Re: [Suit] Review of draft-ietf-suit-manifest-09
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Mon, 27 July 2020 15:51 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9719C3A1A1E for <suit@ietfa.amsl.com>; Mon, 27 Jul 2020 08:51:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kc8PcxihQL_X for <suit@ietfa.amsl.com>; Mon, 27 Jul 2020 08:51:20 -0700 (PDT)
Received: from mail-edgeDD24.fraunhofer.de (mail-edgeDD24.fraunhofer.de [192.102.167.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 945BD3A1A00 for <suit@ietf.org>; Mon, 27 Jul 2020 08:51:18 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2GdDQBkpYde/xoHYZlmHQEBAQkBEQUFAYF7gX0sbANVLyoKhBGQXS2ZYIErFyUKAQEBAQEBAQEBBgEBIwoCBAEBAoFlgl0CgkckOBMCEAEBBgEBAQEBBQQCAmmFVgyCdl08CTkBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEFAg02HhodEgEBHQEBAQEDIw8BBTMDAgkMBAkCEQEDAQEBAgIjAwICRgECBggGAQwBBQIBAYMdBAEBKgGCIAMtBQuTP5sEdYEyhDUBE0FBgngDbIE4BoEOKosSgR8PgUw/gREnD4JaPoJnAQECAQEYgRQBEgEPPoJmgl4EjWUHKiSCRYYnmHN5B4FJd3wEhm+FXIQ/hRUjgkwziAWEMQWMRo8uBIFSh1GSegIEAgkCFYFpIw1acE0kT4JpUBgNjiYDF4EEAQKCSYUUhUNyAgGBJo0ZAYEPAQE
X-IPAS-Result: A2GdDQBkpYde/xoHYZlmHQEBAQkBEQUFAYF7gX0sbANVLyoKhBGQXS2ZYIErFyUKAQEBAQEBAQEBBgEBIwoCBAEBAoFlgl0CgkckOBMCEAEBBgEBAQEBBQQCAmmFVgyCdl08CTkBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEFAg02HhodEgEBHQEBAQEDIw8BBTMDAgkMBAkCEQEDAQEBAgIjAwICRgECBggGAQwBBQIBAYMdBAEBKgGCIAMtBQuTP5sEdYEyhDUBE0FBgngDbIE4BoEOKosSgR8PgUw/gREnD4JaPoJnAQECAQEYgRQBEgEPPoJmgl4EjWUHKiSCRYYnmHN5B4FJd3wEhm+FXIQ/hRUjgkwziAWEMQWMRo8uBIFSh1GSegIEAgkCFYFpIw1acE0kT4JpUBgNjiYDF4EEAQKCSYUUhUNyAgGBJo0ZAYEPAQE
X-IronPort-AV: E=Sophos;i="5.72,341,1580770800"; d="scan'208";a="33274488"
Received: from mail-mtas26.fraunhofer.de ([153.97.7.26]) by mail-edgeDD24.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jul 2020 17:51:15 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AmBwCP9h5f/1lIDI1gHAEBAQEBAQcBARIBAQQEAQFAgUoCgXkvbwNUMCwKhCqRIJojgWkLAQMBAQEBAQYBASMKAgQBAYFtgl8CgicCJDgTAhABAQUBAQECAQYEbYVcDEMWAYUXAQEBBCMPAQUzAwIJDAQJAhEBAwEBAQICIwMCAkYBAgYIBgEMAQUCAQGDHQQBASoBgiADMguSMJsEdoEyhDsBE0FCgl0DbIE6BoEOKgGGRYIzgmaBHg+BTD+BEScPglo+glwBAQIBARWBEQESAQ8+gmqCYASPIQcrJIJlhn+bClwpB4FZgQiBCAQLhz+GOoUAhVIFCh6CezaJEoR9Bo4ekhIEgWiIRpRsAgQCCQIVgWojDVpwTSRPgmlQFwINjicDF4ECAQKCSYUUhURBMQIBNAIGAQcBAQMJfIoig2IBgRABAQ
X-IronPort-AV: E=Sophos;i="5.75,402,1589234400"; d="scan'208";a="118444867"
Received: from mailext.sit.fraunhofer.de ([141.12.72.89]) by mail-mtaS26.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jul 2020 17:51:13 +0200
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 06RFpCMh017474 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Mon, 27 Jul 2020 17:51:12 +0200
Received: from [192.168.16.50] (79.206.156.41) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Mon, 27 Jul 2020 17:51:07 +0200
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Brendan Moran <Brendan.Moran@arm.com>, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
CC: suit <suit@ietf.org>
References: <BL0PR2101MB1027152EC8DAD9B3847C3E89A3770@BL0PR2101MB1027.namprd21.prod.outlook.com> <70453005-8DFA-4DBE-8C04-9882839D5005@arm.com> <3ff3915e-c61c-2c00-f780-a77c9ab494cc@sit.fraunhofer.de> <CH2PR09MB425185528F6ECB5E00B4CB07F0720@CH2PR09MB4251.namprd09.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <4d3ed839-c495-0c47-fcbb-931944166090@sit.fraunhofer.de>
Date: Mon, 27 Jul 2020 17:51:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CH2PR09MB425185528F6ECB5E00B4CB07F0720@CH2PR09MB4251.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.206.156.41]
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/1D-FyClr7-osQ1DdCscnR6D9IDE>
Subject: Re: [Suit] Review of draft-ietf-suit-manifest-09
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 15:51:24 -0000
Hi Dave, yes exactly. This I-D is now revitalized due to some re-occurring requirements - SUIT being one of the domains of interest. Viele Grüße, Henk On 27.07.20 17:43, Waltermire, David A. (Fed) wrote: > By CBOR OID are your referring to draft-bormann-cbor-tags-oid? > > https://datatracker.ietf.org/doc/draft-bormann-cbor-tags-oid/ > > Dave > > -----Original Message----- > From: Suit <suit-bounces@ietf.org> On Behalf Of Henk Birkholz > Sent: Monday, July 27, 2020 11:15 AM > To: Brendan Moran <Brendan.Moran@arm.com>; Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org> > Cc: suit <suit@ietf.org> > Subject: Re: [Suit] Review of draft-ietf-suit-manifest-09 > > Hi Brendan, > hi Dave > > thanks for your extensive summary, Brendan! This is very useful. Just two small additions. > > While CBOR OID seems to be a good match, that unfortunately introduces a timing problem (as does packed), but maybe we can devise a way around that. > > As PEN are not a rare choice in CBOR-based representations, I'd just want to voice support for the notion of being very careful here. We can of course start to create a qualified name that involves a PEN (among other things), but we are not the only ones that might attempt such a thing and therefore might require some ealignment. > > Viele Grüße, > > Henk > > On 27.07.20 16:42, Brendan Moran wrote: >> Hi Dave, >> >> Thank you very much for your very detailed review! Of course, it will >> take me some time to work through this review. I will do my best to >> clarify these technical comments as I work through. In general, the >> issues you’ve listed look to me like the “right” answer is fairly >> obvious, so I will straighten them out. There are several comments >> that I think deserve a little more clarification. >> >> 6. SUIT_Report >> >>> SUIT_Report and Reporting Engine text is added but does not appear to >>> be about what goes in a SUIT manifest, so I argue that it doesn’t >>> belong in this spec (and is arguable as to whether it’s in scope for >>> SUIT at all) >> >> You’re right. This has not been raised on the list. If it’s more >> appropriate to put it in a new draft, I’m happy to do that. However, >> it’s a natural consequence of adding the SUIT_Reporting_Policy, which >> was discussed at the virtual interim. It seemed to me that if a >> reporting policy was specified, then an implementor would naturally >> want to know how to report that information. If there is a need for >> logging SUIT commands, along with their arguments and results, this >> seems very specific to SUIT in general and the SUIT manifest in >> specific. I struggle to see what document would be more appropriate >> than the SUIT manifest for the SUIT_Report. >> >>> Furthermore, it says SUIT_Report can go in an attestation report. >>> What’s the rationale for that as opposed to some more typical >>> logging/reporting mechanism that might integrate with existing error >>> reporting mechanisms and trouble ticketing? >> >> SUIT_Reporting_Policy has two output channels: “system information,” >> that is the “actual” values compared against in conditions, and >> “command records” which are effectively logs of command execution. For >> an update case, these are adequately served by logging infrastructure. >> However, in a bootloader case, this is inadequate because the >> bootloader and the booted application are different security domains. >> This means that any system information or command records need to be >> protected from modification by the application. Typically, this would >> be done with a signature; I don’t see how this is different from attestation. >> >> The discussion of a Reporting Engine seems necessary: it’s the thing >> that consumes reporting policy. >> >>> 7.Defining a new identifier space (UUIDs) for vendors is not >>> motivated. So a vendor can’t use an existing OUI or IANA private >>> enterprise number that can be easily looked up? You have to instead >>> use an opaque identifier with no way to directly look up its meaning? >>> What is the rationale for inventing a new space rather than being >>> able to reuse an existing one that can be looked up to get an org >>> name, contact info, etc.? (Yes there is suit-text-vendor-domain but >>> that’s severable and optional to implement at all.) And a UUID takes >>> up more bytes than either an OUI or a PEN, so is worse for >>> constrained devices, so why not use an existing space that is shorter >>> and hence more applicable to constrained devices? >> 7. Vendor IDs >> I’d argue that I have not defined a new identifier space. It was >> defined in RFC4122. That said, I think that PEN could be beneficial if >> we can work around some of the complexities associated with it. >> >> OUIs may be prohibitive for small manufacturers (US $2,995). For >> example, I have seen small manufacturers avoid building USB devices >> due to the cost of obtaining a USB VID. Class IDs still require a UUID >> Name Space Identifier. There is no rule I can find for constructing an >> OUI UUID, so it cannot be used as a UUID Name Space Identifier. >> >> >> Private Enterprise Numbers seem manageable by small manufacturers. >> There is a UUID Name Space Identifier for OIDs, however this gets a >> bit confusing. You would need to construct a class ID as follows: >> >> Vendor_UUID = uuid.uuid5(uuid.NAMESPACE_OID, EncodeOID(‘1.3.6.1.4.1.’ >> + >> PEN)) >> Class_UUID = uuid.uuid5(Vendor_UUID, Class_Information) >> >> The problem here is that EncodeOID() is not specified at all in RFC4122. >> The closest we get is: >> >>> For example, some name spaces are the >>> domain name system, URLs, ISO Object IDs (OIDs), X.500 Distinguished >>> Names (DNs), and reserved words in a programming language. >> So Class IDs become unpredictable because OID encoding is >> underspecified in RFC4122. I can see the Vendor_UUID being computed >> with several different versions of EncodeOID: >> - Encode as dotted-integer string >> - Encode as DER OID >> - Encode as value of DER OID (no tag/length) >> - Lots of other ASN.1 encodings possible. >> - Future CBOR OID? >> >> I do not believe we should specify the use of OUIs because 1) they >> cost $3000, 2) there is no UUID namespace for OUIs >> >> I’m not against using a PEN, but we would also need to provide >> extremely strict encoding guidelines for constructing Vendor UUIDs, >> since the Vendor UUID is needed as the Name Space ID for the Class >> UUID. For encoding in the manifest I think we should insist on using >> the PEN directly rather than the full OID. But what would we do with a >> PEN sub-assignment? >> >> There’s a lot more complexity here than just “use a PEN.” >> >> >> Best Regards, >> Brendan >> >> >>> On 24 Jul 2020, at 23:51, Dave Thaler >>> <dthaler=40microsoft.com@dmarc.ietf.org >>> <mailto:dthaler=40microsoft.com@dmarc.ietf.org>> wrote: >>> >>> During the IETF hackathon week, I went through all of the suit >>> manifest draft and kept notes. >>> My full review in context is at >>> https://www.microsoft..com/en-us/research/uploads/prod/2017/05/draft- >>> ietf-suit-manifest-09.pdf >>> <https://www.microsoft.com/en-us/research/uploads/prod/2017/05/draft- >>> ietf-suit-manifest-09.pdf> which is too long to copy into email here. >>> Besides lots of editorial comments, there’s a few technical >>> comments/questions, including (but there may be more depending on >>> whether you interpret some others as editorial or technical): >>> 1.Apparent contradictions about whether on systems with a single >>> component, whether setting the component index should clear the >>> dependency index or not. >>> 2.What it means to “break” is underspecified (I’m guessing continue >>> on to the next command after try-each, as opposed to go on to the >>> next manifest, but it’s not stated in the doc). >>> 3.Section 6.7 seems to require using multiple processes, not just >>> multiple threads, without justification. >>> 4.The trust model when multiple manifest processors exist, in two or >>> more security domains, is underspecified, and not mentioned in the >>> Security Considerations section. >>> 5.Suit-text-version-required expression syntax is underspecified. >>> 6.SUIT_Report and Reporting Engine text is added but does not appear >>> to be about what goes in a SUIT manifest, so I argue that it doesn’t >>> belong in this spec (and is arguable as to whether it’s in scope for >>> SUIT at all). It reads like SUIT_Record is yet another alternative >>> to IPFIX, syslog, etc., and doesn’t state the rationale for defining >>> a new format. You might say that it could be used in an octetArray in >>> IPFIX if someone defined such a field, but this document doesn’t, and >>> indeed if SUIT_Record is not something that would appear in a SUIT >>> manifest, then I think it should not be in this document. >>> oFurthermore, it says SUIT_Report can go in an attestation report. >>> What’s the rationale for that as opposed to some more typical >>> logging/reporting mechanism that might integrate with existing error >>> reporting mechanisms and trouble ticketing? I don’t think this was >>> motivated in either the suit architecture or the suit IM document, >>> and I don’t recall it ever being discussed on the SUIT list or WG >>> meeting (but maybe it was and I forgot?) Again, I think my >>> preferred course would be to sever it from the SUIT manifest specification. >>> 7.Defining a new identifier space (UUIDs) for vendors is not >>> motivated. So a vendor can’t use an existing OUI or IANA private >>> enterprise number that can be easily looked up? You have to instead >>> use an opaque identifier with no way to directly look up its meaning? >>> What is the rationale for inventing a new space rather than being >>> able to reuse an existing one that can be looked up to get an org >>> name, contact info, etc.? (Yes there is suit-text-vendor-domain but >>> that’s severable and optional to implement at all.) And a UUID takes >>> up more bytes than either an OUI or a PEN, so is worse for >>> constrained devices, so why not use an existing space that is shorter >>> and hence more applicable to constrained devices? >>> 8.The time-of-day and day-of-week wait events are underspecified in >>> terms of whether they are in local time or UTC. >>> 9.If I understand correctly, if a dependency manifest sets Strict >>> Order to false, this will then carry over to the dependent manifest, >>> potentially leading to a source of unexpected bugs. Is my >>> understanding correct? >>> 10.For conditions that are optional to implement, I couldn’t tell if >>> that means that if not implemented by a manifest processor, they are >>> treated as passing, failing, or as parse errors. >>> 11.There are several commands where in certain contexts the doc says >>> they “MUST have no effect”. But why not make them illegal to appear >>> in such contexts? Why spend the extra space to include them in the >>> manifest just to have no effect? >>> 12.Swap directive is underspecified in terms of what should happen if >>> the destination doesn’t yet exist (i.e., fail vs move). >>> 13.IANA considerations section doesn’t yet meet the requirements of >>> RFC 8126. For example, it specifies Expert Review but contains >>> insufficient information to instruct an expert how to review, per the >>> guidelines in that RFC. >>> I know the doc is long (109 pages) so forgive me if some answers are >>> elsewhere in the doc and I just missed them, which just means maybe a >>> cross-reference would be sufficient.J Dave >>> _______________________________________________ >>> Suit mailing list >>> Suit@ietf.org <mailto:Suit@ietf.org> >>> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww >>> .ietf.org%2Fmailman%2Flistinfo%2Fsuit&data=02%7C01%7Cdavid.walter >>> mire%40nist.gov%7Ce1a91bc27b184eb4affa08d8323ff57b%7C2ab5d82fd8fa4797 >>> a93e054655c61dec%7C1%7C0%7C637314597580328389&sdata=1HJE9Qiicoe%2 >>> BTGq7kaodbBn23m6L31VL5OQLI3mHoAY%3D&reserved=0 >> >> IMPORTANT NOTICE: The contents of this email and any attachments are >> confidential and may also be privileged. If you are not the intended >> recipient, please notify the sender immediately and do not disclose >> the contents to any other person, use it for any purpose, or store or >> copy the information in any medium. Thank you. >> >> _______________________________________________ >> Suit mailing list >> Suit@ietf.org >> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. >> ietf.org%2Fmailman%2Flistinfo%2Fsuit&data=02%7C01%7Cdavid.waltermi >> re%40nist.gov%7Ce1a91bc27b184eb4affa08d8323ff57b%7C2ab5d82fd8fa4797a93 >> e054655c61dec%7C1%7C0%7C637314597580328389&sdata=1HJE9Qiicoe%2BTGq >> 7kaodbBn23m6L31VL5OQLI3mHoAY%3D&reserved=0 >> > > _______________________________________________ > Suit mailing list > Suit@ietf.org > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsuit&data=02%7C01%7Cdavid.waltermire%40nist.gov%7Ce1a91bc27b184eb4affa08d8323ff57b%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637314597580328389&sdata=1HJE9Qiicoe%2BTGq7kaodbBn23m6L31VL5OQLI3mHoAY%3D&reserved=0 >
- [Suit] Review of draft-ietf-suit-manifest-09 Dave Thaler
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Henk Birkholz
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Waltermire, David A. (Fed)
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Henk Birkholz
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Dave Thaler
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Dave Thaler
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson