Re: [Fud] Editorial Charter Update

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 09 October 2017 08:27 UTC

To: Carsten Bormann <cabo@tzi.org>, Russ Housley <housley@vigilsec.com>
Cc: "Fud@ietf.org" <fud@ietf.org>
References: <c14c92bf-cf99-efdb-6693-0e33519fbb0a@gmx.net> <578DD8B8-E786-4913-AE6A-65FFA29019AD@vigilsec.com> <FD3975C8-C252-4E70-8D96-29918FC0DAB3@tzi.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <66e408f7-44b5-b1a3-a53b-82454b8260a4@gmx.net>
Date: Mon, 9 Oct 2017 10:24:21 +0200
In-Reply-To: <FD3975C8-C252-4E70-8D96-29918FC0DAB3@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/fud/6CvyFi4CB4MBWHYvRrRaByqIBBI>
List-Id: FUD - Firmware Updating Description <fud.ietf.org>

Hi Carsten

I had provided a response to your comment and asked whether it clarifies
things.

I don't believe you have responded.

So far, I haven't heard you saying anything about what you would like to
see done in this working group. I would also like to know what you see
wrong with bug fixing and tweaking?

Ciao
Hannes


On 10/04/2017 07:31 PM, Carsten Bormann wrote:
> Hi Russ, 
> 
> I had a comment about a possible misunderstanding of the FUD/suit WG
> being misunderstood as the rfc4108 bug fixing and tweaking WG. I'm not
> sure that had been addressed. I'm mostly offline in the next seven days
> or so. 
> 
> Sent from mobile
> 
> On 3. Oct 2017, at 16:43, Russ Housley <housley@vigilsec.com> wrote:
> 
>> Here is an update to the charter text based on the comments.
>>
>> Note that the WG name is still FUD.  Any name change will be handled
>> by the IESG.
>>
>> Russ
>>
>> = = = = = = =
>>
>> Firmware Updating Description (FUD)
>> [Alternative proposal: SUIT (Software Updates for Internet of Things)]
>>
>> Vulnerabilities in Internet of Things (IoT) devices have raised the
>> need for a secure firmware update mechanism that is also suitable for
>> constrained devices.  Security experts, researchers, and regulators
>> recommend that all IoT devices be equipped with such a mechanism.  While
>> there are many proprietary firmware update mechanisms in use today, there
>> is a lack of a modern interoperable approach of securely updating the
>> software in IoT devices.
>>
>> A firmware update solution consists of several components, including:
>>  *  A mechanism to transport firmware images to IoT devices.
>>  *  A manifest that provides meta-data about the firmware image
>>     (such as a firmware package identifier, the hardware the package
>>     needs to run, and dependencies on other firmware packages), as
>>     well as cryptographic information for protecting the firmware
>>     image in an end-to-end fashion.
>>  *  The firmware image itself.
>>
>> RFC 4108 provides a manifest format that uses the Cryptographic Message
>> Syntax (CMS) to protect firmware packages.
>>
>> More than ten years have passed since the publication of RFC 4108, and
>> greater experience with IoT deployments has led to additional
>> functionality, requiring the work done with RFC 4108 to be revisited.
>> The purpose of this group is to produce a second version of RFC 4108
>> that reflects the current best practices.  This group will focus on
>> defining a firmware update solution for Class 1 devices, as defined in
>> RFC 7228, that is -- IoT devices with ~10 KiB RAM and ~100 KiB flash.
>> This group will not define any transport mechanisms.
>>
>> In June of 2016 the Internet Architecture Board organized a workshop on
>> 'Internet of Things (IoT) Software Update (IOTSU)', which took place at
>> Trinity College in Dublin, Ireland.  The main goal of the workshop was
>> to foster a discussion on requirements, challenges, and solutions for
>> bringing software and firmware updates to IoT devices.  This workshop
>> also made clear that there is a lack of regulatory requirements, which
>> contributes to challenges associated with misaligned incentives.  It is
>> nevertheless seen as important to create standard building blocks that
>> help interested parties implement and deploy a solid firmware update
>> mechanism.
>>
>> In particular this group aims to publish three documents, namely:
>>  *  An IoT firmware update architecture that includes a description of
>>     the involved entities, security threats, and assumptions.
>>  *  The manifest format.
>>  *  A revision to RFC 4108 that reflects the current best practices.
>>
>> This group will use draft-moran-fud-architecture as a starting point for
>> discussion of the "Architecture" document.
>>
>> This group will use draft-moran-fud-manifest as a starting point for
>> discussion of the "Manifest Format" specification.
>>
>> This group does not aim to create a standard for a generic software
>> update mechanism for use by rich operating systems, like Linux, but
>> instead this group will focus on software development practices in the
>> embedded industry.  Software update solutions that target updating
>> software other than the firmware binary (e.g. updating scripts) are
>> also out of scope.
>>
>> This group will aim to develop a close relationship with silicon vendors
>> and OEMs that develop IoT operating systems.
>>
>>
>> Milestones:
>>
>> Dec 2017     Submit RFC 4108bis document as WG item.
>>
>> Dec 2017     Submit "Architecture" document as WG item.
>>
>> Dec 2017     Submit "Manifest Format" specification as WG item.
>>
>> Jul 2018     Submit "Architecture" to the IESG for publication as an
>>             Informational RFC.
>>
>> Nov 2018     Submit RFC 4108bis document to the IESG for publication as
>>             a Proposed Standard.
>>
>> Nov 2018     Submit "Manifest Format" to the IESG for publication as
>>             a Proposed Standard.
>>
>>
>> Additional calendar items:
>>
>> Mar 2018     Release initial version of the manifest creation tools as
>>             open source.
>>
>> Apr 2018     Release first version of manifest test tools as open
>>             source.
>>
>> Jun 2018     Release first IoT OS implementation of firmware update
>>             mechanisms as open source.
>>
>> _______________________________________________
>> Fud mailing list
>> Fud@ietf.org
>> https://www.ietf.org/mailman/listinfo/fud
>>