Re: [Suit] SUIT rechartering: proposed text

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Fri, 16 July 2021 16:19 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/T89I4TAu_IrLSxDPB_WTD8VtfLw>

Michael,

I like and agree with most of what Russ has proposed. I believe it is important to reflect that work that has been done, what work remains, and what new work is added. This will help the IESG evaluate the charter changes, and will help new participants in the WG to understand where we are in the effort.

I concur with your comments regarding tense. I like the changes you are suggesting.

I am on the fence about leaving in the charter the statement about "The SUIT WG continues to maintain a close relationship with silicon vendors and OEMs that develop IoT operating systems." This was important initially because there was prior work to consider and the need to have these stakeholders implement what we have produced. We have had a good deal of success in generating implementations through hackathon and external efforts. Perhaps we should replace this text with something that states that we will continue to do this?

Maybe:

} The SUIT WG will continue to work with silicon vendors and OEMs that develop IoT operating systems to produce implementations based on SUIT-related specifications (i.e., Hackathons).

Dave

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Monday, July 12, 2021 9:07 PM
To: Russ Housley <housley@vigilsec.com>; suit <suit@ietf.org>
Subject: Re: [Suit] SUIT rechartering: proposed text


Russ Housley <housley@vigilsec.com> wrote:
    > Putting the text provided by Brendan and a bit of context to the work
    > that has already been done by the WG, I propose the following re-charter
    > text.

I guess my only comment is that the wording and the tense do not reflect the work that has already been done.

    } The SUIT WG has focused on defining a firmware update solution,
    } that took into account learnings from RFC 4108 and other proprietary
    } firmware update solutions. The solution is usable on Class 1 (as defined
    } in RFC 7228) devices, i.e., devices with ~10 KiB RAM and ~100 KiB
    } flash.  The solution easily applies to more capable devices as well.  The
    } SUIT WG has not defined any new transport or discovery mechanisms, but
    } is still considering how to use existing mechanisms within the architecture.

...

    > The SUIT WG was already completed work on two documents: * An IoT
    > firmware update architecture that includes a description of the
    > involved entities, security threats, and assumptions.  * An information
    > model for the SUIT manifest.

    } Now that the information model is complete, and the SUIT WG has
    } selected the CBOR serialization formats and the associated COSE
    } cryptographic mechanisms to encode the SUIT manifest, the SUIT WG will
    } now consider a small number of additional formats in the future.
    } However, to reduce the complexity of a firmware management solution, a very
    } small number of formats is preferred. To support a wide range of
    } deployment scenarios, the formats have been designed to be expressive enough
    } to allow the use of different firmware sources and permission models.

no change:
    > The SUIT WG does not aim to create a standard for a generic application
    > software update mechanism, but instead the SUIT WG focus on firmware
    > development practices in the embedded industry. Software update
    > solutions that target updating software other than the firmware
    > binaries (e.g., applications) are also out of scope.

    > To support the SUIT manifest format, the SUIT WG will also define
    > formats and protocols that enable a Status Tracker to determine if a
    > particular manifest could be successfully deployed to a device and
    > determine if an operation was successful.

:
    > The SUIT WG will specify names or numbers will enable the use of SUIT
    > manifests, their precursors, and their successors within existing or
    > future protocols.

I don't know what this means anymore.

    } The SUIT WG continues to maintain a close relationship with silicon
    } vendors and OEMs that develop IoT operating systems.

    > The SUIT WG aims to publish several additional documents, namely: * A
    > SUIT manifest format specification using CBOR.  * A firmware encryption
    > specification for use with SUIT manifests.  * A secure for IoT device
    > to reporting on firmware update status.  * A SUIT manifest extension to
    > include a MUD file as defined in RFC 8520.

Maybe past tense for some of these?

I think that at this point, we need some explanation of why the WG isn't done yet.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide