Re: [Suit] Parameters and Commands

Adrian Shaw <Adrian.Shaw@arm.com> Thu, 27 February 2020 17:27 UTC

Return-Path: <Adrian.Shaw@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA8DF3A0D87 for <suit@ietfa.amsl.com>; Thu, 27 Feb 2020 09:27:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=vWbUG6+q; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=vWbUG6+q
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kIIq8MNcCbLw for <suit@ietfa.amsl.com>; Thu, 27 Feb 2020 09:27:06 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70044.outbound.protection.outlook.com [40.107.7.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 094313A0D83 for <suit@ietf.org>; Thu, 27 Feb 2020 09:27:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2xGuQRdFFbb0BEihaxadP+6xA+KeCQV1fnHBp+eGP1M=; b=vWbUG6+qRlwxKm6Qg85oGzCEhlBgtH713kcS2GIB3MtNCnoR6mSSGJJr/QoJBaBaHjU5RGqvnJYfCCbxgLmtOPLCNHzYak9YLRFB3vnNAdxiptn6tgnxIoTo0NNme68loqboFxwfpFAJmFUiV0xdmnooueQ9XEkGAXlXkjCdNss=
Received: from VI1PR08CA0262.eurprd08.prod.outlook.com (2603:10a6:803:dc::35) by AM5PR0801MB1954.eurprd08.prod.outlook.com (2603:10a6:203:4a::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Thu, 27 Feb 2020 17:27:01 +0000
Received: from DB5EUR03FT012.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::203) by VI1PR08CA0262.outlook.office365.com (2603:10a6:803:dc::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.15 via Frontend Transport; Thu, 27 Feb 2020 17:27:01 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT012.mail.protection.outlook.com (10.152.20.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.14 via Frontend Transport; Thu, 27 Feb 2020 17:27:01 +0000
Received: ("Tessian outbound efdea641ed36:v42"); Thu, 27 Feb 2020 17:27:01 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 643b60623a7a458c
X-CR-MTA-TID: 64aa7808
Received: from 5121a4bd87a0.2 by 64aa7808-outbound-1.mta.getcheckrecipient.com id B905B274-B108-421A-91DF-9AF8F45E30C3.1; Thu, 27 Feb 2020 17:26:56 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 5121a4bd87a0.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 27 Feb 2020 17:26:56 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AI9Rx2gUx9IzFpk8O2lUz2PYonUwm+0xJBEc6t6vlO+9EAuOCxs9hZJptOdhzXuUnnZZc1Cd6QIHEYBSsByEjVZgzdS/hI6K2I1Oob6LM2KWAC41lWuzbOdq9cJVLb1JVk/oFEymLYRDpn0fG9L0S2zXas+vzzupBaGSqR2aBXhxV5LbjiE6mCMM7EQAuUic6AA81NT+AMnl8eom08KeN0RVfQXLWWq4oE+jSv7F5tbAwiPcIyr1410X3JE0dc5rAQJ1KnS0p688uleOeBgKEG+HrdL4p8TZXtJp81ijgM5R+rW92acIcfK4EhdvvwNE1OJKnAkEw0G0welc+vbuWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2xGuQRdFFbb0BEihaxadP+6xA+KeCQV1fnHBp+eGP1M=; b=Y4RMnp+HseX+SgP3yT/EUNTVyuYH9ToU7pMrcy6lPFnz0qGZDDBvjwjvINZ5eh4SLYFSoReZlEMdt2VywdmTkT6Icx4JRXGwrleEzadjMNywoOJpnRF7vHeKY1yKVewAdkRh29sdvLkRMRTABhnn4HTpjzpHeSP4KNg9SfNhEiquJL4nx794b5g3MHIKE24OJjmOlcc+hxDyQPufZMlomzBjXlZlT5CkgRegEB0TTJByZD+Twt44tUkXDkenEopo9n+a9Hu7+6j8SF3YrkAKdppRLGjmTRBKSu3+ynGcUDOYKssrfMI0aauRf7lkzueobgRs+gsMo0I3RHrNpO2PHA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2xGuQRdFFbb0BEihaxadP+6xA+KeCQV1fnHBp+eGP1M=; b=vWbUG6+qRlwxKm6Qg85oGzCEhlBgtH713kcS2GIB3MtNCnoR6mSSGJJr/QoJBaBaHjU5RGqvnJYfCCbxgLmtOPLCNHzYak9YLRFB3vnNAdxiptn6tgnxIoTo0NNme68loqboFxwfpFAJmFUiV0xdmnooueQ9XEkGAXlXkjCdNss=
Received: from VI1PR08MB3568.eurprd08.prod.outlook.com (20.177.59.211) by VI1PR08MB3424.eurprd08.prod.outlook.com (20.177.62.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Thu, 27 Feb 2020 17:26:54 +0000
Received: from VI1PR08MB3568.eurprd08.prod.outlook.com ([fe80::9c45:88d7:93fb:15a7]) by VI1PR08MB3568.eurprd08.prod.outlook.com ([fe80::9c45:88d7:93fb:15a7%4]) with mapi id 15.20.2750.021; Thu, 27 Feb 2020 17:26:53 +0000
From: Adrian Shaw <Adrian.Shaw@arm.com>
To: Brendan Moran <Brendan.Moran@arm.com>
CC: suit <suit@ietf.org>, Koen Zandberg <koen@bergzand.net>, Emmanuel Baccelli <Emmanuel.Baccelli@inria.fr>
Thread-Topic: [Suit] Parameters and Commands
Thread-Index: AQHV7XQQQA0i3AEJykizdfj2dpCACagvGNGAgAAgvYCAABG9gA==
Date: Thu, 27 Feb 2020 17:26:53 +0000
Message-ID: <F1C51257-B3F9-4890-B33D-E9FCD99AC872@arm.com>
References: <27913A6B-F42C-4AA9-8A7A-64B1D546C13C@arm.com> <5CBBCF38-5431-4BF7-891D-E4451ECDEAC5@arm.com> <D2CE89E8-BCBA-4BBF-BCAD-2A2C2A558786@arm.com>
In-Reply-To: <D2CE89E8-BCBA-4BBF-BCAD-2A2C2A558786@arm.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Adrian.Shaw@arm.com;
x-originating-ip: [217.140.106.53]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: a07392df-fa36-4ce5-391f-08d7bbaa4190
X-MS-TrafficTypeDiagnostic: VI1PR08MB3424:|VI1PR08MB3424:|AM5PR0801MB1954:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <AM5PR0801MB1954C1E4C7047E8198165B51F9EB0@AM5PR0801MB1954.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 03264AEA72
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(376002)(366004)(136003)(396003)(346002)(39860400002)(199004)(189003)(37006003)(4326008)(64756008)(86362001)(66556008)(66946007)(36756003)(54906003)(91956017)(66446008)(2906002)(316002)(966005)(6512007)(76116006)(6486002)(66476007)(53546011)(6636002)(186003)(2616005)(6862004)(81156014)(33656002)(5660300002)(8676002)(26005)(81166006)(478600001)(71200400001)(8936002)(6506007); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB3424; H:VI1PR08MB3568.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: iNVMYOKdIWBeQ5MvMVJvWusixR8HFVyrNn9BD6+/eYXNLjeU1B2FcTN3pTji4ZFth75JKgROjvfQ17gWyFwcU/0B5VDCdggPjbvwNi90fDnVgzJvjHAEkGjYFR138h8bX+d2K57+pH/gc2Bqfue5fSxnCju5yVez+NLYQaHMzJkSWRZFXO7YwiqrokZUEOpzynK7ruaAFd1xEH5LjSAy5MrKq4ewizUm+liYdb1jGnMfjFXA6WaWA03v5KmF0ISg2j7u1OPETa1Fnu086uk+1c8jKkQIRJAM8A0iM2c/tlXslrRBDJ1C7pnmiOif6sX5qFpOvH5HBpwv3YxfIM2BDHUPa8qlk8Da8arRULk+g8AODiI1TNh5/RbB2JOFV+N1KpcX+1THOJWaaruKPo8zjl4kiZk0JjuRCi+XNtDpNUCRCnrB/FMxbjxaF0DhUIn1+mXtHDYuUbN4zw+nrSNxta2CbAowjU1tm5e3YB8qESqnLMjsYZy/1ifTFqGO7RNNFvMtTGJ7LDSjOZ6d5qQDaA==
x-ms-exchange-antispam-messagedata: nbKi8dXMpuTJHq/0HJ0fk+qrNfdApEoKYzM+TxrXxVAt6az2LQkmTNczfmQfwuWevAOXqcQlnCrGVb2gJOJ2F5jxuK6hgaMHFFl3wUq9M43idC13ZMQ6J9vTlpleVTgh+qsrjMX3eySvNgCl1SPOsQ==
Content-Type: multipart/alternative; boundary="_000_F1C51257B3F94890B33DE9FCD99AC872armcom_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3424
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Adrian.Shaw@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT012.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(136003)(396003)(39860400002)(346002)(376002)(189003)(199004)(26005)(6506007)(107886003)(2616005)(6486002)(53546011)(70206006)(36756003)(70586007)(186003)(356004)(6512007)(54906003)(8936002)(966005)(6862004)(4326008)(336012)(86362001)(8676002)(478600001)(81156014)(33656002)(81166006)(45080400002)(316002)(33964004)(26826003)(5660300002)(37006003)(6636002)(2906002)(30864003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM5PR0801MB1954; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; MX:1; A:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 531a426a-b0d5-4df6-5857-08d7bbaa3d12
X-Forefront-PRVS: 03264AEA72
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: UtT3jakVjDA5j+S4TgUU2eT7xLR17kmIj4MbG7ZQo5sRoQD1buVvTXLZk1jTq8agNfQEcljZ5oj43hyCoyZNTEYfLwNdYFSJLRQzde6A9g1lnpJRdq5HG7LxRX4DGB7jngr1poOHF5GNvSAINCvIGJ77zRJwyQnJO/QM9zGSWEVoS9rMuN4g6vx5bBvWWaA9zu9+6HrOXlFopw/+q4FEd9zkjm5+YhdQ3PftK0Lwm0PEGBTNfAFjivDS39lFkmCb3PUJ4JO9tkAM9AivGl3gbjU+7O+vINhtZS+2vFLBSafu1Os21jPAC/aK38wwSiyeBDtlJKLewM5pe+koIRdiFiQW4XIQ3Emij31/J8VO06GoVuaILCvLv9vUwS60kKa5sT5c/c27lQZjPjWwVPyP45AqZqr8quivtcsOB2eXF+y1v45flbPBMPZOoZIgbPfo+znSAQpSuWI/iwqkzgNTWmd4kZHlGYgaSzRAEck/caZR1p8lX0JDrVQetk2gfonQ1trV+acTdtdOSMMA69t8fQ==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Feb 2020 17:27:01.4939 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a07392df-fa36-4ce5-391f-08d7bbaa4190
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0801MB1954
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/idNa2mSNaFysR0sP3SuOQWDnaZc>
Subject: Re: [Suit] Parameters and Commands
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2020 17:27:11 -0000

Hi Brandan,

Thanks for rephrasing. I’m ok provided that the bootloader implementation and remote verifier can decide (if they wish) to enact their own policies independently of the image signer. Which seems like what you’ve confirmed would be possible.

Best,
Adrian

On 27 Feb 2020, at 16:23, Brendan Moran <Brendan.Moran@arm.com<mailto:Brendan.Moran@arm.com>> wrote:

Hi Adrian,

I think I have not explained the idea behind this attestation policy concept well enough. The idea here is that the attestation policy for a given component is defined by the signer of that component. The loader/verifier of a component is the one who executes the policy. This allows the loader/verifier to apply a super-set of the policy if appropriate. For example, BL1 loads BL2. BL1 trusts the author of BL2 (which is the basis of secure boot). BL1 executes the policy laid out by BL2’s signer. BL1 could additionally mandate that certain items in BL2’s policy must always be attested, such as the digest of BL2, refusing to boot the device if the attestation policy is wrong, or overriding the manifest’s attestation policy.

I don’t believe that this introduces a privilege inversion.

There is an additional point that may not have been clear: The verifier of the attestation report requires a policy to verify against. Where does this policy come from? It could be a (Co)SWID. It could also be the manifest itself. Regardless, that must be signed by some authority. Which authority should sign the (Co)SWID? Is it the same as the Manifest signing authority? Or at least derived from the same trust anchor? If not, why not?

Finally, there is the question of how an attestation report is verified. If it is verified against the manifest, then the verifier has the opportunity to examine the policy set by the manifest. This means that the verifier can detect any “opt-out” scenarios as you describe them.

Does that make sense?

Best Regards,
Brendan

On 27 Feb 2020, at 14:26, Adrian Shaw <Adrian.Shaw@arm.com<mailto:Adrian.Shaw@arm.com>> wrote:

Hi Brendan,

We have also discussed the possibility of defining attestation policy within SUIT. This would mean that we need flags to indicate to the parser which measurements should be reported. For example, a Vendor ID, an image digest, or a component offset might need to be reported in the attestation report. Each of these is checked by a condition. Each of those conditions will consume a parameter under this model. Then, the argument can indicate: report a measurement, do not report a measurement, report a measurement only if comparison is successful, or perhaps other attestation-related policies. Bear in mind that attesting a failed condition may be helpful for attesting why a manifest has failed, as we discussed in the hackathon and virtual interim meeting.

To me it doesn’t make much sense for the signer to define the measurement policy. The signer shouldn’t be trusted for that particular purpose.

Just as a simple example:

If a signer of a non-secure image decides to say "don’t measure me”, and the platform blindly obeys that directive, then the platform cannot accurately describe what the software state is during an attestation.

Alternatively, the manifest may decide to tell the installer to measure things that are not security relevant, whilst deliberately avoiding the parts that are security sensitive. Yes, the metadata is signed, but that only tells you who made the image. In the real world a firmware image wouldn’t tell a secure boot system what to verify and what not to verify, and is a similar case here.

There is also the possibility where, for some particular scenario, you don’t necessarily trust whoever signs the non-secure image, but you want to be able to convey to a remote party what image _is_ installed. In this case, you shouldn’t be trusting the measurement instructions from the non-secure manifest.

In essence, the thing being measured should not have any influence on the measurer, since that would not be a chain of trust. It should be the root of trust’s responsibility to decide what is reported.

Let me know if I’ve misunderstood something, as I may not have the full context.

Cheers,
Adrian

On 27 Feb 2020, at 13:44, Brendan Moran <Brendan.Moran@arm.com<mailto:Brendan.Moran@arm.com>> wrote:

During the hackathon, I discovered that my examples and my manifest generator tool are generating incorrect sequences for testing vendor ID and class ID.

There are currently two ways to handle commands (conditions or directives):

  1.  The command consumes an argument (that is the value that follows the command's key)
  2.  The command consumes a parameter (that is a value set by the “set-parameters” or “override-parameters” commands)

This duality led to my error in setting up the Vendor and Class ID tests in the demo code.

The reasons for each mode are:

  1.  Command consumes an argument
     *   Encoding is more compact (encoding via parameters takes 2-3 more bytes, depending on the situation).
     *   Less storage needed (the argument is consumed immediately)
     *   Does not require matching parameter key
     *   More explicit association between command and argument
  2.  Command consumes a parameter
     *   More compact when the parameter is used more than once (e.g. image digest)
     *   Allows override by dependencies, when set-parameters is used


We’ve talked before about “only one way to do things” and I think I can see a path to making that the case here. Here is my proposal:

Commands consuming a parameter are absolutely necessary due to override and deduplication concerns. Conditions testing against an argument are convenient and more explicit. Therefore, harmonising around a single option probably means that we have to select parameters instead of arguments:


  1.  Eliminate arguments from most commands (see below)
  2.  Match most parameter keys with command keys to simplify the association, make “arguments” more explicit

Only these commands require arguments, since they either deal with setting parameters, setting parameter scope, or with flow control, which requires nested command sequences.


  *   Set Component Index
  *   Set Dependency Index
  *   Set Parameters
  *   Override Parameters
  *   Try-each
  *   Run Sequence
  *   For Each Component

This leaves the majority of commands with NUL arguments. This is actually quite useful for another feature.

We have also discussed the possibility of defining attestation policy within SUIT. This would mean that we need flags to indicate to the parser which measurements should be reported. For example, a Vendor ID, an image digest, or a component offset might need to be reported in the attestation report. Each of these is checked by a condition. Each of those conditions will consume a parameter under this model. Then, the argument can indicate: report a measurement, do not report a measurement, report a measurement only if comparison is successful, or perhaps other attestation-related policies. Bear in mind that attesting a failed condition may be helpful for attesting why a manifest has failed, as we discussed in the hackathon and virtual interim meeting.

If we are making the majority of commands are using parameters instead of arguments, this becomes trivial: the arguments are replaced with attestation policy arguments. This allows us to tell the attestation engine explicitly what to report from the manifest, which allows secure, dynamically updatable attestation policy.

This doesn’t introduce a substantial change to either the parser or the format. If there is some appetite for simplifying the correlation between commands and parameters, I think it might make sense to spend some effort aligning parameter keys with command keys. This could simplify the parser by allowing a generic parameter lookup to be done in one place, rather than by each handler.

Best Regards,
Brendan
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.