Re: [Teep] Implementation feedback on draft-ietf-teep-opentrustprotocol-01
Mingliang Pei <Mingliang_Pei@symantec.com> Tue, 17 July 2018 03:15 UTC
Return-Path: <Mingliang_Pei@symantec.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40801130F02 for <teep@ietfa.amsl.com>; Mon, 16 Jul 2018 20:15:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symantec.com header.b=dtBgQ9mm; dkim=pass (1024-bit key) header.d=symantec.com header.b=H9+l/RS3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOM2EtRWz_Xn for <teep@ietfa.amsl.com>; Mon, 16 Jul 2018 20:15:41 -0700 (PDT)
Received: from tussmtoutape01.symantec.com (Tussmtoutape01.symantec.com [155.64.38.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4016130EF8 for <teep@ietf.org>; Mon, 16 Jul 2018 20:15:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=Symantec.com; s=1; c=relaxed/simple; q=dns/txt; i=@Symantec.com; t=1531797340; x=2395710940; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=/FLf+0xRWOwPFKDsC7Xy/xtLRmMLv9VErTFNGAMbaQU=; b=dtBgQ9mmsB40kjJ53WWrzgeicaORr9moOIG1esHVMYoSrDymJI/X3JgPPfMDHe9Q tUpjmiOXQ038XBksSjwYpM0ph2pP1QTTWdjv+hBgE7f7SJVssGmSqVHYd4Q8lEMj hh4KW4QsHXHx7zt3uyZqQFp75kDN03IGkyLBPxuzP1U=;
Received: from tussmtmtaapi02.symc.symantec.com (tus3-f5-symc-ext-prd-snat6.net.symantec.com [10.44.130.6]) by tussmtoutape01.symantec.com (Symantec Messaging Gateway) with SMTP id BC.F4.35854.C5F5D4B5; Tue, 17 Jul 2018 03:15:40 +0000 (GMT)
X-AuditID: 0a2c7e31-ae2839e000018c0e-9e-5b4d5f5c9c69
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (tus3-f5-symc-ext-prd-snat10.net.symantec.com [10.44.130.10]) by tussmtmtaapi02.symc.symantec.com (Symantec Messaging Gateway) with SMTP id C3.7B.06107.95F5D4B5; Tue, 17 Jul 2018 03:15:37 +0000 (GMT)
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 16 Jul 2018 20:15:36 -0700
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (10.44.128.2) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Mon, 16 Jul 2018 20:15:36 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symantec.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/FLf+0xRWOwPFKDsC7Xy/xtLRmMLv9VErTFNGAMbaQU=; b=H9+l/RS38jwhb8s6k1DZ+gCE3mu48vCQePznPIpaycVp1aLtcxm3/kH7X7uIbe+60Z87iyVv4VQnfEZA0y0cbyAk/JM3KqL/fZtlTe/Miza+TjPfD261AKMx0nKQ02Wf7m4LWSng0MxolDfkiTJAORLRg2CqkIDyJc59pEYL0Cg=
Received: from BY2PR16MB0854.namprd16.prod.outlook.com (10.164.172.140) by BY2PR16MB0152.namprd16.prod.outlook.com (10.163.65.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.19; Tue, 17 Jul 2018 03:15:34 +0000
Received: from BY2PR16MB0854.namprd16.prod.outlook.com ([fe80::f45c:c55:6931:d9be]) by BY2PR16MB0854.namprd16.prod.outlook.com ([fe80::f45c:c55:6931:d9be%3]) with mapi id 15.20.0952.021; Tue, 17 Jul 2018 03:15:34 +0000
From: Mingliang Pei <Mingliang_Pei@symantec.com>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, Andrew Atyeo <Andrew.Atyeo@intercede.com>, "teep@ietf.org" <teep@ietf.org>
Thread-Topic: [Teep] Implementation feedback on draft-ietf-teep-opentrustprotocol-01
Thread-Index: AQHUHXxtkKoaWsfgnUel1QbgYTRqxA==
Date: Tue, 17 Jul 2018 03:15:34 +0000
Message-ID: <F77F1C85-5AA1-4554-B565-246A376294FC@symantec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.d.1.180523
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mingliang_Pei@symantec.com;
x-originating-ip: [207.115.96.130]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR16MB0152; 7:otrZx3f1WNSLbh5SjZ5Xp9b0T/zNLtIV56XNtMzz3DS22idP76pNz4gzz6+Alc0kVSdSYQIT9+XR3TRBuiNkXKUyqrskqGuDPO40aG3O2bqMbeo9Nr393hFy87EWvChXqIIaQIOGL3qXJRW2XzoWRjA1E0xtZjFSi/Tkn84VRZcTAyUAl05TO+v6nWAu0/SzEA5tyffD0g5Ke8nM+AI6Kuf43q3lxZuB/RU3fu96j4ifUM3yfpxM+Rv/XZdmiMkH
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 0a8aeca0-6646-4193-18ff-08d5eb938fcd
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:BY2PR16MB0152;
x-ms-traffictypediagnostic: BY2PR16MB0152:
x-microsoft-antispam-prvs: <BY2PR16MB0152885F1F2BF8BFD2BD155FEC5C0@BY2PR16MB0152.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(149027)(150027)(6041310)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:BY2PR16MB0152; BCL:0; PCL:0; RULEID:; SRVR:BY2PR16MB0152;
x-forefront-prvs: 073631BD3D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(396003)(39860400002)(136003)(346002)(366004)(60444003)(199004)(189003)(229853002)(58126008)(81156014)(6116002)(25786009)(83716003)(86362001)(478600001)(26005)(80792005)(66066001)(3846002)(68736007)(7736002)(5250100002)(72206003)(2616005)(102836004)(6486002)(790700001)(8936002)(8676002)(14444005)(110136005)(106356001)(81166006)(97736004)(186003)(10290500003)(256004)(105586002)(6512007)(54896002)(5660300001)(36756003)(2501003)(99286004)(486006)(82746002)(33656002)(316002)(6436002)(14454004)(6306002)(476003)(53936002)(2900100001)(53546011)(6506007)(2906002)(6246003); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR16MB0152; H:BY2PR16MB0854.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: GK9mZ5wk4RdTykcQ2SCt6Mp5+p5y4AeENTnNc/qYcrbqkg3oAYVoFgDT2T5L+AaQvVA4+YHlgvgaZnzntWdfX86VQMNhZmi01iqkVfaMG7XujyOy1q2XCBrKtFbUk/ExBXz8NsYDrA3EcJ7UAQ6GDG/Q4qIEVpEXFBTpRa+nxFy9qpGzhqdEOfPhJxQlKoSlgUdUT8gXTLrKXtlfTcxFC8aF60wKMk1wTwChAgI6DEYbWoT+XEFxlw3TA74HFoVYiLfkQdBkU8ZVMyJMmlc/GVmF+zCkjw147prRDURX9nwkdS9NJN4fl3Vc59mszOg8ygkqRz69T8gx5Q2c4O3D+Na1YbBQaiJhDN4Kh3qtbgo=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_F77F1C855AA14554B565246A376294FCsymanteccom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a8aeca0-6646-4193-18ff-08d5eb938fcd
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2018 03:15:34.6835 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR16MB0152
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA01Sa0hTYRjmO+dsHpeLr6X5qmU1ElO8TAu0iC5/YpSiPyrCa0c9qKnTtikq ZOIVNFFJWw5FJS2wTFsiVoq1NOYFFE0kK/EWqClIpHPlpW3nCP75eL73eb7nex54aVIyKHCm ExVqVqlgkqVCESXyyhN6R0QHh8v6mx0DuzZ6icDp+nUisHlrg7xMyg3PvgjkTU0mQt7eMEOE kmGiC3FscmIGq/S9eEeU0Nz1HKXl7RCZI73bNrmo+A9RgmxpwGehULNOliARLcG/EbSNPxbu EZut2zYcYULwb+yHjYWQ4D4E09ogjlhEMFcwQlkuFK4gQVdXiTjmEQFLjcu88QyCr92rZmOa FmIZjH5XWKzscRGCSY2LZXwY34QXuxQ3vgUzjUYBh33gSU+VNRKF3WBVZ7JqxPgS9Cy/tiZC +AgYB19a+5DYEaYW6vluGJq6R0gOO8DS/I7V08Hs+fDthJB7GwmmghlkiQBYCu3zAZz8GIzV l1qrAO4g4INxgPfxhrXqah4Hw9ykTsiJRhEYyoz8x57wt6uIx0lgHBjm8TXYHS7nH7tCS9ks VYH8tftyczgWBt/oSa215yEYqFmgtOZ8JPaAtne+nOQkVJXO2nD4NBTW1vFYDpXfflL7NQ2I bkEn1OkqVYo6NV3NpLEyPx9VVkqs5WDM+xXrE5uaokPWDcvx60Jz7UF6hGkktRO7RQaHSwRM hlmpR0CTUntxUrh5JI5jsrJZZWq0Mj2ZVemRC01JHcUrYk2YBMczajaJZdNY5R5L0LbOucht XbH56WjUmdBAWWeO/0rV8RA6KyTG/aCpr/i+9sqSh8IpuiYhpj7Uw3R3zEnWUP5r82m8PJz5 qC+5MWSI6lg75TXl7avsN+jOb2wRrYufFXERiZW1189FXVXv5KcPvL/3KvuBdHjyQIV7gGZi Z3o8tPP2kLGoTONql5+J7FeWpJQqgfHzJJUq5j/oqrsgXQMAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrPKsWRmVeSWpSXmKPExsXCpdPEpRsZ7xttsHOzocWOb/uZLO7N/8pk sfTPN2YHZo8Ty66weixZ8pPJY8OCB0wBzFFcNimpOZllqUX6dglcGUt3LGcsaPrHVHF+/1/2 Bsb2L0xdjJwcEgImEj/W/mXvYuTiEBL4ySjx+9JddpCEkMARRol7s3wgEi8YJR61nGcBcVgE JjBLbJo7kREiM5lJ4uXCV8wQzgNGiZt73rJ1MXJwsAkYSFy4kwcySkSgjVHi+nRpkLCwQKjE 6v8sEOEwiQcLv7NC2HoSM/ZOYQOxWQRUJd5u+glWwytgL7H31UawixgFxCS+n1oDdjazgLjE rSfzoV4QkFiy5zwzhC0q8fLxP7CZokAze3ZeZYPojZX42fKAEeQECQEliQ2PzSHKZSUuze8G e0VCYAuTxIHvJ6Hm6Ep8mDoVyvaVeHR9ExtE0QVGiRO936EWa0n82tEGZWdLfD95Bsr2kvh/ ph+qWU5iVe9DFojmTcwSbzpXs0MkZCQOrDnNNIFRbxaShyDsZIlTmw8xzwIHgKDEyZlPWGYB Hc4soCmxfpc+RImixJTuh+wQtoZE65y5ULaHxMTbT1mQ1Sxg5FjFqFBSWlycW5JbkphYkGlg pFdcmZsMIhKB6StZLzk/dxMjOIU5S+5gPPTH5xCjAAejEg/vjbk+0UKsiWVAlYcYpTlYlMR5 X3PdjBISSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXAWHCFb82bNWnGrZcbVh7OdevQaW/Y2D/l o9WuW98CZOeo9P1+1fv3+/kWx8j1brP8t763+sJst6o+gcWZsYb1xYR5jz4WvlhvVvcwzGjz q/Lo90q6s23vdN7pWM45XamEe+npOC0BB6npMt8ETLJezbvIr/U0rff4LPbeLP13TfMUXE49 M380V4mlOCPRUIu5qDgRAPGTq8JCAwAA
X-CFilter-Loop: TUS03
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/2EKvjj7lkHe2WjikzBosmdvtmos>
Subject: Re: [Teep] Implementation feedback on draft-ietf-teep-opentrustprotocol-01
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 03:15:45 -0000
Very good comments, Dave. Please see my comments inline (with [MP]), Ming From: TEEP <teep-bounces@ietf.org> on behalf of Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org> Date: Monday, July 16, 2018 at 11:00 AM To: Andrew Atyeo <Andrew.Atyeo@intercede.com>, "teep@ietf.org" <teep@ietf.org> Subject: Re: [Teep] Implementation feedback on draft-ietf-teep-opentrustprotocol-01 Andrew writes: … 1) Section 6.5 explains that the TAM needs to receive a list of one or more TA’s that are requested to be installed (S6.5.1 point 1A). However, no message is defined for doing so, which prevents interoperability. I think this message needs to be generated by the TEE (not the rich app), for reasons I will explain in #3 below. [AA] I don’t see the need for a message for defining the TAs that need to be installed. The OTrP messages are between the TAM and the TEE, but the desire to install TAs comes from the rich app. In practice, a rich app will have the identifiers of the TAs it requires built into its own code, since its own code will also be calling those TAs (e.g. once installed, to perform some DRM or payment authentication). Therefore a rich app is aware of the TAs it needs. I don’t think this info can come from the TEE – since at this point the TA is not installed yet, so which part of the TEE would have the knowledge of which TAs are needed? As I noted in my arch doc comments, I disagree that there needs to be any communication between the rich app being installed, and the TAM. A valid implementation model should be that the app store installer reads the metadata (including TA dependencies) about the rich app, and as part of installing the rich app (without ever needing to run it), the installer can communicate with the TEE to express those dependencies, which then triggers the TEE to generate a signed message to the TAM, which can be related by the installer. [MP] The requested TA by a Rich App can go by itself, or noted by an installer via its metadata. It fundamentally express the need. It may not matter it is the Rich App or an installer that does the job on behalf of the Rich App to make the call. That was intentionally left out of the scope. We left this choice to the Rich App itself. It can do itself, or leverage an installer or other program to do it. The main interface for interoperability is what TEE should prepare to accept from a Rich App or an installer in REE. This was the intent of an OTrP agent. There is one major difference in contacting TEE first vs. contacting TAM first. When a Rich App or an installer being its delegate lets TEE to generate a request, a TEE needs authorize such a request. There is some role relationship to agree on here. A device is managed by a TAM, and TAM’s initiated call can be authorized by a TEE. Now, does the TEE have to authorize both an installer / Rich App intent and also a TAM for a TA installation? Or you mean by “related by the installer” that the first authorization is delegated from TEE to TAM, and TAM will make a decision whether it will honor an installer’s request about a Rich App’s desire to use a TA that it manages, right? --- In the less efficient model where the rich app has to be run, as the doc implies, the same process can occur where the TEE generates the message in response to the rich app telling the agent it has a dependency. [MP] true, this is one of the models. … Putting my issue #1 and issue #2 together means there’s an extra round trip that is unnecessary. 6.5 says the TAM receive a list of TAs needed, and then the TAM just goes back and asks what is installed, just to get a list of what needs to be installed. This is unnecessary, the TEE can just send a list of one or more TAs that need to be installed and aren’t already. Hopefully this explains why I said in issue #1 above why I think the message needs to be generated by the TEE. [AA] but how could the TEE (which doesn’t have its TAs loaded yet) know what TAs should be loaded? The same piece of code that connects to the TAM tells the TEE what TA’s it desires. The TEE then generates a message with the list of TAs that aren’t already installed. [MP] See authorization comment above for how a TEE authorizes a request from a Rich App / installer. Delegated flow would mean that it always accept a request, and generates a request. Would this cause some spam and attack issue to the TEE? On the other hand, TAM is given to handle its clients being Rich App or an installer in a REE etc, which is out of the scope in our design. … 3) Section 6.5.1 point 9.A implies that to install a TA, one must have an extra round trip first to create an SD if one isn’t already there. I would expect one common case to be where there is one TA per SD, so that all TAs are isolated from each other. As such, requiring the extra delay is inefficient in time, bandwidth, and processing. All the fields in CreateSD are already present in an InstallTA message (except the “did” field mentioned above in issue #5), so it could be done automatically by the first InstallTA message itself. [AA] when the SD is created, an asymmetric keypair is generated (spaik), and the public part of this is returned. When a TA is installed, it is encrypted with this key. This enables some use cases where a TAM could interface to a SP and enable an SP to provide the TA encrypted such that the TA binary is not known by the TAM. The spaik is also used to encrypt the personalization data (that is also sent in InstallTA), and there is also a use case for a TAM interfacing to an SP in order that the SP encrypts perso data for that TEE such that it travels via the TAM to the TEE, but without the TAM having access to that data Since InstallTA requires knowledge of the public key returned from CreateSD, it is true that the extra round trip is required. So the question is whether there is a case for installing TA (and their accompanying perso data) without the ability to provide confidentiality between an SP and the TEE by making that layer of encryption optional, and by allowing the TA (and perso data?) to be bundled into CreateSD My main point is that it should be possible to combine CreateSD into the first InstallTA and be more efficient. Also remember that the TA binary need not come from the TAM. [MP] This could be an option, I think, when a TA binary encryption isn’t needed. However, we did elaborate this in the very beginning of protocol design whether we give such an option. We (OTrP Alliance at the time) agreed that the protection of TA binary itself is very valuable. You don’t want someone to reverse engineer your TA code that makes exploit finding easier. In the current design, a TA binary code is never given clear to any Rich App or MITM. It is only known by the developer and then the running device TEE itself. This was a very important design goal in this protocol. 4) The scope of uniqueness of the “rid” and “tid” fields is underspecified. They just say “unique”. I think “rid” is just supposed to be unique within a given {session,”tid”} but I can’t tell for sure. And I think “tid” is just supposed to be unique within a given session (not globally across all sessions, all TAMs, all devices), but I can’t tell. They’re also formatted as strings, but I’m not sure why they can’t be integers which I think would be much more efficient.. [AA] although it is not mandated, random guids can be a viable implementation choice for these (as it takes away the requirement to manage incremental counters) – so I would not want to see these become integers. By making them strings, a TAM can choose the mechanism it wants. I take your point about “rid” and “tid” being underspecified. The truth is that values contained in these fields don’t matter to the protocol much. (they are mostly for the convenience of the TAM in order to match up request and response messages (rid), and (tid) to understand which messages belong in a ‘conversation’) Unless there is a reason a guid is actually needed (e.g., global uniqueness), I would argue against that additional complexity. If all you need is uniqueness within a session, a simple sequence number would suffice. [MP] Open suggestion for this to be more normalized. It is used as an internal linking by the TAM itself, as Andy commented. 5) I found it confusing that the names of the messages don’t match the name values in the messages themselves (“GetDeviceStateResponse” vs “GetDeviceTEEStateTBSResponse”, etc.) Having these not match is bug-prone. [AA] I agree. Instead of having a mixture of GetDeviceStateXXX and GetDeviceTEEStateXXX they should all standardize on GetDeviceTEEStateXXX. Node that there are intentional differences at the end of those words (e.g. GetDeviceTEEStateTBSResponse vs GetDeviceTEEStateResponse is intentional as one of these is the ‘to be signed’ data and the other is the signed data. I don’t understand, and the terms seem to be interchangeable in the doc, so if there is a distinction, it’s not explained clearly in the doc. [MP] There is a difference there. The document says: “The final GetDeviceStateResponse response message consists of an array of TEE responses.” 6) It’s unclear whether a rich app can depend on two TA’s from different TAMs, and whether a TA can depend on a TA from a different TAM. In the use case where the device admin runs the TAM and controls all TAs on their devices the answer would be no. But in other use cases I’m not sure. If so, then the question arises about how dependencies are expressed and whether a dependency needs to express which TAM is used. This then begs the questions of whether a TA might be via more than one TAM, or might change TAMs over time. The answers here probably belong in the arch doc. [AA] TA inter-dependency is completely out of the scope of the OTrP protocol. (so the rich app vendor needs to know all the TA IDs they need installing, and which TAM(s) to get them from). TAs inherently can depend on other TA’s. I don’t think it should be out of scope for the WG. [MP] Let us discuss this more. In theory, there could be all chaining dependencies. It isn’t common today. When TA1 uses TA2, would TA1 installation by TAM and TEE will need to check existing of TA2? [MP] Overall, thanks for your great questions and suggestions of some alternative models. Dave
- [Teep] Implementation feedback on draft-ietf-teep… Dave Thaler
- Re: [Teep] Implementation feedback on draft-ietf-… Andrew Atyeo
- Re: [Teep] Implementation feedback on draft-ietf-… Dave Thaler
- Re: [Teep] Implementation feedback on draft-ietf-… Mingliang Pei
- Re: [Teep] Implementation feedback on draft-ietf-… Wheeler, David M
- Re: [Teep] Implementation feedback on draft-ietf-… Dave Thaler