Document: draft-ietf-rats-eat-measured-component-10
Title: EAT Measured Component
Reviewer: Henry S. Thompson
Review Date: 2026-02-03

*Summary*

This draft proposes an additional specific format of Measurement claim within the RFC9711 Entity Attestation Token framework. This format would be useful for "object[s] within the attester's target environment whose state can be sampled and typically digested using a cryptographic hash function. This includes, for example: the invariant part of a firmware component that is loaded in memory at startup time...".

This is basically ready to go, with minor points and niggles listed below.

*Minor points*

Section 4.1

It took me 15 minutes of searching to find (in RFC9741) a definition of .b64u, which occurs in the very first production. I'm sure regular users of CDDL won't need any help, but for the rest of us please include, either in Appendix A or a separate Appendix, a list of all externally defined CDDL types and controls and where their definitions can be found, and add a clause to the last sentence in section 2 pointing to that list.

Figure 4

The use of escaped double-quotes inside a double-quoted string makes this example close to unreadable by humans, and makes me worry about a design flaw. Is this a property inherited from 9711? I don't see any examples therein which have this level of double-double-quoting?

*Niggles*

Section 4

"a JSON and CBOR data model that implements" -> "coordinated JSON and CBOR data models that each implement"

Section 4.3.2

"For example, as in Unified Extensible Firmware Interface (UEFI) Secure Boot [UEFI2] and Arm Trusted Board Boot [TBBR-CLIENT]."

That's not a sentence. Something like "Boot-time examples include Unified Extensible Firmware Interface (UEFI) Secure Boot [UEFI2] and Arm Trusted Board Boot [TBBR-CLIENT]" would be better.

Section 11.2

Should include 8792