From 5bae471906871b39760878b6f244673365c57e93 Mon Sep 17 00:00:00 2001 From: Spencer Judd Date: Tue, 17 Dec 2024 14:48:57 -0500 Subject: [PATCH] Add TODOs following PR discussions --- .../fixed-location-reusable-hardware-procurement.md | 4 ++++ .../src/fixed-location-reusable-laptop-ceremony.md | 2 ++ .../operator/coins/pyth-spl/sign-transaction.md | 10 +++++++--- .../fixed-location/provisioner/procure-hardware.md | 2 ++ .../src/hardware-procurement-and-chain-of-custody.md | 4 ++++ 5 files changed, 19 insertions(+), 3 deletions(-) diff --git a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md index 59176ff..25c9e34 100644 --- a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md +++ b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md @@ -26,10 +26,14 @@ * Seal the screws on the bottom of the laptop using glitter of chosen color + * TODO: Add detail around using glitter with larger pieces and layering several types, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-996 + * Take photographs of the inside of the laptop, then of the outside after it's sealed * The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images + * TODO: Add information about verifying the authenticity of the Purism signing key, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-961 + * The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape * TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism diff --git a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md index a9612ec..f1f3658 100644 
--- a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md @@ -34,6 +34,8 @@ The primary tamper proofing methods for the fixed location device are: * Approximate time of entry + * TODO: Document how this access log is implemented. + 4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony. * Ensure that no individual is bringing in any electronic devices. A hand-held or gate metal detector can be used for this. diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md index e684ab0..ee47fb8 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md @@ -4,6 +4,8 @@ ## Requirements +* TODO: Move this into the "provisioner" document, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1002 + * 2 primary operators will be operating the offline machine and online machine * Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key) @@ -68,7 +70,7 @@ 0. Plug in SD card labelled "Trusted Keys" - * Load well known PGP keys of proposer and approver, and sign them using operator keys (NOT IMPLEMENTED) + * Load well known PGP keys of proposer and approver, and sign them using operator keys (TODO: NOT IMPLEMENTED) * `gpg --import ` 
@@ -107,13 +109,13 @@ 1. Plug in SD card with transaction payload -2. Wait for the screen to display the transaction information. (NOT IMPLEMENTED) +2. Wait for the screen to display the transaction information. (TODO: NOT IMPLEMENTED) * In the background: * The transaction is constructed - * Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (NOT IMPLEMENTED) + * Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (TODO: NOT IMPLEMENTED) 3. If any issues are detected with data you will be prompted and should initiate [incident response (todo)](todo) @@ -135,6 +137,8 @@ * Shut down the air gapped machine +* TODO: Add information about material disposal, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004 + #### Sealing {{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}} diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md index 664eb64..97d876b 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md 
@@ -40,6 +40,8 @@ This guide contains specific equipment models: [guide](../../../../tamper-eviden * SD cards + * TODO: Add clarification around formatting and labeling SD cards, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004 + * [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb) * [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248) diff --git a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md index ad534a9..db34f13 100644 --- a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md +++ b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md @@ -20,6 +20,8 @@ The following steps must all be completed under the continued supervision and wi 3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which is ideally just a access controlled space. The bag MUST be a sealable see-through tamper evident bag. + * TODO: Add sources for suitable tamper evidence bags, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-897 + 4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes: * Radio cards (wifi, bluetooth) 
@@ -32,6 +34,8 @@ The following steps must all be completed under the continued supervision and wi Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove. + * TODO: Add example online reference, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-898 + 5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO) ## Tested Hardware (AirgapOS Compatibility)
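Review bot: the new TODO about verifying the Purism signing key (second added line in the fixed-location-reusable-hardware-procurement.md hunk) should state that the verification has to rest on a trust anchor independent of the shipment itself, because the preceding line makes the integrity of the tamper-seal photographs depend entirely on that key; without an independent check a substituted key would go unnoticed. Also, both new TODOs capitalise their first word while the existing `TODO: find out if we can have vacuum sealing...` line in the same hunk does not; pick one form.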
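Review bot: the added `TODO: Document how this access log is implemented.` in the fixed-location-reusable-laptop-ceremony.md hunk is indented as a child of the `Approximate time of entry` field, so it reads as a note on that one field rather than on the access log as a whole; outdent it to the level of the enclosing list. It is also the only new TODO in this patch without a link to the PR discussion it came from; add the issuecomment reference for consistency with the others.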
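Review bot: `TODO: Move this into the "provisioner" document` in the `## Requirements` hunk of sign-transaction.md leaves `this` ambiguous; say whether it refers to the whole Requirements section or only to the Operator Keys item that follows. Since the file lives under `generated-documents/`, also confirm the TODO is added to whatever source the generator reads, or it may be lost on the next regeneration.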
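Review bot: relabelling the key-loading step as `(TODO: NOT IMPLEMENTED)` in the `@@ -68,7 +70,7 @@` hunk of sign-transaction.md should record that the later verification step depends on it: signatures over the tx data are checked against keys this step is supposed to import and sign with operator keys, so while it is unimplemented that check has no trust anchor. The unchanged `gpg --import ` line beneath it also appears to have lost its argument placeholder and should show what is being imported.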
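Review bot: marking step 2 and its signature-verification sub-bullet `(TODO: NOT IMPLEMENTED)` in the `@@ -107,13 +109,13 @@` hunk of sign-transaction.md changes the label but not the operator's situation: someone following this document today gets no verification of the transaction payload and no instruction for what to do instead. Add an interim instruction (a manual check, or a statement that the procedure must not be run until this exists) rather than only the label; the adjacent `[incident response (todo)](todo)` placeholder could take the same `TODO:` convention.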
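Review bot: the material-disposal TODO in the `@@ -135,6 +137,8 @@` hunk of sign-transaction.md sits after `Shut down the air gapped machine` but before `#### Sealing`; disposal of materials normally follows sealing the device, so check the intended position. The TODO could also name which materials are in scope, for instance the `Trusted Keys` and transaction-payload SD cards used earlier in this document, so the eventual section does not miss them.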
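Review bot: the SD-card formatting and labeling TODO in the procure-hardware.md hunk cites `issuecomment-1004`, the same discussion comment as the material-disposal TODO in sign-transaction.md; one of the two links is probably wrong, so check both against the PR thread. While here, the unchanged line `Kingston Indsutrial 8GB microSD Memory Card` has a typo (`Industrial`).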
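Review bot: the tamper-evidence-bag TODO in the `@@ -20,6 +20,8 @@` hunk of hardware-procurement-and-chain-of-custody.md would be more useful if it also asked for the properties a suitable bag must have, since the step only says `sealable see-through tamper evident` and vendor sources alone do not let a reader judge substitutes. The context line above it has a typo: `just a access controlled space` should read `an access controlled space`.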
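Review bot: the `TODO: Add example online reference` bullet in the `@@ -32,6 +34,8 @@` hunk of hardware-procurement-and-chain-of-custody.md follows a paragraph rather than a list item, so it may render as a stray one-item list; make it a sentence or attach it to the list under step 4. The `[device designation](TODO)` link in step 5 is another open item in the same hunk that could take the same `TODO:` convention and a discussion link.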