Re: [Rats] WGLC and IPR updates for RATs Architecture draft

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Wed, 25 November 2020 20:53 UTC

Return-Path: <ncamwing@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40C213A1D0F for <rats@ietfa.amsl.com>; Wed, 25 Nov 2020 12:53:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.62
X-Spam-Level:
X-Spam-Status: No, score=-9.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=LTBDUi2A; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=A2PSijVV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9r0GIymTtvK8 for <rats@ietfa.amsl.com>; Wed, 25 Nov 2020 12:53:23 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B443A1D11 for <rats@ietf.org>; Wed, 25 Nov 2020 12:53:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=26286; q=dns/txt; s=iport; t=1606337602; x=1607547202; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=LA/d/DG2vc4jYlUkVfV5KP7391aXQq3z5rGEr62cPLg=; b=LTBDUi2ABqX4QB0JcQPrN4a+k5odJrpfct1z4OFrcCupUGv3dB1tX9bu MeOyRPoKcHMTrvHrXhyQQioRKQGwE+AOF4JR6xyJ6V0CT8/7afBvBlS57 KwyT32HZgca2tv9QyMzy2yA6h1H9wkOf5fWQ4XB1fc2b3TezddziXs81M k=;
X-IPAS-Result: =?us-ascii?q?A0DdCgAlw75ffYQNJK1ZCR4BAQsSDECDIVF8Wi8uCoQzg?= =?us-ascii?q?0kDjT0mgQWJEY5vgUKBEQNUCwEBAQ0BASMKAgQBAYFVgnUCF4INAiU4EwIDA?= =?us-ascii?q?QEBAwIDAQEBAQUBAQECAQYEFAEBhg8BAQQCJQyFcwEBBBILBhEMAQElBgUCB?= =?us-ascii?q?QEPAgEIDgQGAgImAgICHxEVAg4CBA4FGweDBAGCVQMuAQ6ieQKBPIhpdoEyg?= =?us-ascii?q?wQBAQWBMwETQYMuDQuCEAMGgQ4qgnODdoQMgQiBNA8bggCBEScMEIFRSQcuP?= =?us-ascii?q?oIbQgICAQGBJgEICgEJAhaDFzOCLI1xgj8YCxIXgneTPJAcOFUKgm6JFoJJg?= =?us-ascii?q?05ShhSFFQMfgxuPbI8GnmaCcZJxAgQCBAUCDgEBBYFtIWlwcBVlAYI+UBcCD?= =?us-ascii?q?VaCWIQXgkaEFgwXg06FFIVEdAI1AgYBCQEBAwl8jQGBNAGBEAEB?=
IronPort-PHdr: =?us-ascii?q?9a23=3Ab0vBmRZttlFUj4rfA7yV9qX/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el21QaVD4re4vNAzeHRtvOoVW8B5MOHt3YPONxJWg?= =?us-ascii?q?QegMob1wonHIaeCEL9IfKrCk5yHMlLWFJ/uX3uN09TFZXxYlTTpju56jtBUh?= =?us-ascii?q?n6PBB+c+LyHIOahs+r1ue0rpvUZQgAhDe0bb5oahusqgCEvcgNiowkIaE0mR?= =?us-ascii?q?Y=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,370,1599523200"; d="scan'208";a="615726105"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 25 Nov 2020 20:53:21 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 0APKrLeh021166 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 25 Nov 2020 20:53:21 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 25 Nov 2020 14:53:21 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 25 Nov 2020 15:53:20 -0500
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 25 Nov 2020 15:53:20 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G/2s1V6gxRFaJtCWxgehVQt2qA/co63TJjqgMxYZ7aHxLdd2Yk3Q96+Kk98U4zx+MKc5B5+FJERexlgYQ3aK31mX2Ail4O1AypGSzL6ZLJApd6CEyygACI7rgSpJwGZqqJvvNmrlgBVyipZKd+bqgcmorApC0OPPDRQ+nJwfbxTHlfBhA99csbPR0IGKrv8hQuZoiu24kyXoWEf+wLXLbKG9NoAeMsXZCq1QALlJhQWo+PiM4bKEgRCQMJ4BhJt4y4qpri6H+eyCq3sxvbEFuiYwPCN/12ibunmXv5XYJRYkJndf1hSAf6JLqSq95lfukAw0uSY8Re/g2p3/dVoTuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LA/d/DG2vc4jYlUkVfV5KP7391aXQq3z5rGEr62cPLg=; b=gYfeKT3G0KhiQai6i1VkQ6In8S1iqrZ/swh6OWF5e/tqVJtXNGYjU/lmqLkd/44UxSBk91ZpqBOn1Oz8YqNgf7ECvHLaIwOkKd5jytd6In1E5+nlez2NBAEgMZH6xPkwsTilrvkaDhNYUjxY5slHaDQlRyAsELJI1D/lW/s4V/JgnB+yeV0ngF1ij4yaT3jikl9vhAulHF9IfCk4h9BxbLbw67LlbK1HoXzjAoIiSpdJ9oMwyaCHFN8hDfQwKXUPE21vasagXfT5CJdE3klzgWeY54Zm0Qk6szL5wk5hCZCgpNHTySpWWdyw7cvG7ZWQ+8nYUNow4QLhl5oKiJrlJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LA/d/DG2vc4jYlUkVfV5KP7391aXQq3z5rGEr62cPLg=; b=A2PSijVVjNSk0/7TYCdMdPpzb5h87Vkzwhks18OyZ6iRYC0/nVM6MdAO5365cfJCsobDVp0+VP6jDSvQ4xVWSCpnjbZom01SfcrgmCxGdaJJqVEwLbFC1ctJSNHUm6p5EwS2jVOHnaTvw1utaBn4YrGQCuir4vVYVGVOsC3naGo=
Received: from BY5PR11MB4070.namprd11.prod.outlook.com (2603:10b6:a03:181::16) by SJ0PR11MB4957.namprd11.prod.outlook.com (2603:10b6:a03:2df::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.22; Wed, 25 Nov 2020 20:52:06 +0000
Received: from BY5PR11MB4070.namprd11.prod.outlook.com ([fe80::8842:3f1e:4ffc:32c1]) by BY5PR11MB4070.namprd11.prod.outlook.com ([fe80::8842:3f1e:4ffc:32c1%3]) with mapi id 15.20.3589.030; Wed, 25 Nov 2020 20:52:06 +0000
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Thomas Fossati <tho.ietf@gmail.com>
CC: "rats@ietf.org" <rats@ietf.org>, Simon Frost <simon.frost@arm.com>, "manu.gupta@arm.com" <manu.gupta@arm.com>, "yogesh.deshpande@arm.com" <yogesh.deshpande@arm.com>
Thread-Topic: [Rats] WGLC and IPR updates for RATs Architecture draft
Thread-Index: AQHWq9pf92tAUCaehEKQNe9DfVEk06nOP26AgAq8aoA=
Date: Wed, 25 Nov 2020 20:52:06 +0000
Message-ID: <6D1F0263-2501-4AEF-B78D-23A292708911@cisco.com>
References: <48C10361-A1A6-460F-8BBF-BD4429DCCC2A@cisco.com> <CAObGJnMr1eJHFSHcMC7KXJd0h6a7T6Ue8gC8ExG1g2Y8iNAWOA@mail.gmail.com>
In-Reply-To: <CAObGJnMr1eJHFSHcMC7KXJd0h6a7T6Ue8gC8ExG1g2Y8iNAWOA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.1b.201012
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [73.162.233.180]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6b83b19b-728c-4b63-4b80-08d89183f836
x-ms-traffictypediagnostic: SJ0PR11MB4957:
x-microsoft-antispam-prvs: <SJ0PR11MB495770BD05C5AB1BF8F96A38D6FA0@SJ0PR11MB4957.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: S3izXVmQ6AXb3w4040RtIp5n4Q2yyf1Yq44UXy3tu2EuEmqgitH5U9Hcm0fDafT8vvc67Pgz/4rbrGns9kMNmWZWXfzFc2GCjftmgQaOl98YpvKa+4OsL74rIAXqmzaSoiULbuejnpBU7HZ1CPBgHw0XMm0QPToBG3eD/jLFNsja2N2QE3ycKaJ9pWY68Gxq2lCjV3QelFrerm0S++cdlSYY7mA/TBEbRxPh50/AvILSgA4vV86sp2r7kKeicIUx6k+ml9oa9A6eHsU+ZoWh9YO8TrThGYeI2T7CVLfg3YlAsxAIIGcJzsxxvl1mqEDAWiaaUyuISfT3phSPpj/G6aAnG7YCx3c7eEOt6ffGfO3ziF4XTNRsH36zpuZWnXJ9Ths2bKq88pmObpTHDA6dAw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4070.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(376002)(396003)(346002)(39860400002)(136003)(8676002)(15650500001)(83380400001)(6916009)(30864003)(316002)(478600001)(966005)(54906003)(6486002)(26005)(76116006)(66556008)(6506007)(66946007)(53546011)(71200400001)(66446008)(8936002)(6512007)(66476007)(66574015)(64756008)(2906002)(5660300002)(36756003)(2616005)(4326008)(33656002)(186003)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: WFgGIIylGDKp9jdbS67yc8rPEcI4DGOa5eHDDgKgNmOCVktCZjujbgepyRUvMHJ/xGrgqXNv2o253yjfL4nn6ZAoS8G6+oxvi/3c88P1zWQzXPx3tfAo18Tm8IkfMsfhvsNfGtj6KHeafNsLzuWbgZtzWrYfLis9IMICbYES7MklyEpBEq/D0Lmxk8O0fwaWRzCgZNpyuMVVg0s/F8YHcKbkU0xiHLQQa66SGmv7md9Sho1lPsCjT1OPzR6e+gNIFhQkop65iXsmwQ0pRfFAtzvC4gy3DjfcCAucX5qYdzE0Ewccdt9/9wbyfZGVcDiz54jPOlyScJb6iJC60T8tYCmAQTFgwzCqeGHNaRbDFIvI4FLTg4WB7WEUl5egl/ZcsHn8Gqby3MvM+n3YuZdCAtRlLRtiXdlrh1hZvQah82xUxvzXzGWCVHC9qxclz3skLka4nIZnlIZx3eoHKgbdbud1Tlpni6bSnFj4tyE/CeBCknLdn5Ymsn7nOAj+dHRhI9/FLnIY60IUrz0P0yF9e3nfAfFVwe4oubEHJKEZHrzTX8GDFzt58zLvV6nmc8fe4V/NR0kRhWkMYtad/uhL/SWj0K549PY78zgjZz+peMg9IR9uD7vfr+CdL2Pylujz1xoqOmDO33kz21Ufv8Skz2wHs3OZXguX9zyakl0ra2D4yFH/gJpEUWj5Yl1aJqfsQnbaWTXxCMqnfVb7espQRRS0rm2snDkBleImUHxEw9XgztHaejR/Nt2WzuiLwswXVSIjY30gEzEY78oMLAsKkNt6wVXgLIIJ8QVLYEv9wRMhu+M5FHa40bCPsGxIkT76y1zMS6xXwV7BwdPLG5I8GOoxDyyibrnRNoAwoYk0GAlf3n7aOk/Q5QKFLGN0FGOqPP20hEc1GnESAED7QW/1xw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F77E4B234B255D44B145CD7A69B2B2CB@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4070.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6b83b19b-728c-4b63-4b80-08d89183f836
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Nov 2020 20:52:06.2487 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +6Vp3rLWp0Q2T+ztAM6CwuwkdHyfWHnhzgZV18HSGX8IRBuD1aVeC1h0bEudrejNc9rT69xpitGbgbGSZm5XlA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR11MB4957
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: alln-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0ts5iuwsjVPHsQM2by1zVmBu2c4>
Subject: Re: [Rats] WGLC and IPR updates for RATs Architecture draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2020 20:53:26 -0000

Thank you for the feedback Thomas....
I believe Michael is pulling the architecture team (and design meetings) together to address your and Guy's comments.

Best, Nancy

On 11/18/20, 8:55 AM, "Thomas Fossati" <tho.ietf@gmail.com> wrote:

    Hi Nancy, all,
    
    On Mon, Oct 26, 2020 at 8:55 PM Nancy Cam-Winget (ncamwing)
    <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
    > This email is the start of a 3 week Working Group Last Call for the RATs architecture draft:
    >
    > https://datatracker.ietf.org/doc/draft-ietf-rats-architecture/
    >
    > The WGLC will run until Nov 16, 2020.
    
    This is our WGLC review of draft-ietf-rats-architecture-07.
    
    
    ** Summary:
    
    The document is in fairly good shape and nearly ready to be shipped.
    
    A big thank you to all the people involved!
    
    ** A few top-level points:
    
    1) The split between Endorsements and Reference Values is not completely
       ironed out yet.  Endorsements are not super clearly defined.
    
    This seems to be the only non-trivial missing piece.
    
    2) The appendix on Handles needs some work to better clarify the concepts
       and simplify the flow.
    
    3) It'd be great to do something around Terminology and use cases.  Simon
       has proposed rationale for restructuring as well as text to address
       the identified issues in PR#164 [1].  We'd be happy to help working on
       that until it can be merged.
    
    [1] https://github.com/ietf-rats-wg/architecture/pull/164
    
    4) The prose is at times a bit prolix and could be streamlined,
       especially in places where style tends to obscure the information
       content.
    
    ** Detailed comments and editorial suggestions:
    
    [ Abstract ]
    
    Maybe define the term "attestation" before using it in the phrase "such
    remote attestation procedures"
    
    [ 1.  Introduction ]
    
    OLD
        This documents defines
    
    NEW
        This document defines
    
    
    OLD
       to enable implementers in order to choose appropriate solutions to
       compose
    
    NEW
       to enable implementers to choose appropriate solutions to compose
    
    
    OLD
       Appraisal Policy for Attestation Results:  A set of rules that direct
          how a Relying Party uses the Attestation Results regarding an
          Attester generated by the Verifiers.
    
    NEW(a)
       Appraisal Policy for Attestation Results: A set of rules that directs
          how a Relying Party uses the Attestation Results generated by a
          Verifier.
    
    or, if the Attester has to be mentioned:
    
    NEW(b)
       Appraisal Policy for Attestation Results: A set of rules that directs
          how a Relying Party uses the Attestation Results generated by a
          Verifier in response to appraisal of Evidence from an Attester.
    
    OLD
          [...]
          integrity of an Attester's various capabilities such as Claims
          collections and Evidence signing
    
    NEW
          [...]
          integrity of an Attester's ability to collect Claims and sign
          Evidence.
    
    OLD
       Relying Party:  A role performed by an entity that depends on the
          validity of information about an Attester, for purposes of
          reliably applying application specific actions.
    
    NEW
       Relying Party:  A role performed by an entity that depends on the
          trustworthiness of information about an Attester, for purposes of
          taking application specific decisions.
    
    [ 3.1.  Network Endpoint Assessment ]
    
    OLD
       [...] version of information of the hardware and software
    
    NEW
       [...] version information about the hardware and software
    
    
    In the sentence "[...] record maintenance and/or trending reports
    (logging)", it's not clear what "trending reports" have to do with
    "logging"?
    
    
    The para:
    
       Typically, solutions start with a specific component (called a "root
       of trust") that provides device identity and protected storage for
       measurements.  The system components perform a series of measurements
    
    is probably not a very accurate description of what happens with
    measured boot, i.e., that the measurer itself has to be part of the RoT.
    It can't be a generic component whose measurements are (blindly?) signed
    by the RoT.
    
    
    OLD
       the hardware, firmware, BIOS, software, etc. that is running.
    
    NEW
       the hardware, firmware, BIOS, software, etc. that is present.
    
    (Using "present" because hardware is not strictly "running".)
    
    
    OLD
       Relying Party:  A network infrastructure device such as a router,
          switch, or access point
    
    NEW
       Relying Party:  A network infrastructure device such as a router,
          switch, or access point, responsible for admission of the device
          into the network.
    
    
    [ 3.2.  Confidential Machine Learning (ML) Model Protection ]
    
    OLD
       This typically works by having some protected environment in the
       device go through a remote attestation with some manufacturer service
       that can assess its trustworthiness.
    
    NEW
       This typically works by having the ML application request attestation
       evidence from the device and engage with the manufacturer to assess
       the trustworthiness of said evidence.
    
    
    [ 3.3.  Confidential Data Retrieval ]
    
    The para:
    
       An assessment of system state is made against a set of policies to
       evaluate the state of a system using attestations for the system
       requesting data.
    
    is not exactly crystal clear.  What about:
    
       As part of attestation procedure, an assessment is made against a set
       of policies to evaluate the state of the system which is requesting
       the confidential data.
    
    
    [ 3.4.  Critical Infrastructure Control ]
    
    This section could be expanded to include the case where the roles are
    swapped: the sensor that provides critical input into a controller needs
    to provide evidence of its trustworthiness before the controller can
    comfortably act upon its stimulus (e.g., opening a valve.)
    
    
    [ 3.5.  Trusted Execution Environment (TEE) Provisioning ]
    
    Maybe an information reference to TEEP could be added here?
    
    
    [ 3.6.  Hardware Watchdog ]
    
    There seems to be some confusion here: initially it is said that the
    "Relying Party is the watchdog timer in the TPM."  Subsequently, the
    Relying Party is defined as "A remote server that will securely grant
    the Attester [...]".  So, what is it?
    
    
    [ 3.7.  FIDO Biometric Authentication ]
    
    The definition of Relying Party:
    
       Any web site, mobile application back end or service that does
       biometric authentication.
    
    seems slightly inaccurate: the web site doesn't do biometric auth.  The
    authenticator binds biometric to crypto material so that the web site
    can deal with usual crypto auth.
    
    
    [ 4.  Architectural Overview ]
    
    In Figure 1 there should be a mention to the Reference Value Provider.
    
    OLD
       pppraisal policy to make application-specific decisions such as
    
    NEW
       appraisal policy to make application-specific decisions such as
    
    
    [ 4.2.  Reference Values ]
    
    This seems to skip the relationship with the Reference Value Provider
    now that's been split from the Endorser role, and also seems to muddle
    the distinction between Ref-Values and Endorsements (i.e., Ref-Values
    could be a subset of the information carried in an Endorsement.)
    
    
    [ 4.3.  Two Types of Environments of an Attester ]
    
    OLD
       Other examples may exist, and the examples discussed could even be
       combined into even more complex implementations.
    
    NEW
       Other examples may exist.  Besides, the examples discussed could be
       combined into even more complex implementations.
    
    
    OLD
       [...] taking measurements on code
       or memory and so on of the Target Environment.
    
    NEW
       [...] taking measurements on code,
       memory or other security related objects of the Target Environment
    
    
    "An execution environment [...]" is introduced without a definition.  It
    might be not self-evident.  Is this an alias for TEE?  Or something
    else?
    
    
    The content of this para:
    
       By definition, the Attester role creates Evidence.  An Attester may
       consist of one or more nested or staged environments, adding
       complexity to the architectural structure.  The unifying component is
       the root of trust and the nested, staged, or chained attestation
       Evidence produced.  The nested or chained structure includes Claims,
       collected by the Attester to aid in the assurance or believability of
       the attestation Evidence.
    
    is a slightly confusing.  What do we really want to say?  Also,
    "nested", "staged", "chained": let's pick one and stick with it ;-)
    
    
    OLD
       Figure 3 depicts an example of a device that includes (A) a BIOS
       stored in read-only memory in this example, (B) an updatable [...]
    
    NEW
       The device in Figure 3 includes (A) a BIOS stored in read-only
       memory, (B) an updatable [...]
    
    
    OLD
       Therefore, these Claims have to be measured securely.
    
    NEW
       Therefore, the relevant Claims have to be measured securely.
    
    
    This para:
    
       In general, the
       number of layers may vary by device or implementation, and an
       Attesting Environment might even have multiple Target Environments
    
    introduces the capitalised "Attesting Environment" and "Target
    Environment".  Do they deserve their own entry in the Terminology
    section?
    
    
    [ 4.5.  Composite Device ]
    
    WRT the trust model of a composite device: it looks like the lead
    attester needs to be trusted to collect the most fresh evidence from the
    other slots?  Is this discussed anywhere?
    
    
    In this para:
    
       After collecting the Evidence of other Attesters,
       this inside Verifier uses Endorsements and appraisal policies
    
    Shouldn't Endorsements be Ref-Values instead?
    
    
    [ 5.  Topological Models ]
    
    The three sentences "There are multiple [...]", "This section includes
    [...]" and "This is not intended [...]" are slightly vague.  It doesn't
    seem to me that their information content is enough to justify them
    being independent sentences.  Maybe they should be combined?
    
    
    [ 5.1.  Passport Model ]
    
    Should this section have a forward ref to the freshness section, or
    otherwise discuss the freshness of the attestation results?
    
    
    This para:
    
       There are three ways in which the process may fail.  First, the
       Verifier may refuse to issue the Attestation Result due to some error
       in processing, or some missing input to the Verifier.  The second way
       in which the process may fail is when the Attestation Result is
       examined by the Relying Party, and based upon the appraisal policy,
       the result does not pass the policy.  The third way is when the
       Verifier is unreachable.
    
    not sure why is this relevant?
    
    
    [ 5.2.  Background-Check Model ]
    
    The para:
    
       Hence, the ability to let the Relying Party obtain an Attestation
       Result [...]
    
    seems to reshuffle the content of the preceding one.  The two can be
    combined / streamlined.
    
    
    [ 5.3.  Combinations ]
    
       It is also worth pointing out that the choice of model is generally
       up to the Relying Party
    
    I'm not sure it "is up to the RP", rather it "depends on the RP" because
    it's typically not a choice of the RP but of the use case / protocol
    flow in which the RP operates.
    
    
    [ 6.  Roles and Entities ]
    
    This sentence:
    
       An entity in the RATS architecture includes at least one of the roles
       defined in this document.
    
    creates a bit of cognitive dissonance: in the Terminology section the
    Endorser, Ref-val Provider, RP Owner and Verifier Owner are defined as
    "entities", however, they don't include any of the roles (Verifier, RP,
    Attester).
    
    
    In the sentence:
    
       Alternative channels to convey conceptual messages [...]
    
    maybe insert a forward reference to Section 8 (conceptual messages).
    
    
    OLD
       As a system bus entity, [...]
    
    NEW
       As a system bus-connected entity, [...]
    
    
    [ 7.1.  Relying Party ]
    
    OLD
       The scope of this document is scenarios for which a Relying Party
       [...]
    
    NEW
       This document covers scenarios for which a Relying Party [...]
    
    
    
    [ 7.2.  Attester ]
    
    OLD
       The Verifier might share this information
       with other authorized parties, according to rules that it controls.
    
    NEW
       The Verifier might share this information
       with other authorized parties, according to some predefined rules.
    
    
    OLD
       In some cases where Evidence contains sensitive information, an
       Attester might even require that a Verifier first go through a TLS
       authentication or a remote attestation procedure with it before the
       Attester will send the sensitive Evidence.
    
    NEW
       When Evidence contains sensitive information, an Attester typically requires
       that a Verifier authenticates itself (e.g., at TLS session
       establishment), and might even require a remote attestation before
       the Attester sends the sensitive Evidence.
    
    
    [ 7.4.  Verifier ]
    
    OLD
       is critical to the secure operation an Attestation system,
    
    NEW
       is critical to the secure operation of an Attestation system,
    
    
    
    [ 8.2.  Endorsements ]
    
    This section doesn't provide a clear and concise definition of what is
    meant by Endorsement.  Instead it goes in depth discussing the rather
    tangent topic of access authorisation based on one kind of Endorsement.
    
    I suggest this section is re-shaped to discuss:
    * What is an endorsement conceptually;
      * Why we need to make it a first class object distinct from ref-values
        and other inputs to the verifier;
    * A few instances of Endorsements;
    * One example usage in the attestation workflow
    
    
    [ 8.3.  Attestation Results ]
    
    OLD
       Attestation Results
       may be a Boolean simply indicating compliance or non-compliance with
       a Verifier's appraisal policy, or a rich set of Claims about the
       Attester
    
    NEW
       Attestation Results
       may carry a boolean value indicating compliance or non-compliance with
       a Verifier's appraisal policy, or a richer set of Claims about the
       Attester
    
    
    This para:
    
       In some cases, it may
       even indicate that the Evidence itself cannot be authenticated as
       being correct
    
    What does "authenticated as being correct" mean?
    I suggest dropping the paragraph altogether.
    
    
    OLD
       The simplest such policy might be to
       simply authorize any party supplying a compliant Attestation Result
    
    NEW
       The simplest such policy might be to
       authorize any party supplying a compliant Attestation Result
    
    
    But taking a step back, the whole para:
    
       The simplest such policy might be to
       simply authorize any party supplying a compliant Attestation Result
       signed by a trusted Verifier.  A more complex policy might also
       entail comparing information provided in the result against Reference
       Values, or applying more complex logic on such information.
    
    does not seem to provide useful information, so maybe another option is
    to drop it altogether.
    
    
    OLD
       Thus, Attestation Results often need to include detailed information
    
    NEW
       Thus, Attestation Results may need to include detailed information
    
    
    In the sentence:
    
       Finally, whereas Evidence is signed by the device (or indirectly by a
       manufacturer, if Endorsements are used), [...]
    
    I'm not sure what "or indirectly by a manufacturer, if Endorsements are
    used" means?  Is it that Endorsement has the very tight meaning of
    the "certificate of the device signing key signed by the manufacturer"?
    If so, can we make this explicit in the Endorsements section?
    
    
    [ 9.  Claims Encoding Formats ]
    
    This sentence:
    
       To enable remote attestation to be added to existing protocols,
       enabling a higher level of assurance against malware for example, it
       is important that information needed for appraising the Attester be
       usable with existing protocols that have constraints around what
       formats they can transport.
    
    it's quite hard to digest.
    
    But more generally, the motivating use case (OPC UA) is slightly
    convoluted, and I'm wondering whether it is really needed?  But
    assuming it were, the exposition needs to be improved to present
    a clear and compelling case.
    
    
    [ 12.1.1.  On-Device Attester and Key Protection ]
    
    OLD
       [...] a dedicated chip a TEE or such that [...]
    
    NEW
       [...] a dedicated chip, a TEE or such that [...]
    
    
    [ 12.2.  Integrity Protection ]
    
    OLD
       Any solution that conveys information used for security purposes,
       whether such information is in the form of Evidence, Attestation
       Results, Endorsements, or appraisal policy must support end-to-end
       integrity protection and replay attack prevention,
    
    NEW
       Any solution that conveys information used for security purposes,
       whether such information is in the form of Evidence, Attestation
       Results, Endorsements, Reference Values or appraisal policy, must
       support end-to-end integrity protection and replay attack prevention,
    
    
    [ 16.3.  Example 3: Handle-based Passport Model Example ]
    
    I have a bunch of nits on this but I think the whole section lacks
    clarity and conciseness.  I'd be happy to help with a makeover.
    
    
    cheers!