Re: [Fud] Editorial Charter Update
Russ Housley <housley@vigilsec.com> Tue, 03 October 2017 13:43 UTC
Here is an update to the charter text based on the comments. Note that the WG name is still FUD. Any name change will be handled by the IESG.

Russ

= = = = = = =

Firmware Updating Description (FUD)
[Alternative proposal: SUIT (Software Updates for Internet of Things)]

Vulnerabilities in Internet of Things (IoT) devices have raised the need for a secure firmware update mechanism that is also suitable for constrained devices. Security experts, researchers, and regulators recommend that all IoT devices be equipped with such a mechanism. While there are many proprietary firmware update mechanisms in use today, there is a lack of a modern interoperable approach of securely updating the software in IoT devices.

A firmware update solution consists of several components, including:

* A mechanism to transport firmware images to IoT devices.

* A manifest that provides meta-data about the firmware image (such as a firmware package identifier, the hardware the package needs to run, and dependencies on other firmware packages), as well as cryptographic information for protecting the firmware image in an end-to-end fashion.

* The firmware image itself.

RFC 4108 provides a manifest format that uses the Cryptographic Message Syntax (CMS) to protect firmware packages. More than ten years have passed since the publication of RFC 4108, and greater experience with IoT deployments has led to additional functionality, requiring the work done with RFC 4108 to be revisited. The purpose of this group is to produce a second version of RFC 4108 that reflects the current best practices. This group will focus on defining a firmware update solution for Class 1 devices, as defined in RFC 7228, that is -- IoT devices with ~10 KiB RAM and ~100 KiB flash. This group will not define any transport mechanisms.

In June of 2016 the Internet Architecture Board organized a workshop on 'Internet of Things (IoT) Software Update (IOTSU)', which took place at Trinity College in Dublin, Ireland. The main goal of the workshop was to foster a discussion on requirements, challenges, and solutions for bringing software and firmware updates to IoT devices. This workshop also made clear that there is a lack of regulatory requirements, which contributes to challenges associated with misaligned incentives. It is nevertheless seen as important to create standard building blocks that help interested parties implement and deploy a solid firmware update mechanism.

In particular this group aims to publish three documents, namely:

* An IoT firmware update architecture that includes a description of the involved entities, security threats, and assumptions.

* The manifest format.

* A revision to RFC 4108 that reflects the current best practices.

This group will use draft-moran-fud-architecture as a starting point for discussion of the "Architecture" document. This group will use draft-moran-fud-manifest as a starting point for discussion of the "Manifest Format" specification.

This group does not aim to create a standard for a generic software update mechanism for use by rich operating systems, like Linux, but instead this group will focus on software development practices in the embedded industry. Software update solutions that target updating software other than the firmware binary (e.g. updating scripts) are also out of scope.

This group will aim to develop a close relationship with silicon vendors and OEMs that develop IoT operating systems.

Milestones:

Dec 2017  Submit RFC 4108bis document as WG item.
Dec 2017  Submit "Architecture" document as WG item.
Dec 2017  Submit "Manifest Format" specification as WG item.
Jul 2018  Submit "Architecture" to the IESG for publication as an Informational RFC.
Nov 2018  Submit RFC 4108bis document to the IESG for publication as a Proposed Standard.
Nov 2018  Submit "Manifest Format" to the IESG for publication as a Proposed Standard.

Additional calendar items:

Mar 2018  Release initial version of the manifest creation tools as open source.
Apr 2018  Release first version of manifest test tools as open source.
Jun 2018  Release first IoT OS implementation of firmware update mechanisms as open source.