Re: [Teep] TEEP Architecture Last Call Review
Ben Schwartz <bemasc@google.com> Mon, 24 October 2022 14:20 UTC
Return-Path: <bemasc@google.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7935C14CE20 for <teep@ietfa.amsl.com>; Mon, 24 Oct 2022 07:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.597
X-Spam-Level:
X-Spam-Status: No, score=-22.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u4RGEHmkh19P for <teep@ietfa.amsl.com>; Mon, 24 Oct 2022 07:20:24 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9DEC14CF19 for <teep@ietf.org>; Mon, 24 Oct 2022 07:20:24 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id s9so1273074ilu.1 for <teep@ietf.org>; Mon, 24 Oct 2022 07:20:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7Ab9LjU5Ok/Lydxo94gpmhsihLYRCzX9MZN4OyTC9go=; b=Z+485fE/AjFaDYiziv6KqIIPi5SFIxWJIe9ODT14+/IuVXlL2UATqhzIwd9jzXHTMk mL8TgapGMC17fgOVUA4v7m6sGoJFscBZUP0/G158LwEXaeqFATf3mM5ggsoHLN7zCuL9 YtkgbdFbpZU40Fd0djdg2jnDj3e1GF4b3Yib6F3p95MJ8cQ4NcW+rcE5LRgIvP8PMRnz PecQmqk9zVtFuh3c/1MibApSAx2v/Q4QQP5rvh6DaucOEVwfhi/nAiPkeniURKrNeUIv zf5O8R5+3OpjMI4ZJl/wai8FDQKUFgtAGiKtWrx+zz4LRzEFRxNEOQwu+VwfQgtA8mmt H+9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7Ab9LjU5Ok/Lydxo94gpmhsihLYRCzX9MZN4OyTC9go=; b=t6G2fIXDaafWdtSPwHPv+HBdXRacLWfzap9uTkz6Bykxlt73We8lvfLkDChc4u4qzV BurekCGWwsblFsumElIBKcDleTh7v5I7AfFAHsCqDgWh1dg7HIOD7cXR7+DLRNTP0oUF VZFCQlrGCvZjI1fn0lb87XMEM99ZLlOplmOfwcaJIj3t7uIKETFFAU7FBMrrSmtZZtHU tcCdjTo7GDEDIvlBMabbNjNivNrARb9tj8WOjcTxzFpZ0mYKMX2Dw8Xb8hC/HAaMa1KO D956VKJOnhYcmWm/OI9QeQr8hxEwLnjPNcBigaE1nLERiA/ue5mxvxFQF5gTJj7a6f6k aiNA==
X-Gm-Message-State: ACrzQf3f4aJr+DZE7Q9UPTGeDxaIIu9K85bEJTg6vCAZEn5m8OJCz62L CUGCKmCywuYHUyRi6Cr+cRHymA0URLdvxNtLbIEqsA==
X-Google-Smtp-Source: AMsMyM6LpOQpa2FlykBYKvMQL3MuTX9XDmWjyaGI/UwPsfsPYO91kwMctpRAx4g3N/n+yeDijfDAowCv2nuKN7clVic=
X-Received: by 2002:a05:6e02:15c9:b0:2e1:a5b6:7e25 with SMTP id q9-20020a056e0215c900b002e1a5b67e25mr20174972ilu.185.1666621222911; Mon, 24 Oct 2022 07:20:22 -0700 (PDT)
MIME-Version: 1.0
References: <CABDGos5jh-DUr4Tmv=yp7S+5tVMAUuvrrxq85TZBbt+REf=c1Q@mail.gmail.com> <CAHbrMsDinGqS36YiGQYROpbUjw2BSJVkrT5zsMQfpNGHEg8wuw@mail.gmail.com> <CABDGos5y8a7eW+jDJjevrXNqhNz5ipUrZV5F87WmmJ3V4=5H0w@mail.gmail.com> <CAPmVn1PWJ1zQ3Ome-XLjYqpPJQgVVhC+ybAQjvk8FLDCZQo1Hg@mail.gmail.com> <CAHbrMsDj_O2tgSnGZhLcDX4sZBKqZ0L857sg3p6-Ju6-iX9njQ@mail.gmail.com> <CABDGos4yBAaNi_gS0rwMM37NdWjrRt9wYoaT_rU5KDsyXtzEYw@mail.gmail.com>
In-Reply-To: <CABDGos4yBAaNi_gS0rwMM37NdWjrRt9wYoaT_rU5KDsyXtzEYw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 24 Oct 2022 10:20:11 -0400
Message-ID: <CAHbrMsAtDtc5RS=WV5AQOz_9s5iXWco3XPE-6N7N8g8gezHuRA@mail.gmail.com>
To: Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>
Cc: Brendan Moran <brendan.moran.ietf@gmail.com>, teep <teep@ietf.org>, teep-chairs@ietf.org, Paul Wouters <paul.wouters@aiven.io>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000003966605ebc87e39"
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/0L_KMigRB0bTr1Wi3RpHfwEkAtA>
Subject: Re: [Teep] TEEP Architecture Last Call Review
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 14:20:29 -0000
OK, this seems good to me. Thanks for the adjustments! On Fri, Oct 21, 2022 at 9:31 PM Mingliang Pei <mingliang.pei= 40broadcom.com@dmarc.ietf.org> wrote: > Hi Ben, > > Could we have your review of the following replies on three issues we > think remain to confirm our updates to meet your thoughts? Thank you! > > *Issue 1: An Trusted UI example (*Section 3.1), Dave had the following > comments in addition to Brendon's input in the thread: > > TEEP is not just for mobile phones, but also POS devices like chip-and-pin > readers, > and that facility is present in some of those, not theoretical. > > We have changed the the following > > A trusted user interface (UI) may be used in a mobile device > > to > > A trusted user interface (UI) may be used in a payment device > > and updated the text in the preceding paragraphs to say "mobile device or > point-of-sale device". > *Issue 2: An IoT device example (*Section 3.3), Dave Thaler gave the > following example: > > "The GlobalPlatform architecture discusses this so there are GP compliant > devices that do. I demoed one (just a demo, not a product, but it > actually did so) myself at Hannover-Messe (the largest industrial fair) a > few years back." > > With your last email, we updated the doc (PR #265 > <https://github.com/ietf-teep/architecture/pull/265>) to add a reference > to [GPTEE] for examples: > > "A TEE can be one of the best ways to implement such IoT security > functions. *See GlobalPlatform {{GPTEE}} for examples of such devices." > See * > > Issue 3: For your first two comments about the use of the word > "application" and your suggestion to make them "software" and "component" > respectively. > > We authors discussed, and think that the doc already elaborates the > definition as follows. > > >> "An application component ... is referred to as a Trusted > Application": This is > > confusing. A component, explicitly not an entire "application", is > referred to > as an "application". "Trusted Component" would be more consistent. > > The protocol spec already uses the term "Trusted Component". The > architecture doc has defined a TA to mean either an "application component" > or "an application" in the Terminology Section as follows: > > "- Trusted Application (TA): An application (or, in some > implementations, an application component) that runs in a TEE" > > Note that Trusted Application is actually a common terminology for the > field, for example, Global Platform (GPTEE > <https://globalplatform.org/specs-library/tee-system-architecture/>) has > been referring to it this way. The OP-TEE > <https://optee.readthedocs.io/en/latest/architecture/trusted_applications.html> > also uses this terminology. > > Could you review and let us know if this is OK to leave it as is? > > Thanks, > > Ming > > On Fri, Oct 21, 2022 at 7:03 AM Ben Schwartz <bemasc= > 40google.com@dmarc.ietf.org> wrote: > >> Thanks. I would suggest adding informative references for the examples >> that exist, and clarifying that the actuator example is hypothetical if >> there is no worked example. >> >> On Thu, Oct 20, 2022 at 9:41 AM Brendan Moran < >> brendan.moran.ietf@gmail.com> wrote: >> >>> >>> >>> On 19 Oct 2022, at 21:22, Ben Schwartz <bemasc= >>> 40google.com@dmarc.ietf.org> wrote: >>> >>> > Section 3.1 >>>> "trusted user interface" ... can you cite an example of a mobile device >>>> with a >>>> trusted peripheral that is not accessible to the REE OS? This seems >>>> theoretical. >>>> Need help from co-authors here too. >>> >>> >>> There are a few examples in industry. The PCI-SIG has announced some >>> relevant work: >>> >>> TEE Device Interface Security Protocol (TDISP) >>>> This document defines the TEE Device Interface Security Protocol >>>> (TDISP) - An architecture for trusted I/O virtualization providing the >>>> following functions: 1. Establishing a trust relationship between a TVM and >>>> a device. 2. Securing the interconnect between the host and device. 3. >>>> Attach and detach a TDI to a TVM in a trusted manner. >>> >>> https://pcisig.com/specifications >>> >>> Apple’s Platform Security Guide has a few relevant sections on pages >>> 17-21. For us, I suspect these two excerpts are most relevant: >>> >>> Face ID and Touch ID security >>>> ... >>>> Apple’s biometric security architecture relies on a strict separation >>>> of responsibilities between the biometric sensor and the Secure Enclave, >>>> and a secure connection between the two. The sensor captures the biometric >>>> image and securely transmits it to the Secure Enclave. >>> >>> >>> Built-in Touch ID channel security >>>> Communication between the Secure Enclave and the built-in Touch ID >>>> sensor takes place over a serial peripheral interface bus. The processor >>>> forwards the data to the Secure Enclave but can’t read it. It’s encrypted >>>> and authenticated with a session key that’s negotiated using a shared key >>>> provisioned for each Touch ID sensor and its corresponding Secure Enclave >>>> at the factory. >>> >>> >>> https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf >>> >>> Between the PCI-Sig work and Apple’s platform security guide we have an >>> example of a specification for trusted I/O and an example of a mobile >>> device manufacturer implementing trusted I/O. This is not theoretical; it’s >>> in production. >>> >>> > Section 3.3 >>>> Similarly, are there any examples of IoT devices that prevent the REE >>>> OS from >>>> operating certain actuators? >>>> We will follow up on this. >>> >>> >>> While I can’t provide specific examples of where this was done, I can >>> provide specific examples of where it should have been done. Medical >>> devices with network or radio connectivity (therefore IoT medical devices) >>> should place all sensors and actuators under the control of a TEE. >>> >>> Best Regards, >>> Brendan >>> >>> On Wed, Oct 19, 2022 at 9:34 PM Mingliang Pei <mingliang.pei= >>> 40broadcom.com@dmarc.ietf.org> wrote: >>> >>>> Thanks Ben. Just update you that we have additional comments and fixes >>>> based on your suggestions, in particular, expanded on "hostile TAM" and >>>> administrator notification in the Threat Consideration section, and several >>>> comments Dave's added that were left open in the last email. Please refer >>>> to the Github Issue 251 >>>> <https://github.com/ietf-teep/architecture/issues/251> for details. >>>> Thanks, >>>> >>>> Ming >>>> >>>> >>>> On Wed, Oct 19, 2022 at 1:23 PM Ben Schwartz <bemasc@google.com> wrote: >>>> >>>>> Thanks for considering this input! I haven't read the draft recently, >>>>> so I don't have more to add on how to address these issues. >>>>> >>>>> On Wed, Oct 19, 2022 at 5:32 AM Mingliang Pei < >>>>> mingliang.pei@broadcom.com> wrote: >>>>> >>>>>> Hi Ben, >>>>>> >>>>>> Thank you very much for your review and suggestions as tracked here >>>>>> <https://datatracker.ietf.org/doc/review-ietf-teep-architecture-16-secdir-lc-schwartz-2022-04-04/>. >>>>>> Somehow we didn't notice it until recently and we have tracked it as Issue >>>>>> #251 <https://github.com/ietf-teep/architecture/issues/251> in >>>>>> Github TEEP project. >>>>>> >>>>>> We have added inputs for each of your suggestions or questions, and >>>>>> adopted suggestions into the doc revision. There are a few comments that we >>>>>> would like to follow up with you. Please see full replies below. I am >>>>>> copying the comments from #251 issue here. It will be great if you can >>>>>> reply as comments in the github issue above. It is fine too we exchange >>>>>> here, and we will incorporate our discussions to the issue tracker for >>>>>> further revision references. >>>>>> >>>>>> ----- >>>>>> >>>>>> > Section 1: >>>>>> The use of the term "applications" carries an implication of a >>>>>> client-side >>>>>> device with installable software, but TEEP seems to extend also to >>>>>> server >>>>>> software sharing a kernel, hypervisors sharing a mainboard, etc. A >>>>>> term like >>>>>> "software" would be more neutral. >>>>>> >>>>>> This would be a major change in the doc. We authors will review for a >>>>>> consensus. >>>>>> >>>>>> > "An application component ... is referred to as a Trusted >>>>>> Application": This is >>>>>> confusing. A component, explicitly not an entire "application", is >>>>>> referred to >>>>>> as an "application". "Trusted Component" would be more consistent. >>>>>> >>>>>> The doc has defined a TA to mean possibly an "application component" >>>>>> in the Terminology Section as follows: >>>>>> >>>>>> "- Trusted Application (TA): An application (or, in some >>>>>> implementations, an application component) that runs in a TEE" >>>>>> >>>>>> The change would be a significant change across the doc, including >>>>>> APIs to be consistent when "Trusted Application" is replaced with "Trusted >>>>>> Component" everywhere. Can we continue to use the above definition to cover >>>>>> both cases? >>>>>> >>>>>> > Also, "trusted" seems to be the wrong adjective here, as it is the >>>>>> environment, and >>>>>> not the software, that carries an elevated level of trust. "Isolated" >>>>>> might be >>>>>> a better descriptor. >>>>>> >>>>>> > If this is common terminology for the field, a citation would be >>>>>> good. >>>>>> >>>>>> Not sure that a name "Isolated Component" is more natural than >>>>>> "Trusted Component". >>>>>> >>>>>> > I would appreciate some discussion of whether the Device Owner >>>>>> needs to trust >>>>>> the Trusted Application, i.e. interaction between enclaves and >>>>>> sandboxes. >>>>>> >>>>>> Sounds good. A Device Owner may not always have control over TAs that >>>>>> go to its device regardless of the owner's trust. A Device Administrator >>>>>> may often decide when the Administrator is different from the owner. >>>>>> Secondly, the trust to a TA is delegated to the TAMs that may manage the >>>>>> TAs for installation to devices. >>>>>> >>>>>> @dthaler <https://github.com/dthaler> @hannestschofenig >>>>>> <https://github.com/hannestschofenig> how do you think? >>>>>> >>>>>> > "verify the ... rights of TA developers": "rights" is a loaded >>>>>> term. Rather >>>>>> than get into constitutional law, consider "permissions". >>>>>> >>>>>> Agreed. Fixed. >>>>>> >>>>>> > "so that the Untrusted Application can complete" -> "so that >>>>>> installation of >>>>>> the Untrusted Application can complete". >>>>>> >>>>>> Agreed. Fixed. >>>>>> >>>>>> > "is considered confidential" -- By whom? From whom? Consider "A >>>>>> developer who >>>>>> wants to provide a TA without revealing its code to the device >>>>>> owner..." >>>>>> >>>>>> Agreed. Just note that the developer may not even want to share the >>>>>> code with a TAM that distributes the binary. So it isn't only protecting >>>>>> from a device owner. Proposed fix: >>>>>> >>>>>> A Trusted Component might also be encrypted, >>>>>> if the code is considered confidential, for example, when a developer wants to >>>>>> provide a TA without revealing its code to others. >>>>>> >>>>>> > "A TEE ... wants to determine" ... excessive personification. I >>>>>> suggest >>>>>> "needs". >>>>>> >>>>>> Agreed. Fixed. >>>>>> >>>>>> > Section 2: >>>>>> "it is more common for the enterprise to own the device, and any >>>>>> device user >>>>>> has no or limited administration rights": Grammar issue. Perhaps "and >>>>>> for any >>>>>> device user to have ...". >>>>>> >>>>>> Agreed. Adopted in fix. >>>>>> >>>>>> > Section 3.1 >>>>>> "trusted user interface" ... can you cite an example of a mobile >>>>>> device with a >>>>>> trusted peripheral that is not accessible to the REE OS? This seems >>>>>> theoretical. >>>>>> >>>>>> Need help from co-authors here too. >>>>>> >>>>>> > Section 3.3 >>>>>> Similarly, are there any examples of IoT devices that prevent the REE >>>>>> OS from >>>>>> operating certain actuators? >>>>>> >>>>>> We will follow up on this. >>>>>> >>>>>> > Section 4.1 >>>>>> the TAM cannot directly contact a TEEP >>>>>> Agent, but must wait for the TEEP Broker to contact the TAM >>>>>> requesting a particular service. This architecture is intentional >>>>>> in order to accommodate network and application firewalls >>>>>> >>>>>> > This is true in many use cases, but for Confidential Cloud the >>>>>> reverse logic >>>>>> applies. In fact, the TAM could be operating on-site inside an >>>>>> enterprise, >>>>>> requiring a firewall exception to be reachable from the TEEP Broker. >>>>>> This >>>>>> architecture is also unnatural: it converts an event-driven "update >>>>>> command" >>>>>> into a polling loop that adds delay and wastes resources. Why is this >>>>>> part of >>>>>> the TEEP architecture? Surely it could be handled by a >>>>>> reversal-of-control >>>>>> pattern one layer below TEEP (e.g. Server-sent events)? >>>>>> >>>>>> > I think the real motivation here is (1) installation is presumed to >>>>>> be >>>>>> triggered locally, by the Untrusted Application, so the TAM must be >>>>>> reachable >>>>>> as a "server", and the other side naturally should keep the client >>>>>> role; (2) >>>>>> the TAM is intended to have O(1) state while serving N devices. >>>>>> >>>>>> Right, that was the main use case and motivation for the architecture. >>>>>> >>>>>> > For a TAM to be successful, >>>>>> it must have its public key or certificate installed in a device's >>>>>> Trust Anchor Store. >>>>>> This needs discussion of threat model. What damage can a hostile TAM >>>>>> do? What >>>>>> does the device administrator need to know for adding a trust anchor >>>>>> to be safe? >>>>>> >>>>>> This has been addressed in "Section 9.5 Compromised TAM" in a version >>>>>> after the review was posted. >>>>>> >>>>>> > Section 4.4 >>>>>> Implementations must support encryption of >>>>>> such Personalization Data to preserve the confidentiality of >>>>>> potentially sensitive data contained within it, >>>>>> >>>>>> > Implementations of what? >>>>>> >>>>>> Changed to "Implementations of TEEP protocol" >>>>>> >>>>>> > and must support >>>>>> integrity protection of the Personalization Data. >>>>>> >>>>>> Lower-case "must" without explanation. Why, and is this a normative >>>>>> requirement? >>>>>> >>>>>> We chose to not use MUST in the doc to differentiate "normative" from >>>>>> "informal" requirements. To discuss this. @dthaler >>>>>> <https://github.com/dthaler> @hannestschofenig >>>>>> <https://github.com/hannestschofenig> >>>>>> >>>>>> > Section 4.4.2 >>>>>> "e.g., OP-TEE" -> What is this? >>>>>> >>>>>> Changed to "e.g., OP-TEE, an open source TEE" >>>>>> >>>>>> > Section 5.4 >>>>>> >>>>>> > When a PKI is used, many intermediate CA certificates can chain to a >>>>>> root certificate, each of which can issue many certificates. >>>>>> >>>>>> > Intermediate CAs have a troubled history (e.g. [1]), and techniques >>>>>> that make >>>>>> them safer (e.g. x.509 name constraints) can't be deployed as a >>>>>> retrofit. Does >>>>>> TEEP need some rules about supported x.509 extensions? >>>>>> >>>>>> We leave this to the device provider for the constraints on X509 >>>>>> extensions it supports and uses in Trust Anchor validation. They may select >>>>>> to trust only a selected intermediate CA instead of the root as the Trust >>>>>> Anchor. >>>>>> >>>>>> *Is this fine?* >>>>>> >>>>>> > Section 6.2.1 >>>>>> >>>>>> > If an Untrusted Application is summarily deleted, how do you avoid >>>>>> leaking the >>>>>> TA? >>>>>> >>>>>> Similar to the removal of a buggy or malicious TA, this is up to a >>>>>> device to have some scheme to contact TAM or be contacted to initiative a >>>>>> removal of TAs that are not needed anymore. >>>>>> >>>>>> > Section 7 >>>>>> >>>>>> > TEEP is format-agnostic for attestations, but what about >>>>>> message-sequence-agnostic? Can it tunnel arbitrary challenge-response >>>>>> sequences? >>>>>> >>>>>> There are some limitations in TEEP about supporting arbitrary >>>>>> challenge-response sequences. It generally complies with RATS recommended >>>>>> sequence. A single pass attestation and verifier flow is assumed. A >>>>>> challenge may be supported by sending it in a request from a TAM to the >>>>>> device where the device will combine the challenge in its attestation >>>>>> evidence generation. >>>>>> >>>>>> > Section 9.3 >>>>>> >>>>>> > We have >>>>>> already seen examples of attacks on the public Internet with billions >>>>>> of compromised devices being used to mount DDoS attacks. >>>>>> >>>>>> > Citation please. Also, are you sure it has reached into billions? >>>>>> >>>>>> Changed to "a large number". >>>>>> >>>>>> > Section 9: >>>>>> >>>>>> > Nothing here seems to discuss attacks on the TEE's properties, and >>>>>> the >>>>>> post-compromise implications of those attacks. For example, if all >>>>>> instances >>>>>> of a TA share a secret key, used for decrypting the Personalization >>>>>> Data, then >>>>>> a single successful attack on a TEE is sufficient to decrypt all >>>>>> Personalization Data (previous and future). Given the prevalence of >>>>>> such >>>>>> attacks (especially via hardware fault injection), it seems likely to >>>>>> be worth >>>>>> mentioning. >>>>>> >>>>>> In general, we expect that a different secret key is used for >>>>>> different devices for Personalization Data encryption. Such a secret key is >>>>>> delivered to a TA using the public key of the TEE in the device. Such a >>>>>> shared secret key for all TA instances isn't a common case. >>>>>> >>>>>> To mitigate this happening, I think we can add a statement to require >>>>>> that Personalization Data must not be encrypted with the same key for all >>>>>> devices. >>>>>> >>>>>> How do you think? I will also get other co-authors's inputs on this. >>>>>> >>>>>> Again, thank you very much for your detailed review and suggestions. >>>>>> >>>>>> Best, >>>>>> >>>>>> Ming >>>>>> >>>>>> >>>>>> >>>>>> This electronic communication and the information and any files >>>>>> transmitted with it, or attached to it, are confidential and are intended >>>>>> solely for the use of the individual or entity to whom it is addressed and >>>>>> may contain information that is confidential, legally privileged, protected >>>>>> by privacy laws, or otherwise restricted from disclosure to anyone else. If >>>>>> you are not the intended recipient or the person responsible for delivering >>>>>> the e-mail to the intended recipient, you are hereby notified that any use, >>>>>> copying, distributing, dissemination, forwarding, printing, or copying of >>>>>> this e-mail is strictly prohibited. If you received this e-mail in error, >>>>>> please return the e-mail to the sender, delete it from your computer, and >>>>>> destroy any printed copy of it. >>>>> >>>>> >>>> This electronic communication and the information and any files >>>> transmitted with it, or attached to it, are confidential and are intended >>>> solely for the use of the individual or entity to whom it is addressed and >>>> may contain information that is confidential, legally privileged, protected >>>> by privacy laws, or otherwise restricted from disclosure to anyone else. If >>>> you are not the intended recipient or the person responsible for delivering >>>> the e-mail to the intended recipient, you are hereby notified that any use, >>>> copying, distributing, dissemination, forwarding, printing, or copying of >>>> this e-mail is strictly prohibited. If you received this e-mail in error, >>>> please return the e-mail to the sender, delete it from your computer, and >>>> destroy any printed copy of it. >>>> _______________________________________________ >>>> TEEP mailing list >>>> TEEP@ietf.org >>>> https://www.ietf.org/mailman/listinfo/teep >>>> >>> > This electronic communication and the information and any files > transmitted with it, or attached to it, are confidential and are intended > solely for the use of the individual or entity to whom it is addressed and > may contain information that is confidential, legally privileged, protected > by privacy laws, or otherwise restricted from disclosure to anyone else. If > you are not the intended recipient or the person responsible for delivering > the e-mail to the intended recipient, you are hereby notified that any use, > copying, distributing, dissemination, forwarding, printing, or copying of > this e-mail is strictly prohibited. If you received this e-mail in error, > please return the e-mail to the sender, delete it from your computer, and > destroy any printed copy of it.
- Re: [Teep] TEEP Architecture Last Call Review Mingliang Pei
- Re: [Teep] TEEP Architecture Last Call Review Mingliang Pei
- Re: [Teep] TEEP Architecture Last Call Review Ines Robles
- Re: [Teep] TEEP Architecture Last Call Review Mingliang Pei
- Re: [Teep] TEEP Architecture Last Call Review Ben Schwartz
- Re: [Teep] TEEP Architecture Last Call Review Mingliang Pei
- Re: [Teep] TEEP Architecture Last Call Review Brendan Moran
- Re: [Teep] TEEP Architecture Last Call Review Ben Schwartz
- Re: [Teep] TEEP Architecture Last Call Review Mingliang Pei
- Re: [Teep] TEEP Architecture Last Call Review Ben Schwartz
- Re: [Teep] TEEP Architecture Last Call Review Mingliang Pei