[Iot-directorate] Iotdir last call review of draft-ietf-rats-eat-13

Eliot Lear via Datatracker <noreply@ietf.org> Sun, 05 June 2022 12:57 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: iot-directorate@ietf.org
Delivered-To: iot-directorate@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BC4CFC14CF01; Sun, 5 Jun 2022 05:57:47 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Eliot Lear via Datatracker <noreply@ietf.org>
To: iot-directorate@ietf.org
Cc: draft-ietf-rats-eat.all@ietf.org, last-call@ietf.org, rats@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 8.3.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <165443386776.35361.12898474920348394274@ietfa.amsl.com>
Reply-To: Eliot Lear <lear@cisco.com>
Date: Sun, 05 Jun 2022 05:57:47 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/ENIGd-TXsKulKGJKVkxsx4_nkds>
Subject: [Iot-directorate] Iotdir last call review of draft-ietf-rats-eat-13
X-BeenThere: iot-directorate@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Mailing list for the IoT Directorate Members <iot-directorate.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-directorate/>
List-Post: <mailto:iot-directorate@ietf.org>
List-Help: <mailto:iot-directorate-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jun 2022 12:57:47 -0000

Reviewer: Eliot Lear
Review result: Not Ready


Major:

The most major problem with the document is this:

7.  Profiles

   This EAT specification does not gaurantee that implementations of it
   will interoperate.  The variability in this specification is
   necessary to accommodate the widely varying use cases.  An EAT
   profile narrows the specification for a specific use case.  An ideal
   EAT profile will guarantee interoperability.

This is quite counter-cultural to the IETF.  You start with the
smallest set of functionality and then expand outward to cover
different use cases that make use of different extensions.  I'm
not saying that profiles would not be necessary, but that some
additional thought be given to extension mechanisms.

This statement in particular is quite disturbing.

   In some cases CDDL may be created that replaces CDDL in this or other
   document to express some profile requirements.

Not only is this counter-cultural, but it would require an Updates:
header on any such profile, and would further just be plain out
confusing.

In short, the profile mechanism is harmful to the very concept of
interoperability.

Section 4.1:

   The nonce MUST have 64 bits of entropy as fewer bits are unlikely to
   be secure.  A maximum nonce size is set to limit the memory required
   for an implementation.

There are two sides to this equation: the generator of the nonce and
the consumer.  How is the generator supposed to know how much memory
the consumer has?

Section 4.2.1:

   UEIDs are variable length.  All implementations MUST be able to
   receive UEIDs that are 33 bytes long (1 type byte and 256 bits).  No
   UEID longer than 33 bytes SHOULD be sent.

256/8 = 8.  8+1 = 9.  I don't understand the parenthetical.

Between Section 4.2.1 and 4.2.2 there is a particular use case I would
like to understand:

If a system integrator resells a bunch of components that have been
tied together, what guidance is given as to which [S]UEID should be
exposed and for what purpose?  Does the consumer consume a full array
of each of these things?  What's the intent?

Section 4.2.6:

Please do not use a free-form text field for the software.  That makes
comparisons and authorities quite difficult.  In fact between this
section and section 4.2.7, you may wish to consider using Package
URLs.

Section 4.2.8:

As a whole this section is a bit too talkative.  Also, there are many
claims programs, and so I question the value its value.  If it is seen
as important, then some qualitative statement about specific
certifications seems more appropriate.

In general the CDDL for uints in particular requires .size values.
Otherwise you are just asking for random failures based on the limits
of varying tests.

4.2.15  DLOA

   This claim is typically issued by a Verifier, not an Attester.  When
   this claim is issued by a Verifier, it MUST be because the entity has
   received the certification in the DLOA.

Unclear antedent.  Perhaps you mean:

   This claim is typically issued by a Verifier, not an Attester.
   Verifiers MUST NOT issue this claim unless they have received the
   the certification in the DLOA.

Same issue with multiple DLOAs.

Also, is it possible that DLOAs will be produced in JSON at some point
in the future?  If so, why not allow for that by not mentioning XML,
and simply requirng observance of HTTP Content-type semantics?

Section 4.2.16

Can a software manifest be an SPDX or CycloneDX document or a pointer
to same?  There's a WHOLE lot of the former out there, and the latter
is growing in popularity.  If this is the case, let's define
appropriate types now.

   If there is no CoAP identifier
   registered for the manifest format, one should be registered, perhaps
   in the experimental or first-come-first-served range.

This sentence seems redundant, and the policy aspects opens this work
up to the peril of a policy change for the IANA registry.

Section 9

The IANA will not know what to do with this section as most of it is
not directed to them.  Much of it might be better suited as a
standalone document.  But it does raise the question of whether or not
some sort of subregistry should be formed for new claims, where an
appropriate evaluation could be managed through the IANA process (pick
your favorite).  How that would be accomplished I leave to you.

Minor:

Introduction:

   It is the use of this
   key material that make the claims set "attested" rather than just
   some parameters sent to the relying party by the device.

No.  Attestation is a claim of validity.  It is perfectly possible,
and probably likely that many claims will be attested and not used.

   EAT is focused on authenticating, identifying and characterizing
   implementations where implementations are devices, chips, hardware,
   software and such.  This is distinct from protocols like TLS
   [RFC8446] that authenticate and identify servers and services.  It is
   equally distinct from protocols like SASL [RFC4422] that authenticate
   and identify persons.

This paragraph is not well written.  EAT is an object that asserts the
validity of a remote attestation claim object.


Appendix B:

   UUIDs seem to have been designed for scenarios where the implementor
   does not have full control over the environment and uniqueness has to
   be constructed from identifiers at hand.

I don't see the value of any of this commentary.  Either you know or
you don't know.  There is no need for conjecture in such a document.

Is Section 4.4 somehow misplaced?  I'm not quite convinced what value
it is adding in that section, or what is intended to be specified.

Section 6:

   There is not yet any standard format(s) for an Endorsement.  One
   format that may be used for an Endorsement is an X.509 certificate.
   Endorsement data like Reference Values and implied claims can be
   carried in X.509 v3 extensions.

Define Endorsements or don't define Endorsements.  Don't half-define
Endorsements. Just note that there is future work to be done
somewhere.


Nits:

Abstract:

   To a large degree, all this document does is extend CWT and JWT.

This statement is just inaccurate and would add nothing in any case.
Suggest you remove.


   The document uses the term "entity" to refer to the target of the
   attestation token.

Target or object?  A target implies something at which one aims.  An
object is the entity upon which a subject acts through a verb.

   The claims defined in this document are claims
   about an entity.

Or more simply," the claims defined in this document describe an
entity."

   An entity is never a server or a service.

Neither server nor service is defined.  Don't go there.


   All claims in an EAT MUST use the same encoding except
   where explicitly allowed.

That's better said, "... except where otherwise explicitly stated."

Every instance of "CBOR encoded" or "JSON encoded" should be
hyphenated.

Personal preference nit:

The English language requires capitalization only of proper nouns,
acroynms, and the first letter of the first word of a sentence.  Legal
documentation makes use of capitals so as to indicate a very specific
meaning to phrase in what is generally highly convoluted language.  If
you believe that your work is so convoluted that you need to use
capitals, my suggestion is that you rewrite your work.  Otherwise,
maybe use lower case letters.

Section 4.1:

   In CBOR, the nonce is a byte string and every bit in the byte string
   contributes to entropy.

This statement is a bit odd.  Can you show me a nonce in which some
bit does NOT contribute to entropy?

4.2.18

{#swevidence} should not appear in the text.

Section 4.3.2

If you are going to use the term "epoch" you have to describe when
that epoch begins.  That has to be commonly understood between the
parties.