Last Call Review of draft-ietf-suit-mud-09
review-ietf-suit-mud-09-secdir-lc-gondrom-2024-12-12-00

Request: Review of draft-ietf-suit-mud
Requested revision: No specific revision (document currently at 09)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-11-14
Requested: 2023-10-24
Authors: Brendan Moran, Hannes Tschofenig
I-D last updated: 2024-12-12
Completed reviews:
  Genart Last Call review of -06 by Behcet Sarikaya
  Iotdir Telechat review of -07 by Michael Richardson
  Opsdir Last Call review of -06 by Susan Hares
  Secdir Last Call review of -09 by Tobias Gondrom
Assignment: Reviewer Tobias Gondrom
State: Completed
Request: Last Call review on draft-ietf-suit-mud by Security Area Directorate, Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/1qi43fwONtFa9vQTzz7zS8CwUSo
Reviewed revision: 09
Result: Ready
Completed: 2024-12-12
Reviewer: Tobias Gondrom

Review result: Ready

Overall, looks good.

One nit:

Page 5

s/not the MUD file primarily to due/ not the MUD file primarily due to

Comments:

I have some mixed views about the MUD URL reference to the MUD file in the
SUIT manifest; it could lead to inconsistent security postures if one
signature works and the MUD signature doesn't verify, and the complexity
might make it difficult to get consistent behavior across implementations.
Also, loading the MUD file from a different source may lead to issues if the
source cannot be reached. Having said that, I can understand why the
authors have chosen this approach to extend the SUIT manifest in a more
flexible manner. The draft could specify more explicitly the rules
(MUST/MUST NOT) for how a network shall react if either the URL cannot be found
or the MUD file signature does not verify.

Also some concern with regard to how the MUD file will work together if an
SBOM would be present, and whether overlap may occur and potentially cause
confusion by the management consoles.

Just my 2 cents.

Best regards, Tobias
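The review above asks the draft to state explicitly how a network must react when the MUD URL carried in a SUIT manifest cannot be fetched or when the MUD file's signature does not verify. The following is an added illustration of what such a fail-closed decision looks like in code; it is not code from draft-ietf-suit-mud or its authors. The signature check is an HMAC stand-in for the real CMS and COSE signatures used by MUD and SUIT, the in-memory "MUD server", keys and URLs are constructed fixtures, and the three postures (admit per MUD, default-deny, quarantine) are this example's own assumptions, not rules from the draft.

```python
"""Fail-closed handling of a MUD URL carried in a SUIT manifest.

Added illustration (not from draft-ietf-suit-mud). It models the outcomes the
review asks the draft to pin down: manifest signature good or bad, MUD URL
reachable or not, MUD signature good or bad. Each outcome maps to exactly one
explicit posture so that every implementation lands on the same answer.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Posture(Enum):
    """Assumed network reactions; the draft itself does not define these."""
    ALLOW_PER_MUD = "apply MUD ACLs and admit"
    DEFAULT_DENY = "admit with default-deny, flag for operator"
    QUARANTINE = "quarantine device, reject update"


@dataclass(frozen=True)
class Signed:
    body: bytes
    sig: bytes  # HMAC stand-in for a CMS/COSE signature (assumption)


def sign(key: bytes, body: bytes) -> Signed:
    return Signed(body, hmac.new(key, body, hashlib.sha256).digest())


def verify(key: bytes, s: Signed) -> bool:
    expected = hmac.new(key, s.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, s.sig)


# Constructed fixtures: trust anchors and a fake MUD file server.
MANIFEST_KEY = b"constructed-suit-signer-key"
MUD_KEY = b"constructed-mud-signer-key"
MUD_BODY = b'{"ietf-mud:mud": {"mud-version": 1}}'
MUD_SERVER = {
    "https://example.invalid/mud/sensor.json": sign(MUD_KEY, MUD_BODY),
    # Same body, bogus signature: the "MUD signature doesn't verify" case.
    "https://example.invalid/mud/tampered.json": Signed(MUD_BODY, b"\x00" * 32),
}


def fetch_mud(url: str):
    """Return the signed MUD file, or None when the URL cannot be reached."""
    return MUD_SERVER.get(url)


def evaluate(manifest: Signed) -> tuple:
    """Decide the posture for a device presenting a SUIT manifest.

    For this illustration the manifest body is just the MUD URL it carries.
    Every branch returns an explicit (Posture, reason); nothing falls through.
    """
    if not verify(MANIFEST_KEY, manifest):
        return Posture.QUARANTINE, "SUIT manifest signature failed"
    url = manifest.body.decode()
    mud = fetch_mud(url)
    if mud is None:
        # The update itself is authentic, so it is not rejected, but a MUD
        # description that was never seen gets no trust either.
        return Posture.DEFAULT_DENY, f"MUD URL {url} unreachable"
    if not verify(MUD_KEY, mud):
        # Valid manifest pointing at a MUD file with a bad signature: the
        # inconsistent case the review warns about, handled as hostile.
        return Posture.QUARANTINE, "MUD file signature failed"
    return Posture.ALLOW_PER_MUD, "manifest and MUD file verified"


if __name__ == "__main__":
    for url in ("https://example.invalid/mud/sensor.json",
                "https://example.invalid/mud/tampered.json",
                "https://example.invalid/mud/missing.json"):
        posture, why = evaluate(sign(MANIFEST_KEY, url.encode()))
        print(f"{url}: {posture.value} ({why})")
    forged = Signed(b"https://example.invalid/mud/sensor.json", b"\x00" * 32)
    posture, why = evaluate(forged)
    print(f"forged manifest: {posture.value} ({why})")
```

The point of the structure is that the four cases are enumerated and each returns a named posture; whether "URL unreachable" should be default-deny or quarantine is a policy choice, which is exactly the kind of MUST/MUST NOT the review suggests the draft should settle so that implementations agree.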