Re: [Rats] I-D Action: draft-ietf-rats-eat-15.txt

[Michael Richardson <mcr+ietf@sandelman.ca>]

internet-drafts@ietf.org wrote:
    > The IETF datatracker status page for this draft is:
    > https://datatracker.ietf.org/doc/draft-ietf-rats-eat/

    > There is also an HTML version available at:
    > https://www.ietf.org/archive/id/draft-ietf-rats-eat-15.html

    > A diff from the previous version is available at:
    > https://www.ietf.org/rfcdiff?url2=draft-ietf-rats-eat-15

I wish I could read the diff.
You did not fix the too-long lines.

I edited -14 and -15 to truncate the long lines in the appendix, and put that
onto github (since iddiff has a limited set of places it will read from), and
readers can try:

https://author-tools.ietf.org/diff?url_1=https://raw.githubusercontent.com/mcr/eat/eat-diff-short/draft-ietf-rats-eat-14.txt&url_2=https://raw.githubusercontent.com/mcr/eat/eat-diff-short/draft-ietf-rats-eat-15.txt

iddiff is not yet as good rfcdiff, and generates some additional diffs around
page breaks and the like.

Some comments:

1) you've changed the section names of the claims:

Universal Entity ID Claim (ueid) ->  ueid (Universal Entity ID) Claim
I see why this might be a good idea, but it sure isn't pretty.
I will think on this.

2) "DEB" is gone, thank you.
3) I like the changes to the Intro.

4)"This document registers no media or content types for the
   identification of the type of EAT, its serialization format or
   security envelope.  That is left for a follow-on document."

I'm okay with this, but maybe to say,
    That is left for to follow-on documents, or may be defined by
    by documents that define EAT Profiles.

5) Can Detached EAT Bundles contain a mix of CWT and JWT?
   Up in the introduction, it seems to imply this, but I think section 5 says no.

6) "Each claim defined in this document is added to the $$Claims-Set-
   Claims socket group. "

The term "socket group" is a CDDL-ism.  I know what it means, but it might be
confusing to some (pointy haired manager) who don't know what CDDL is.
It might be worth adding to the terminology section.  I'm not sure here.

7) 4.2.13.  bootseed (Boot Seed) Claim

   The "bootseed" claim contains a value created at system boot time
   that allows differentiation of attestation reports from different
   boot sessions of a particular entity (e.g., a certain UEID).

   This value is usually public.  It is not a secret and MUST NOT be
   used for any purpose that a secret seed is needed, such as seeding a
   random number generator.

I guess that the second paragraph is needed because the word "seed" might
confuse people into thinking it has something to do with seeding PRNGs.
Maybe the problem is the name of the claim.
Maybe we can come up with a different name for the claim instead?
Maybe bootnonce, or bootinstance or ??

If I have bootcount, and I have a per-device identifier (UEID...),
can I use UEID as a key to CBC encrypt bootcount to make bootseed?

8) DLOAS: "This claim is typically issued by a verifier, not an attester."
would it be worth splitting 4.2 up into two or three sections?
* Claims from Attesters or Verifiers
* Claims from Attesters
* Claims from Verifiers
?
(Also measres claim)

9) section 4.2.18.1.2.2.  Six levels of subsection tells me that maybe
something is wrong.

Probably Submodules claim can go into claims area, but then forward reference
an entire Submodules *SECTION*

10) I did not review the CDDL changes.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-