Reviewer: Tobias Gondrom

Review result: Ready

 

Overall, looks good. 

 

One nit: 

Page 5

s/not the MUD file primarily to due/ not the MUD file primarily due to

 

Comments: 

I have some mixed views about the MUD URL reference to the MUD file in the
SUIT manifest, it could lead to inconsistent security postures if one
signature works and the MUD signature doesn't verify and the complexity
might make it difficult to get consistent behavior across implementations.
Also loading the MUD file for a difference source may lead to issues if the
source can not be reached. Having said that, I can understand why the
authors have chosen this approach to extend the SUIT manifest in a more
flexible manner. The draft could specify more explicitly the rules
(MUST/MUST NOT) how a network shall react if either the URL can not be found
or if the MUD file signature does not verify. 

Also some concern with regards to how the MUD file will work together if a
SBOM would be present and whether overlap may occur and potentially cause
confusion by the management consoles. 

 

Just my 2 cents. 

 

Best regards, Tobias