[secdir] draft-ietf-suit-report-14 ietf last call Secdir review
Russ Housley via Datatracker <noreply@ietf.org> Thu, 07 August 2025 21:20 UTC
From: Russ Housley via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
CC: draft-ietf-suit-report.all@ietf.org, last-call@ietf.org, suit@ietf.org
Reply-To: Russ Housley <housley@vigilsec.com>
Subject: [secdir] draft-ietf-suit-report-14 ietf last call Secdir review
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mKd-wlP9zgwi9hknZ8zj4huRzg4>
Document: draft-ietf-suit-report
Title: Secure Reporting of Update Status
Reviewer: Russ Housley
Review result: Not Ready
I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the Security Area
Directors. Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.
Document: draft-ietf-suit-report-14
Reviewer: Russ Housley
Review Date: 2025-08-07
IETF LC End Date: 2025-08-11
IESG Telechat date: Unknown
Summary: Not Ready
Major Concerns:
Section 5: I do not understand the meaning of "Manifest Processor & Report
Generator". This is part of a MUST statement, and it is unclear what is
required.
Section 5: The last paragraph begins with "This information is not intended".
I cannot determine what information is being referenced, and it is unclear
what SHOULD be translated into general-purpose claims.
Section 7: This section does not have any information that will assist an
implementer. It does not explain what makes an EAT measurements type
more consumable than a SUIT_Report on its own. If this section is kept,
it should include a reference to EAT; the reference is several pages earlier.
Minor Concerns:
Section 4: It is not clear which algorithm will be used to compute
the SUIT_Digest. The structure is defined in [I-D.ietf-suit-manifest],
and I copy it here:
SUIT_Digest = [
suit-digest-algorithm-id : suit-cose-hash-algs,
suit-digest-bytes : bstr,
* $$SUIT_Digest-extensions
]
For example, is the party that produces the SUIT_Reference that contains
the SUIT_Digest expected to use the same hash algorithm as was used in
the SUIT_Manifest?
Section 5: What does the term "well-informed" really mean here? I read
the sentence without this term and come away with the same understanding.
Can this be dropped?
Nits:
Section 3: s/well, however this/well; however, this/
Section 4: s/of SUIT_Records/of SUIT_Records as defined in Section 3/
Section 5: s/SUIT_report/SUIT_Report/
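As an added illustration of the algorithm-identifier question raised under Section 4 above (this is example code written for this page; it is not part of the review, the SUIT drafts, or any SUIT implementation): the sketch below encodes the two mandatory SUIT_Digest elements as CBOR with a small hand-rolled encoder, decodes them again, and then applies a hypothetical verifier policy that compares a digest carried in a report against the digest in the manifest. The COSE hash algorithm identifiers are the IANA COSE Algorithms registry values for SHA-256, SHA-384 and SHA-512; the $$SUIT_Digest-extensions are assumed absent; the payload is constructed. The point it makes concrete is the one the review asks about: when the report generator picks a different hash algorithm than the manifest, the two digests cannot be compared at all unless the verifier still has the payload and recomputes both.

```python
import hashlib
import hmac

# COSE hash algorithm identifiers (IANA COSE Algorithms registry); the
# suit-cose-hash-algs values in the manifest draft come from this registry.
SHA_256 = -16
SHA_384 = -43
SHA_512 = -44
HASH_BY_ALG = {SHA_256: hashlib.sha256, SHA_384: hashlib.sha384, SHA_512: hashlib.sha512}


def _cbor_head(major: int, n: int) -> bytes:
    """Encode the CBOR initial byte plus argument for major type `major`."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("CBOR argument too large")


def cbor_int(i: int) -> bytes:
    # major type 0 for unsigned, major type 1 for negative (argument is -1 - i)
    return _cbor_head(0, i) if i >= 0 else _cbor_head(1, -1 - i)


def cbor_bstr(b: bytes) -> bytes:
    return _cbor_head(2, len(b)) + b


def cbor_array(items: list) -> bytes:
    # items are already-encoded CBOR elements
    return _cbor_head(4, len(items)) + b"".join(items)


def make_suit_digest(alg_id: int, payload: bytes) -> tuple:
    """Return (suit-digest-algorithm-id, suit-digest-bytes) computed over payload."""
    return alg_id, HASH_BY_ALG[alg_id](payload).digest()


def encode_suit_digest(digest: tuple) -> bytes:
    """Encode [alg_id, digest_bytes]: the two mandatory SUIT_Digest elements.
    No $$SUIT_Digest-extensions are emitted (assumption for this example)."""
    alg_id, digest_bytes = digest
    return cbor_array([cbor_int(alg_id), cbor_bstr(digest_bytes)])


def _read_head(data: bytes, pos: int) -> tuple:
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return major, int.from_bytes(data[pos:pos + size], "big"), pos + size


def decode_suit_digest(data: bytes) -> tuple:
    """Parse the two mandatory SUIT_Digest elements; any trailing extension
    elements are left unread."""
    major, count, pos = _read_head(data, 0)
    if major != 4 or count < 2:
        raise ValueError("SUIT_Digest must be an array of at least two items")
    major, n, pos = _read_head(data, pos)
    if major == 0:
        alg_id = n
    elif major == 1:
        alg_id = -1 - n
    else:
        raise ValueError("suit-digest-algorithm-id must be an integer")
    major, n, pos = _read_head(data, pos)
    if major != 2:
        raise ValueError("suit-digest-bytes must be a byte string")
    return alg_id, bytes(data[pos:pos + n])


def check_reported_digest(manifest_digest: tuple, reported_digest: tuple,
                          payload: bytes = None) -> tuple:
    """Hypothetical verifier policy (not from any SUIT draft): decide whether a
    digest carried in a report refers to the payload described by the manifest.
    Returns (ok, reason)."""
    m_alg, m_bytes = manifest_digest
    r_alg, r_bytes = reported_digest
    if r_alg not in HASH_BY_ALG or m_alg not in HASH_BY_ALG:
        return False, "unsupported algorithm id"
    if r_alg == m_alg:
        # Same algorithm: the digest bytes are directly comparable.
        return hmac.compare_digest(r_bytes, m_bytes), "same algorithm; compared digest bytes"
    if payload is None:
        # Different algorithms: nothing links the two digests without the payload.
        return False, "algorithm mismatch; cannot compare without the payload"
    m_ok = hmac.compare_digest(HASH_BY_ALG[m_alg](payload).digest(), m_bytes)
    r_ok = hmac.compare_digest(HASH_BY_ALG[r_alg](payload).digest(), r_bytes)
    return m_ok and r_ok, "algorithm mismatch; recomputed both digests over the payload"


if __name__ == "__main__":
    payload = b"constructed firmware image, not a real SUIT payload"
    manifest = make_suit_digest(SHA_256, payload)
    wire = encode_suit_digest(manifest)
    print(wire.hex())
    print(check_reported_digest(manifest, decode_suit_digest(wire)))
    print(check_reported_digest(manifest, make_suit_digest(SHA_512, payload)))
    print(check_reported_digest(manifest, make_suit_digest(SHA_512, payload), payload))
```

The verifier compares the algorithm identifier before the bytes and uses a constant-time comparison for the bytes themselves; a report generator that simply reused the manifest's suit-digest-algorithm-id would always take the first, cheap branch, which is why a normative answer to the review's question matters to implementers.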