[Suit] SUIT Architecture document review

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 08 October 2019 23:15 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D011200B6 for <suit@ietfa.amsl.com>; Tue, 8 Oct 2019 16:15:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id odvMghcSJfcM for <suit@ietfa.amsl.com>; Tue, 8 Oct 2019 16:15:25 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D1A21200BA for <suit@ietf.org>; Tue, 8 Oct 2019 16:15:25 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id e11so90079otl.5 for <suit@ietf.org>; Tue, 08 Oct 2019 16:15:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=0rwcnrEaTxpDuLUBP95Dvmujzx2JPOqrWPCr540qsPk=; b=dAgaMHHHrjg6hfIBOa+mMXhYU1xHTg+/qIieQeMTUQHTFEMQTUhr4K+UTp7e1HNM/o pLtqDR9sT/HvCR1bNW0rFR14AAx7sxeqn5TkqeeN/1rpe5d+Aj8d+AHAQhc6YmUwfDT2 BqSDuE1kngnEA3mMgHX89SD+GxDHDiChUfYjXZfLKz3CG625x7SlITlf9s+/DNu/h7Md KLKtZMJKNJeBpJpMPtETTI3PVBvQq96Ll/v49OeIcfdbWHmbbP7DQxXN5AmXTQK8oEfn +/HH6jg1S2//KBSfOk9D6MzFMIYH1r1a2+qpwNrbWc06Qt6+i9xdsOEw77fg6TruSCp0 tKpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=0rwcnrEaTxpDuLUBP95Dvmujzx2JPOqrWPCr540qsPk=; b=owIPwxZKS+kdQY1Xwtp4NssKlF8OTkVzbQ/1Oxx6iKtnjSDOEqJqSAOjfkAD5+lPa1 kxzKZGD5IYUpyQlsnS+2UBSFswhmPIMCD9glARuXQIo31quIssqha/E9yX8dwRMwUtBs 4hQK1jyGlCDhAZeK/9A+Ns3g3vRl+f558QU7H0jU83uaPdV+xiQFeTk5E2XbhKK/fIUS +3plEmG9SqzoKRRNvpGoNj8AcHkP9qCVS/IiM54IErQu5KNWQgqdS1nqV4F3Nj91kV9I Y+i7A1/FI9beJ+B4T8NmjMbWyn0mJ/KntyBcYp4rGhGTjhyKxxj19zJ6IGgwUqvHpqck frmQ==
X-Gm-Message-State: APjAAAVeUt7panCueLtfj5O/Pxz0QgoqrEQ0Yo1fnldEytxnNftl9FST jvotru1FvMJgckRgMBcVf6azlAHt9WpB+lqaWRkY84+A3N8=
X-Google-Smtp-Source: APXvYqzZvO5B1R3zj8pWAB3zVlDPjuKHJwyaMsGs4uuATUzEXLfAuo/YrrpTf6svbnW6ca+4Wfge/rdxsP5L1QLHZYM=
X-Received: by 2002:a9d:3e4e:: with SMTP id h14mr608361otg.198.1570576524572; Tue, 08 Oct 2019 16:15:24 -0700 (PDT)
MIME-Version: 1.0
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 8 Oct 2019 19:14:48 -0400
Message-ID: <CAHbuEH6h7Ojc1RDLqGDOvKCqcB6UWu4sg-cozsLFnDsZPm+xCg@mail.gmail.com>
To: suit@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d6fbfa05946e577c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/utFCnP8MHkrg9-AJC9GRNngViYQ>
Subject: [Suit] SUIT Architecture document review
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2019 23:15:28 -0000

Hello,

I know I am late with a review, but since it has not gone to IETF last call
yet, I'd like to submit these comments.  I know another version is expected
soon, so some of these comments/nits may have been addressed already.

The document as a whole reads very well, thanks for all your work on it.  I
do hope it enjoys wide adoption.

Abstract:
I thought one of the goals was to update firmware for IoT, but also to
scale up to larger systems as well.  The abstract seems very specific to
constrained devices.  Should the language be adjusted or has the focus
changed?

Introduction:
If the scope does include larger devices, then this is a problem for them
as well for both security and inconsistency across platforms.  It's harder
than it needs to be and that's amplified when you think about IoT.

Section 2:
For the Firmware definition, is the last sentence referring to both
"firmware" and "image" as interchangeable or something else?  I think
adjusting the last couple of sentences may be helpful to some readers.

Section 3.2:
If not link, network, or transport layer security, what does this rely
upon?  If it is object-level security and I am assuming it is, please
state that explicitly possibly referring to where confidentiality
protection is specified.

Section 3.3:

Current text:
"The use of post-quantum secure signature mechanisms, such as hash-
   based signatures, should be explored."
Since this is the architecture document, if they are defined elsewhere, the
document should point to that rather than saying "should be explored".

Some other well received architecture documents provided pointers to the
related documents that filled out stated components of the architecture.
If the WG were to hold this to be published until other document were
complete, this could provide the same mapping between the requirements,
architecture, and implementation of the architecture with the various
specifications.

Section 3.6
I think this is the first time "fw" is used.  Maybe just spell out firmware
with a search and replace?

Section 3.11:
Typo in the following sentence:
   "TEEs may obtain TAs from different authors and those TAs may
   require personalization data, such as payment information, to be
   securely be conveyed to the TEE."
s/to be securely be conveyed/to be securely conveyed/

Section 4;
Typo in the following sentence:
   "The credential used to must be directly or indirectly
   related to the trust anchor installed at the device by the Trust
   Provisioning Authority."
s/The credential used to must/The credential used must/

Section 8
This says downloads can be large, so I think that's to accommodate more
than IoT, is that right and the abstract/intro can be updated?

The following sentence is readable, but super long:
   If the application image contains the firmware consumer
   functionality, as described above, then it is necessary that a
   working image is left on the device to ensure that the bootloader can
   roll back to a working firmware image to re-do the firmware download
   since the bootloader itself does not have enough functionality to
   fetch a firmware image plus manifest from a firmware server over the
   Internet.
Perhaps break it up?

Security considerations:
Should this mention the end-to-end encryption?  Is it provided at the
object level?

Also, if the intent is to scale above constrained devices, the text should
state that as this section also specifies IoT.

Thank you for all of your work on the document.  It's easy to read and
comprehensive.

Best regards,
Kathleen