[Teep] Review of draft-ietf-teep-architecture-08
Russ Housley <housley@vigilsec.com> Fri, 17 April 2020 20:35 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC933A1430 for <teep@ietfa.amsl.com>; Fri, 17 Apr 2020 13:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIfAO0IbHYWx for <teep@ietfa.amsl.com>; Fri, 17 Apr 2020 13:34:59 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E2B03A143A for <teep@ietf.org>; Fri, 17 Apr 2020 13:33:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 29791300B3E for <teep@ietf.org>; Fri, 17 Apr 2020 16:33:50 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id TLpv9Fabz-Yj for <teep@ietf.org>; Fri, 17 Apr 2020 16:33:48 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 270B4300ABE for <teep@ietf.org>; Fri, 17 Apr 2020 16:33:48 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Message-Id: <218509BB-AD51-4F29-8904-2BD5D4AF663D@vigilsec.com>
Date: Fri, 17 Apr 2020 16:33:49 -0400
To: teep <teep@ietf.org>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/59LKvGR0kivZUK6Rol5Rx4kmZuI>
Subject: [Teep] Review of draft-ietf-teep-architecture-08
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 20:35:07 -0000
On the last TEEP call, I agreed to review the TEEP Architecture document. Here are my comments and questions.
1) Section 1 says:
Typically, application components are chosen to execute inside a TEE
because those application components perform security sensitive
operations or operate on sensitive data.
Recognizing that this is the introduction, I was wondering if you could provide a bit more explanation here. Earlier in the paragraph, the document offers an example of a banking application. There would be components of such and application that are trusted, and other components would be untrusted. This concept is described, but the coupling to make a complete application could be more explicit to prepare the reader for the detail that is coming. Within such an application, it would be good to offer an example of a security sensitive operations and a separate example of operating on sensitive data.
2) Section 1 says:
To simplify the life of TA developers interacting with TAs in a TEE,
an interoperable protocol for managing TAs running in different TEEs
of various devices is needed.
This feels incomplete to me. Making sure that compatible trusted and untrusted components of an application are installed on the same device is vital when they are not bundled.
3) Section 1 offers:
- A TA developer wants to remove a confidential TA from a device's
TEE if the TA developer is no longer offering such TAs or the TAs
are being revoked from a particular user (or device). For
example, if a subscription or contract for a particular service
has expired, or a payment by the user has not been completed or
has been rescinded.
This implies that the TA developer has some of the privileges that I associate with the TAM. Yes, I see the note at the end of the bullets, but I think this is an indication that the privileges are not quite right for these roles. Also, if I was writing a TA for a subscription, I would have the TA perform some form of payment checking, and then refuse to decrypt the content if the payment checking fails. Perhaps the REE passes a signed proof of payment. This way, the TA developer does not need to actually have permission to remove a TA. Further, if the TA is on a multi-user device, removing the TA would adversely impact other users.
4) Section 2 says:
- Untrusted Application: An application running in a Rich Execution
Environment.
For alignment with the definition of a TA and te terms used in section 1, I think this should say:
- Untrusted Application: An application component that runs in a
REE.
It is also useful to indicate that the Untrusted Application may be dependent on one or more TAs.
5) Section 3.3 talks about the Internet of Things. It does not talk about the billions of devices being used to mount DDoS attacks. Can it cover that too? Without putting the network interface inside the TEE, I'm skeptical there is a solution.
6) Section 3.4 talks about Confidential Cloud Computing. Can something be said in Section 4.4.1 to make this less abstract?
7) Section 4.1 defines CA incorrectly. A CA is not "Certificate-based credentials". A CA issues certificates, and the certificates are then used for authentication and cryptographic key management. This bullet should begin: "A CA is ..." to follow the pattern of the other bullets.
8) Section 4.3 introduces the term "TA software author" and "TA signer." I hope we ca pick one. Please add the term that is chosen to Section 2.
9) Section 4.4 should require support for both confidentiality and integrity protection.
10) Should GlobalPlatform be added to Section 4.4.1?
11) Section 4.5 uses the term "TA binary signers" and "TA signer". Please see comment 8 above.
12) Section 5 says: "... encrypted with the TAM public key ...". This is not correct. The TAM public key is used to establish the key that is then used for encryption and decryption. Further the wording is aimed at RSA, which is a key transport algorithm. Please make the wording accommodate key transport and key agreement approaches.
13) Section 5.1 says that a TAM obtains "a TAM certificate from a CA"; however, Section 1 said that a trust anchor could be a raw public key. Can the TAM use the raw trust anchor key directly?
14) Section 5.2 and Section 5.3 should allow signatures to be directly by the trust anchor. The current working requires a certification path.
15) Section 5.4 says that "self-signed certificates" are allowed. I think this is the same as allowing signatures to be directly by the trust anchor. Please consider this comment in conjunction with comment 13 above.
16) Section 7 says that there are "different attestation algorithms". Does this mean different set of claims? Please be more clear here.
17) I think the discussion about "assumptions" would be better written as things that need to be considered when assessing the degree of confidence in the claim by the TEE,
18) Section 18: Asymmetric algorithms are also used to manage the symmetric keys. Symmetric algorithms are also used for data integrity.
19) Section 9.4: Please expand this discussion to cover compromised trust anchors and compromised intermediate CAs.
20) Section 9.7: You may want to point to Section 4.1.2.5 of RFC 5280, which tells how to make a device certificate that never expires.
21) Please add references for SGX and TrustZone, adding the citations in the body as appropriate.
22) Nits:
Section 3.1: s/trust about the hosting device/trust in the hosting device/
Section 3.1: s/unlocking the phone/unlocking the device/
Section 4.1: s/certificate/certificate [RFC5280]/
Section 4.2: s/Rich Execution Environment/REE/ (several places)
Section 4.5: s/and TA signer verification/and TA signature verification/
Section 4.5: s/nnetwork/network/
Section 5: s/chains up to some CA/chains up to some trust anchor/
Section 5: s/Figure 4: Keys/Figure 4: Signature Keys/
Section 7: s/different standards for/require different degrees of confidence in/
Section 8, sentence 1: s/algorithm suite/cryptographic algorithm suite/
Section 9.8: s/public key of the TEE that it can use to encrypt/public key of the TEE to establish a symmetric key for encryption/
- [Teep] Review of draft-ietf-teep-architecture-08 Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Hannes Tschofenig
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Dave Thaler