Re: [Rats] Yangdoctors early review of draft-ietf-rats-yang-tpm-charra-03

"Eric Voit (evoit)" <evoit@cisco.com> Thu, 17 December 2020 15:10 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5D123A094E; Thu, 17 Dec 2020 07:10:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.602
X-Spam-Level:
X-Spam-Status: No, score=-9.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=UjmbZX5d; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=YkVgq0/K
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6bR7YP206jS; Thu, 17 Dec 2020 07:10:26 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E51FD3A0962; Thu, 17 Dec 2020 07:10:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19491; q=dns/txt; s=iport; t=1608217826; x=1609427426; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=VYCphbQJqceBk7ZTLMdoY3e/7rtQhT7u1nQUeKpiUys=; b=UjmbZX5d0pqEcnmGEJhYK7VBZpBQON48DVVPrQG8jPfdk9jzuKdYfV0c jSpshgjfT9qZYXCJA2V+zIcFrVEG4zpgK1DGHH5qxmN9FVq/ku3Zkdr9Q 1TYqWzd6CIU6nkoqvXWHJuYCIx04Qho17VTmsFBEF5f7aKxWV4cebClkf s=;
X-Files: smime.p7s : 3975
X-IPAS-Result: A0AmBAA2dNtfkIQNJK1KGB0BAQEBCQESAQUFAYIPgVIpKHwtLi8uCoQ1g0gDjVsDmQyBQoERA1QEBwEBAQoDAQEjCgIEAQGESgKBcwIlOBMCAwEBAQMCAwEBAQEFAQEBAgEGBBQBAQEBAQGGOAyFcgEBAQECARIRHQEBKQ4BBAcEAgEIDgMBAwEBDgYXAgICMBcGCAIEAQ0FCAYNB4I5SwGBflcDDhEPAQ6ibwKBPIhpdoEygwQBAQWBMwGDcBiCCQcDBoE4gVOBIoowFhAbgUE/gRFDglY+gl0CgRoIIxwFECECgl0zggoigVlvXwEDFA4FFAgQHwJdBhIzER8HCwQkj1sSinyBHYpokTYKgnSEXIJogV+Gc4YdhTqDJoonBJRtlAeLDZFdIoQeAgQCBAUCDgEBBYFtIYFZcBWDJFAXAg2OIQsBDgmDToUUhUR0AjUCBgoBAQMJfIkvLYEGAYEQAQE
IronPort-PHdr: 9a23:pvi6wx8gRG8fW/9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+7ZRCN6vBkjVuPVoLeuLpIiOvT5qbnX2FIoZOMq2sLf5EEURgZwd4XkAotDI/gawX7IffmYjZ8EJFEU1lorH6+OElRXs35Yg6arni79zVHHBL5OEJ8Lfj0HYiHicOx2qiy9pTfbh8OiiC6ZOZ5LQ69qkPascxFjA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,428,1599523200"; d="p7s'?scan'208";a="638457657"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 17 Dec 2020 15:10:24 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by alln-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 0BHFAOen003329 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Dec 2020 15:10:24 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 17 Dec 2020 09:10:24 -0600
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 17 Dec 2020 10:10:23 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 17 Dec 2020 09:10:23 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HEoKDGUU7tmmNkzDKAVebinqsf9kcBiAIKH/1tWTEIuN3G+XjC+VJS7BI1r2cqKa5bqDRxk8MWB9XGcN3lDQrldF3bgHo66teY3nk4ULnS62bdbAoANJiRvCgPC/WBCsKXTzzmmhF1lc6fWd2tx6BILi84Hj19YeAejfT8tQHB/ArODq+9KKYeCjK88Jx6+HG44hnf6LNP6r8G4PDee2Jv8MfLS4wyipTHKc5qXyqWrdMFtOTZvZWQt9LuDlF0vecWXtmDPcuniK8eOoycLJ/KDDQGN8UxFJHau1IMiLUPhkOtxRKXQ8oPsbOYuM/LZVhLJTNi7aKbtMqtxqZeh3WQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bTNSCfb0tE+X4MbKsVdwJUNLrqWNi/uNjKcCB+/qfm0=; b=eyGsj/V/orBccS5OyQ9nu5K51eItAeJ2O79LV2rC30eBGIj84gddIChZALxnvz3UWWXuv+Oh67ZJv8ZwKdybjTUCmVl+lPFI6ScczKG68KZlEhw11XIswQgM+1ztRgI7EWkBTcNzSdnOZ2Lvra3Wi2ImHCDGcPwKjgB4+20R7MJta6hCqBBrqM9FKlFV/gN5WkSr6pG1jRpJ5EQuIXMYRO1upcH5PCuRHIqq1Q/pprAwAGLcMHliO043oGR1ubOMSFSjkIyao7dzddxaf+ZLbLahsmdOfZw9Do0PuxLHkDST8xOEol2UcWg54kBvNmfGZQWWF17Hkq3oWqtz5dKe7w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bTNSCfb0tE+X4MbKsVdwJUNLrqWNi/uNjKcCB+/qfm0=; b=YkVgq0/KcNo9wri4F8ZNjfqi22kimbo/iFQLMDlbh8qdIhUF40AcXu3URZ8DFbDyOcw5IkTbIDEbYioscOXzZ/A3mVbu9WooP8t0oQzOuz44rgz/fAsEfRPfuPcuS2BZLx3B+npMbhP29xpAJ/g4gLVxzA8xiYHOQnGOBebG4og=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by MN2PR11MB4566.namprd11.prod.outlook.com (2603:10b6:208:24e::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.14; Thu, 17 Dec 2020 15:10:21 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::9851:12ed:f9df:af4f]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::9851:12ed:f9df:af4f%7]) with mapi id 15.20.3654.025; Thu, 17 Dec 2020 15:10:21 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
CC: "draft-ietf-rats-yang-tpm-charra.all@ietf.org" <draft-ietf-rats-yang-tpm-charra.all@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: Yangdoctors early review of draft-ietf-rats-yang-tpm-charra-03
Thread-Index: AQHWx49CdyHurObiZkSRrQSixsXfm6n6G4uQ
Date: Thu, 17 Dec 2020 15:10:21 +0000
Message-ID: <BL0PR11MB312282F1458D9860F6F4B74BA1C40@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <160679209099.28362.11316215091867915118@ietfa.amsl.com>
In-Reply-To: <160679209099.28362.11316215091867915118@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [108.18.114.139]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 071099db-72b8-4487-7cc8-08d8a29ddfa1
x-ms-traffictypediagnostic: MN2PR11MB4566:
x-microsoft-antispam-prvs: <MN2PR11MB45666A241AE67EA1452C77E1A1C40@MN2PR11MB4566.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jbjQ0Jp2fIFNutP3GG7w5lWCtWPT8XccTDqVjJCBRhy1+0Pien16p5oByJ5LgJFAIdkq638azhAAhIBc/J/BCx3wujB+jHSuvV9uZIE6cu6PHOwcSySud9oS5c48sGByrx8Wf+4kyXN5HL5HAe384riKSZKoUt00D0CDkHX6iwvzSt2a0wn49GM73qLyHqou6jPaQglzx2B+jeoIz7MuxfeJjVE7qYxOMi6C+gqLQFlVVYGaripCR6ShRS87SRd0qgUXF6l9EndHiABUm81Bek5s3xDIM+VwlzatrYM4fUI49IIlrhmKxBZOgzMsuBrom4+wLGASpe0+xgABwSFy8uxfI+/4p4D5eOgvYQj38jQzwu6X4gr6X6/hhCPVs+ixS2i3OI4WcHfH5ZXjkUuBJA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(376002)(396003)(39860400002)(366004)(346002)(2906002)(33656002)(110136005)(53546011)(8676002)(966005)(83380400001)(55016002)(71200400001)(186003)(66476007)(6506007)(66446008)(316002)(66556008)(52536014)(66616009)(66946007)(7696005)(76116006)(9686003)(54906003)(86362001)(8936002)(26005)(99936003)(64756008)(4326008)(30864003)(5660300002)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: i4iFOukSUg4ihapi9szLLJ1TXmcuBGipDAMU1FFvA8URq9RqPUJKo8vrIlQNhasU5jtSC7vJ4D2ipZxt7YUhzx8jfV6LdOlpUrr4HkK9PLuzoHq2tTxWUswXjQMHhRqW7icBDMmX4q+mXrM8nmM6rH6wk5WwY/+o5vn39yc0Au6pCD1wrCcy6BPJUwUI1lHlK8TR34c+qepOjDet9WpsvEJ8XoBzONXPfISoc3lfvlOOIbs47/tofy9dD8IJ3lqljjLGt2LjsmGTDzqXW5AgYkmYzg7mFOCFKOR6CWgPZskT8WWabRlV8uzNho88hpjyT35g1AZXeXCyNgtOMsSqRXw3yklwt0UNn7p+HrMC2fO2HbHKRaxGrN9FfL1HRybE6t6EEpNf6MFHyfrZASDidRyG9tLWj3mKZykAzJ9raeRVnRORsYwonxKeehlg6El9NATdJLSOnkAPh8FKew6TXF/M1LnVCH4oHtlhf+N4vzUi/WLWOaFSHf+oaz/JISzyuAOKotEMa+I1157wbteks0eaAGcqVrz/7nMsKe3YUD/Jk72lkkg0nKWlS00URnUCE1I/WgGh3SXRAx1Xu5Og6Eoy+ZJRiDzXCfS8RmfqMumD3uvaAgdDC8uil7KWVI5/sdZfDUCv7LpDKHEygD4nDkgDJFZ4AgmLkpuNWV6kaJwgluAFC9G7qp8svucaJH0jwB1PWf7k/Yq8X/NvHx9B2WVRUSv+bB89rqIQ/CmpzCckGrdE30utFQjl6LeOIfj3J3aoLXK9HmzjAoQoWdBrDGs+NrkAQWYbO7x7BBoB1wi28UsKM54CpAuFlWdE9IRU8HyMfNS02TxKp3inmMvibEUqVP0l3x+pw0B6wEim3LOVvCBNzmGP8OLYbICnHGEy2r8DYyVPkYEW6hHgwb+zof3xUSI3I9Fqq7tsmBKxywm/U6s0qtgkre2WYyK+FM/KWrLQ5NZ6b4158XZ3diyjpzGPbomh0nfC7meK8AkZeZA=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_016B_01D6D45C.CFDB3DE0"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3122.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 071099db-72b8-4487-7cc8-08d8a29ddfa1
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Dec 2020 15:10:21.7623 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: At6zXIQP1hAaozlAimrY/6/hSwDk6UsT8/w7qKmu1DMq34+oCowAzyiOLJkiai2m
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4566
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: alln-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/omeKahxO9W6kFpmTmmr7y1Ov9nA>
Subject: Re: [Rats] Yangdoctors early review of draft-ietf-rats-yang-tpm-charra-03
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 15:10:29 -0000

Thanks Mahesh for the review!    Some updates based on your review below, one 
question** and other thoughts in line...

> -----Original Message-----
> From: Mahesh Jethanandani via Datatracker <noreply@ietf.org>
> Sent: Monday, November 30, 2020 10:08 PM
> To: yang-doctors@ietf.org
> Cc: draft-ietf-rats-yang-tpm-charra.all@ietf.org; rats@ietf.org
> Subject: Yangdoctors early review of draft-ietf-rats-yang-tpm-charra-03
>
> Reviewer: Mahesh Jethanandani
> Review result: On the Right Track
>
> Status:
>
> I am not an expert in Trusted Platform Module (TPM). If my understanding of
> TPM, feel free to educate me and everyone else. This review is looking at
> the
> draft from a YANG perspective. With that said, I have marked it as On the
> Right
> Track, because of some of the points discussed below.
>
> Summary:
>
> This document defines a YANG RPC and a minimal datastore required to
> retrieve
> attestation evidence about integrity measurements from a device following
> the
> operational context defined in
> [I-D.ietf-rats-tpm-based-network-device-attest].
>
> General:
>
> The YANG modules uses groupings that are used only once

There are groupings which are used only once in this document, by are used 
again within augmenting YANG
models in other drafts.  See:
draft-birkholz-rats-network-device-subscription, 
ietf-tpm-remote-attestation-stream.yang
which uses groups:
tpm20-attestation, tpm12-attestation, TPM12-hash-algo, bios-event-log, 
ima-event-log, network-equipment-boot-event-log

> or a grouping that
> has only left e.g. tpm-name. Please collapse these grouping where they are
> used.

We can certainly do this.   I thought it would be helpful to unify to a single
place the definition of tpm-name.
**Is there a place in the IETF YANG documentation which suggests that
unifying definitions in this way is not a good practice?

> And there are groupings like TPM20-asymmetric-signing-algo and TPM12-
> asymmetric-signing-algo that are not used. Please remove any unused
> groupings.

done

> The draft has problems with extraction of the modules. See message below.
>
>  ERROR: 'draft-ietf-rats-yang-tpm-charra-03.txt', Line 373 - YANG module
> 'ietf-
> tpm-remote-attestation' with no <CODE BEGINS> and not starting with
> 'example-'
>
> Extracting 'ietf-tpm-remote-attestation'
>    WARNING: 'draft-ietf-rats-yang-tpm-charra-03.txt', Line 1917: misplaced
>    <CODE ENDS> ERROR: 'draft-ietf-rats-yang-tpm-charra-03.txt', Line 1967 -
>    YANG module 'ietf-tcg-algs' with no <CODE BEGINS> and not starting with
>    'example-'
>
> Extracting 'ietf-tcg-algs'
>    WARNING: 'draft-ietf-rats-yang-tpm-charra-03.txt', Line 2824: misplaced
>    <CODE ENDS>

Looks like quotes were needed around the file name.  Fixed.

> The draft lacks examples, and therefore there is no way to validate the
> model(s).
> Please add an example.

This is a good ask, I will ask another author do help with this as it will 
show a common understanding of the model.

> Is there a reason for TPM 1.2 and TPM 2.0 to not have symmetry in the model
> definition? See the portion of the tree diagram below.
>
>        |     +--rw TPM12-hash-algo?        identityref
>        |     +--rw TPM12-pcrs*             pcr
>        |     +--rw tpm20-pcr-bank* [TPM20-hash-algo]
>        |     |  +--rw TPM20-hash-algo    identityref
>        |     |  +--rw pcr-index*         tpm:pcr

The is not symmetry in what is returned from the two quotes.   As we are in 
charge of carrying the TCG defined structures, symmetry can only be imposed by 
applying unnecessary complexity on TPM1.2 solutions.

> Is it possible for a TPM 1.2 to call a TPM 2.0 RPC and vice-versa? I
> understand
> there is a feature statement, but if I understand from one of the authors, a
> device can conceivably support both TPM 1.2 and TPM 2.0.

It is conceivable that one device might have both types of TPMs.  However one 
TPM cannot call another, as they only react to external requests.

If a device happens to support both, you will know by both features being 
exposed.  And as a client you will have to call both RPCs.  As this will be 
uncommon, it seems a better optimization than having one RPC call.  This RPC 
would have an unnecessarily complex union of input parameters.

> Nits:
>
> This description statement can be simplified:
>         description
>           "A components in this composite device that RATS which
>           supports TPM operations.";

Made it:
          "A component within this composite device which
          supports TPM operations.";

> This sentence construct does not sound right:
>
>           description
>             "When there is more that one TPM, this indicates for which
>             compute node this TPM services.";

Made it:
          "Indicates the compute node measured by this TPM.";

> s/agross/across/

done

> Comments:
>
> The module has plenty of errors as reported by pyang.
>
> ietf-tpm-remote-attestation.yang:65: warning: RFC 8407: 3.1: The IETF Trust
> Copyright statement seems to be missing (see pyang --ietf-help for details).

Looks like one of the copyright statements was duplicated.  It is now removed

> ietf-tpm-remote-attestation.yang:144: error: keyword "must" not in canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:148: error: keyword "type" not in canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:155:
> error:
> keyword "default" not in canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:164: error: keyword "must" not in canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:168: error: keyword "type" not in canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:175:
> error:
> keyword "default" not in canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:185: error: keyword "must" not in canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:188: error: keyword "type" not in canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:194:
> error:
> keyword "default" not in canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:203: error: keyword "must" not in canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:206: error: keyword "type" not in canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:214:
> error:
> keyword "default" not in canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:599: error: keyword "mandatory" not in
> canonical order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:600: error: keyword "type" not in canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:900:
> error:
> keyword "must" not in canonical order, expected "type" (see RFC 6020,
> Section
> 12) ietf-tpm-remote-attestation.yang:903: error: keyword "type" not in
> canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:945: error: keyword "must" not in canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:948: error: keyword "type" not in canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:1178:
> error:
> keyword "must" not in canonical order, expected "type" (see RFC 6020,
> Section
> 12) ietf-tpm-remote-attestation.yang:1181: error: keyword "type" not in
> canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:1278: error: keyword "when" not in
> canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:1278: error: keyword "when" not in
> canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:1288:
> error:
> keyword "when" not in canonical order, expected "type" (see RFC 6020,
> Section
> 12) ietf-tpm-remote-attestation.yang:1288: error: keyword "when" not in
> canonical order (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:1298: error: keyword "when" not in
> canonical
> order, expected "type" (see RFC 6020, Section 12)
> ietf-tpm-remote-attestation.yang:1298: error: keyword "when" not in
> canonical
> order (see RFC 6020, Section 12) ietf-tpm-remote-attestation.yang:1308:
> error:
> keyword "when" not in canonical order, expected "type" (see RFC 6020,
> Section
> 12) ietf-tpm-remote-attestation.yang:1308: error: keyword "when" not in
> canonical order (see RFC 6020, Section 12)

All canonical order items fixed in PYANG

> Having 3 pages of a tree diagram is helpful in an appendix. Maybe an
> abridged
> diagram with explanation for the different sections of the tree diagram
> would
> be more helpful. Suggest that --tree-depth and --tree-path options be used
> in
> pyang to reduce the size of the tree and to break it up into smaller pieces
> that
> can then be explained.

I will do that.

> A terminology and acronym section would be nice for folks who are not
> familiar
> with all the terms and acronyms used in the document. If terms are defined
> in
> some other document, a statement to that effect would be nice.

This should be covered.  Terms are inherited from the parent document: 
draft-ietf-rats-tpm-based-network-device-attest.   Indicating this a first 
sentence of the Intro section, which is:
   This document is based on the terminology defined in the
   [I-D.ietf-rats-architecture] and uses the operational context defined
   in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the
   interaction model and information elements defined in
   [I-D.birkholz-rats-reference-interaction-model].

> Section 2.2.1
>
> A reference is made to ietf-tcp-algs.yang but is missing a reference (to
> this
> document).

Reference made.

> Section 2.2.1.1
>
> Is an implementation supposed to support all the types of attestation? If
> not,
> should each of them be features?

Good point.  Made them features.

> A idnits run of the draft reveals a few issues. Please address them.
>
>   Checking boilerplate required by RFC 5378 and the IETF Trust (see
>   https://trustee.ietf.org/license-info):
>   ----------------------------------------------------------------------------
>
>      No issues found here.
>
>   Checking nits according to
> https://www.ietf.org/id-info/1id-guidelines.txt:
>   ----------------------------------------------------------------------------
>
>      No issues found here.
>
>   Checking nits according to https://www.ietf.org/id-info/checklist :
>   ----------------------------------------------------------------------------
>
>   ** The abstract seems to contain references
>      ([I-D.ietf-rats-tpm-based-network-device-attest]), which it shouldn't.
>      Please replace those with straight textual mentions of the documents in
>      question.

Fixed

>   == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
>      in the document.  If these are example addresses, they should be
> changed.

Don't see any IP addresses used.  Tool parsing error perhaps?

>   Miscellaneous warnings:
>   ----------------------------------------------------------------------------
>
>   == Line 144 has weird spacing: '...version    ide...'
>
>   == Line 148 has weird spacing: '...sh-algo    ide...'
>
>   == Line 217 has weird spacing: '...r-index    pcr...'
>
>   == Line 242 has weird spacing: '...-number    uin...'
>
>   -- The document date (September 30, 2020) is 61 days in the past.  Is this
>      intentional?
>
>   Checking references for intended status: Proposed Standard
>   ----------------------------------------------------------------------------
>
>      (See RFCs 3967 and 4897 for information about using normative
> references
>      to lower-maturity documents in RFCs)
>
>   == Missing Reference: 'TPM20-hash-algo' is mentioned on line 147, but not
>      defined
>
>   ** Downref: Normative reference to an Informational draft:
>      draft-birkholz-rats-reference-interaction-model (ref.
>      'I-D.birkholz-rats-reference-interaction-model')

Checking the process question with WG chair

>   -- Unexpected draft version: The latest known version of
>      draft-ietf-netconf-keystore is -19, but you're referring to -20.

As this auto-generated, this looks to be a tooling issue.

>   == Outdated reference: A later version (-07) exists of
>      draft-ietf-rats-architecture-06

Due to the test being run well after the document was generated.

>   ** Downref: Normative reference to an Informational draft:
>      draft-ietf-rats-architecture (ref. 'I-D.ietf-rats-architecture')

Checking the process question with WG chair

>   == Outdated reference: A later version (-05) exists of
>      draft-ietf-rats-tpm-based-network-device-attest-04
>
>   ** Downref: Normative reference to an Informational draft:
>      draft-ietf-rats-tpm-based-network-device-attest (ref.
>      'I-D.ietf-rats-tpm-based-network-device-attest')
>
>   -- Possible downref: Non-RFC (?) normative reference: ref. 'TCG-Algos'

This is correct

>   -- Obsolete informational reference (is this intentional?): RFC 5246
>      (Obsoleted by RFC 8446)

Fixed

>      Summary: 4 errors (**), 0 flaws (~~), 8 warnings (==), 4 comments (--).
>
>