Re: [Suit] How are firmware and firmware versions expressed in manifest?

Dick Brooks, Fri, 05 June 2020 17:41 UTC

From: "Dick Brooks"
To: "'Michael Richardson'"
Cc: "'Hannes Tschofenig'", "'Saad EL JAOUHARI'", "'Eliot Lear'", "'Henk Birkholz'"
Date: Fri, 5 Jun 2020 13:41:18 -0400
Organization: Reliable Energy Analytics

Thank you, Michael. I need to think through this a bit more.

Thanks to all for your insights.


Dick Brooks

Never trust software, always verify and report! ™
Tel: +1 978-696-1788

-----Original Message-----
From: Michael Richardson
Sent: Friday, June 05, 2020 1:36 PM
To: Dick Brooks
Cc: 'Hannes Tschofenig'; 'Saad EL JAOUHARI'; 'Eliot Lear'; 'Henk Birkholz'
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?

Dick Brooks wrote:
    > Thanks, Michael Richardson. I'm uncertain that MUD has exactly what I'm
    > looking for to meet NERC CIP-010-3 R1, Part 1.6 expectations, after a
    > cursory look at the standard. I don't see where the MUD process would
    > support deep introspection and corroborating evidence within a risk
    > assessment control prior to deployment, which is what I need for NERC
    > CIP-010-3.

It does not offer any of those things.

It offers an attribute/value mechanism signed by the manufacturer, possibly
specific to a given firmware revision, in which you can put a pointer to
some kind of SBOM that would provide you the right information.

We can also do this from the SUIT Manifest, but I suspect that the extra
layer of indirection will benefit the ecosystems.

Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-