TPM-based Network Device Remote Integrity Verification
draft-ietf-rats-tpm-based-network-device-attest-14
Yes
Roman Danyliw
No Objection
Erik Kline
Francesca Palombini
Murray Kucherawy
(Alvaro Retana)
Note: This ballot was opened for revision 10 and is now closed.
Roman Danyliw
Yes
Erik Kline
No Objection
Francesca Palombini
No Objection
Murray Kucherawy
No Objection
Zaheduzzaman Sarker
No Objection
Comment
(2022-02-03 for -11)
Not sent
Thanks for working on this specification. This was good read. (I was dishearten to find ,my interest, "virtualization and containerization" was out of scope :-() Supporting Benjamin Kaduk's discuss.
Alvaro Retana Former IESG member
No Objection
No Objection
(for -11)
Not sent
Benjamin Kaduk Former IESG member
(was Discuss)
No Objection
No Objection
(2022-03-10 for -13)
Sent for earlier
Thanks for addressing my previous Discuss point and the preponderance of my previous Comments! I retain a couple here, as I think they still apply to some extent. Section 1.5 3. Conveyance of Evidence reliably transports the collected Evidence from Attester to a Verifier to allow a management station to perform a meaningful appraisal in Step 4. The transport is typically carried out via a management network. The channel must provide integrity and authenticity, and, in some use cases, may also require confidentiality. It seems like there is some subtlety here if we insist that the communications channel to a potentially untrustworthy endpoint will provide integrity and authenticity (let alone confidentiality). I suggest giving more clarity on what threats these technical measures are protecting against in relation to the potentially untrusted endpoint. [ed. I do see the added text to indicate that the TPM signing key does provide a separate signature over the critical evidence, but that does not explain why we still say we want integrity and authentication (and in some cases confidentiality) of the channel that conveys such evidence.] Section 3.3 In this application, each device may need to be equipped with signed RIMs to act as an Attester, and also an Appraisal Policy for Evidence and a selection of trusted X.509 root certificates, to allow the device to act as a Verifier. An existing link layer protocol such as 802.1X [IEEE-802.1X] or 802.1AE [IEEE-802.1AE], with Evidence being enclosed over a variant of EAP [RFC3748] or LLDP [LLDP] are suitable methods for such an exchange. Should we say that the details of those "variant"s being out of scope for this document? (What we do say is pretty far from a complete solution.)
Lars Eggert Former IESG member
No Objection
No Objection
(2022-02-03 for -11)
Sent
Agree with Ben's DISCUSS. This Informational document seems to want to normatively talk about and reference quite a few other documents. However, that's not really something an Informational document can really (normatively) do. Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance: * Term "native"; alternatives might be "built-in", "fundamental", "ingrained", "intrinsic", "original" (matched "native" rule, pattern ((\bnative\w*\b)\w*)). Thanks to Linda Dunbar for their General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/uJfSJiH2jjpTrxAlux60VNEDF-0). ------------------------------------------------------------------------------- All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 1.5. , paragraph 7, nit: > station Result, used to inform decision making. In practice, this means comp > ^^^^^^^^^^^^^^^ The noun "decision-making" (= the process of deciding something) is spelled with a hyphen. Section 1.5. , paragraph 8, nit: > ation expected by the Verifier. Subsequently the Appraisal Policy for Evidenc > ^^^^^^^^^^^^ A comma may be missing after the conjunctive/linking adverb "Subsequently". Section 1.6. , paragraph 3, nit: > attestation of Linux or other multi-threaded operating system processes aft > ^^^^^^^^^^^^^^ This word is normally spelled as one. Section 2.1.1. , paragraph 8, nit: > ader | 8 | 9 | | (e.g GRUB2 for Linux) | > ^^^ The abbreviation "e.g." (= for example) requires two periods. Section 2.3. , paragraph 16, nit: > arly system startup (e.g., BIOS, boot loader, OS kernel) are essentially sing > ^^^^^^^^^^^ This word is normally spelled as one. Section 2.4.1. , paragraph 5, nit: > d in [I-D.ietf-rats-architecture]. However additional prerequisites have been > ^^^^^^^ A comma may be missing after the conjunctive/linking adverb "However". Section 4. , paragraph 10, nit: > redundant information, or add an additional layer of signing using external > ^^^^^^^^^^^^^^^^^^^^^^^ This phrase might be redundant. Consider either removing or replacing the adjective "additional". Document references draft-ietf-rats-yang-tpm-charra-12, but -13 is the latest available revision. Document references draft-birkholz-rats-reference-interaction-model-03, but -05 is the latest available revision. These URLs in the document can probably be converted to HTTPS: * http://www.uefi.org