# CMW Shepherd write-up
## Document history
1. Does the working group (WG) consensus represent the strong concurrence of a
few individuals, with others being silent, or did it reach broad agreement?
Development of the draft began as a small-group effort. This snowballed as more
documents and use-cases found a need for it. It has been consistently discussed
at IETF meetings over the last few years.
Reviews and comments were received from many WG members, coming from many
backgrounds (e.g., IoT, confidential computing, PKIX) through the IETF
meetings, mailing list, and GitHub, resulting in lots of progress. This
feedback has brought improvements to the security and privacy considerations,
the design and semantics of newly proposed data structures, accuracy and
correctness of sections written in formal languages (e.g., CDDL), alignment
with other dependent drafts, and so on.
There is strong consensus among interested participants.
2. Was there controversy about particular points, or were there decisions where
the consensus was particularly rough?
Some discussions were lively and occasionally tense but ultimately led to rough
consensus. Some notable examples:
* CBOR-tagged CMWs [CN-tag-thread] - discussion on clarifying the usage of CBOR
tags to identify CMWs; consensus to keep TN-derived tags only
* Use of generic claims/extensions in JWT/CWT/ASN.1 [cmw-claim-issue]
[id-pe-cmw-issue] - discussions on the merits of keeping `cmw` claims for JWT
and CWT, and `id-pe-cmw` for ASN.1; (rough) consensus to keep the claims and
address some of the concerns in future documents ([generic-id-conclusion])
* Adjusting the precise wording and content for the Security Considerations
section, particularly when applied to the use of Collection CMWs for modelling
composite attesters. Both the PR ([security-cons-revamp]) and the reported
issue it stemmed from ([sec-channel-insufficient]) produced lengthy discussions
that ended in rough consensus.
Private feedback has also indicated worries regarding the length and complexity
of (using) the draft, particularly for high-level users. Document editors have
instead stressed the flexibility of the design, required towards enabling a
type system for RATS, and the simplicity of the existing CMW library (see
question 4).
[CN-tag-thread]
https://mailarchive.ietf.org/arch/msg/rats/q2pWU0MbbfddBZnngJHUqCR7FLM/
[cmw-claim-issue]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/issues/169
[id-pe-cmw-issue]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/issues/154
[generic-id-conclusion]
https://mailarchive.ietf.org/arch/msg/rats/BOuynAn0LVKJse1YCRaBqIxmiYI/
[security-cons-revamp]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/pull/226
[sec-channel-insufficient]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/issues/222
3. Has anyone threatened an appeal or otherwise indicated extreme discontent?
I am not aware of any such instances.
4. For protocol documents, are there existing implementations of the contents
of the document? Have a significant number of potential implementers indicated
plans to implement? Are any existing implementations reported somewhere, either
in the document itself (as RFC 7942 recommends) or elsewhere (where)?
The "Implementation Status" section of the document lists two existing
implementation: a Go one [Veraison-Go] and a Rust one [Veraison-Rust] which
cover all the features in the draft and are currently alpha-status.
[Veraison-Go] https://github.com/veraison/cmw
[Veraison-Rust] https://github.com/veraison/rust-cmw
## Additional reviews
5. Do the contents of this document closely interact with technologies in other
IETF working groups or external organizations, and would it therefore benefit
from their review? Have those reviews occurred?
Development of the document included coordination with the LAMPS WG as users of
the draft, as well as with the Trusted Computing Group SDO for a parallel
standardisation effort of the same data format. Members from both of those
groups have been involved in shaping CMW and keeping the efforts in sync.
6. Describe how the document meets any required formal expert review criteria,
such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
The draft requests IANA registrations for new media types, CBOR tags, JWT and
CWT claims, and CoAP Content-Formats. Early IANA review has been performed and
the feedback addressed [IANA-CF-fix].
[IANA-CF-fix] https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/pull/191
7. If the document contains a YANG module, has the final version of the module
been checked with any of the recommended validation tools for syntax and
formatting validation? If there are any resulting errors or warnings, what is
the justification for not fixing them at this time? Does the YANG module comply
with the Network Management Datastore Architecture (NMDA) as specified in RFC
8342?
Document does not contain YANG modules.
8. Describe reviews and automated checks performed to validate sections of the
final version of the document written in a formal language, such as XML code,
BNF rules, MIB definitions, CBOR's CDDL, etc.
The ASN.1 module for the X.509 extension has been reviewed and validated using
available tooling to check it compiles correctly [ASN1-check]. ASN.1 extension
request has been verified by IANA Designated Expert [ASN1-request].
The CDDL and ABNF included in the draft, and the associated ABNF specification,
have been reviewed and refined repeatedly, e.g. [ABNF-fix], [CBOR-tag-CDDL].
CDDL is validated on the draft repo CI (part of the `build` job in [CDDL-CI]),
and the standalone module is published alongside the draft version it belongs
to (e.g., [CDDL-module]).
[ASN1-check]
https://mailarchive.ietf.org/arch/msg/rats/o2yOGNf8EE2d5bSodCGQHsgLTHM/
[ASN1-request]
https://mailarchive.ietf.org/arch/msg/rats/GfpO6b1ZYVUcS057onps84BSC-4/
[ABNF-fix] https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/pull/161
[CBOR-tag-CDDL]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/pull/126 [CDDL-CI]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/actions/workflows/release-cddl.yml
[CDDL-module]
https://github.com/ietf-rats-wg/draft-ietf-rats-msg-wrap/releases/tag/cddl-draft-ietf-rats-msg-wrap-14
## Document shepherd checks
9. Based on the shepherd's review of the document, is it their opinion that
this document is needed, clearly written, complete, correctly designed, and
ready to be handed off to the responsible Area Director?
Yes. The document has gone through multiple cycles of WG and external review,
and has demonstrated both clear utility and solid design. It is ready for AD
evaluation.
10. Several IETF Areas have assembled lists of common issues that their
reviewers encounter. For which areas have such issues been identified and
addressed? For which does this still need to happen in subsequent reviews?
This document would benefit from a review from the Security Directorate. A
review from IoT Directorate has already been performed on an early version
(-04) [iotdir-review]. Since the response to the review was not ack'ed and the
draft has progressed considerably, it would be beneficial for the IoT
Directorate to provide another review.
Issues relevant to these areas will be handled during IETF Last Call and IESG
review. Any remaining feedback from area experts can be incorporated at that
stage.
[iotdir-review]
https://datatracker.ietf.org/doc/review-ietf-rats-msg-wrap-04-iotdir-early-sethi-2024-05-26/
11. What type of RFC publication is being requested on the IETF stream (Best
Current Practice, Proposed Standard, Internet Standard, Informational,
Experimental or Historic)? Why is this the proper type of RFC? Do all
Datatracker state attributes correctly reflect this intent?
Proposed Standard is being requested, which is appropriate given that the
document defines a protocol-level data structure intended for use across
implementations and specifications. Datatracker metadata reflects this intent.
12. Have reasonable efforts been made to remind all authors of the intellectual
property rights (IPR) disclosure obligations described in BCP 79? To the best
of your knowledge, have all required disclosures been filed? If not, explain
why. If yes, summarize any relevant discussion, including links to
publicly-available messages when applicable.
IPR disclosure reminders has been sent and acknowledged by all authors [IPR-Q].
No disclosures have been filed yet.
[IPR-Q] https://mailarchive.ietf.org/arch/msg/rats/wKBgthFLhZ6RKzpIzm6b5HN2zSM/
13. Has each author, editor, and contributor shown their willingness to be
listed as such? If the total number of authors and editors on the front page is
greater than five, please provide a justification.
Question was sent on mailing list [authorship-Q] and all authors have answered.
[authorship-Q]
https://mailarchive.ietf.org/arch/msg/rats/vdnat1HgZ3km-3CXTCxF6CGikMc/
14. Document any remaining I-D nits in this document. Simply running the idnits
tool is not enough; please review the "Content Guidelines" on authors.ietf.org.
(Also note that the current idnits tool generates some incorrect warnings; a
rewrite is underway.)
There are no outstanding, significant nits. The checker highlights a number of
non-ASCII characters being used and misidentifies part of a media type as a
FQDN. The document conforms to the IETF content guidelines.
15. Should any informative references be normative or vice-versa? See the
IESGStatement on Normative and Informative References.
No
16. List any normative references that are not freely available to anyone. Did
the community have sufficient access to review any such normative references?
All normative references are freely available.
17. Are there any normative downward references (see RFC 3967 and BCP 97) that
are not already listed in the DOWNREF registry? If so, list them.
No normative downward references are present.
18. Are there normative references to documents that are not ready to be
submitted to the IESG for publication or are otherwise in an unclear state? If
so, what is the plan for their completion?
No such references exist in this document.
19. Will publication of this document change the status of any existing RFCs?
If so, does the Datatracker metadata correctly reflect this and are those RFCs
listed on the title page, in the abstract, and discussed in the introduction?
If not, explain why and point to the part of the document where the
relationship of this document to these other RFCs is discussed.
No changes to the status of existing RFCs are being made.
20. Describe the document shepherd's review of the IANA considerations section,
especially with regard to its consistency with the body of the document.
Confirm that all aspects of the document requiring IANA assignments are
associated with the appropriate reservations in IANA registries. Confirm that
any referenced IANA registries have been clearly identified. Confirm that each
newly created IANA registry specifies its initial contents, allocations
procedures, and a reasonable name (see RFC 8126).
The IANA Considerations section is well-structured and matches the document’s
protocol content. It identifies each new registration clearly, specifies
allocation procedures, and uses consistent terminology. The new “RATS
Conceptual Message Wrapper (CMW) Indicators Registry” is defined with clear
initial contents and follows the guidance of RFC 8126.
21. List any new IANA registries that require Designated Expert Review for
future allocations. Are the instructions to the Designated Expert clear? Please
include suggestions of designated experts, if appropriate.
The draft introduces the “RATS Conceptual Message Wrapper (CMW) Indicators
Registry,” which uses the Designated Expert policy. The instructions for the
expert are clear and follow common IETF registry guidelines.
No designated expert is suggested.