It might also be worth reiterating the topic that came up during one of
the other review threads: firmware update is by definition remote code
execution, so if you trust an entity to provide your firmware, you are
trusting them to do the right thing. Many classes of attack involving
malicious or modified payloads then become irrelevant, so we are left
with just needing to verify that it did come from a trusted party and is
not going backwards, topics that are covered quite well already
(including TOCTOU).
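The two checks the comment above boils the problem down to, origin authentication and a strictly increasing version, can be shown in a few lines. The following is an added example, not code from the thread or from any project under review. It assumes a constructed image layout (a fixed header of magic, version and payload length, the payload, then an authentication tag over header and payload); HMAC-SHA256 with a shared key stands in for the vendor's public-key signature so the example runs on the standard library alone. The TOCTOU point is handled structurally: the verifier returns the payload slice of the very buffer it authenticated, and the installer writes that slice rather than re-reading the image from storage after the check.

```python
import hashlib
import hmac
import struct

# Constructed demo key. A real device would hold a vendor public key for an
# asymmetric signature; HMAC is a stand-in so the example is self-contained.
VENDOR_KEY = b"example-vendor-key-not-for-production"

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")  # magic, version, payload length (big-endian)
TAG_LEN = 32                     # SHA-256 output size


class RejectedImage(Exception):
    """Raised for any image that must not be installed."""


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: header + payload, then a tag over everything before it."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, installed_version: int,
                 key: bytes = VENDOR_KEY) -> tuple[int, bytes]:
    """Device side. `image` is the single in-memory copy that will be installed,
    so the bytes authenticated here are exactly the bytes later written.
    Returns (version, payload) or raises RejectedImage."""
    if len(image) < HEADER.size + TAG_LEN:
        raise RejectedImage("truncated image")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]

    # 1. Origin: authenticate header and payload before trusting any field.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise RejectedImage("authentication failed")

    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise RejectedImage("malformed header")

    # 2. Anti-rollback: the version must strictly increase.
    if version <= installed_version:
        raise RejectedImage(f"rollback: {version} <= {installed_version}")

    return version, body[HEADER.size:]


def install(image: bytes, installed_version: int) -> int:
    """Verify, write the verified payload, and only then advance the stored
    version counter. Returns the new installed version."""
    version, payload = verify_image(image, installed_version)
    firmware_slot = bytearray(payload)  # stand-in for writing to flash
    if bytes(firmware_slot) != payload:
        raise RejectedImage("write verification failed")
    return version


def is_rejected(image: bytes, installed_version: int,
                key: bytes = VENDOR_KEY) -> bool:
    """Helper for exercising the negative cases."""
    try:
        verify_image(image, installed_version, key)
    except RejectedImage:
        return True
    return False


if __name__ == "__main__":
    current = 1
    good = build_image(2, b"hello")
    current = install(good, current)
    print("installed version", current)
    print("replay of same version rejected:", is_rejected(good, current))
```

The order of operations matters as much as the checks themselves: the tag is verified before any header field is parsed, the version counter is read before the write and updated only after it, and nothing between verification and installation goes back to the source of the image.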