this is explained in
another RATS document, but I was not able to find in a quick read of some of
the documents.