From nobody Wed Sep 6 15:03:11 2023 Return-Path: X-Original-To: rats@ietf.org Delivered-To: rats@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AF1F6C14CEE3; Wed, 6 Sep 2023 15:03:09 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit From: Warren Kumari via Datatracker To: "The IESG" Cc: draft-ietf-rats-eat@ietf.org, rats-chairs@ietf.org, rats@ietf.org, ned.smith@intel.com, ned.smith@intel.com X-Test-IDTracker: no X-IETF-IDTracker: 11.10.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: Warren Kumari Message-ID: <169403778969.57957.4295244570758062114@ietfa.amsl.com> Date: Wed, 06 Sep 2023 15:03:09 -0700 Archived-At: Subject: [Rats] Warren Kumari's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT) X-BeenThere: rats@ietf.org X-Mailman-Version: 2.1.39 List-Id: Remote ATtestation procedureS List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2023 22:03:09 -0000 Warren Kumari has entered the following ballot position for draft-ietf-rats-eat-21: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-rats-eat/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Be ye not afraid -- a DISCUSS ballot is a request to have a discussion -- https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ . 4: S 4.2.3.1. Random Number Based OEMID "They would perform this only once in the life of the company to generate the single ID for said company. They would use that same ID in every entity they make. This uniquely identifies the OEM on a statistical basis and is large enough should there be ten billion companies." It is very unclear what exactly the "life of a company" is here. America Online has been, variously: Control Video Corporation (1983–1985) Quantum Computer Services (1985–1991) America Online (1991–2009) AOL Time Warner (2001–2009) AOL (2009 - 2015) AOL, part of Verizon (2015 - now) At what point(s) in this tangled web (if ever) should "AOL" have generated a new "single SID"? Another example: "In April 2012, Facebook paid $1B for Instagram, a photo and video sharing software." -- which "single" SID should Facebook (whoops, Meta) used for Oculus headsets? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I mostly have a few comments: 1: It would have been really nice to have an example at the beginning of the document to help make this less abstract for the reader. Yes, there are examples further into the document, and a reader unfamiliar with the technology can always go look at one of those, but having a (very simple) example near the top of the document would help greatly... 2: S 4.2.1.1. Rules for Creating UEIDs For the IEEE EUI you say: "This uses the IEEE company identification registry.", but for 0x03 IMEI all you say is "This is a 14-digit identifier consisting of an 8-digit Type Allocation Code and a 6-digit serial number allocated by the manufacturer". This doesn't say who actually assigns the TAC -- I believe that it is GSMA. 3: S 4.2.3.1. Random Number Based OEMID "The OEM MAY create their own ID by using a cryptographic-quality random number generator." -- the use of uppercase MAY feels weird here, and I suggest that you s/MAY/may. 4: Nit. "Certain EAT claims can be used to track the owner of an entity and therefore, implementations should consider providing privacy-preserving options dependent on the intended usage of the EAT." The grammar here seems odd -- I'd suggest: "Certain EAT claims can be used to track the owner of an entity; therefore, implementations should consider providing privacy-preserving options dependent on the intended usage of the EAT."