IETF Logo Mail Archive

Re: [Teep] Security domain default 1-to-1 mapping to a TA proposal in TEEP

Mingliang Pei <Mingliang_Pei@symantec.com> Fri, 08 March 2019 15:39 UTC

Return-Path: <Mingliang_Pei@symantec.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F751313FE for <teep@ietfa.amsl.com>; Fri, 8 Mar 2019 07:39:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.311
X-Spam-Level:
X-Spam-Status: No, score=-2.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symantec.com header.b=MwHS7JBq; dkim=pass (1024-bit key) header.d=symantec.com header.b=LPutFkP0
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSUbVH0yHy7X for <teep@ietfa.amsl.com>; Fri, 8 Mar 2019 07:39:09 -0800 (PST)
Received: from tussmtoutape02.symantec.com (tussmtoutape02.symantec.com [155.64.38.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75162130F01 for <teep@ietf.org>; Fri, 8 Mar 2019 07:39:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=Symantec.com; s=1; c=relaxed/simple; q=dns/txt; i=@Symantec.com; t=1552059544; x=2415973144; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=4KcmI3DfrVOagUjV95dYytw0+qcevHJ0LNfs1RX3fsc=; b=MwHS7JBq70QcNkOk/DcYeXy7uw+cM+wwUyq1MGx+qY8cMkNzO1yVXRZG6q1vNJSo Od7RjsjoU1FC0gx1dMbz50wUMPmqydKZGTymMPC0LouhfmbmXZkoWzdMXHbiULm/ z2PnH8+IdVqHUiE800FXl/g6FFJy8lFakh8OmfumB2g=;
Received: from tussmtmtaapi01.symc.symantec.com (tus3-f5-symc-ext-prd-snat1.net.symantec.com [10.44.130.1]) by tussmtoutape02.symantec.com (Symantec Messaging Gateway) with SMTP id C4.50.48042.89C828C5; Fri, 8 Mar 2019 15:39:04 +0000 (GMT)
X-AuditID: 0a2c7e32-dbbf09e00000bbaa-b1-5c828c98033b
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (tus3-f5-symc-ext-prd-snat4.net.symantec.com [10.44.130.4]) by tussmtmtaapi01.symc.symantec.com (Symantec Messaging Gateway) with SMTP id 68.C9.05782.89C828C5; Fri, 8 Mar 2019 15:39:04 +0000 (GMT)
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 8 Mar 2019 07:39:04 -0800
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (10.44.128.1) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Fri, 8 Mar 2019 07:39:04 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symantec.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4KcmI3DfrVOagUjV95dYytw0+qcevHJ0LNfs1RX3fsc=; b=LPutFkP0kJzY0X+tdghJf2TFO9BXLxU3Z2Q5S6RvD9UfCs7xpZN+5JqONhfdixvajZJxfgIC8XCGJFbw8Wz8MeKNvlZavN28YTdhdsoD+5zFoEy/lMYkYP64u5K+esjmLtUbOxbtoTILE7IpRqqsVyBDe+6KA7Bwod08+D/Q8ls=
Received: from BY2PR16MB0854.namprd16.prod.outlook.com (10.164.172.140) by BY2PR16MB0839.namprd16.prod.outlook.com (10.164.172.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.18; Fri, 8 Mar 2019 15:39:02 +0000
Received: from BY2PR16MB0854.namprd16.prod.outlook.com ([fe80::7cd8:ec4e:f89c:82a6]) by BY2PR16MB0854.namprd16.prod.outlook.com ([fe80::7cd8:ec4e:f89c:82a6%7]) with mapi id 15.20.1665.021; Fri, 8 Mar 2019 15:39:02 +0000
From: Mingliang Pei <Mingliang_Pei@symantec.com>
To: Andrew Atyeo <andrew.atyeo@intercede.com>
CC: "teep@ietf.org" <teep@ietf.org>
Thread-Topic: Security domain default 1-to-1 mapping to a TA proposal in TEEP
Thread-Index: AQHU1VKRZgbX2HkEAk2k301Fswqim6YBZXtwgAB5yXo=
Date: Fri, 08 Mar 2019 15:39:02 +0000
Message-ID: <BY2PR16MB0854FBE72F059CDA5C0D45DDEC4D0@BY2PR16MB0854.namprd16.prod.outlook.com>
References: <F78A61D4-9B6B-4E83-8CF7-0C49E08718A9@symantec.com>, <DB7PR10MB23489BA35BD7CDF8406DC6A9954D0@DB7PR10MB2348.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <DB7PR10MB23489BA35BD7CDF8406DC6A9954D0@DB7PR10MB2348.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mingliang_Pei@symantec.com;
x-originating-ip: [40.90.240.34]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: da3a20c5-fbd6-4a3f-0f7a-08d6a3dc30a7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BY2PR16MB0839;
x-ms-traffictypediagnostic: BY2PR16MB0839:
x-ms-exchange-purlcount: 3
x-microsoft-exchange-diagnostics: 1;BY2PR16MB0839;23:d3iNjcR+fMjAaErArax7Zi1Ij7XOEL1/ldx0xml8H5Stn8fEvNF90mmSXOWBhRoUpctT6Ue2nOh5MIuSVvcJ0Mno850LussH7l3oW8nCt+u7oKZ0RWpn9DD4czTpGWbi2h4eQ8u/nlutIU3esyzQbHcaN2T7VpYe6XnLwokmAPVQtbqJOMR9yKCdEdH8m9TDmalKBy6BQ9Ddk7jeDIdWnCqmcmQAojZdRstqwICINLCPIyiu2s6s/SZfBBS+GT5Bb1pdMIMH+rdR5w0FK3pugxwIrmCwjtDFcosYYlx9nFXkEfIieOSm9/FxZS5E7fUPKTLCQciSApOatmVm3Z2Y4R30+e9tsAkmYlFgp8dboAnG23bdN/xzcqqGtLkwuXpOiE5b8KepDjh50KqWWkheLmi6vnl5o4hGQ2VbiKBCvggJTsuTrsxC22YAAi8RRQ/qGkIHi8XTI0wDYi9uWFqylYU+zVk+64d4Vhlp8oZU1FzbZJx1hvZ52r2XAFfF4Qm/1XEaEIJe1Eu4JarrqgBRhLBAklsobKKMp7KHoEH92lhfv/apF2FROKrqh43ScsaUJnxPdH8585OtEZo5xwMchWHIyZR8WGVqP6jD8ZGmAEm5HFWhyj1yEumVA7jkJpdmeAQsuXNIbrEdS+cfSqkCHrX9gQOp6gXMUKIRijob+T6hw5yKPlgSfKO+A50xOz/o96Z8jmK8sAtBYtrPi3HKDwQV0PlqF0I96mMP8+8wVIR2wwfUcA+IC/YBz4n9r7iC5ip7UREPo253MF5KC/XjTIYkusz37tIZchpuzzvjOTE5t1MXXFyIwaLnVZLrSnl0KTuLoJMnJAZ9QdYf94bY0dA/ljsjYdOFhENsNnlD+kDeiuE/Ijlr54GrhcOigWJTs3fWiFFQL1byR98I0m06Qt1aY4w5n49Aqf9gz5yY8S3FENWaZQaXmc7q+8ynJ2CClxWS8gzq5UGzYcZ23aTNL3khZZ5hctpLD3xnMNAW0kP2eSXzZo6oIs3PkVJoE48Vh7vnbqylCBO1LnGVzF5mgoetJHSbMyv/xc2hnzwByYHoZYj5U4vm/KhwZgu+w62REvhsDDh2t8aZLXug0ULnqbMI7kDkzgGT1sIPbIA+NNYhvr1S2Is587BEi19MRBtUDZbrkiIEzRXXswd7UzdWsl2koyZDlYdoFvcUuZmAqOvOlR3HFC2oVuo7mSt0WDV1SMDdrAZzgm4G7bw5C4yFgWq4KXp7W8/QVVeVD9ATy7Y/tktmSpTcPHiWREElkvaWUHC9fF7HcVgq/ht5q50i8rGvk/gu6S35YGbwnOVD6hTwsAbh1bHHLC05y/n6/hhPsK9q4y0C+33CsKY7/1HPExRusqKWIL547e3qqPm1DQ+oE7iW5YOr6iSjL/AnvTDLRipRVDj3GcWOwTfJRZ46TdCyGjVc+lgjO7bnzrlqSoo=
x-microsoft-antispam-prvs: <BY2PR16MB08399A453BEEB05D7D124223EC4D0@BY2PR16MB0839.namprd16.prod.outlook.com>
x-forefront-prvs: 0970508454
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(346002)(136003)(396003)(376002)(199004)(189003)(966005)(606006)(14454004)(68736007)(72206003)(33656002)(97736004)(80792005)(6436002)(561944003)(53936002)(7736002)(55016002)(54896002)(6306002)(236005)(9686003)(71190400001)(71200400001)(5660300002)(52536013)(105586002)(106356001)(6916009)(4326008)(25786009)(6116002)(3846002)(478600001)(10290500003)(74316002)(6246003)(14444005)(256004)(8936002)(229853002)(2906002)(476003)(86362001)(81156014)(81166006)(486006)(316002)(446003)(76176011)(186003)(53546011)(6506007)(7696005)(102836004)(26005)(8676002)(11346002)(99286004)(15650500001)(66066001)(9010500006); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR16MB0839; H:BY2PR16MB0854.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: pty9sQhESvXByzjOCsMvcSczgI+B2zxcIQAsCt5dBUQtjhZVc+rJ7XWrWGY/jsmpqKrHPiJ4s4GS3beo665gIRL0uG2oJgM3Tu5L5VdDnKXCzAaiWELoeOB0v98IjsudUnA9jMr6KpSc1+Kpf8fkMDRec3+V+R3RRBQ6H1GOU7/tXNTLSU9Fyq+K66/261juk7UIOQbUb6DhdlBLGa/FZ5BzG6i/gwpI22LBRkpDNgJFTOHyRiyf4+H10XqVwTp9tPQ5lLTw3sQKMhJBN4yIBOoPfWunedT9B9e7auMu/SjPLUCYER2V2NmVwN0gfiVq4q9MenCnFEHhZYIUuRyQxkBLg1S6wHEs245ZwVLpXUIPQpI0wubFSGKO7wo9z0fdui1vS1OjaP4dViTPQg8E/rxvIWg06eLhbGwPWWDFyfU=
Content-Type: multipart/alternative; boundary="_000_BY2PR16MB0854FBE72F059CDA5C0D45DDEC4D0BY2PR16MB0854namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: da3a20c5-fbd6-4a3f-0f7a-08d6a3dc30a7
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2019 15:39:02.2009 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR16MB0839
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0iTURjHOe/FvRstT1PzYWHpKihJnWIlYmHf/KAQKAWl1NCXad7G3ila VjrXB6eSlZWa5SXNS6LDJMwMcWqgYYpdME3SMivKGMNrmrXtTPDL4Xee/+/wnPNwOFrWwcq5 pDQdr01TpShcJIzkkB75lRXpY5Xv2kNCOpd6qJD69SU6nIqoq1ulIkzV09RJ6owkLIFPScrk tQHHz0sS51r0tGZCj7J6a7bnorKrRiTmAAdDw4tcxogknAxbEawYXok2A2P1a2RnGV5BYO3a Q6QBBC1TG4hsviPo+/WAtW8YXEJDd/En55FSCqzzR4k1g+BbUZMt4DgXrITRj2l2xx37wSfD ssOn8V4Y6ep3sbMbjoSF3kci4kRB7Y07NOFQaKkfYOzM4H1Q2jjpcKQ4Frra10SkVwmC6rsF rD0Q4zhovWlyHEZ4JywPtVCkmSdMzFZR5J0Y6rpHaMIe8OPLBkv8OFg1TCNS94amx9edc/GC sapCZz0KNmoLHMMD/AHB+6qvDAl8wfi7wslyqBlZEBGpzQ1urxpcSJAMxeMGqgQFVmy5FOF0 6Mz742Ap3gGD5bNMhW14ND4IbV0BRPGB0sIZEeEDcK3yvmhrvRqJmpG3LkMQUnXpGTqVhlcG +QvZqfH2RWX7SfH+8emp7cjxl64EdSKrKdKMMIcU26SVgj5WxqoybaYZAUcr3KWKPFtJmqDK vshr089pM1J4wYx2cYzCU+rF6s7KsFql45N5XsNrN1OKE8tzkdIwzKtzp07UjumiXS0x+c/f UOLWuEI9zFzQNIf55zwT3EPVHT3h+1nTqUXL4siTQZ+kw7V9qfLkOEt0zj3D2wG2cbds/VjW ZOj82q0SVnh4eghZMj0mhi2DT9vKkwOVP0UvL9X0j6cNNLip86TLrj3B5s9/Y/Ivz/07Mrg4 qmCERFWgL60VVP8B9N/zU0cDAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOKsWRmVeSWpSXmKPExsXCpdPEojujpynGYME+I4sd3/YzWSz9843Z gcljyZKfTB4bFjxgCmCK4rJJSc3JLEst0rdL4Mp4tqaJueBWE2PFwYV8DYwz6rsYOTkkBEwk uhacYwSxhQR+MEp82iXfxcgFZB9llFhz9x8jhPOCUeLwm3msIA6LwARmiT2996FapjBJfHpr DlH1kFHiec9KoAQHB5uAgcSFO3kgNSICuhL3W76D1TMLKEuc33WEDcQWFvCR+HJwGTtEja/E oonTmCFsK4k1S4+ygNgsAioSU1bcBqvhFYiR2LXpNzvErgmMEgumd7KCJDgFYiXWTdoA1swo ICbx/dQaJohl4hK3nsxngvhTQGLJnvPMELaoxMvH/1gh6mMlfrY8YISIK0isXN3PDmHLSlya 3w0V95X4t6iTBWSxhMBNRolr85+yQCS0JLrezYKypSQWnv/CDlG0Xlhi6s8WNohEtkTvjRYm UKhICMhI/DwiAxFewyZx4xXzBEbdWUhuhbDzJXY0/gKzeQUEJU7OfMIyC6ibWUBTYv0ufYgS RYkp3Q/ZIWwNidY5c9mRxRcwsq9iVCgpLS7OLcktSUwsyDQw1CuuzE0GEYnAdJSsl5yfu4kR nJKcJXYw7vvjc4hRgINRiYc3Iq8pRog1sQyo8hCjNAeLkjhvQOSXaCGB9MSS1OzU1ILUovii 0pzU4kOMTBycUg2Mk1WkDGY1Z0x5z1Gp5KPpEJdae9xwkge3uuz8Xxu1BMTlY/dYKPzhv6RT 8TXCu7gldsGt1gpmv4Za9amGczNNoru+BZzcLXJLtSP32d6/nivm/Jk7c84MbhaFUFd2fw2Z dU4ttaeff5Rz6qlXejG5PGj/6gvLzGW+Zy6quGq67dXJHtcHXycrsRRnJBpqMRcVJwIAj/cz 7SoDAAA=
X-CFilter-Loop: TUS03
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/34ElF1rIZlWEaqUW-ImhzaHzrg4>
Subject: Re: [Teep] Security domain default 1-to-1 mapping to a TA proposal in TEEP
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 15:39:18 -0000

Thanks Andy, will follow up updates on the github, Ming

Sent from iPhone

________________________________
From: Andrew Atyeo <andrew.atyeo@intercede.com>
Sent: Friday, March 8, 2019 1:42 AM
To: Mingliang Pei
Cc: teep@ietf.org
Subject: RE: Security domain default 1-to-1 mapping to a TA proposal in TEEP

Hi,
I have updated the github issue with my comments
https://github.com/ietf-teep/architecture/issues/7<https://clicktime.symantec.com/3DtasvM638D48u9sEW2edx47Vc?u=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F7>

basically I understand that there are some deployment types that might prefer a simpler approach, but I want to make sure that we know what would be ‘lost’ by not having a SD that is created separately. It might be that for some deployments the loss is no problem, or it might be that there could be alternative ways to give the same functionality but without need for a separate createSD that are worth exploring.
The github issue (link above) hopefully explains this better.

Regards,

Andrew Atyeo
Security Architect
Intercede
Digital trust    people ǀ devices ǀ apps
Office: +44 (0) 1455 558 111
www.intercede.com<https://clicktime.symantec.com/3Gqczp4aRiNtTy5rmhmPUeK7Vc?u=https%3A%2F%2Fwww.intercede.com%2F>
Legal Disclaimer <https://clicktime.symantec.com/3NQrLHmW1wfB1dzjQvLeV5f7Vc?u=https%3A%2F%2Fwww.intercede.com%2Fprivacy-cookies>
From: Mingliang Pei <Mingliang_Pei@symantec.com>
Sent: 08 March 2019 02:00
To: Andrew Atyeo <Andrew.Atyeo@intercede.com>
Cc: teep@ietf.org
Subject: Security domain default 1-to-1 mapping to a TA proposal in TEEP

Hi Andy,

We are working on to close this issue #7: clarifying meaning of Security Domain (SD)

https://github.com/ietf-teep/architecture/issues/7<https://clicktime.symantec.com/3DtasvM638D48u9sEW2edx47Vc?u=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F7>

We want to simplify it, and propose to create a SD per TA by default, without completely removing the SD for some existing use cases. It will be good to also have your input on the implications, considering you have more involved in this with a prior OTrP TAM POC implementation. Could you review the issue, and provide comments there?

Here is a quick recap on some discussion reasonings.

Historically we consider Security Domain as a first class entity in TEEP (OTrP). There have been some desires to simplify it, or not require it in the TEEP architecture as some use cases don’t use it as much as potential IoT use cases. On the other hand, we know that existing TEE implementations and other secure element related practices uses SD to isolate and associate protection boundary. There was some resource constraints on number of SDs that can be allocated in a TEE device.

To achieve broad support of both worlds, we consider to move to an “implicit” model as follows:


  *   One SD is created per TA when a TA is going to installed. This allows creation of TA without going through explicit SD creation and so on.
  *   The prior deletion of SD will delete all TAs within the same SD. Now each TA will be required to be explicitly deleted.

Thanks,

Ming

v2.23.0 | Report a Bug | By Email