[T2TRG] Last polish review of draft-irtf-t2trg-taxonomy-manufacturer-anchors
Sini Ruohomaa <sini.ruohomaa@ericsson.com> Mon, 23 March 2026 08:39 UTC
Return-Path: <sini.ruohomaa@ericsson.com>
X-Original-To: t2trg@mail2.ietf.org
Delivered-To: t2trg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 61609CFC10F4 for <t2trg@mail2.ietf.org>; Mon, 23 Mar 2026 01:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlCLbefNJw6z for <t2trg@mail2.ietf.org>; Mon, 23 Mar 2026 01:39:12 -0700 (PDT)
Received: from AM0PR83CU005.outbound.protection.outlook.com (mail-westeuropeazlp170100001.outbound.protection.outlook.com [IPv6:2a01:111:f403:c201::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 76611CFC10EF for <t2trg@irtf.org>; Mon, 23 Mar 2026 01:39:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=D+h6uUfTg/9Z0Gru2MINqNG+yS7Lak4U3BZbQBiRBCDKn8TDQvOJ1dwWI8l55pUIO9ORlIjBcH/WjqY2fA+Ti1kwTnn92b5rXlDUBe9SRTx9PJoxmsNQWWs62g9Mjz95PIeFZSUTkUl80jY5H3m+yA60B3VuJrFYKRPeFggAbEDzz+PmR6CZtM/Qa4M3i0uhowiHO7nargTlycbRKgZKZGc7AMXIerRX9Qr2JsRia1UHgt8XFCYtirRrUajznvYyOi/asUObiHeLNsKVlpeSHvAXZGv0VsFDOsY4wEU/TSCfHElZija50O1MFBJO67AGXTkWrzM3YXJ1RO6mmeoXwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+n32MJNqkquaChbfAAJCvozV1szzfuSCzQlEYlzcY9A=; b=m9NlJlcX5hlgsMtEPG1AwKvt4FSVpiv3zkTxXQ7B5I5VmrsOtIrWhzSGasjCN3lV/osEDjGgok7d3PclQlbby6GUuOfQ3FF5ffslmUyUOtCEBTzVyqbN5l45XovciigHp1sKqPT8fScjSyQQtoKqVLRYSqS7FKfI/eZtxMHWQ0ocMqnWFXUDg9Ev/wen77GZDTDxvlMw+u2VGtqKd81J+kE3cOZfP7zG/t1///rZKgbFnOAuHCHXUvv2xdAwCe8NPQGqh5gicXQg6U/MOjALj3YfUCQP5OSNLjcqGMyN0l0Xo+E7zCCR/EVdnjEc/wkxHFk4BP9H8t0jwU2+xDjXRg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+n32MJNqkquaChbfAAJCvozV1szzfuSCzQlEYlzcY9A=; b=v9EbKr91JNNuIFFeQKQJkr9HDGSNApF/NF562P25jXIliY99hEUGRm7/bZln0dGJlJq7I528zjMo0EN+Z5bX4wbZdn15dnecE1KUon23vPq1ez4iTK+5xeUSLaxwX+21UCF9Uq8L5oCTTf28qzs9a3bceHgnrccB9BkWQ7hGHjitIl0m3yL8X74alL248a7F1Gs1HWoIbfMUJ1uwHyI/RoYOHLCEt9wzCLLRYAuF2RcE3AmndFhfogysve5XLla6yQ+NSqAfGcYta0OVHDce7F/63WX/FPiLlP4E7VN6ey+UUitFggJyeKKJSkaIQv3R25/iC5diZ/N6EZ20t3Bplg==
Received: from PAVPR07MB9237.eurprd07.prod.outlook.com (2603:10a6:102:319::22) by DU0PR07MB9116.eurprd07.prod.outlook.com (2603:10a6:10:404::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9723.25; Mon, 23 Mar 2026 08:39:02 +0000
Received: from PAVPR07MB9237.eurprd07.prod.outlook.com ([fe80::1731:ed1a:a911:aaaf]) by PAVPR07MB9237.eurprd07.prod.outlook.com ([fe80::1731:ed1a:a911:aaaf%6]) with mapi id 15.20.9723.022; Mon, 23 Mar 2026 08:39:02 +0000
From: Sini Ruohomaa <sini.ruohomaa@ericsson.com>
To: "t2trg@irtf.org" <t2trg@irtf.org>
Thread-Topic: Last polish review of draft-irtf-t2trg-taxonomy-manufacturer-anchors
Thread-Index: AQHcuqCAWlBnAsx3/0e7NjZtNOV4zQ==
Date: Mon, 23 Mar 2026 08:39:02 +0000
Message-ID: <971693575917fa23f32a4d43046f0b902194c233.camel@ericsson.com>
References: <04474d4b76340c0c93be4fbd4e679377f57abdc7.camel@ericsson.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Evolution 3.52.3-0ubuntu1.1
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PAVPR07MB9237:EE_|DU0PR07MB9116:EE_
x-ms-office365-filtering-correlation-id: 6a9abfda-7f8e-4d59-1fdc-08de88b7a2c4
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|10070799003|366016|1800799024|3613699012|56012099003|18002099003|38070700021;
x-microsoft-antispam-message-info: vSgYiLm8ZMR7RS+lLFadX4+OzxNOZEOWswLre87/kNCoXliANH+Vc+6MCG8ByNRPqJnw+8XYiUtgFs0Mp6obloHJnUj1Q5AsBOzzpHGXvC4Lo/ovuYt0i6idu8cy8n6/5L19f0/PRxNU6hrqxoFI+RDkfc8RSps2H/4+9s01tvJTbicy5qPIVCoPmNLTiWUG9AtkXMrLBD4dRfxamF4DltnWMvl9ZW4eEJaxAhAOG1DPFSj1xvc80X0NNhxUFdDPvQyr3H1lv+zHKvTqDIeS3Cf3UA4xWNl8ErCYT7KUA45uk+cQMY8C0EcRE1nuAe3MbHvmbCEBYjEaZNHNm5Vi5O5bNXqvL6GnhX0/T5drlXBRPj6mB6ji8XBgzv7Og4TXhpbHbokt0NQFFYz+MASbhemJSTTpE06IIHU+qVF6q2zc2Kro1xnoBVpGRLohf8QRqBudKcdtA0ADXA2V6GN99hE9LNlQ8Ce2dIfwPVWoE73tWDJV5HdPtBFQS6fz4S5EIExV6nMdT0LhdXNyIiREw5qp0jF6YGmvnC7ciR5RfuMMQft4b5ejQz89O7LjWLh3vZs9hjkoJ17iNRoVUNLppDvzIKYhJ7IQ0g5jv3LNQcKiYKrcyhH7TYWc/Ln/SNm7LV3SBoy8l6GHnhxGxT4VHmIu/wVFRqm+LIPOsjcum4TwfR2PC+0Gde+w4NnwR3ezMk2YwOCvFlfm5Zkjzj2WOIBA2cucvpdEKPtPIc5V59KxHKqLoH56vihHkz/rw4Z3ezzn0Ep4L94r23qHofEC8RSv5LXQscWXzqNjUGDUIo7cM6oTmjPIjxGMrmRvNfyk
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAVPR07MB9237.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(10070799003)(366016)(1800799024)(3613699012)(56012099003)(18002099003)(38070700021);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: 9Y/9SPbwle/zPqztG5VS9akeeDRH9hR4nQ0A9n9NQHFTiARkxtHDqkiCq3rneD0aYiGCmXYeiHjEAgEicWJb2h/3bn1wltpOpiBi1LdYlCUOLntCdKzgSfl09Oy0Mf7iGSiSjLU/z2Jo5uWl1CluH7Jc2jTOXQpi8eGzfJNHTRdqr+ZAT23vgynVuJq/U12GrsymL0fYIM7wgrqkt0c68DJaG83vS1hGSo41LYAwQLFrXR0CNTnkMM2ZvIaqeUkO1K0wBRhm6ozXrp9dhUIXhGoRN828l6hGC1iFWxMZKq9sYguESk1P2ScSDNuC6ZG/esks6oUFzdjMS3YrgILh7kqc7iTPdkP67UMpIiO0xWbjqyiH1E9KKEhk1XdEmvf4uwu5Gc0RxnEzRP1kbWUPV8bqhuuCINZCGKxZvSEYOtwHMX0+g2oWR2YOh66yxgmAZhd8+g0VEFFBnlX3/1QJRIolfKChAfHwEUKbOwOKRR19V7fPSyFeJahJoPknxACqcyCKbhCK7yoUffJa+aAwilxeWoB66iuXy2ftFZlr7SGIhLEjeNqZXFjPfRnuF81fcWSjYAYhna9839yW1hc7aXnT+g2Ue7fuv3EhClR5pZ4D/ulDEiSJtVxprHHLjC6senvsku5W+BTustnmwHpnermAdQ/gOIorbNmBs66lCy/ULmPWwIPbmiUy/eVyZEqKfV25gDJdr7tkBbqL/WdD5Hb2/vhOgtYWcDsKMnReDlZgAeXCWi6nbyl4EB+Ffsl+bTmdCjJGmmli6EaWYk3Vu7ZA0Atmt66+7RqAnN/zrUaLD+u1ntS0E8zDAiQvWs4kBjY2jbPxgjRrvBkZ3vjmCx0tcJwWHvBTldOPhV6QsE2Z1AO3YB8M8bDQuZG5wjIoKFG3a07D3N4LsRRtPSJulnetQ7LPO1ypWPmQRH9Meh/aBcJR6ML8kmmnUXrsLTAeuLNSmSqsQa5eEH7i+uTCsz06t8aNzod38BCoZcNZKCVuQvb7qvybYmgk+YBv1leXwGaXbO0/acAkmgBJ9J+rI16yNMMtoY8Fzm9A76u1pVn+btakCNTkfOd4Md2n8OeqdKRfJaQQ8HRdd+nXP7nUr/3qjfJWsAHqY2rH7GopC90TDkjRrk1b1tODPmgBWt/J9ghHe5Cmtd1+a5s/SXQrTX6xaDES3qT/qRKAIoOK5Cqfwh8jkdWfbJatnJf4E922l8m/1mpIhDhHPvmFGeYbkm09f7xHg0MirtvfpvTMDrPc7x4LX6jmc+XsW260/w0AaMLhWsNjZMkJkUJJ6EqBxB7w9Xd0kzwQc8seW65HOYjBetbiirbcVSLRokjGGF/OopA51+aMz/cFQQh4wL472EUJ1mcQK1leTlycB7Ty+dgs+16DbwsYAjI+s7tetwJ4i8oi4u/E6oquaZp3gKaO0Ppthbd5kHFQb8TYaginEl1f/hAJngH8Z054mpePO2Xv9jdukc0MQLXvZvbs72R9L3XvKCQaq2WlSNSphE8AGaU80DuTWAE/uGQxPjdq61ioPW+B3nA33bP9mGQ4wSyYWcsxbxfAQev+5OROPjX01z6o0PU5zUF7GFagEDZlC0XUb28ZNslJgfMuI2fmMbKCbycNFXLWCYwGqGaAHeS36+LV6d5Gb3e4UEDzAriPSRe0ZeA0WYY88SnxoO+k8DuA4NhC4YWxbHrIwwuiClLEUhYOhUErijoQWg2c7+D6XSKSPiVgRHwgQYAgrLXi/yu+JqNuPgsz15h/oVurO0WeDXqKtlVbGTwAM3I7c2l3ZntDGbrzdh3q
x-ms-exchange-antispam-messagedata-1: 3rRf9eH6hnDo9Bjk9q+2aeecK5lqrIKvTjU=
Content-Type: text/plain; charset="utf-8"
Content-ID: <2B1EDA1EFA9E0445A811187BA66A4C45@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PAVPR07MB9237.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6a9abfda-7f8e-4d59-1fdc-08de88b7a2c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Mar 2026 08:39:02.3714 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: cLq1/+Bt/i6aP/FQa4jlgCVc70vqB8xEiopUoGYs+Ovz5oQazbMP7Ds5OJaqNA5L7nuXsEZk6Ncn1SqsW8jMRBqkfNnC1Po/mX8J3jZKqNE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR07MB9116
Message-ID-Hash: RTWI22IOA5WVF7CVE73DQCM734LJTDDN
X-Message-ID-Hash: RTWI22IOA5WVF7CVE73DQCM734LJTDDN
X-MailFrom: sini.ruohomaa@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-t2trg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [T2TRG] Last polish review of draft-irtf-t2trg-taxonomy-manufacturer-anchors
List-Id: IRTF Thing-to-Thing Research Group <t2trg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/4YaI3SjAalJZNbZWtkigiAjkkFE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Owner: <mailto:t2trg-owner@irtf.org>
List-Post: <mailto:t2trg@irtf.org>
List-Subscribe: <mailto:t2trg-join@irtf.org>
List-Unsubscribe: <mailto:t2trg-leave@irtf.org>
Hello, T2TRG, Apologies, I realized I seem to not have ever successfully received the replies back in 2022, I finally saw them now in the web archive but have written the review below prima vista on just the current document version, as I only emerge from the barrel I live in usually on rare occasions such as this. ;) Thank you for this draft. It provides a concrete informational exploration of initial device identity certificates as witnessed in their natural habitats, and an excellent public reference for comparing different approaches taken. I am additionally always happy to see RFC 7168 and mnemonic produce in good use, and close proximity to origin manufacturing seems particularly appropriate. :) I have very minor comments that I compensate for by a large number, while regretting the late timing of the feedback. Most of the below is typographic notes for your consideration, coming from non-native speakers with at least level 3 grammatical special interests. Onwards! In the context of the introduction, if so desired, one might also mention our personal telecom equipment favourites, the 3GPP-specified Vendor Credentials. The design pattern is similar to IDevID; TS 33.310 can be referred to for more information. It is slightly confusing to a literal mind to see in 1.1 a list of hyphenated terms, many of which are not in fact hyphenated. Enclosing "The TAM is a piece of software (...)" in parenthesis in 2.1 seems unnecessary. In 3, I disagree with "authorizations implicitly attached" when discussing the nature of trust anchors, due to the access control meanings attached to the word "authorization". Generally in access control, the presence of a signed certificate should definitely not imply authorization, but authenticity and to some degree origin, and confusion about this leads to security mishaps. Authorization should be attached to a specific identity represented by the certificate, not the presence of one; this way authorization can be added and revoked without modification of the certificate. Or in other words, trust anchors carry trust about what/who a public key is representing, but I can locally still decide what I do with that information (in software): is Alice getting in or not with her certificate depends on policy, but the certificate allows us to tell her apart from Eve and Melissa. I try to use the term 'trust' in this context over authorization to avoid this conceptual collision, but 'authenticity protection' or some more technical term could also be considered. The term is mentioned also in the list item 2 in section 3. In the sixth paragraph of section 3, a "on" may be missing after "based". In list item 4 in section 3, there may be a 'd' missing from "associate private key". A period may be missing after [leakedmsikey] and at the end of section 3.2. An extra space may be present in 3.4 "web sites". In 3.1, it may be considered to point out explicitly that extremely controlled modification to a key the attacker controls is generally the desired target (integrity vs. availability attack), lest the reader wonder about replacing the close-proximity gamma ray attack with a sharp tap with a hammer and a nail to similarly render a device unbootable. In 3.8, an 'and' may be missing in the last sentence after 'operator'. In 4.1, it is proposed that IDevID could be used to decrypt software updates. I cannot recommend this approach, as using the same RSA key both for decryption and signatures is generally considered a security issue - among other things because the usage pattern of signing and decrypting is different (you sign what you generate or trust yourself, but decrypt external information you usually do not trust, and as the decryption operation is using the same trapdoor function as signatures, you "sign whatever you decrypt" to extensively simplify). Additionally, NIST has deployed new quantum resistant key agreement algorithms in KEM form only, which means that dual-use keys are in practice a thing of the past. I would definitely recommend to provision a separate key for decryption purposes. In section 4.1.1, a comma may be missing after 'However' in the third paragraph, and an extra space may be present in "can not" in the seventh paragraph (this repeats also elsewhere in the document). In the last paragraph, "manufacturers'" may be intended as "manufacturer's". A comma may be missing after "a light bulb" and "airplanes". In 4.1.2, "Certification Signing Request" is maybe intended as the more commonly used "Certificate Signing Request" (RFC 2986 speaks of PKCS#10 as certification request, and for example RFC 9646 of Certificate Signing Request, CSR). In section 4.1.3, "256-bits" seems to have inadvertently captured one of the hyphens left over by the hyphenated terminology section and should maybe release it. In the third paragraph of the same section, "then is" maybe should be "is then". It is worth noting that the component manufacturer has their own manufacturing line and likely needs to plant the seed into their component there, so it will in that sense be exposed to a physical factory (paragraph 7 in 4.1.3), just a different one, so while this is explained in the further paragraphs the statement is locally confusing here. The comparison to a carrot as a biennial plant is very apt. It would seem that once the private key management is delegated to the component manufacturer, it would also make sense to outsource certificate issuance and its complexities to them. If the device manufacturer only receives the public key of the chip in a signed certificate embedded with relevant metadata to identify which key is which, they can extract the public key (or get an associated ready self-signed CSR together with the certificate) to issue their own certificates and never need to deal with the seed and private key security. (It is possible that this is even the intended message all along, but in the paragraphs 9-11 it seems that we are talking about the second year of the carrot, not the first. Related, it should be noted that both actors are in fact manufacturers so '(the) manufacturer' alone in those paragraphs is ambiguous.) One reason to not do this and risk compromise of private key material in transit is when the seed can be used as ground input to generate a number of different keys, not all of which the silicon provider can or needs to invent beforehand. This provides several angles of cryptographic agility but also does add the security headaches of having to ship around symmetric secret key material across organizations. It may be worth mentioning out loud that the PRNG generated key pair does release us from the pre-installed key strictness as the key that is generated can be chosen more flexibly. In 4.1.4, is the reason that using a discrete TPM turns a squash into an avocado that our security boundary for the purposes of this model changes from the device (on-whole-device, using secure element) to the TPM (on-TPM, using itself, as opposed to on-whole-device, using TPM)? In 4.1.5, list item 1, "suppliere" maybe has an excess 'e'. In the fourth paragraph, "But," is maybe intended as "However,". In the second last paragraph, "Not that" is maybe intended as "Note that". The exclamation marks in paragraphs 1 and 5 are surprising and maybe not needed. The addendum about a inventory specific to for each client maybe applies also to the carrot seed shipping model, unless the intention is to say that the inventory must be long-lived for CA operation purposes, while the carrot model seeds can be deleted as the responsibility is on the second-year manufacturer. In section 5, "doing enrolment" (or enrollment) is maybe best expressed as "performing enrolment" or simply directly "mechanisms of enrolment". In case of multi-level certification authorities in paragraph 3, would not the operating rules be clarified in the certification policy (CP) and certification practices statements (CPS) of the CAs (RFC 3647)? Assuming, of course, that the CAs follow the RFC. In the 7th paragraph in section 5, possibly "public/private key pair" should be in plural since the identities are, although this is not technically necessary as attackers, bless their heart, are not required to maintain appropriate opsec posture. In the 8th paragraph, "which it is not authorized to do so" should probably end "to sign". CRLs could be explicitly mentioned here as a local technical recovery mechanism, while high-visibility process failures such as the one cited at Comodo seriously undermine the trust in any public CA. (CRLs only come up as a new item two paragraphs later as a part of a validation authority failure pattern.) Section 5.2 third paragraph has a surprise capitalization of "Ceremony". In the last paragraph of 5.3, which mostly speaks of CAs, steps to the side about signing code releases, which are typically not signed as a certificate but by an end entity key that has a certificate. It may be best to keep CA signing of certificates and code signing conceptually separate. In the same paragraph, the mitigation of a "compromise between situations" is maybe technically not a mitigation of a compromise but e.g. "To address the conflicting needs, some levels of the PKI may be kept offline, and some levels online." This division is mentioned at the end of 5.1 as well. In section 5.3 "deals with attacks" is maybe a bit ambiguous since 5.2 is about protection levels, not defenses as such; a more "direct" though wordier expression might be "The protections discussed in the previous section aim to thwart attacks". In the same paragraph, a comma may be missing after "undetected". Technically, the devices are not the source of the danger if the attacker has access to CA private keys. The danger comes from the "intended-untrusted" devices (and non-device processes) that are NOT the devices with real certificates, but fake certificates, that are attacker controlled. Section 5.3 repeats much of the disaster pattern identification material in the introductory part of Section 5. Some of those could be potentially merged. In the fifth paragraph of 5.3, generalize "forgets a password" to "CA key staff lose access to authentication secrets, such as a password", as CAs (hopefully) do not generally operate on password protection. Incapacitation seems sufficient to mention here, since staff dying can in a secular world view be considered a special case of it. In the sixth paragraph, "deals with" could be replaced with "addresses the risk of" (physical damage). In the seventh paragraph: suggest replacing "becomes: how are the backups unlocked, or activated" with "becomes how the backups are unlocked or activated." This section could potentially be condensed slightly as its style includes quite a few question marks and a detective story style which departs from the earlier tone of the document. If there is a reference available for the DNSSEC Root anecdote, that would be an interesting addition. 5.3.1 a more commonly recognized name of the Shamir scheme seems to be "secret sharing" as opposed to splitting. It may not be necessary to describe here as it gets quite specific, but I see no harm in it. I recommend not underlining staff death here too, as readers may find it overly dramatic. Incapacitation is sufficient for a key executive to not be motivated to prioritize coming to work to unlock keys on that particular day. In the 7th paragraph fo 5.3.1, "However" should probably be followed by a comma in this kind of use. The #1 benefit of secret sharing as opposed to simply backing up the secret to multiple executives is omitted: unlike secret copying, the scheme tolerates at most k-1 executives to become corrupted. The speculation for handling a code signing key at the end of 5.3.1 with a secret sharing scheme seems unnecessarily elaborate, refer to the earlier mention of staff inventing workarounds when their work is too hard. In section 6.1, sentences formed as a question could be reordered to not need a question mark (which is missing), for example "how far does a board travel" should end in a question mark, but "how far a board travels" does not need one (first-second-stage-gap). Others in e.g. 6.2 have question marks but maybe could be reorganized. In 6.2, "n-components" has captured an extra hyphen. identity-shared-split-continents may be an unnecessary pattern for any organization that is not international across continents. 'Sites' may be more general-purpose. As an ultimate meta nitpick, section 9 maybe "provides" should be "provided". ;) Thank you again for this work! As noted the above list is just for consideration. Best regards, --Sini
- [T2TRG] Last polish review of draft-irtf-t2trg-ta… Sini Ruohomaa
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Carsten Bormann
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Carsten Bormann
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Esko Dijk
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Carsten Bormann
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Michael Richardson
- [T2TRG] Re: Last polish review of draft-irtf-t2tr… Sini Ruohomaa