Re: [Gen-art] Genart last call review of draft-ietf-rats-eat-21
Ines Robles <mariainesrobles@googlemail.com> Thu, 10 August 2023 20:52 UTC
Return-Path: <mariainesrobles@googlemail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11AA1C1524B3; Thu, 10 Aug 2023 13:52:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=googlemail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y88Sczf3CEXd; Thu, 10 Aug 2023 13:52:38 -0700 (PDT)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAA84C1522C6; Thu, 10 Aug 2023 13:52:32 -0700 (PDT)
Received: by mail-pg1-x52a.google.com with SMTP id 41be03b00d2f7-52cb8e5e9f5so973089a12.0; Thu, 10 Aug 2023 13:52:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1691700751; x=1692305551; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=soBEQwudUXTLzCD5r5RRuUOqHVbr2FzRvDvQDSCU3MA=; b=Cubt5d5AyGLA+UVVAKL54XczYMobSb6qVJyVBb9ET3aYUj35lY02Il/KB+aJI6wH6+ /llczapyas1AvyJygSzOP4QfmYWjKwM7LS9Z1iT5MzGx5Hdn7GbLb4TOJIuibrUsVv9l HcDLbHkr8LDKILHbvrd7HW9vhtPl12LgdSg1uOqJbdDV0Krp37vol0iprLMVVfNiZZZg FiZRzKRtwrBiYiybn85fRlC22OcPRxLAPcg7kj8wgDXZPMFi2126hIHaxMk2URI6MMr+ GoqdTJUbLTks0pL/Z7+4hRQ9nA/CPsvB3QI2mVjFus2nfJ9a8eU+3K2o3O/VtkYa071t 0Eog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691700751; x=1692305551; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=soBEQwudUXTLzCD5r5RRuUOqHVbr2FzRvDvQDSCU3MA=; b=RV976M9XLOZeVUItCqwrVjbv7F8xGc3HCZ+hmiF22THzqfpFmDTorbioIOrSw4rSL7 Gr4LVYD7seUPb/JW+F0VMUF56HfgtbLV+JL9booX42Wlj/k4Ugt8zmiZnG8CPeYhzUms ljiiO+kFWoixE46XF2WpkYtJo7OIlVVVd4H6bojAVh4iCe27oFeDjmKDEPqMpxZ+mCEN BBX0W6FCWiEgEIFHzJD/WpmqJGeYgzJK3fs77yYMNSdJgng3sOyLc6Rvpxez1qg+qIh+ CK6L7Vvi1QHHRQw+fAqXVXB5VcmKQZf3dou0tXtejJ/tze18zOvtmCctau9U91a+gtFE D17A==
X-Gm-Message-State: AOJu0YxLfcseJmV2VL8VaG9WejIK0s9qUX4kEg1P90Ico2nrrxKI6obi 6DIVNgghf4pT+oMQLPV8z9LyJyHXAzOLj3DR3xv4rQkuXeM=
X-Google-Smtp-Source: AGHT+IHeP7KmxbY6qcdE6Bn0Nu5Akf0mJlISBqUHGZTMX7tzZz9W3P+jKoPjdY3OzbU0Zb148sGNCfdo/F2ysbnYLBs=
X-Received: by 2002:a17:90a:de0d:b0:268:5aaf:fbe with SMTP id m13-20020a17090ade0d00b002685aaf0fbemr4480198pjv.10.1691700751114; Thu, 10 Aug 2023 13:52:31 -0700 (PDT)
MIME-Version: 1.0
References: <169162485268.42416.9384266055668934551@ietfa.amsl.com> <FC30B06B-FD73-4ED8-B327-F0C18A6462FA@securitytheory.com>
In-Reply-To: <FC30B06B-FD73-4ED8-B327-F0C18A6462FA@securitytheory.com>
From: Ines Robles <mariainesrobles@googlemail.com>
Date: Thu, 10 Aug 2023 23:51:54 +0300
Message-ID: <CAP+sJUd+hHcM7hv1V+chRXfuARAFbOGQyG4RKKdqYDxNL0Yt9A@mail.gmail.com>
To: "lgl securitytheory.com" <lgl@securitytheory.com>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-rats-eat.all@ietf.org" <draft-ietf-rats-eat.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000056243d060297c641"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/EcL6ehCmHvBxdVz5DrYTaNiRS7M>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-rats-eat-21
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 20:52:42 -0000
Many thanks Laurence for addressing my comments and for the providing clarifications I understand the provided motive to not imply the trust to be static. Perhaps, one way to convey the potentially varying degree of trust dependant on context can be achieved by replacing "wishes" (which is usually attributed to human sentiments) and as well as changing "how much" (which represents in my understanding a quantity value): Thus, instead of: "This claims set is used by a relying party, server or service to determine how much it wishes to trust the entity." how about?: "This claims set is used by a relying party, server or service to determine the applicable trust in the entity." What do you think? Thank you and Best Regards, Ines. On Thu, Aug 10, 2023 at 10:03 PM lgl securitytheory.com < lgl@securitytheory.com> wrote: > The PR to address these is here: > https://github.com/ietf-rats-wg/eat/pull/403 > > Comments below. > > > > On Aug 9, 2023, at 4:47 PM, Ines Robles via Datatracker < > noreply@ietf.org> wrote: > > > > Reviewer: Ines Robles > > Review result: Ready with Nits > > > > I am the assigned Gen-ART reviewer for this draft. The General Area > > Review Team (Gen-ART) reviews all IETF documents being processed > > by the IESG for the IETF Chair. Please treat these comments just > > like any other last call comments. > > > > For more information, please see the FAQ at > > > > <https://wiki.ietf.org/en/group/gen/GenArtFAQ>. > > > > Document: draft-ietf-rats-eat-21 > > Reviewer: Ines Robles > > Review Date: 2023-08-09 > > IETF LC End Date: 2023-08-09 > > IESG Telechat date: Not scheduled for a telechat > > > > Summary: > > > > This document describes Entity Attestation Token (EAT) that provides an > > attested claims set that describes state and characteristics of an > entity. This > > claims set is used by a relying party, server, or service to assess the > > trustworthiness of the entity. EAT is constructed as a framework for > defining > > specific attestation tokens for specific use cases. > > > > The document is well documented, with good set of references. No major > issues > > found, minor nits found as specified below. > > > > Major Issues: None > > > > Minor Issues: None > > > > Nits: > > > > - Abstract: What about "...service to determine how much it wishes to > trust the > > entity." --> "...service to assess the trustworthiness of the entity." ? > > I prefer it as is, but am open to the change if there is consensus. > > I prefer it as is because it I think the existing wording leaves room for > the context of the trust. To me your proposed wording seems like trust is > determined once for all use cases. I think one might trust the same entity > in one context, but not in another. For example, one context might be for > transaction in dollars and another might be for authentication to access > governmental data. I don’t think trust or trustworthiness is universal > (even though lots of engineers, marketing people and such do use the word > that way). > > > > > > - Section 4.1.17: Maybe "failure, fail to run, ..." --> "failure, fail > to run, > > among others." ? > > Changed to "success, failure, fail to run, and absence” because there are > only four options. > > > > > > - In Section 4.2.14 "(DLOAs))" --> (DLOAs), the same for (Section > 4.2.16)) in > > Section 6.2.12 > > Fixed. > > > > > > - Section 4.3.3 and Section 7.3.1. "TBD(BUNDLE-Untagged-Message)" --> > > TBD602(BUNDLE-Untagged-Message) ? (To be aligned with IANA Section) > > Fixed. > > > > > - Section 6.2.12: "This document requires an EAT receiver must accept all > > claims it does not understand." are there specific security > consideration to > > follow in this case not mentioned in section 9.1? > > Reworded to "This document requires an EAT receiver must accept tokens > with claims it does not understand” as the > existing sentence really didn’t say the right thing. > > I don’t think there are security concerns here. > > > > > > - Section 6.3: It would be nice to have a caption for Table 2. (Same for > rest > > of the tables) > > Fixed. > > > > > - Section 7.3.1: "one place that that a CBOR token" --> "one place where > a CBOR > > token" ? > > Fixed. > > > > > > - Appendix C.1: "EAT doesn't define a an device implementation and DevID > does." > > --> "EAT doesn't define a device implementation, but DevID does." ? > > Fixed. > > > > > > Thanks for this document, > > > Thank you for reviewing. It’s a long document and I know it takes a lot of > work. > > LL > > > > > > Ines. > > > > > >
- [Gen-art] Genart last call review of draft-ietf-r… Ines Robles via Datatracker
- Re: [Gen-art] Genart last call review of draft-ie… lgl securitytheory.com
- Re: [Gen-art] Genart last call review of draft-ie… Ines Robles
- Re: [Gen-art] Genart last call review of draft-ie… Smith, Ned
- Re: [Gen-art] [Rats] Genart last call review of d… lgl securitytheory.com
- Re: [Gen-art] [Rats] Genart last call review of d… Smith, Ned
- Re: [Gen-art] [Rats] Genart last call review of d… Ines Robles