IETF Logo Mail Archive

Re: [Suit] SUIT Architecture document review

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 16 October 2019 09:14 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E889120889 for <suit@ietfa.amsl.com>; Wed, 16 Oct 2019 02:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=9HQJ/7gU; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=dnmkVh74
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3vE6RsKUF6m for <suit@ietfa.amsl.com>; Wed, 16 Oct 2019 02:14:11 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50087.outbound.protection.outlook.com [40.107.5.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 173CB120121 for <suit@ietf.org>; Wed, 16 Oct 2019 02:14:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FprLgfcAGpPM5N6a9QcENCLwgqLgNEe4OMCugg9myHY=; b=9HQJ/7gU0Op4nb1oj0npaoZTddddh9UV/scc6oodns2Q0yIJGria138Tgd1IMHCrrQSIN4vHFfvVBirmLPJ3eCfRBepEdlYhZ9topE9Kxj1Gyl3M8q0qffX5ryjjAhbop4UYApOYvM8zLghsUXL9ozIg/qGC9oPco27qYu6WmRI=
Received: from DB6PR0802CA0035.eurprd08.prod.outlook.com (2603:10a6:4:a3::21) by VI1PR08MB5312.eurprd08.prod.outlook.com (2603:10a6:803:139::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.16; Wed, 16 Oct 2019 09:14:04 +0000
Received: from DB5EUR03FT013.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::209) by DB6PR0802CA0035.outlook.office365.com (2603:10a6:4:a3::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2347.16 via Frontend Transport; Wed, 16 Oct 2019 09:14:04 +0000
Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=none action=none header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout)
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT013.mail.protection.outlook.com (10.152.20.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2305.15 via Frontend Transport; Wed, 16 Oct 2019 09:14:02 +0000
Received: ("Tessian outbound 3fba803f6da3:v33"); Wed, 16 Oct 2019 09:14:02 +0000
X-CR-MTA-TID: 64aa7808
Received: from 1eb851c5b1e3.1 (ip-172-16-0-2.eu-west-1.compute.internal [104.47.10.57]) by 64aa7808-outbound-1.mta.getcheckrecipient.com id BA6FB8CB-9193-49B9-8454-237397AEF545.1; Wed, 16 Oct 2019 09:13:57 +0000
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-db5eur03lp2057.outbound.protection.outlook.com [104.47.10.57]) by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 1eb851c5b1e3.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384); Wed, 16 Oct 2019 09:13:57 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=czBr7D2CZGE8uTmR6dh7ib1uu1QSAOLHBMEdOTwCLzcz37nm2GzWtRqxZl0VljygCacvlpvmAvISkoY3N3H7qh6/6aGUSuOR2su/EVDpUBwKW1tfPg0Dl0RSdThbgoz3n0fbxRbmTYl4Se7vTMkftQNEwwbukvIYJpvdFO2YgdJZ2V/OSjI/sG1w0FvPvEceW7ICiFmOaG3aohV0txO1OYIC7HMbBBSvPkLYK+3Un/LrAZS56sZIMUU2hf1Vnx/nTgxWQklOQg/4ehu9ABbAa0l2/dcmqGo+yoqDQKI4ud3GnuSehCygm7yuynEgxCB/C2QC8eSxvsCTLb6bLjjIBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=teGIZKzp80lLR7c1hC5tdM3SgNMkUWzILbG9Zk5rOwU=; b=dZT4YrqpNIHcwW8xTOH+C4BMEXlQmFerkj0tUT2Chj0eEaXLZc7cVCdb52n2JqItpS/3HQfiaPeznP0FZFxXXDe5064PIUBiW1bZFfBTVXb8Vx0W4mZcKdsat/PrQZLwTbFs6RLNhhCJwZYWLzxuvZGrzLCKtjMVVgGYAsMiX+lp0bhmnoP4QZ3OgYSljyR054aq5qFglGuzRrRN3V3OpWt4W8o+ECr9vFqITAwMYl4zOcSa1BBJs3MSYEJbSxwLGVp+ni0bRPSiO+cdDCja18MRNyH1XlJ0m+a5LlmNiBt/OpQcmNtJ9+skSvroot1sm32eg1IR9LFZPb9SvDE3MQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=teGIZKzp80lLR7c1hC5tdM3SgNMkUWzILbG9Zk5rOwU=; b=dnmkVh74q7NqoRaiorLlV3FulltI662bypqahmoxyx2PbctAtLaIRFwPzYd4YeW5PTCDAFUum2PrBIjjx2NsZIEiMLwuVAop9QVccW1MiLg6esNZr1Tei8wQhDV0sYk68sGG27OybrMCktj8a09Yd72Haj+hYRGIlRSK2S2r+Vo=
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com (52.133.245.74) by VI1PR08MB5392.eurprd08.prod.outlook.com (52.133.245.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.19; Wed, 16 Oct 2019 09:13:56 +0000
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::b003:8767:35c7:e31]) by VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::b003:8767:35c7:e31%2]) with mapi id 15.20.2347.023; Wed, 16 Oct 2019 09:13:56 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] SUIT Architecture document review
Thread-Index: AQHVfi5MFcuuBhgJPUC100r00P0hL6db5a9Q
Date: Wed, 16 Oct 2019 09:13:56 +0000
Message-ID: <VI1PR08MB53604B1D9121DC24D28D4B4AFA920@VI1PR08MB5360.eurprd08.prod.outlook.com>
References: <CAHbuEH6h7Ojc1RDLqGDOvKCqcB6UWu4sg-cozsLFnDsZPm+xCg@mail.gmail.com>
In-Reply-To: <CAHbuEH6h7Ojc1RDLqGDOvKCqcB6UWu4sg-cozsLFnDsZPm+xCg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: b2b8ba01-7d5e-4566-b2ea-a449689e3078.0
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.123.83]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 619f8a63-168c-4ab2-9193-08d752192fd6
X-MS-Office365-Filtering-HT: Tenant
X-MS-TrafficTypeDiagnostic: VI1PR08MB5392:|VI1PR08MB5312:
X-Microsoft-Antispam-PRVS: <VI1PR08MB5312BFCB6F38BF220D77429DFA920@VI1PR08MB5312.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:9508;
x-forefront-prvs: 0192E812EC
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(346002)(396003)(376002)(136003)(39860400002)(366004)(51444003)(51914003)(199004)(189003)(790700001)(66556008)(476003)(229853002)(6506007)(486006)(55016002)(6246003)(478600001)(81156014)(71190400001)(9326002)(81166006)(6436002)(110136005)(316002)(9686003)(33656002)(54896002)(6306002)(71200400001)(3846002)(186003)(102836004)(6116002)(66946007)(86362001)(66476007)(64756008)(76116006)(26005)(66446008)(446003)(76176011)(11346002)(8676002)(7736002)(7696005)(74316002)(256004)(2906002)(14444005)(66066001)(14454004)(99286004)(66574012)(25786009)(52536014)(2501003)(5660300002)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB5392; H:VI1PR08MB5360.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 8mLCzBx/ux+rmz6ucqHnoV4jivEh7BQfQ13ysAg5D+KbdgAWYQIs3znNOMSkCPLh9ssofVAkVqRkuFj2vebugJZlLoAhNkAv2b7Q1R1Y2TNdQzAB8odjohzK+YIkiinPsLqpSI0gGxGaxq98w0nySYP9sa19b1u4DwKXLr4sqLwM4X8bzhyHu0VP0gm1RacNjYLU2kA9qg+2/GVeWXvzf1NIYzyVNOu4mEtsgFrVKKYelBaj/rzF5tM6FnirmKoXIJIwVxAKPMPV9Lwan7jkfnysUQqJ/g8ArnV0wp5o3t+9AYJB5uvlDvmWzhIrHnYfvtA0sC0+d8ljyLISB6BrwX+y5Eph8S8bbIOc0uENnWY9VdMrm/my2nQWBjTSqUQg7eVzN6UY0kuxuT3Nq8tCISwz/+a+t3Re+qhstGpVfsw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1PR08MB53604B1D9121DC24D28D4B4AFA920VI1PR08MB5360eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB5392
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT013.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(39860400002)(136003)(396003)(51914003)(189003)(199004)(51444003)(40434004)(8676002)(336012)(63350400001)(81166006)(81156014)(446003)(11346002)(99286004)(186003)(66574012)(2501003)(14454004)(2906002)(26005)(790700001)(22756006)(102836004)(25786009)(6116002)(3846002)(5660300002)(316002)(86362001)(70206006)(6246003)(229853002)(7696005)(30864003)(26826003)(7736002)(486006)(33656002)(356004)(478600001)(70586007)(126002)(8936002)(74316002)(476003)(110136005)(6506007)(6306002)(66066001)(9686003)(9326002)(54896002)(55016002)(76130400001)(71190400001)(33964004)(52536014)(76176011)(14444005)(5024004)(16586007); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB5312; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:TempError; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; MX:1; A:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: e8fc1a71-8dd0-4ffa-aed8-08d752192c23
X-Forefront-PRVS: 0192E812EC
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: t6FBfId85Za1QmHkWNvUGkoFs84HbGKioXsEeQgeDo8SQefXKNb7OMqiAnF4n28GNTgPKvn5MDTenOavTD0J15YuhHY7pkATTywfQyb+W0QCe3+KKqMP1+0Sknkhv75yRpTPmyGshW47jVWXsIqYS2pJChKZDycracVpjuCHNs+cgGbBOLGGjKZRKJSgpRb4xbexrHWoziaAmxjApLfaRgXxpEZyRO5SxHLDmfsrL0qnnYEmbrVOKAaUJMAzWsJCplkO36wu/7oAT/gIwVleIlOjX+EuwjFAidY7Te3KlH3892NrhngAdP8+1lgA8m5D1yj/d10h6vfC2PP/WRBbiiXc9tZTZrg6qg0fFqFqZl3VuXdD2EsH7h80zvZuKp3/b2uRO6dIEh7C++V+TooDj1smAvP2mbGumV+Xkez3eWY=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Oct 2019 09:14:02.5785 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 619f8a63-168c-4ab2-9193-08d752192fd6
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB5312
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Y0FlE5y2PO4XOyu2ITbj_yP8rk4>
Subject: Re: [Suit] SUIT Architecture document review
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 09:14:15 -0000

Hi Kathleen,

Thanks for the review.
A few remarks below:

Abstract:
I thought one of the goals was to update firmware for IoT, but also to scale up to larger systems as well.  The abstract seems very specific to constrained devices.  Should the language be adjusted or has the focus changed?
[Hannes] When you say “larger systems” what do you mean? There are Windows, Linux and mobile devices out there that already have a perfectly fine software update mechanism and we are not trying to replace it with this work. For those devices that run regular operating systems the lightweight design of the software update mechanism is apparently less of a concern compared to the design of a firmware update mechanism for low end IoT devices, as you have witnessed in the discussions on this list. When you say “large system” are you then referring to a system that runs Windows, Linux or something similar or do you have some other system in mind?

Introduction:
If the scope does include larger devices, then this is a problem for them as well for both security and inconsistency across platforms.  It's harder than it needs to be and that's amplified when you think about IoT.

[Hannes] See above.

Section 2:
For the Firmware definition, is the last sentence referring to both "firmware" and "image" as interchangeable or something else?  I think adjusting the last couple of sentences may be helpful to some readers.

[Hannes] Corrected the definition to refer to firmware image, firmware, and image.

Section 3.2:
If not link, network, or transport layer security, what does this rely upon?  If it is object-level security and I am assuming it is, please state that explicitly possibly referring to where confidentiality protection is specified.

[Hannes] Clarified that we are talking about protecting the manifest and firmware rather than the underling transport of them. Here is the new text I came up with:

------

## Friendly to broadcast delivery

This architecture does not specify any specific broadcast protocol.
However, given that broadcast may be desirable for some networks,
updates must cause the least disruption possible both in metadata
and firmware transmission.

For an update to be broadcast friendly, it cannot rely on link
layer, network layer, or transport layer security. A solution has
to rely on security protection applied to the manifest and firmware image
instead. In addition,
the same manifest must be deliverable to many devices, both those
to which it applies and those to which it does not, without a
chance that the wrong device will accept the update. Considerations
that apply to network broadcasts apply equally to the use of
third-party content distribution networks for payload distribution.

------


Section 3.3:

Current text:
"The use of post-quantum secure signature mechanisms, such as hash-
   based signatures, should be explored."
Since this is the architecture document, if they are defined elsewhere, the document should point to that rather than saying "should be explored".

[Hannes] I changed the text in the following way:

------

## Use state-of-the-art security mechanisms

End-to-end security between the author and the device is shown in
{{architecture}}.

Authentication ensures that the device can cryptographically identify
the author(s) creating firmware images and manifests. Authenticated
identities may be used as input to the authorization process.

Integrity protection ensures that no third party can modify the manifest
or the firmware image.

For confidentiality protection of the firmware image, it must be done in such a
way that every intended recipient can decrypt it. The information
that is encrypted individually for each device must maintain
friendliness to Content Distribution Networks, bulk storage, and
broadcast protocols.

A manifest specification must support different cryptographic algorithms
and algorithm extensibility. Because of the nature of
unchangeable code in ROM for use with bootloaders the use of
post-quantum secure signature mechanisms, such as hash-based
signatures {{I-D.ietf-cose-hash-sig}}, are attractive because they
maintain security in presence of quantum computers.

A mandatory-to-implement set of algorithms has to be defined offering
a key length of 112-bit symmetric key or security or more, as outlined
in Section 20 of RFC 7925 {{RFC7925}}. This corresponds to a 233 bit
ECC key or a 2048 bit RSA key.
------

Some other well received architecture documents provided pointers to the related documents that filled out stated components of the architecture.  If the WG were to hold this to be published until other document were complete, this could provide the same mapping between the requirements, architecture, and implementation of the architecture with the various specifications.


Section 3.6
I think this is the first time "fw" is used.  Maybe just spell out firmware with a search and replace?

[Hannes] Changed the figure where I abbreviated “Firmware Consumer” with “fw consumer”.

Section 3.11:
Typo in the following sentence:
   "TEEs may obtain TAs from different authors and those TAs may
   require personalization data, such as payment information, to be
   securely be conveyed to the TEE."
s/to be securely be conveyed/to be securely conveyed/

[Hannes] Fixed.

Section 4;
Typo in the following sentence:
   "The credential used to must be directly or indirectly
   related to the trust anchor installed at the device by the Trust
   Provisioning Authority."
s/The credential used to must/The credential used must/

[Hannes] Fixed.

Section 8
This says downloads can be large, so I think that's to accommodate more than IoT, is that right and the abstract/intro can be updated?

[Hannes] I replaced the term “large” with the following explanatory text:

“
(*) Because firmware images are often multiple kilobytes, sometimes
exceeding one hundred kilobytes, in size for low end IoT devices and even
several megabytes large for IoT devices running full-fletched operating systems
like Linux the protocol mechanism for retrieving these images needs
to offer features like congestion control, flow control, fragmentation
and reassembly, and mechanisms to resume interrupted or corrupted transfers.
 “

The point I was trying to get across is that you actually need to implement a number of
transport protocol features to transfer a firmware image.

The following sentence is readable, but super long:
   If the application image contains the firmware consumer
   functionality, as described above, then it is necessary that a
   working image is left on the device to ensure that the bootloader can
   roll back to a working firmware image to re-do the firmware download
   since the bootloader itself does not have enough functionality to
   fetch a firmware image plus manifest from a firmware server over the
   Internet.
Perhaps break it up?

[Hannes] Here is a try:

“
If the application image contains the firmware consumer
functionality, as described above, then it is necessary that a
working image is left on the device. This allows the bootloader to
roll back to a working firmware image to execute a firmware download
if the bootloader itself does not have enough functionality to
fetch a firmware image plus manifest from a firmware server over the
Internet.  A multi-stage bootloader may soften this requirement at
the expense of a more sophisticated boot process.
“


Security considerations:
Should this mention the end-to-end encryption?  Is it provided at the object level?

[Hannes] Encryption is now discussed in the requirements section, as explained in one of my earlier comments.

Also, if the intent is to scale above constrained devices, the text should state that as this section also specifies IoT.


Thank you for all of your work on the document.  It's easy to read and comprehensive.

Best regards,
Kathleen


Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email