
IETF Last Call Review of draft-ietf-suit-report-14
review-ietf-suit-report-14-secdir-lc-housley-2025-08-07-00

Request Review of draft-ietf-suit-report
Requested revision No specific revision (document currently at 16)
Type IETF Last Call Review
Team Security Area Directorate (secdir)
Deadline 2025-08-11
Requested 2025-07-28
Authors Brendan Moran , Henk Birkholz
I-D last updated 2025-10-23 (Latest revision 2025-10-21)
Completed reviews Genart IETF Last Call review of -14 by Behcet Sarikaya
Secdir IETF Last Call review of -14 by Russ Housley
Genart Telechat review of -15 by Behcet Sarikaya
Secdir Telechat review of -15 by Russ Housley
Assignment Reviewer Russ Housley
State Completed
Request IETF Last Call review on draft-ietf-suit-report by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/mKd-wlP9zgwi9hknZ8zj4huRzg4
Reviewed revision 14 (document currently at 16)
Result Not ready
Completed 2025-08-07
I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-suit-report-14
Reviewer: Russ Housley
Review Date: 2025-08-07
IETF LC End Date: 2025-08-11
IESG Telechat date: Unknown

Summary: Not Ready


Major Concerns:

Section 5: I do not understand the meaning of "Manifest Processor & Report
Generator". This is part of a MUST statement, and it is unclear what is
required.

Section 5: The last paragraph begins with "This information is not intended".
I cannot determine what information is being referenced, and it is unclear
what SHOULD be translated into general-purpose claims.

Section 7: This section does not have any information that will assist an
implementer.  It does not explain what makes an EAT measurements type
more consumable than a SUIT_Report on its own.  If this section is kept,
it should include a reference to EAT; the reference is several pages earlier.


Minor Concerns:

Section 4: It is not clear which algorithm will be used to compute
the SUIT_Digest.  The structure is defined in [I-D.ietf-suit-manifest],
and I copy it here:

   SUIT_Digest = [
     suit-digest-algorithm-id : suit-cose-hash-algs,
     suit-digest-bytes : bstr,
     * $$SUIT_Digest-extensions
   ]

For example, is the party that produces the SUIT_Reference that contains
the SUIT_Digest expected to use the same hash algorithm as was used in
the SUIT_Manifest?

Section 5: What does the term "well-informed" really mean here? I read
the sentence without this term and come away with the same understanding.
Can this be dropped?

Nits:

Section 3: s/well, however this/well; however, this/

Section 4: s/of SUIT_Records/of SUIT_Records as defined in Section 3/

Section 5: s/SUIT_report/SUIT_Report/
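The following worked example is added by the editor to illustrate the minor concern about SUIT_Digest in Section 4; it is not part of Russ Housley's review and not code from the SUIT drafts or their authors. It encodes the SUIT_Digest structure quoted above (a CBOR array of a COSE hash algorithm identifier and the digest bytes) with a minimal hand-written CBOR encoder/decoder so that it runs without third-party libraries, and then compares a digest carried in a SUIT_Reference against the one in a manifest. The algorithm identifiers are the IANA COSE Algorithms values (SHA-256 = -16, SHA-384 = -43, SHA-512 = -44); the rule that the two digests are only comparable when they use the same algorithm is an assumption made here to show why the draft needs to say which algorithm the report generator must use, and the payload and function names are constructed for the example.

```python
import hashlib
import hmac

# COSE hash algorithm identifiers from the IANA COSE Algorithms registry (RFC 9054).
COSE_SHA256 = -16
COSE_SHA384 = -43
COSE_SHA512 = -44
HASHES = {COSE_SHA256: "sha256", COSE_SHA384: "sha384", COSE_SHA512: "sha512"}


# --- Minimal CBOR encoding for the three types SUIT_Digest needs: int, bstr, array ---

def _cbor_head(major, n):
    """Encode a CBOR initial byte plus argument for major type `major` and value `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")


def cbor_int(i):
    # Major type 0 for non-negative, major type 1 (argument = -1 - i) for negative.
    return _cbor_head(0, i) if i >= 0 else _cbor_head(1, -1 - i)


def cbor_bstr(b):
    return _cbor_head(2, len(b)) + b


def cbor_array(items):
    return _cbor_head(4, len(items)) + b"".join(items)


def suit_digest(alg_id, payload):
    """Encode SUIT_Digest = [ suit-digest-algorithm-id, suit-digest-bytes ] over `payload`."""
    digest = hashlib.new(HASHES[alg_id], payload).digest()
    return cbor_array([cbor_int(alg_id), cbor_bstr(digest)])


# --- Minimal CBOR decoding, strict about the shape the CDDL allows ---

def _read_head(buf, pos):
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}[info]  # indefinite lengths are not accepted
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size


def decode_suit_digest(buf):
    """Return (algorithm_id, digest_bytes); reject anything that is not a SUIT_Digest array."""
    major, count, pos = _read_head(buf, 0)
    if major != 4 or count < 2:
        raise ValueError("SUIT_Digest must be an array of at least two items")
    major, v, pos = _read_head(buf, pos)
    if major == 0:
        alg = v
    elif major == 1:
        alg = -1 - v
    else:
        raise ValueError("suit-digest-algorithm-id must be an integer")
    major, length, pos = _read_head(buf, pos)
    if major != 2:
        raise ValueError("suit-digest-bytes must be a bstr")
    digest = buf[pos:pos + length]
    if len(digest) != length:
        raise ValueError("truncated suit-digest-bytes")
    return alg, digest


def digests_match(reference_digest, manifest_digest):
    """Assumed policy: a reference only matches the manifest if algorithm id AND bytes agree.

    A mismatch in algorithm id is reported as no match rather than re-hashed, because
    the report generator may not have the original payload to recompute the digest.
    """
    ref_alg, ref_bytes = decode_suit_digest(reference_digest)
    man_alg, man_bytes = decode_suit_digest(manifest_digest)
    if ref_alg != man_alg:
        return False
    return hmac.compare_digest(ref_bytes, man_bytes)


if __name__ == "__main__":
    payload = b"constructed example manifest bytes"  # constructed sample input
    manifest = suit_digest(COSE_SHA256, payload)
    print("same alg :", digests_match(suit_digest(COSE_SHA256, payload), manifest))
    print("other alg:", digests_match(suit_digest(COSE_SHA512, payload), manifest))
```

The second call returns False even though both sides hashed the same bytes, which is exactly the ambiguity the review points at: unless the draft states that the SUIT_Reference must carry the same suit-digest-algorithm-id as the manifest (or tells the verifier how to reconcile a different one), two conforming implementations can disagree about whether a report refers to a given manifest.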