[secdir] Re: [Last-Call] draft-ietf-scitt-architecture-20 ietf last call Secdir review
Henk Birkholz <henk.birkholz@ietf.contact> Tue, 30 September 2025 14:22 UTC
To: Chris Lonvick <lonvick.ietf@gmail.com>, secdir@ietf.org
CC: draft-ietf-scitt-architecture.all@ietf.org, last-call@ietf.org, scitt@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/h4DaeURq09LPxbOH9l9RiRr9aMY>
Hi Chris,

thank you for your feedback! We agree with your summary.

While your review says "Ready", though, it also says "with nits" in one place? Is that "with nits" a nit? If so, we'll move on with a "Ready" - but we'll wait for your feedback.

Best regards,

Henk

On 10.09.25 13:20, Chris Lonvick via Datatracker wrote:
> Document: draft-ietf-scitt-architecture
> Title: An Architecture for Trustworthy and Transparent Digital Supply Chains
> Reviewer: Chris Lonvick
> Review result: Ready
>
> Hi,
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These comments
> were written primarily for the benefit of the security area directors. Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
>
> The summary of the review is READY (with nits).
>
> It is clear that the authors, contributors, and the Working Group have
> extensively discussed this and have arrived at consensus for this document. My
> compliments to them for pulling together a single document that covers such a
> large concept.
>
> I am not familiar enough with the workings of supply chains to be able to provide a
> comprehensive review. However, I found the Shepherd's writeup to be very
> helpful. I believe that I can't add anything more useful than what was written
> there concerning discussions around security. For convenience, I'll post it
> here:
>
> There was a substantial amount of discussion around Security, some of which
> was resolved by using a known signing format with provision for agility
> (COSE). Discussion took place around steps that service operators could take to
> secure their instances, and converged on a clear, minimal text. The definition
> of the bytes to be signed was discussed extensively, and the tradeoffs and
> benefits of including unprotected headers weighed at length, before consensus
> was reached. Statement identification and references were also discussed, but
> consensus could not be reached, and it was agreed that it may be addressed in a
> separate, later document.
>
> I agree that it is ready to be handed off to the responsible Area Director.
>
> Best regards,
> Chris