**Session Date/Time:** 11 Jun 2025 19:00

# [SUIT](../wg/suit.html)

## Summary

This SUIT Working Group interim meeting was held as a check-in before IETF 123 in Madrid. The primary goal was to review the status of active drafts, address open issues and comments, and establish author priorities to facilitate progress towards publication. Significant discussion focused on the SUIT MTI draft, particularly regarding post-quantum cryptography (PQC) and the deployability of HSS-LMS, while acknowledging the need to move existing drafts forward.

## Key Discussion Points

* **Meeting Logistics**: The session began with technical difficulties in sharing slides via Meetecho, which were eventually resolved by a co-chair. A note-taker volunteer was secured.
* **SUIT MTI Draft (draft-ietf-suit-mti)**:
  * The author provided updates on recent changes, including those from the IANA early review (March 12), Deb's comments (e.g., changing "streaming" to "on the fly," a clarification that AES-CTR is used securely only in combination with digest algorithms, and a clarification that payload encryption serves to hide intellectual property/PII), and security director Magnus Westerlund's review (May).
  * Clarifications were added on the impact of the HSS-LMS post-quantum algorithm, the rationale for multiple profiles, and changing "FIPS qualified" to "FIPS validated."
  * Hannes Tschofenig (author) indicated he still needed to formally reply to Magnus's comments but felt the document had improved. Deb, as AD, noted that replying and justifying positions is sufficient; the document does not need to await Magnus's explicit approval to move forward.
  * Brendan Moran expressed concerns regarding Magnus's comments on firmware encryption as a security defense, noting that the draft already clearly explains the risks for commodity devices and that the text has been refined multiple times. He suggested it might be a matter of pointing to existing text.
* **Post-Quantum Cryptography (PQC) Discussion**: Brendan Moran strongly urged consideration of the draft's viability given the 2030 PQC migration deadline and the difficulty of deploying HSS-LMS. He questioned the value of publishing non-PQC algorithms, suggesting that a replacement using ML-DSA and ML-KEM should be started immediately. Hannes Tschofenig argued for publishing the current draft swiftly to unblock other work, deferring PQC algorithm debates to a separate document because of their complexity, especially for constrained devices. Hank LeStourgeon concurred with both points, emphasizing the need to publish what is ready while simultaneously preparing its PQC replacement.
  * Deb (AD) highlighted the existing backlog of five drafts (Trust Domains, MTI, Update, Report, Manifest) and urged authors to focus on completing current work before starting new PQC-focused drafts.
* **SUIT Report Draft (draft-ietf-suit-report)**:
  * Brendan Moran reported significant recent updates, addressing most of Michael's and Deb's GitHub issues, with only four remaining. The goal is to finish and publish a new version soon.
* **SUIT Update Management Draft (draft-ietf-suit-update)**:
  * Brendan Moran noted he had not focused on this draft recently.
  * Deb (AD) confirmed it is in the publication queue but will remain there, as no direct dependencies were identified during the discussion.
* **SUIT Trust Domains Draft (draft-ietf-suit-trust-domains)**:
  * Brendan Moran had not recently focused on this draft.
  * Deb (AD) reiterated that there are two `discuss` items from Ory and Med, which require an author response, a new draft version, and their clearance. These, along with other comments, must be addressed.
  * The deadline for Internet-Draft submissions before IETF 123 is July 7th.
* **SUIT Manifest Draft (draft-ietf-suit-manifest)**:
  * The draft is currently in the RFC Editor Queue.
  * IANA questions, including those from Amanda, have been addressed, and the status appears to be "closed."
  * An older IANA comment regarding the `data item` field needing to read "map" was noted. It appears to be resolved in version 34, but the AD will follow up with IANA for confirmation and registry updates.
  * Ken advised that examples in the manifest (and potentially firmware encryption) might need updating due to changes in algorithm identifiers (e.g., from ES256 to ESP256 or EdDSA) in the MTI draft, requiring tooling updates. Brendan offered to verify these.
* **SUIT Firmware Encryption Draft (draft-ietf-suit-firmware-encryption)**:
  * This draft is in the RFC Editor Queue and currently sitting in `misref` (missing reference) pending other SUIT drafts.
* **SUIT Bootstrapping (MUD)**:
  * This draft is also in the RFC Editor Queue, in a similar situation to firmware encryption.

## Decisions and Action Items

**Decisions:**

* The current SUIT MTI draft will proceed towards publication, acknowledging that the working group must immediately begin drafting a replacement document addressing post-quantum cryptography (PQC) requirements for the 2030 migration deadline.
* The following priority for authors' work on pending drafts was established:
  1. SUIT Trust Domains
  2. SUIT MTI / SUIT Report (Report is very close to completion)
  3. SUIT Update Management

**Action Items:**

* **Hannes Tschofenig**: Formally reply to Magnus Westerlund's security review comments on the SUIT MTI draft by end of day tomorrow (June 6th).
* **Brendan Moran**: Finish the remaining four issues on the SUIT Report draft and publish a new version promptly.
* **Brendan Moran / Ken**: Address the `discuss` items from Ory and Med, and all other comments, on the SUIT Trust Domains draft by the I-D submission deadline of July 7th. Ken was offered support from Brendan on this.
* **Deb (AD)**: Follow up with IANA regarding the old comment on the SUIT Manifest draft's `data item map` field to confirm it is resolved and request an update if necessary.
* **Ken / Brendan Moran**: Prepare to update examples in the SUIT Manifest draft (and potentially the SUIT Firmware Encryption draft) to reflect algorithm identifier changes (e.g., ES256 to ESP256/EdDSA) and verify signatures, including necessary tooling updates.
* **Chairs**: Discuss scheduling a virtual interim meeting in August (avoiding the first week) to allow sufficient lead time for announcements and accommodate holidays.

## Next Steps

* Authors will continue work on drafts according to the established priorities, aiming to resolve open issues and publish new versions before the I-D submission deadline of July 7th for IETF 123.
* The SUIT MTI draft will continue its path to publication while parallel consideration of a post-quantum successor draft begins.
* The working group will hold a virtual interim meeting after IETF 123, likely in August, to continue progress on all drafts.