From YouTube: RATS Architecture Design Team, 2020-01-07
I
Since we'd previously reviewed the table of contents, right, this is fleshing out the top washing out section that had to include message flows and architectural models. So the two documents, I think we'd already agreed on where it goes to the document, and this is just taking the two sections and merging the text on the two documents. Yeah.
C
Yeah, it might be not fine, I'm talking to, you know, it might not be the finer block of text, but it is most certainly better than this, than before, so I'm absolutely with this one, but I'm assuming that while we go through the text and address other pull requests, we might add to the constellations. Completely agree. Yeah.
E
The structure of the architecture addresses things at different layers, and so it wasn't clear to me if the security considerations was really out of place. If we had a section, wicked, so for each section that talks about a particular layer, we can address security considerations there, or we don't have a section for more layer security as far as I can tell, and so it seems like that becomes the place to put the.
C
Saying we probably will have a somewhat fleshed out section about the ways how our roles interact with each other, and it was at least requested. It might become a thing. Then we could outsource some of this into the appropriate sections. For the moment, I think using its ibaka. Everything viable on any layer is fine with me, and we can cut out pieces if appropriate body sections appear.
C
Only that this is very layer specific, it's talking about Transport Security and it's assuming that it exists. Of course, we also exist some other properties of the roles where they reside on the entities that reside on that. Of course, all we also true it's lacking that's, but maybe we have a section for that, so maybe it doesn't really have to go into the security consideration. That's my point here.
C
Maybe this is, that this is the easiest thing to write it to the security considerations section, so, and it should not be lost, and therefore including it for now is fine from my point of view, and yeah, I also acknowledge, net, that it is not complete and maybe some texts of the disability security will not go into a section level, you know, because they will have its own section. Yeah, the whole.
C
So yeah, because I reviewed this, but without reviewing it, because I'm also a little bit, I was quick reviewer, so I started from the top, which is a stupid idea effectively because was the youngest one, so I think it makes the diagram more complicated, which is unfortunately the truth. It is more complicated, and the initial question is: are we going to do?
C
Are we confronting the reader with a composite device, as the tests are to start with? I think it puts a lot of emphasis on the attester, which is fine, because the big box is not bigger actually, and it also resonates with the each claim set thing, interesting, and this is the next thing they're basically talking about in that draft. So I think that aligns with the other adopted document and Dave seems to be as they fail in this case. Steve's also be okay with it, because you reviewed it I think, and very short. I.
I
Was skimming it five minutes before the call and so I've not actually reviewed the technical points in there. I quickly skimmed it just to see if it was formatted correctly and so on. It does, to your point before about the topological models looking a bit lengthy, this one does look a bit lengthy, and I wonder if we do this, or then we can also have sections about.
I
You know: equivalent link, sections about chained claims and, sorry, not chained claims, I mean, what's the term, attesting versus attested environments that are chained, and so you get this chain of claim sets and so on, because here there's many different types of relationships that could be done, right, and we want a bunch of sections about each of the relationships in there. I don't have a strong opinion either way.
C
I would agree with that. So, if interjected and squeezing myself in again, yes, and what you are calling chained attestation, sometimes I think NAB cards that layered attestation, my yeah exactly, so, so as we want that I think, and I think there's no objection to delve into the topic of layered attestation in this document, and this helps to do that. Still, I think it's well. This is not a diagram.
C
It's just skim over it and get the picture. You really have to read it now, and so that's my only concern, but maybe that's not bad. Maybe it's good that people have to think twice before reading along and see all the things here and see the big box. The only thing here is the composite network that I am looking right now at, I'm, I'm not sure that that, that is always a network. That is the box.
J
They are, you know, messages they, for, like, you know, is not with the internet for the composite networks. I'm, I want to mean that our network, composed of some several devices and which only one device can be a gateway to communicate with verifier, and others just cannot communicate with the verifier, and the gateway device can be the proxy or some kind or afire to do the remote attestation.
C
Think the interconnect just as different in one cases, so semantically I think these two diagrams say, actually it works the same way. You only have different ways of communicating images, interconnect, and the network diagram probably is IP and the other one is just internal buses or, yeah, well, interconnects. If.
I
The shape of the diagram is identical and the only difference is a label or two, then I'm wondering if we could combine them into one document and deal with the differences in text, text file, because I'm looking at the two and forcing the reader to go back and forth, display it to play spot the difference. This is tedious, yeah.
E
So one of the virtues of the role model is it allows you to abstract away a bunch of, a bunch of deployments, the correctness implementation-specific detail, and talk about the roles. Interactions seems as though that this is, among other things, a use case describing what might become a nested layered attestation, and there's an example of some, of some hybrid models as well that have multiple verifiers and multiple attesters and so forth, or at least multiple relying parties.
J
You know, acts before I. First, don't want to write this I.
J
Kept eating attesting and attested environment and that the section, but yeah, I write, right in, right away. I wrote this, I. Also thinking about the attester component, verifier component with, versus attested and attesting environment. I can't for now, I can't explain very well, but I can't think about more and trying to be more.
E
Thread on the email list, with some polls that involved myself, Monty Wiseman and Lawrence London, and maybe others, tried to walk through an example based on a secure boot use case. That might be useful, a thread to read up on. It basically showed how, in a secure boot scenario, where the word verification happens as part of the boot, that you could, you could essentially do an attestation, do a measurement and attestation, a verification, and then transition to the next layer.
G
It might be, it might be. I do think that there's interesting stuff in the leader and subordinate, but I'm worried about including it in this diagram, because some of the attestation for remotes might be one device that depends on another, which again goes back and depends on the assessment of an external verifier, so I kind of like where Ned was saying, and that by separating the idea of leader and subordinate out of this to an external role, get more flexibility in the kind of models that you would want to or be able to support.
E
So that the top half seems like it's redundant and not, not useful in describing the concept of nested attestation, and, and it's really for this, not even talking about nested remote attestation, which is, which is maybe something that belongs in that other, the other section that talks about passport and some hybrid models. That seems to be focusing on local attestation, where there's a composite device and my, to compose that device, some sort of attestation and verification along the way. That's, that's an interesting topic and no, nice to.
C
I also think that the composite device scenario is much easier to understand, and the composite network scenario, based on Eric's input now, because I think there's some merit to the fact that sometimes you are leader in some scenarios, and sometimes you notice, like the layered attestation, the roles are exchanged depending on time of sequence. For example, if you go through process here, or on hierarchy from whatever, if sometimes you're leader, sometimes you're, so probably, maybe you're both, and this cannot be represented in this kind of diagram.
I
Is a good point? Well, I. Certainly we should talk about the relationship between them, because that's one of the open questions I have, is I don't understand whether leader and subordinate are the same or different from two types of environments, and I think there needs to be text that explains the relationship between two, if you're using well terms.
E
Well, you know, components or subcomponents or endpoint decomposition into components. That would, that would put you into a use case, maybe on the level complexity that this diagram is trying to address, which is to say that there could be multiple components and within those, subcomponents, and within those components and subcomponents, there could be attesting environments and attested environments or not, what they could also be. There.
I
Is just the standard for when you have a chain of things where you have an attested and an attesting environment, and there could be multiple layers and there could be a tree of the chain to the same attesting environment, and Ned is saying it might be possible, have multiple attesting environments, in which case you might have multiple trees of, or chains of stuff.
C
So this has come out as a little bit later. Very sorry, I think what is important to highlight here is, even if these two things, the attesting and attested environment, are differentiated, they are not necessarily isolated, as I don't know, then they're not, that's not a chemical last, and I think I'm taking on Lawrence's heavier right now, because he wants to have the option to have the attested environment, the attesting environment, to be the same environment.
I
Only true for certain cases like SGX, it's not necessarily always true, mmm-hmm, some ARM TrustZone environments. You do not have to have a manufacturer's environment, it becomes more, there's other operational issues for how you establish trust in it that are solvable, but you don't have to have a manufacturer search. That's just one way to scale.
D
So I want to step back a second, you mentioned, you know, I think manufacturing in the TrustZone environment is a little more, or call it vague, I guess, or flexible than in other environments. So what do you mean by a manufacturer here? The SoC vendor? Certainly I don't think it's the end owner is, is making these proofs or assertions, I think.
F
Not you, okay, so we've called that the attesting environment, because it creates measurements of the attested environment, and we'd like to replace that term, attesting environment, with something else. So the comment, I, I, I don't think of surveying as necessarily being as active as you think, in the definitions it says, you know, the general surveys the battlefield, which doesn't mean he necessarily goes, so it looks at, it could look through his telescope.