IETF Logo Mail Archive

Re: [Suit] suit-firmware-encryption-00

Dick Brooks <dick@reliableenergyanalytics.com> Wed, 02 June 2021 13:03 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 983713A4257 for <suit@ietfa.amsl.com>; Wed, 2 Jun 2021 06:03:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EBzhgR7Xn0In for <suit@ietfa.amsl.com>; Wed, 2 Jun 2021 06:03:43 -0700 (PDT)
Received: from forward5-smtp.messagingengine.com (forward5-smtp.messagingengine.com [66.111.4.239]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F7C13A4252 for <suit@ietf.org>; Wed, 2 Jun 2021 06:03:43 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailforward.nyi.internal (Postfix) with ESMTP id A51CC19411E0; Wed, 2 Jun 2021 09:03:42 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Wed, 02 Jun 2021 09:03:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :reply-to:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=xJ1joZxal/FuZav0dgmIXH5PNmXX0 kTCyq8Nin05UfI=; b=l1ONKK6w8c6OdZ4hqns/tRTxiM/byvYMfhM4mzqMClqOH KrGNWqwzGdfBXip6eL/GIddFBARcLGMMq8qFyGhfb7ldbAHoe3CKBV/ln+Tjl+Gf 7snDUH2lbGHoUp76W+F63CLbmzJVGQYGIjnH43dFEnmOPokMrxI36FM+jaNRzdwW E0liwdW/srOWdqzFIrTEcsxmnME1IEvuMzbA2+cjkFfX1q5ikf+ZBqJz9x3NFK3X FALULz4/pAWEdAnHDS8Vby6Z4pkUKL/fBIH4938zKY85XFleccjpwW2ST2aUwAgh Iv3W4QsUIWH7cwb1QjVJoCmQ2gYvJF4tNFIk7Tu5g==
X-ME-Sender: <xms:rYG3YGApWKtUT564QFZMK2gxc4bQR2meDoVx4OMt-26dNZOGpFJ91g> <xme:rYG3YAj6K9Y4onyhAL4zPJEbJYRts7oiws4jf_HyrZzcij3X5kk9_mHLJVDG67C88 vmVJ5Ok2jVtdb1jyw>
X-ME-Received: <xmr:rYG3YJn9HBp0MnNBBHPQ-WhRqt9-CrmBHrTaBz26TV1_L7dxk4P3YGw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdeljedgheelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheprhfhvfhfjgfuffhokfggtgfgofhtsehtjehgtddvtddvnecuhfhrohhmpedf ffhitghkuceurhhoohhkshdfuceoughitghksehrvghlihgrsghlvggvnhgvrhhghigrnh grlhihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeethfevieeffeehleekgeef vdfhgfdtvdejheegheevkeevteegffevtdefuedvleenucffohhmrghinhepihgvthhfrd horhhgpdhrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhmpdgvnhgv rhhghigtvghnthhrrghlrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrg hmpehmrghilhhfrhhomhepughitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhih thhitghsrdgtohhm
X-ME-Proxy: <xmx:rYG3YEzcHubp_vWEmvnGzCc6aQ61SbZ5IRLJcy5S3faNR1ptixCXew> <xmx:rYG3YLTYY-9FT--tvVRaoCFO9M-NW9X4BGvjONDpseynZV1518FQtw> <xmx:rYG3YPaYCwFWNM7CyxBXb9w7pAqwwgjLe5TU-vcNwpgNt51nAEGbmg> <xmx:roG3YGfIRbqDec0ORRyjUZp1ZlUwCi87CN6Kw5yCJtHPIDr3elYBQg>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 2 Jun 2021 09:03:40 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Brendan Moran' <Brendan.Moran@arm.com>
Cc: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>, 'Russ Housley' <housley@vigilsec.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, suit@ietf.org
References: <19586.1622075797@localhost> <DBBPR08MB5915CEC125579D78C108D540FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com> <F6C86CC2-3AF8-4CC5-BB47-AC6579DAA0C4@vigilsec.com> <13894.1622479289@localhost> <64BDF7A0-4B70-4EB3-A764-2BD6CAA3921A@vigilsec.com> <132601d7563d$7097f680$51c7e380$@reliableenergyanalytics.com> <E2D893E5-8462-4F69-88D0-29167B6DB1B3@vigilsec.com> <140a01d7563f$65d2a130$3177e390$@reliableenergyanalytics.com> <DBBPR08MB591549CB964EA7E18C8640C2FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com> <18b401d75657$880bfef0$9823fcd0$@reliableenergyanalytics.com> <DBBPR08MB59158723623695EB0473637FFA3E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <223201d756d9$af8bddb0$0ea39910$@reliableenergyanalytics.com> <DBBPR08MB5915C1F5529E8801DF5AFD09FA3E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <272401d756e8$c446ba90$4cd42fb0$@reliableenergyanalytics.com> <DBBPR08MB59159E70B7ED1575EF82A745FA3E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <32f301d7570b$316490d0$942db270$@reliableenergyanalytics.com> <010627E5 -A66D-48D5-8F89-B1BC11F2714D@arm.com>
In-Reply-To: <010627E5-A66D-48D5-8F89-B1BC11F2714D@arm.com>
Date: Wed, 02 Jun 2021 09:03:36 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <031a01d757af$b5bdb100$21391300$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQI/QDB0THmT0m+iwpMcIJ7U5AyVWwGeOG6MAhV23QADMtNZAgELPwAdAnBC4M8B5S+ZkQG9GBtkAvvy+dYCdoomoQLkXmLkAmxgmzgCFyi88ACA9OzHAiJ3M0ECElLqHAG0CJmoqSaZGiA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/8cTuoeLU70BAdX6U76hPlUsRLlU>
Subject: Re: [Suit] suit-firmware-encryption-00
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jun 2021 13:03:49 -0000

Brendan,

I agree that a trust anchor is specified in SUIT, however when you look at
the basis for this trust anchor (COSE) you find this information

https://datatracker.ietf.org/doc/html/rfc8152#section-4.4 
COSE's Signing and Verification process contains the following guidance:

  In addition to performing the signature verification, the application
   may also perform the appropriate checks to ensure that the key is
   correctly paired with the signing identity and that the signing
   identity is authorized before performing actions.

The problem seems to be that there is no formal/standard define method for a
SW consumer to verify that a signer has been authorized by the original
source supplier to sign software on their behalf. Anyone can sign anyone's
software package, and it is verified as successful by Microsoft's signtool.
This is a problem for the SCRM community.

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Brendan Moran <Brendan.Moran@arm.com> 
Sent: Wednesday, June 2, 2021 8:53 AM
To: Dick Brooks <dick@reliableenergyanalytics.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Russ Housley
<housley@vigilsec.com>; Michael Richardson <mcr+ietf@sandelman.ca>;
suit@ietf.org
Subject: Re: [Suit] suit-firmware-encryption-00



> DB>> Currently software consumers do not have a standard method to 
> DB>> verify
> that a signing party has been authorized to sign on behalf of a 
> software source supplier, when performing digital signature 
> verification on a software package. Many people "assume" that the 
> signing party is the software source supplier.  A digital signature 
> alone is insufficient at identifying the software source supplier 
> because anyone with a code signing key can sign any software package, as
demonstrated in this article:
> https://energycentral.com/c/ec/who-ya-gonna-trust

This may well be true in the general case, but this is not true for SUIT.
SUIT manifests must be verified all the way back to a trust anchor.

https://datatracker.ietf.org/doc/html/draft-ietf-suit-manifest-13#section-5.
2

>    Delegation Chains allow a Recipient to establish a chain of trust
>    from a Trust Anchor to the signer of a manifest by validating
>    delegation claims.  Each delegation claim is a [RFC8392] CBOR Web
>    Tokens (CWTs).  The first claim in each list is signed by a Trust
>    Anchor.  Each subsequent claim in a list is signed by the public key
>    claimed in the preceding list element.  The last element in each list
>    claims a public key that can be used to verify a signature in the
>    Authentication Block (
> Section 5.3).
See also
https://datatracker.ietf.org/doc/html/draft-ietf-suit-manifest-13#section-8.
3

This is also described in the information model:
https://datatracker.ietf.org/doc/html/draft-ietf-suit-information-model-12#s
ection-3.25

See also REQ.SEC.ACCESS_CONTROL:
https://datatracker.ietf.org/doc/html/draft-ietf-suit-information-model-12#s
ection-4.3.13

>    If a device grants different rights to different actors, then an
>    exercise of those rights MUST be validated against a list of rights
>    for the actor.  This typically takes the form of an Access Control
>    List (ACL).  ACLs are applied to two scenarios:
>
>    1.  An ACL decides which elements of the manifest may be overridden
>        and by which actors.
>
>    2.  An ACL decides which component identifier/storage identifier
>        pairs can be written by which actors.
>
>    Mitigates: THREAT.MFST.OVERRIDE (Section 4.2.13),
>    THREAT.UPD.UNAPPROVED (Section 4.2.11)

Best Regards,
Brendan


> DB>> I plan to raise the need for a formal method to verify authorized 
> DB>> code
> signing parties on behalf a software source supplier during digital 
> signature validation as a topic during NIST's EO workshop in 6/2-3.
>
> (It is not unlikely that the delegation mechanism would benefit from 
> more
> details...)
>
> Ciao
> Hannes
>
> -----Original Message-----
> From: Dick Brooks <dick@reliableenergyanalytics.com>
> Sent: Tuesday, June 1, 2021 3:20 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; 'Russ Housley'
> <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> Hannes,
>
> Will the SUIT manifest contain an attestation of a clean malware scan 
> that can be verifiably validated for the encrypted software in hand? 
> That would help, if a malware scan is not an option.
>
> The other issue that needs to be addressed is the ability for a 
> software consumer to verify that the signing party of a software 
> object has been given authorization to sign code on behalf of a 
> software source supplier (VENDOR ID) in the manifest, using a standard 
> method - something similar to DNS CAA records, but for digital signatures,
e.g. maybe DNS DSA records.
>
> Ref: "Vendor ID is not intended to be a human-readable element.  It is 
> intended for binary match/mismatch comparison only."
>
> Thanks,
>
> Dick Brooks
>
> Never trust software, always verify and report! T 
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Sent: Tuesday, June 1, 2021 9:05 AM
> To: dick@reliableenergyanalytics.com; 'Russ Housley' 
> <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> It is a challenge.
>
> The SUIT manifest provides the capabilities to give authorized parties 
> extra information (via the manifest meta-data and software 
> description*) while providing less info to adversaries.
>
> (*): I am assuming that the info offered via MUD, COSWID, and the 
> textual description is of any help to you. If it is not, then you need 
> to let us know what other pieces of information will have to be 
> included in the manifest to become valuable to make the risk assessment.
>
> Ciao
> Hannes
>
> -----Original Message-----
> From: Dick Brooks <dick@reliableenergyanalytics.com>
> Sent: Tuesday, June 1, 2021 1:32 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; 'Russ Housley'
> <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> Hannes,
>
> I definitely see your point, it seems the real problem to solve is:
> - How do we (1) prevent the bad guys from discovering SW details 
> (source
> code) from binaries while simultaneously (2) providing end use 
> customers the ability to conduct malware scans, and other risk management
functions?
>
> If we encrypt a binary distribution we achieve 1 but not 2 If we do 
> not encrypt we achieve 2, but not 1
>
> Are we really looking at a mutually exclusive choice?
>
> Both of these objectives are trying to achieve the same thing: Keep 
> the bad guys from causing harm.
>
> Thanks,
>
> Dick Brooks
>
> Never trust software, always verify and report! T 
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Sent: Tuesday, June 1, 2021 6:40 AM
> To: dick@reliableenergyanalytics.com; 'Russ Housley' 
> <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> Dick, I understand your line of argument.
>
> At the same time I want to create awareness for the attacker point of
view.
> They need to get access to plaintext firmware of an embedded device 
> (unless the attacker already knows what the source was used). This is 
> why there are advanced disassemblers available (such as IDA Pro, 
> Binary Ninja, and Ghidra
> -- to name a few).
>
> As a way forward I am proposing to use the additional data carried in 
> the manifest for doing the SCRM risk assessment step. I believe that 
> this should work.
>
> Ciao
> Hannes
>
> -----Original Message-----
> From: Dick Brooks <dick@reliableenergyanalytics.com>
> Sent: Monday, May 31, 2021 10:00 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; 'Russ Housley'
> <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> Thanks, Hannes. I just submitted a concern regarding the problem 
> encryption creates for malware scanning, which is one of the SCRM risk 
> assessment steps, performed before installation
>
> Thanks,
>
> Dick Brooks
>
> Never trust software, always verify and report! T 
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Sent: Monday, May 31, 2021 3:57 PM
> To: dick@reliableenergyanalytics.com; 'Russ Housley' 
> <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> Hi Dick,
>
> with the SUIT manifest format I hope we can make information available 
> to trusted third parties (MUD, COSWID and alike) and at the same time 
> use encrypted binaries. Having access to the plaintext binary is 
> essential for adversaries to mount attacks. (Happy to give a tutorial 
> about how this
> works.)
>
> Like-wise differential updates may make it difficult for SCRM vendors 
> to make their analysis but the information in the manifest can help them.
>
> Severable fields allows to remove information from the manifest before 
> it is sent to the device. This reduces overhead and prevents untrusted 
> parties from gathering information from the manifest.
>
> Ciao
> Hannes
>
> -----Original Message-----
> From: Dick Brooks <dick@reliableenergyanalytics.com>
> Sent: Monday, May 31, 2021 7:07 PM
> To: 'Russ Housley' <housley@vigilsec.com>
> Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; Hannes Tschofenig 
> <Hannes.Tschofenig@arm.com>; suit@ietf.org
> Subject: RE: [Suit] suit-firmware-encryption-00
>
> I agree, Russ.
>
> Parties subject to the 5/12 Executive Order 
> (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05
> /12/ex
> ecutive-order-on-improving-the-nations-cybersecurity/) will likely 
> want to perform a proactive SCRM risk assessment prior to 
> installation, if my interpretation of the EO is accurate.
>
> Thanks,
>
> Dick Brooks
>
> Never trust software, always verify and report! T 
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> Sent: Monday, May 31, 2021 12:56 PM
> To: Dick Brooks <dick@reliableenergyanalytics.com>
> Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Hannes Tschofenig 
> <Hannes.Tschofenig@arm.com>; suit@ietf.org
> Subject: Re: [Suit] suit-firmware-encryption-00
>
> Dick:
>
> Yes, and there are other use cases that require encryption.
>
> Russ
>
>
>> On May 31, 2021, at 12:53 PM, Dick Brooks
> <dick@reliableenergyanalytics.com> wrote:
>>
>> " If a trustworthy party in the middle of the distribution path is 
>> able to detect a problem with cleartext (but signed) firmware, they 
>> can report a vulnerability and refuse to pass the update along."
>>
>> This is precisely the function SCRM vendors are performing today.
>> Encrypting a binary object would be an impediment to software supply 
>> chain risk assessment functions in place today.
>>
>> Thanks,
>>
>> Dick Brooks
>>
>> Never trust software, always verify and report! T 
>> http://www.reliableenergyanalytics.com
>> Email: dick@reliableenergyanalytics.com
>> Tel: +1 978-696-1788
>>
>> -----Original Message-----
>> From: Suit <suit-bounces@ietf.org> On Behalf Of Russ Housley
>> Sent: Monday, May 31, 2021 12:49 PM
>> To: Michael Richardson <mcr+ietf@sandelman.ca>
>> Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; suit@ietf.org
>> Subject: Re: [Suit] suit-firmware-encryption-00
>>
>> Michael:
>>
>>>>> I agree that there are also challenges with certification schemes 
>>>>> that prevent developers from seeing the source code (or from 
>>>>> publishing the source code). That's yet another issue.
>>>
>>>> SUIT is using signature for the authentication and integrity of the 
>>>> firmware.  If the signature remains in place, a party in the middle 
>>>> of the distribution cannot insert any malware.
>>>
>>> The encryption of the firmware keeps third parties from auditing the 
>>> software updates to determine if malware has been inserted at the
>> "factory"
>>> Both white and black hats are currently using binary diff systems to 
>>> look at patches.  Black hats use this to develop exploits in the gap 
>>> between 9am EST and 9am PST!
>>> I am suggesting that this is a "Security Consideration"
>>
>> Yes, this is a reasonable thing to add to the Security Considerations.
>>
>> If a trustworthy party in the middle of the distribution path is able 
>> to detect a problem with cleartext (but signed) firmware, they can 
>> report a vulnerability and refuse to pass the update along.
>>
>> Russ
>> _______________________________________________
>> Suit mailing list
>> Suit@ietf.org
>> https://www.ietf.org/mailman/listinfo/suit
>>
>
>
> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended 
> recipient, please notify the sender immediately and do not disclose 
> the contents to any other person, use it for any purpose, or store or 
> copy the information in any medium. Thank you.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended 
> recipient, please notify the sender immediately and do not disclose 
> the contents to any other person, use it for any purpose, or store or 
> copy the information in any medium. Thank you.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended 
> recipient, please notify the sender immediately and do not disclose 
> the contents to any other person, use it for any purpose, or store or 
> copy the information in any medium. Thank you.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended 
> recipient, please notify the sender immediately and do not disclose 
> the contents to any other person, use it for any purpose, or store or 
> copy the information in any medium. Thank you.
>
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email