Re: [Suit] [Tsv-art] Tsvart last call review of draft-ietf-suit-architecture-11
Bob Briscoe <ietf@bobbriscoe.net> Tue, 11 August 2020 12:50 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B12013A1045; Tue, 11 Aug 2020 05:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.048
X-Spam-Level:
X-Spam-Status: No, score=-3.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.949, SPF_HELO_FAIL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YTTb7fHzQ7eX; Tue, 11 Aug 2020 05:50:35 -0700 (PDT)
Received: from cl3.bcs-hosting.net (cl3.bcs-hosting.net [3.11.37.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C7F23A1044; Tue, 11 Aug 2020 05:50:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=irfW56tut+wjI19OT1d2iipJNqmNrvWUHMdoxCqpetM=; b=2GdEJp78q1NqFF45otniabAmMU 3swAtxLFZ0g+WVdW679Fzz+cXLJ4la+dzc0CNt0QVS7gDqKxCZ9vFi3kzbASLpYn4qNl19Rgojoc/ NmCcbWZ8ZWjHLroG1gvIo6lV239rGPnvATN2yrF1jjt+rzFaZ2BiEzxkmHUiu3xAldQDycgXIBJ/3 PdmQNqTi1Yb5EGh6ekMpqtGg0BN9G6K05xEkZhDnP8TwelkrwsWqUXPZalE03y3VwUYC9AOfKyeFP YS5Ln03P/NsJGAQ+W4ZdwHXKEok1vlkpcG+BK/wADO61R1KZ462tT58JMg9Utyp4adNLf2pJL6sAO DIsEoPWg==;
Received: from [31.185.135.177] (port=49332 helo=[192.168.0.6]) by cl3.bcs-hosting.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <ietf@bobbriscoe.net>) id 1k5Tjc-004S31-3k; Tue, 11 Aug 2020 13:50:32 +0100
To: Bob Briscoe <ietf@bobbriscoe.net>, tsv-art@ietf.org
Cc: last-call@ietf.org, draft-ietf-suit-architecture.all@ietf.org, suit@ietf.org
References: <159701600789.9734.7112047200124687933@ietfa.amsl.com>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <214f0c65-8d04-a168-3781-d2c38e6b0477@bobbriscoe.net>
Date: Tue, 11 Aug 2020 13:50:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <159701600789.9734.7112047200124687933@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cl3.bcs-hosting.net
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: cl3.bcs-hosting.net: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: cl3.bcs-hosting.net: in@bobbriscoe.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/WiQyuboi-WXZayvEaeTy-nkVE00>
Subject: Re: [Suit] [Tsv-art] Tsvart last call review of draft-ietf-suit-architecture-11
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 12:50:39 -0000
I notice that the review upload process has munged some of the line wrap. I've re-instated it below. On 10/08/2020 00:33, Bob Briscoe via Datatracker wrote: > Reviewer: Bob Briscoe > Review result: Ready with Issues > > This document has been reviewed as part of the transport area review team's > ongoing effort to review key IETF documents. These comments were written > primarily for the transport area directors, but are copied to the document's > authors and WG to allow them to address any issues raised and also to the IETF > discussion list for information. > > When done at the time of IETF Last Call, the authors should consider this > review as part of the last-call comments they receive. Please always CC > tsv-art@ietf.org if you reply to or forward this review. > > This review is long. For the benefit of busy readers, it is structured with 7 > important issues listed first (and tagged either as technical or editorial), > followed by minor editorial comments for the authors. > > Altho' it is ostensibly from the Transport Area Review Team, this review > identifies only one transport-related issue (see item #6a). Most of the major > discussion points are offered with a security hat on. > > First I want to say that there's a lot of useful stuff in the draft. So I'd > like to apologize that the review comments raise issues, and do not dwell on > praising all the good stuff. > > == Important Issues == > > 1. Motivation for publication by the IETF [Editorial] > > Until I reached the summary of the recent IoT IAB workshop in the first para of > the Security Considerations section, I was wondering why the IETF needed to > publish this. It seemed to be a description of what is already done in the > industry, but framed as an architecture. Most of this first para of the > Security Considerations section motivates this work, and ought to be moved to > the Introduction. > > Even then, a document that describes what the industry already does isn't a > sufficient response to a security problem. Given (I believe) the intention is > to encourage the industry to systematically cater for firmware updates, perhaps > the draft needs to be a little more hard-hitting (without being patronizing of > course). Rather than giving the impression (except in the abstract) that it is > just describing current industry practice. For instance, see item #2 below > about saying what not to do. I would also suggest that it should highlight the > simplest architecture, only giving optional more complex extras later (see item > #4 below). > > 2. Is Anything Not Allowed by this Architecture? [Technical+Editorial] > > a) A good architecture precludes as well as includes. Would it be useful to > list some common practices that are insecure, and perhaps some common > misconceptions about secure firmware update? > > b) I could hardly find anything in this draft that did not equally apply to > firmware update of "Non-Things". It would indeed be useful to define a 'Thing' > (at least what this document means by it). I suggest: > * unattended operation > * not within the operator's physical security control > > c) On the subject of ruling things out, I felt the list of items ruled out of > scope in the Security Considerations include some items that are so central to > IoT that they should not have been ruled out of scope, and in the first two > cases quoted below, they didn't need to be ruled out of scope, because the > document addresses them: > " > - installing firmware updates in a robust fashion so that the update > does not break the device functionality of the environment this > device operates in. > - the distribution of the actual firmware update, potentially in an > efficient manner to a large number of devices without human > involvement > - energy efficiency and battery lifetime considerations. > " > And, wouldn't it be better to move scoping statements to just after the Intro, > rather than in Security Considerations? (And, yes, I know that not all Things > are energy-challenged, but the size of the subset that are is significant.) > > 3. Relying on Software with Security Vulnerabilities to Patch Security > Vulnerabilities [Technical] > > The Intro only mentions 'software updates' generally, and doesn't explicitly > mention patching security vulnerabilities (altho the abstract does). Only > having read the Security Considerations section, do I discover that the draft > is primarily meant to be about patching firmware vulnerabilities. > > That raises the question of how secure it is to download new firmware from a > device booted from firmware that is potentially already compromised. As a > minimum, surely the draft needs to mention this point. And preferably: > * whether anything can be trusted once firmware is compromised, and if so what. > * whether it is still worth updating firmware, even once a vulnerability in the > firmware update process has been identified, given: > o identification of a vulnerability does not necessarily imply it has been > exploited, or not prevalently exploited > o a vulnerability might not make the firmware update process itself > vulnerable (with an explanation of how to tell) > * describe which aspects of the firmware update process need to be run within a > TEE (and which not if any) > * should the TEE lock the device against booting if a firmware authentication > or integrity check fails > o how to prevent tampering with firmware integrity from itself being used as > an attack, e.g. > - by ensuring that, once a device is locked against booting, firmware > re-update is never completely disabled > - by ensuring firmware updates are not immediately retried without an > exponentially increasing timer back-off, otherwise retries could lead to > the devices flooding their own network with fruitless update traffic. > > 4. Please Focus More on the Simplest Architecture [Technical] > > All the following increase system complexity, but are not /essential/ for > strong security: > a) Status Tracking Per Device > b) Confidentiality of the firmware binary > c) Robustness against rendering the device unbootable > d) Supporting both Message Authentication and Object Authentication (see item > #5) > e) Broadcast Friendly (see item #6) > > This draft is meant to be persuading the 'industry of Things' to provide > built-in secure firmware update. It tends to fall into the common trap of > setting the security bar so high that practitioners might give up in despair. > > a) Per-device status tracking certainly might be preferred by many operators, > but the alternative of the operator not knowing the status of each individual > device might be acceptable (as in the example in Figure 5). Per-device status > tracking introduces the following complexity: > * a need to separately identify each device, both on each device, and in the > status tracker. > * a need to securely identify each separate device (to prevent compromised > devices masquerading as all the other devices to give a false sense of > security), requiring management of separate public or shared keys > > b) Confidentiality certainly might provide defence in depth against reverse > engineering the binaries, but it is ultimately security by obscurity, and so > ultimately optional. By definition (see item #2b) 'Things' are not in a > physically secure environment. So, unless all devices decrypt all downloaded > binaries within a TEE and store them in tamper-proof memory, once the binaries > are stored on each device, they will be accessible to external inspection > anyway. So the document should be less dogmatic about confidentiality > protection (3rd para of Intro), and at least explain that, with IoT, > confidentiality on the wire is moot unless there is also confidential device > storage as well. > > c) Robustness against rendering the device unbootable > Often, when I initiate an (attended) firmware update, the OS warns me that this > is a sensitive process that could render the device useless if the power fails > part-way through. So clearly, this is a cost-tradeoff that device designers are > willing to compromise on. Therefore, I don't think the IETF is entitled to > pronounce a requirement against this practice. I would rather see this text > moved from Requirements to somewhere else in the doc, as a commentary on the > implementation issues, rather than stating it as a requirement. Climbing down a > bit at the end by saying it is only an implementation requirement doesn't help. > > 5. Both Message Authentication and Whole Object Authentication? [Technical] > > Message authentication codes aren't specifically mentioned, until sections 7 & > 8, where they are mentioned as if they might be used, without saying why or > how. The document needs to discuss the merits of MACs vs. authentication of the > whole manifest and/or the whole firmware binary. > > Ultimately, if an object's authenticity and integrity will be verified once it > is fully delivered, there is no need for MACs as well. However, using message > authentication reduces the risk that the device is talking with an imposter at > an early stage in the transmission, rather than having to wait until it is > complete. And it is easy to arrange message authentication to cumulatively > authenticate the whole object, without additional infrastructure for > whole-object verification. Therefore using MACs could avoid the need to provide > enough storage for a complete update of the firmware as well as the current > version - after verifying the manifest and the first message, the device could > even start to overwrite the firmware it is currently booted from. > > The above strategy would not be without risk, but my point is not just to > suggest this particular strategy. The document ought to at least discuss the > trade-offs between MACs and whole-objection authentication, and whether both > are really necessary. > > 6. Friendly to Broadcast Delivery? [Technical] > > Section 3. states this as one of the "Requirements", although the text softens > it to "may be desirable for some networks". However, broadcast delivery > introduces the three significant problems below, wrt a) reliable transport; b) > device energy efficiency; and c) broadcast message authentication. > > a) Reliable Broadcast Transport > Delivery of binary objects needs to recover lost or corrupt packets. Reliable > broadcast delivery at scale is extremely challenging. It needs either fountain > coding [1] or reliable multicast. > * Fountain coding delivers an object in a continually repeating stream and > ensures that the data in any missing packet can be reconstructed from data in > a subsequent different packet. But this would increase device complexity. > * For broadcast delivery, per-packet acknowledgements (ACKs) from each device > do not scale. Negative ACKs (NACKs) can be used but they also do not scale. If > a loss is experienced close to the root of the broadcast/multicast, it still > causes an implosion of negative ACKs (NACKs) on the sender. Reliable multicast > (e.g. PGM [RFC3208]) arranges a spreading tree of delivery nodes each of which > handles NACKs solely from its next-degree downstream neighbours. Clearly this > increases network or CDN complexity. > > b) Broadcast Energy Efficiency > If the IoT device is wireless and needs to take care with its energy > consumption, it will need to initiate all communications, rather than have to > sit with its radio powered up listening for an incoming message. However, of > course, it is not possible for each device to independently initiate an > incoming broadcast. It would be possible for a broadcast to be scheduled, and > for each device to poll for the schedule. But this would add complexity, > particularly because all the device clocks would have to be fairly closely > synchronized. > > c) Broadcast Message Authentication > Message authentication has potential advantages over whole-object > authentication (see #5). When MACs are used over unicast, typically the cost of > asymmetric crypto for each message is avoided by using asymmetric crypto just > once to transmit a shared key, which is then used to verify each MAC. However, > that process is only secure for unicast. For broadcast or multicast delivery, > the sender only sends each message once, using one key for the MAC that would > therefore have to be shared with every receiver. Then any receiver could > masquerade as the genuine sender. TESLA is a solution to this [RFC4082], but it > would again increase the complexity of each device and the servers, not least > because it requires loose clock synch (nonetheless, uTESLA has been implemented > for challenged devices [2]). > > Aside regarding broadcast encryption: > In section 3.3. "Use state-of-the-art security mechanisms", it says: > "The information that is encrypted individually for each device must > maintain friendliness to Content Distribution Networks, bulk storage, > and broadcast protocols." > That implies a magic encyption scheme that is beyond any state-of-the-art that > I am aware of! If information is encrypted individually for each device, surely > by definition it will not be friendly to broadcast protocols. Actually, I > suspect the authors did not mean to say "encrypted individually for each > device", because a shared group key is adequate for confidentiality - a shared > group key is only problematic for message or source authentication (see above). > > 7. Missing Security Concerns [Technical] > > a) Avoiding Reliance on the Device's System Clock > > I suggest that the document makes the point that it is preferable for the > firmware update process not to rely on the device's system clock. > > Reasoning: Even if the TEE maintains the system clock, protection against > attacks on this clock rely on voting between multiple time sources. No amount > of authentication provides any proof of message timing. So, it is hard for a > TEE to protect against tampering with the timing of its messages, given they > pass via the untrusted execution environment of the rest of the device, similar > to the problem of a secure time source for virtualized functions [3]. > > I think IoT developers can be reassured that none of the requirements for > firmware update need to rely on the system clock. For instance roll-back attack > prevention (section 3.4) only requires comparison between version numbers, not > comparison between a release time and the clock. > > However, I think not relying on the clock is worth mentioning, because key > expiry and key revocation have to be designed carefully to avoid relying on > secure time, and this is a subtle point that might not be appreciated by IoT > device designers. > > b) Key revocation > > When keys are in tamper-resistant storage but otherwise not within a physically > secure site, the question of revocation surely has to be addressed. In > particular, there should be a discussion about the advisability or otherwise of > pre-loading the same keys into multiple devices. > > == Minor Editorial Issues == > > 1. Intro > "Updates to the firmware of an IoT device are done to fix bugs in software..." > This would be a good place to highlight the focus on patching security > vulnerabilities. > > "This version of the document assumes... Future versions may also describe..." > I assume this aspiration needs to be deleted now? > > 2. Terminology > > There are ~22 occurrences of lower case 'must' in this document, and one > 'should' (excluding multiple uses in rhetorical questions). I'm not sure > whether it is intentional to make it seem like this is an RFC that is mandating > behaviour, perhaps for readers who don't understand the subtleties of the IETF > informational track. I would prefer it to be clear that this document is not > mandating anything, by using alternatives to 'must' like 'ought to' or 'has > to'. Otherwise it could be considered disingenuous. > > "The term ’system on chip (SoC)’ is often used for these types of devices." > Perhaps more useful: > "The term ’system on chip (SoC)’ is often used interchangeably with MCU, but > MCU tends to imply more limited peripheral functions." > > "The following entities are used:" > The list is a mix of stakeholders and functions, which tends to show that the > authors themselves might not be clear about the distinction. It would be useful > to split into two lists. > > "The terms device and > firmware consumer are used interchangeably since the firmware > consumer is one software component running on an MCU on the > device." > I didn't notice them being used interchangeably. If they are anywhere, why not > just edit to use whichever term is more appropriate and delete this sentence? > > Status Tracker > "While the IoT device itself runs the client- > side of the status tracker it will most likely not run a status > tracker itself unless it acts as a proxy for other IoT devices in > a protocol translation or edge computing device node." > The client-side of a status tracker surely does run a status tracker itself > (the clue is in the name). I know what is intended, but the writer was clearly > in two minds as to whether a status tracker is the combination of client and > server or just the server. > > 3. Requirements > > 3.5 "High reliability" -> 'Robust against becoming unbootable'. > The title for this requirement otherwise implies a much more general > requirement than the description under it. > > 3.6 Small bootloader > "...again using firmware updates over serial, > USB or even wireless connectivity like a limited version of > Bluetooth Smart." > Don't see why it has to be "...a limited version of...". Suggest these words > are deleted. > > s/poses a risk in reliability/ > /poses a reliability risk/ > > s/must fit in the available RAM/ > /must fit in the available memory/ > (not necessarily RAM) > > s|there are not other task/processing running| > |there are not other tasks/processes running| > > s/unlike it may be the case/ > /unlike that which may be the case/ > > s/Note: This is an implementation requirement./ > /Note: This last paragraph is an implementation requirement./ > (Otherwise, 'this' could ambiguously refer to the whole requirement) > > 3.7 Small Parsers > "Since parsers are known sources of bugs they must be minimal." > To be honest, I suspect the target audience will find this sentence and others > like it rather pious. Given the purpose of this document is meant to be to > encourage implementers to provide secure firmware update, I think these > peripheral "requirements" will just serve to make any implementers reading this > feel they are being patronized. > > As with the earlier requirement about 'robustness against becoming unbootable', > I think many of these 'requirements' would be easier to stomach within a > discussion of tradeoffs, rather than as a list of pronouncements that demand > perfection. > > 3.8 > s/Minimal impact on existing firmware formats/ > /No impact on existing firmware formats/ > Reason: This is what the text underneath says. > > 3.9 Robust permissions > > "...the authorization policy is separated from the > underlying communication architecture. This is accomplished by > separating the entities from their permissions." > I'm not sure whether either of these sentences makes much sense (at least not > to me). Perhaps the first sentence means to say that > "...the authorization policy is separated from the > firmware it applies to" > And then the second sentence could be deleted. I'm not sure the second sentence > would ever be necessary, because entities are always separate from their > permissions (otherwise you would have to access an entity to find out you > weren't allowed to access it). To be honest, I don't really see the point of > the whole requirement. So if it is important, maybe its meaning needs to be > clarified for people like me. Otherwise, if it's just stating the obvious, > maybe it's not necessary at all. > > 3.10. Operating modes > Later, in S.5. the term 'delivery modes' is used. If these are meant to mean > the same thing, then the same term should be used consistently. In my > experience, the term 'interaction model' is used to describe things like polled > request-reply, push, publish-subscribe, etc. > > "The pre-authorisation step involves verifying..." > When describing a distributed system, pls avoid passive sentences like this, > which don't specify which entity is performing the action. It is followed up > later by "...the firmware consumer must also...", which implies the subject is > the firmware consumer, but it's best not to rely on implication, especially not > if it requires two passes to understand. > > "Pushing a manifest and firmware image to the transfer to > the Package resource of the LwM2M Firmware Update object" > Garbled? > > "...it may need to wait for a trigger from the > status tracker to initiate the installation, may trigger the update > automatically, or may go through a more complex decision making > process to determine the appropriate timing for an update" > I had to read this a few times before realizing it was a list. > How about: > "... to initiate the installation, it may either need to wait for a trigger > from the status tracker; or trigger the update automatically; or go through a > more complex decision making process to determine the appropriate timing for > an update" > > 3.11. > s/Suitability to software and personalization data/ > /Suitability for software and personalization data/ > > The document suddenly jumps into a different style at the start of 3.11, more > like an log of WG activity than a requirement. Pls consider making the style > consistent, especially given it switches back after the first sentence of the > 2nd para. > > 4. Claims > s/Only install firmware with a matching vendor/ > /Only install firmware with a matching author/ ? > > 5. Communication Architecture > > The document often repeats that it's agnostic to the communication > architecture, then this section starts with the phrase: > "Figure 1 shows the communication architecture..." > Perhaps it means 'firmware update architecture'? > Or, possibly this implies that the authors are in two minds as to what > 'communications architecture' means. Or the heading was intended to be > 'Communications Architectures' (plural) and the first phrase was meant to say > "Figure 1 shows an example communication architecture..." > > The text needs to make it clear that a status tracker is optional in the client > pull case but not in the server push case (see item #4a earlier). > > It would be useful for the doc to say what it means for an operator circle to > enclose a function. For instance the 'Device Operator' in Fig 1 encloses the > status tracker, which to me implies it controls the status tracker. However, > the network operator encloses the device, which probably doesn't imply it > operates the device. Perhaps an enclosing circle means 'within the physical > security control of'? The network operator isn't mentioned in the text - why is > it in the diagram, given it has no role in the firmware update, other than as a > common carrier of opaque bits? > > "The following assumptions are made to allow the firmware consumer to > verify the received firmware image and manifest before updating > software:" > The following three bullets aren't really assumptions. Perhaps 'statements > about the verification process' would be a better phrase. Would another > reference to suit-information-model here be useful, to explain why the details > are not given here? > > See item #4b) above about highlighting that confidentiality is optional, not > just 'deployment specific'. > > "There are different types of delivery modes, which are illustrated > based on examples below." > Shouldn't this sentence start section 5? (Also see my earlier point about > 'operating modes' / 'interaction modes' terminology). > > Fig 3 is inconsistent with Fig 1, in that it omits the firmware consumer > function. > > Fig 4 is inconsistent with Figs 1 & 3, in that there is also an arrow from the > status tracker to the author. What does this imply? > > "This architecture does not mandate a specific delivery mode but a > solution must support both types. > Whatever for? This requirement surely over-plays the IETF's hand, which is not > in a position to make such a demand? Is the intention really that being > agnostic to the delivery mode means every solution must support all delivery > modes? > > 6. Manifest > > Given each of the items in the second bullet list addresses one of the > questions in the first bullet list, it would be useful to tabulate them > side-by-side and to put them in a more meaningful order, e.g. in the order they > occur during firmware update. Also, the the first question bullet (author > trust) is not specifically addressed in the second list - implied within the > last bullet, but not explicitly stated. > > 7.1 > s/Combined with the non-relocatable nature of the code/ > /Due to the non-relocatable nature of the code/ > > 7.3 > "This configuration has two or more CPUs in a single SoC that share > memory (flash and RAM). Generally, they will be a protection > mechanism to prevent one CPU from accessing the other’s memory." > I know what is intended, but it reads as if line 1 contradicts line 3. Perhaps: > "... > mechanism to prevent one CPU from unintentionally accessing memory currently > allocated to the other." > > 9. Example > > In at least one example figure, it would be useful to show the initial > pre-loading of keys, policy logic and trust anchor into the firmware consumer / > bootloader. > > s/starting with an author uploading the new firmware to firmware server/ > /starting with an author uploading the new firmware to the firmware server/ > > "This setup does > not use a status tracker and the firmware consumer component is > therefore responsible for periodically checking whether a new > firmware image is available for download." > It needs to be much clearer that the status tracker has both a monitoring > function and an update triggering function. So, altho it is essential in the > server push model - to trigger updates, it's monitoring function means it is > not ruled out for the client pull model. > > Fig 5 & 6 are inconsistent, in that the former omits the IoT device box around > the Firmware consumer and bootloader. > > s/Figure 6 shows an example follow with the device using a status tracker./ > /Figure 6 shows an example with the device using a status tracker./ > > "For editorial reasons the author publishing the manifest at > the status tracker and the firmware image at the firmware server is > not shown." > How about: > "Depiction of the author publishing the manifest at > the status tracker and the firmware image at the firmware server would > be the same as in Figure 5. So for brevity they are not shown." > > 11. Security Considerations > > Between > "A report about this workshop can be found at [RFC8240]." > and > "A standardized firmware manifest format..." > there either needs to be some glue text to explain that the initial manifest > format was an output of the workshop (if it was), or a new para if the second > sentence really doesn't follow from the first. > > Note also that I suggest (item #1) that the motivating text about the workshop > should be moved to the introduction. I also say (in item 2c) that the scoping > bullets would be better at the end of the Intro too. However, I can also see a > case for them remaining under Security Considerations; to admit that the > document does not fully address all possible security concerns. > > Given this could leave nothing in the Security Considerations section, it would > be appropriate to merely point to all the sections of the document that already > cover security matters. > > == References == > [1] Byers, J.; Luby, M.; Mitzenmacher, M. & Rege, A. A Digital Fountain > Approach to Reliable Distribution of Bulk Data Proc. ACM SIGCOMM'98, Computer > Communication Review, 1998, 28 > > [2] Perrig, A.; Szewczyk, R.; Wen, V.; Culler, D. E. & Tygar, J. D. SPINS: > Security Protocols for Sensor Networks Proc. ACM International Conference on > Mobile Computing and Networks (Mobicom'01), 2001, 189-199 > > [3] Briscoe (Ed.), B. & others Network Functions Virtualisation; Security; > Problem Statement ETSI NFV Industry Specification Group (ISG), ETSI NFV > Industry Specification Group (ISG), 2014 > > > > _______________________________________________ > Tsv-art mailing list > Tsv-art@ietf.org > https://www.ietf.org/mailman/listinfo/tsv-art -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- [Suit] Tsvart last call review of draft-ietf-suit… Bob Briscoe via Datatracker
- Re: [Suit] [Tsv-art] Tsvart last call review of d… Bob Briscoe
- Re: [Suit] Tsvart last call review of draft-ietf-… Hannes Tschofenig
- Re: [Suit] [Tsv-art] Tsvart last call review of d… Bob Briscoe
- Re: [Suit] [Tsv-art] Tsvart last call review of d… Hannes Tschofenig