Re: [Rats] RATS Architecture continued

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 30 June 2020 19:06 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF2173A0062 for <rats@ietfa.amsl.com>; Tue, 30 Jun 2020 12:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=0NOVYnXl; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=0NOVYnXl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NsW3RYnE8U0I for <rats@ietfa.amsl.com>; Tue, 30 Jun 2020 12:06:33 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70042.outbound.protection.outlook.com [40.107.7.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 980FB3A0064 for <rats@ietf.org>; Tue, 30 Jun 2020 12:06:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E+xu1sfX4aNVwFzusl/K0sqINPu4XdzW4Vp5d6jchmI=; b=0NOVYnXlAjMSTYY/sBwFhK6Z0GeLrU4XJFn//jfOPa325AH3eJX1k9kdHLulTEbt1tqQC2MF9NRMWRdYafGCTPjjXX2UEOeyqGSf113z034I6Ot0v6Bvunu5RWvhKa9pJn1fUZjZsCQ0I75IY1+AI2HCW94mN6H2GSv3Fe0pra4=
Received: from DB3PR06CA0001.eurprd06.prod.outlook.com (2603:10a6:8:1::14) by HE1PR0802MB2491.eurprd08.prod.outlook.com (2603:10a6:3:de::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.21; Tue, 30 Jun 2020 19:06:28 +0000
Received: from DB5EUR03FT023.eop-EUR03.prod.protection.outlook.com (2603:10a6:8:1:cafe::67) by DB3PR06CA0001.outlook.office365.com (2603:10a6:8:1::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.21 via Frontend Transport; Tue, 30 Jun 2020 19:06:28 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT023.mail.protection.outlook.com (10.152.20.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.20 via Frontend Transport; Tue, 30 Jun 2020 19:06:28 +0000
Received: ("Tessian outbound aa49e94c93f4:v61"); Tue, 30 Jun 2020 19:06:28 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 5375acadc217c1a8
X-CR-MTA-TID: 64aa7808
Received: from 9a5098ad2f1b.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 356126E0-238F-4464-A705-A62F17597A28.1; Tue, 30 Jun 2020 19:06:23 +0000
Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 9a5098ad2f1b.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 30 Jun 2020 19:06:23 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UMKGTko6IFGuYezco/JKZao2PFmxoSAuAqLJlaICapECYk5iwe6xCrAkf9bEFugYabtCmnc8v9OdMdfmxuV7MQLfMS3vh1HCMyiDar7QcPIx2kiWDbwvaV+B7pBmgVUU/fVzwaeumD/Kl8qU4NowhOL9NoFvVjSmmwuIJt7y9HNGpO2dhHOIDhEwUtgDedT6EtJlVIH1Xz3UgNHobc7vYZxICWAr47WgbD6at+kqnr8ARrvk3v3hm0WNPh6G4SbchzUDvQZZsajDFklYNYlWmIsnMzwPzd0Y2UR7KbiRbwAN79mWjcu6ieW8A1IgWXpIEh01QuOM1+jNdUgYHxwhUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E+xu1sfX4aNVwFzusl/K0sqINPu4XdzW4Vp5d6jchmI=; b=KzfqlMlKWwxX4HWmrMqhEvvarSS46d/TQJCrm1bgZT8xYZvGbuHnTU/ANW94SkKOWmEL3BdROgn7Mewh2azGiwGmduVhkiEUjrbm+xRyhQMcu5KjgCdQ7jne3copiTVwmxtK71alfnIMB8T/HBVPX6wlqRStSeMU5dCT7HCK9LJv+TEcjszNwdCaNCENai4TOOc8xgR8Ya2DYlvwAwjki+ZOm32NJycRL1xxnAnhfwZP+Ut9Ja/lWEbEpANuIhPhsjsPfgJ231v1YzUVdaoYsmsuNqVY1ANsmLhWz1RapqOgNEdmpLVqvw3kAt1IezQ7ffHn0+WogmKMOSSKdJ1MlA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E+xu1sfX4aNVwFzusl/K0sqINPu4XdzW4Vp5d6jchmI=; b=0NOVYnXlAjMSTYY/sBwFhK6Z0GeLrU4XJFn//jfOPa325AH3eJX1k9kdHLulTEbt1tqQC2MF9NRMWRdYafGCTPjjXX2UEOeyqGSf113z034I6Ot0v6Bvunu5RWvhKa9pJn1fUZjZsCQ0I75IY1+AI2HCW94mN6H2GSv3Fe0pra4=
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com (2603:10a6:20b:73::23) by AM6PR08MB4935.eurprd08.prod.outlook.com (2603:10a6:20b:d5::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.21; Tue, 30 Jun 2020 19:06:21 +0000
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::459b:bcf3:b888:c906]) by AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::459b:bcf3:b888:c906%6]) with mapi id 15.20.3131.027; Tue, 30 Jun 2020 19:06:21 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [Rats] RATS Architecture continued
Thread-Index: AQHWMGWdazT03iq/bECLJLRetgUHcajx0wwA
Date: Tue, 30 Jun 2020 19:06:21 +0000
Message-ID: <52EC2B8C-578E-49E5-ADBD-037B5F3738FF@arm.com>
References: <CAHbuEH5g_KoFTYpWdWYbkBqabhsRHU_3uqjYzs2APsV=KF-bsQ@mail.gmail.com>
In-Reply-To: <CAHbuEH5g_KoFTYpWdWYbkBqabhsRHU_3uqjYzs2APsV=KF-bsQ@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.38.20061401
Authentication-Results-Original: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [82.11.185.80]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: ff9281c4-c88e-4b7b-9b1b-08d81d28b179
x-ms-traffictypediagnostic: AM6PR08MB4935:|HE1PR0802MB2491:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <HE1PR0802MB249189B3BFAAD3E18C01616D9C6F0@HE1PR0802MB2491.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
x-forefront-prvs: 0450A714CB
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: uWymWLja2137KX8871DMFHhBlc1luZGdW60kFVCWmFOa1HRpjgiMSOqLLfQNzQTerlwJeEZTS0TcNPgaIVN17HggVLaJJsQCU28NA9TQdHjuoblxrcsDO6ytqIoNsWwK/gpkrmP93ZBLlSaJh0pzdDi8FiR1P0Ghqwdsm+9QdMW2VOqPWaKSeCwbEFGu3K0vZyKX0fc7PtsiesweSx2R3+JCEfUd4qCjlCIHAviaoKXpkSwfOQ27XmbUsC80+zpCJLHvRCWwfh3YJgPAlTH1ZER3EUnDRg64YwBI2upxVphRtzqCOdJrlXAKlCsor/5ixSZnjKm9uWAHFd+thV6VRiJrFmYH7Qh4L9y089XuE6AEwzHPXQXBLBsbh1HfMmfk8R318Kne93SO7uWKCMvuRA==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB4231.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(136003)(346002)(366004)(396003)(39860400002)(2906002)(2616005)(26005)(186003)(6486002)(9326002)(76116006)(33656002)(8936002)(66946007)(966005)(64756008)(66446008)(66556008)(91956017)(478600001)(8676002)(66476007)(66574015)(71200400001)(316002)(110136005)(86362001)(5660300002)(166002)(83380400001)(30864003)(4326008)(36756003)(6506007)(6512007)(579004)(559001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: COG228K/IEoELP3/5F6MwD8LgRfm+xrTn65xpvIphmkwFxR3jKw3uTsT1CCbPW2ly3+m+DI8H/epW+E8PiTTJDPPXlq6EQeK6meud2V77N4w3/fL6u5UiFMUSwboP8W/Jmmuoux9U3NnKc98Kc5wQn0fzbNQon7WAAJ/O42rJvAIXLOvyWUfRWnC8qmNMXonFTfVJ1gso8dIR2mNMdJMjFd+X6xGkmn9tN/8ArjIj1OscGbBZxFRCYdlONkeUV+41rjZUV37EEu/UvYyfLVB9LQ/brg6pndJblQvQeEnePb+2Nd9JVzrtuPGRSYjZkiagTI+AKhfT6aPUaxdddY1DEyYuiCK+1HKKGq8UtYulD4x98UGynTC3UcirT9iqQobiVQDRVLBpnUZnDxoYgVkj7oKVSwWB1Goy0AjzpZsuDPOhAjCpwYoOCuiEu4iu42X1osoHwYddODt/Ai2D4dg5c/kXvgKgRjCYiOoaN+4Yjc=
Content-Type: multipart/alternative; boundary="_000_52EC2B8C578E49E5ADBD037B5F3738FFarmcom_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4935
Original-Authentication-Results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT023.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(396003)(136003)(346002)(376002)(39860400002)(46966005)(186003)(66574015)(478600001)(83380400001)(6486002)(2906002)(45080400002)(26005)(36756003)(47076004)(5660300002)(336012)(2616005)(6506007)(30864003)(33964004)(6512007)(166002)(110136005)(8676002)(70206006)(70586007)(316002)(82310400002)(9326002)(4326008)(966005)(33656002)(86362001)(81166007)(82740400003)(8936002)(356005)(579004)(559001); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 0cd34a0e-9fbc-49ab-41b3-08d81d28ad2d
X-Forefront-PRVS: 0450A714CB
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: KC4CIH8Txmv0z+u9s8Xnw91VhuRxuVm8t2/MXcOFUdGnXuILo/kRnxufjllf7dQQpu4gr78mPxcT2DXLw3hGvcX3h7NMKU5MkjsgWd6MKGDmsHj8pSpjLLMHDtZLjLXormdCjJlo34o85dlIlPDrGdnBawjA5ULm6N/f/mr5tRnL/HLP7xpivL5G0r6ShVc7wxtQ4zmP2RbZxhppZrp89oGq5NEqgp0xr1ZgLAbG+4LEGKtC1EM3ogGCFc05y90vaqsnQPnuCtWDRn/bZPxgdblz7vbvRh2BhQXzIMduFqrK+b2sNqoR8vvFJvG/ZFKUjxGkhCWXy4i8l60O5VPYwxN6G+mEdGmC5iBPJlo92gVLJqDFp8hO67zF/X0Mt43cV9KkxuKAhFU3bm7zVlmlJ+jjumB0MG6EE222Rp1wHxKL7zSu2ouMLuGinsZJ8jjn5UdCkKZCgfNxkn9rWsn/skuRiD4S1JfMf6im+/U9CuI=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jun 2020 19:06:28.6289 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ff9281c4-c88e-4b7b-9b1b-08d81d28b179
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT023.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0802MB2491
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/HE70JilffsHnOfs9ONLV6XoSKz4>
Subject: Re: [Rats] RATS Architecture continued
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 19:06:37 -0000

Hi Kathleen,

Thanks again for your review!

I’ve split your editorial suggestions in to a bunch of PRs, one per impacted section.
I’ve done so in order to constrain the scope and ease review, but also because you mentioned you wanted to do another pass on some of the sections.
So I guess you can provide any further suggestion directly on the PRs?

Here’s the list:

  *   https://github.com/ietf-rats-wg/architecture/pull/117
  *   https://github.com/ietf-rats-wg/architecture/pull/118
  *   https://github.com/ietf-rats-wg/architecture/pull/119
  *   https://github.com/ietf-rats-wg/architecture/pull/120
  *   https://github.com/ietf-rats-wg/architecture/pull/121
  *   https://github.com/ietf-rats-wg/architecture/pull/122


I have made Issues for those comments that needed some more discussion:

  *   https://github.com/ietf-rats-wg/architecture/issues/114
  *   https://github.com/ietf-rats-wg/architecture/issues/115
  *   https://github.com/ietf-rats-wg/architecture/issues/116



And finally a couple of things I’m having a bit of trouble understanding, for which I need your help:

Section 4.2 “Two Types of Environments of an Attester” (A)

I find the following grouping a bit confusing:

            "Places that Attesting Environments can exist include Trusted Execution Environments (TEE), embedded Secure Elements (eSE), and BIOS firmware."

This has an attesting environment as a processor, an element, and as compiled code.  That doesn't seem right, especially when you refer to the attesting environment as a "place".  Do you mean where BIOS is executed perhaps?  I would expect a TEE and maybe other components where security functions are offloaded, which is in some cases to a processor other than a TEE like a GPU (I'm not making a recommendation to do that here, just stating what is happening in ecosystems that exist).

Here I don’t understand your comment fully and therefore I find it difficult to formulate an action.  Could you provide a suggestion?

Section 7.4. Verifier

Then with the following sentence,

"The component that is implicitly trusted is often referred to as a Root of Trust."

I think it would be worth mentioning that a hardware RoT is immutable and mutable RoTs in software are also possible, offering different levels for an assurance of trust/security.

Here you mean purely software RoTs?  I’m not aware of any, can you provide an example please?

That should be all.

Cheers, thanks!


On 22/05/2020, 19:20, "RATS on behalf of Kathleen Moriarty" <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org> on behalf of kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote:

Greetings!

I got as far as I could with time constraints through the rest of the document.  There are a few sections I'll likely go back over again as I was short on time when reviewing them, but do hope this is helpful towards improving the document..  This review is from the editors revision on github that I started my review earlier int he week.

Section 4.2:
I find the following grouping a bit confusing:
"Places that Attesting Environments can exist include Trusted Execution Environments (TEE), embedded Secure Elements (eSE), and BIOS firmware."

This has an attesting environment as a processor, an element, and as compiled code.  That doesn't seem right, especially when you refer to the attesting environment as a "place".  Do you mean where BIOS is executed perhaps?  I would expect a TEE and maybe other components where security functions are offloaded, which is in some cases to a processor other than a TEE like a GPU (I'm not making a recommendation to do that here, just stating what is happening in ecosystems that exist).

The following text is a little confusing, in particular, the last sentence:
"An execution environment may not, by default, be capable of claims collection for a given Target Environment. Attesting Environments are designed specifically with claims collection in mind."

If the attesting environment is a place, TEEs and other processors were not necessarily designed with claims in mind.  If you can help to explain an attesting environment better, I can help to phrase it more clearly to convey the intended set of points as I think there are several.

Section 4.3
Consider changing from:
"By definition, the Attester role takes on the duty to create Evidence."
To:
"By definition, the Attester role creates Evidence."

The following sentence is a run on and I think some additional information will help provide clarity. I don't think it's the role that is composed of nest environments.  Current:
"The fact that an Attester role is composed of environments that can be nested or staged adds complexity to the architectural layout of how an Attester can be composed and therefore has to conduct the Claims collection in order to create believable attestation Evidence."
How about:
"An Attester may be one or more nested or staged environments, adding complexity to the architectural structure.  The unifying component is the root of trust and the nested, staged, or chained attestations produced.  The nested or chained structure should include claims, collected by the attester to aid in the assurance or believability of the attestation Evidence."

The following sentence should be broken into two:
"This example could be extended further by, say, making the kernel become another Attesting Environment for an application as another Target Environment, resulting in a third set of Claims in the Evidence pertaining to that application."
Proposed:
"This example could be extended further by making the kernel become another Attesting Environment for an application as another Target Environment. This results in a third set of Claims in the Evidence pertaining to that application."


How about changing the following sentence from:
"Among these routers, there is only one main router that connects to the Verifier. "
To:
"A multi-chassis router, provides a management point and is the only one that connects to the Verifier. "

For the following sentence, trying to remove the use of a word twice in a row and convey the same intent.
Old:
"After collecting the Evidence of other Attesters, this inside Verifier verifies them using Endorsements and Appraisal Policies (obtained the same way as any other Verifier), to generate Attestation Results."
Proposed:
"After collecting the Evidence of other Attesters, this inside Verifier uses Endorsements and Appraisal Policies (obtained the same way as any other Verifier) in the verification process to generate Attestation Results."

I may try another pass at section 4 to improve readability.

Section 5,
Consider breaking this into 2 sentences, from:
"This section includes some reference models, but this is not intended to be a restrictive list, and other variations may exist."
To:
"This section includes some reference models. This is not intended to be a restrictive list, and other variations may exist."

Section 5.1
Two result words together is not necessary.
Change from:
"The second way in which the process may fail is when the resulting Result is examined by the Relying Party, and based upon the Appraisal Policy, the result does not pass the policy. "
To:
"The second way in which the process may fail is when the Result is examined by the Relying Party, and based upon the Appraisal Policy, the result does not pass the policy. "

I suggest making the last paragraph the second paragraph.  It's easier to read than the others and provides an introduction to the model before you begin talking about how it might fail.

** I may come back to this section to provide wording suggestions.

Section 5.2
I suggest moving the last paragraph to the first in this instance.  It also provides a nice high-level overview.  The current paragraph 1&2 flow well together, hence this order suggestion.

The third paragraph is a really long way of stating that interoperability is required.  Entities must be able to create, send, receive, and process data (hence the need for a standard).  It's fine, but could be shorter.

Section 5.3:
OLD:
"One variation of the background-check model is where the Relying Party and the Verifier on the same machine, and so there is no need for a protocol between the two."
Proposed:
"One variation of the background-check model is where the Relying Party and the Verifier are on the same machine, performing both functions together.  In this case, there is no need for a protocol between the two."
I think the addition is necessary or you could scratch your head wondering why no protocol is needed.  If they are separate functions on the same system, you'd need some way for the relying party to access the results of the verifier.

The next sentence could benefit from being made into several.
OLD:
"It is also worth pointing out that the choice of model is generally up to the Relying Party, and the same device may need to create Evidence for different Relying Parties and different use cases (e.g., a network infrastructure device to gain access to the network, and then a server holding confidential data to get access to that data). As such, both models may simultaneously be in use by the same device."

If the server holds confidential data, why does it need to create evidence to access the data?  I'm not following the second example as written, so my proposed text may not be as intended.

Proposed:
"It is also worth pointing out that the choice of model is generally up to the Relying Party.  The same device may need to create Evidence for different Relying Parties and/or different use cases.  For instance, a network infrastructure device may attest evidence to gain access to the network or a server holding confidential data  may require attestations of evidence to gain access to the data. As such, both models may simultaneously be in use by the same device."

Section 6:
The first 3 sentences are fine, but if you wanted to reduce it, it could be one sentence.
Current:
"An entity in the RATS architecture includes at least one of the roles defined in this document. As a result, the entity can participate as a constituent of the RATS architecture. Additionally, an entity can aggregate more than one role into itself. "
Proposed:
"An entity in the RATS architecture includes at least one [or more] of the roles defined in this document. "
Or more is redundant, so that really isn't necessary to convey the same point.

Then the last sentence:
I'd change it a little from:
"In essence, an entity that combines more than one role also creates and consumes the corresponding conceptual messages as defined in this document."
To:
"In essence, an entity that combines more than one role may create and consume the corresponding conceptual messages as defined in this document."

It might not, it could be the verifier and relying party.

Section 5:
Consider changing from:
"That is, it might appraise the trustworthiness of an application component, or operating system component or service, under the assumption that information provided about it by the lower-layer hypervisor or firmware is true. "
To:
"That is, it might appraise the trustworthiness of an application component, operating system component, or service under the assumption that information provided about it by the lower-layer hypervisor or firmware is true.. "

Section 7:

I'd say it's really a stronger level of assurance of security rather than a stronger level of security in the following:
"A stronger level of security comes when information can be vouched for by hardware or by ROM code, especially if such hardware is physically resistant to hardware tampering. "

Then with the following sentence,
"The component that is implicitly trusted is often referred to as a Root of Trust."
I think it would be worth mentioning that a hardware RoT is immutable and mutable RoTs in software are also possible, offering different levels for an assurance of trust/security.

Section 9.

Since ROLIE [RFC8322] has been added to SCAP2.0, it would be good to list that as an option since a lot of time and effort went into how to secure the exchange of formatted data for that protocol.

Section 11. Privacy
This is a good start.  Remote attestation also provides a way to profile systems as well as the user behind that system.  If attestation results go higher in the stack to include containers and applications, it could reveal even more about a system or user.  The scope of access needs to be emphasized, including the administrators access to data (or restrictions).  If there is a way to make inferences about attestations from their processing, that should be noted as well.

Section 12:
This will need to state an explicit requirement for transport encryption.  In the introductory paragraph, the text is as follows:
"Any solution that conveys information used for security purposes, whether such information is in the form of Evidence, Attestation Results, Endorsements, or Appraisal Policy, needs to support end-to-end integrity protection and replay attack prevention, and often also needs to support additional security protections. For example, additional means of authentication, confidentiality, integrity, replay, denial of service and privacy protection are needed in many use cases. "
Proposed:
"Any solution that conveys information used for security purposes, whether such information is in the form of Evidence, Attestation Results, Endorsements, or Appraisal Policy must support the security properties of confidentiality, integrity, and availability.  A conveyance protocol includes the typical transport security considerations:
o  end-to-end encryption,
o  end-to-end integrity protection,
o  replay attack prevention,
o  denial of service protection,
o  authentication,
o  authorization,
o  fine grained access controls, and
o  logging in line with current threat models and zero trust architectures."


--

Best regards,
Kathleen
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.