Re: [Teep] AD review of draft-ietf-teep-otrp-over-http-12
Dave Thaler <dthaler@microsoft.com> Mon, 28 February 2022 22:59 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 999C23A16AB; Mon, 28 Feb 2022 14:59:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XpZiu_sjlTXq; Mon, 28 Feb 2022 14:59:12 -0800 (PST)
Received: from NAM04-MW2-obe.outbound.protection.outlook.com (mail-mw2nam08on20714.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e8c::714]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC6B43A16A9; Mon, 28 Feb 2022 14:59:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=K6BF54KTTLvpBnwHgpm3Ftr2ZlI7KAQ9R9P1MukcVAuP/l2AN7wFMONxikLtfpL0/ycEfF10l/+Dgp6C+isqmbg0voEeHJnxiLZXXebdT05nG5Ip9YxIF/SFq8Ebjynoj9/mpJSM95fpOXilko+8KPOfhqNQmo74IyA4V2QmBQPpApzuvyjsE4lxyJ/ud8a9ldGj7+p+4UmrW3UCm79yl9P/MweCbdDicM1o6tdagSRYOUedzAOzJQdDCUKW13e4SSvWDrdCSx/7VHuyhBm9sXOcN01Sw302X7kzdPtqO+fdFmxJliAdlLoNE750m+L5iQEBR2b39QRp35XITYvXag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wNxLdlZgolH7WW+SpD7pNCBwpUd1jAdpZByH3qlGtfA=; b=dQpZoE/+8ElSPC3cbjNZiu0OWVUHf8ONRY+zqu5mmx9FXMMUoAmtEnFJNlTmrml7zC8fh3napGc0qFdtHu0HJjE3x3mMfOwJ8XTTKDmG+4jaX6rUKmXkLu773Dsv37ETjqS913093nd8zJ4lZ6G1SoFtE7garkQqWtyKrCcup85RJ3BczZXqxymIwhn9mksOhZNyNs0vbyHVaCK2XJ7o9JxP30dvK/up6+w0SV6T73AVR6LlIYJRkKjpT52t0BSQSLy1xgeonqFwWrWJmDC7Zku85ZqAw/iY6+BF8H7o/mfNlIt8nclDkjn4C0d1jj23SHOlg86fnKF7o9Qx2Jmh8g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wNxLdlZgolH7WW+SpD7pNCBwpUd1jAdpZByH3qlGtfA=; b=Yr9kgzWgveGTWRd7DKmHX4T959RPlh5ZhkZO8fdq9dDHtQPC+Qf5IgnPCM8tPivsKgXVGld4GAcbmUlp0bPJx7VCdkzL9Uw0GS46AVTFRBtx9MyxB3DrTIkjTVLLdeR2ES3AW38Huf+ygFq7L3G0J3obrq7Lh/VZDUMrxkURBN0=
Received: from MN2PR21MB1470.namprd21.prod.outlook.com (2603:10b6:208:20d::7) by MN2PR21MB1375.namprd21.prod.outlook.com (2603:10b6:208:a6::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5061.1; Mon, 28 Feb 2022 22:59:04 +0000
Received: from MN2PR21MB1470.namprd21.prod.outlook.com ([fe80::359f:6a94:6c3c:2ee2]) by MN2PR21MB1470.namprd21.prod.outlook.com ([fe80::359f:6a94:6c3c:2ee2%7]) with mapi id 15.20.5061.003; Mon, 28 Feb 2022 22:59:03 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-teep-otrp-over-http.all@ietf.org" <draft-ietf-teep-otrp-over-http.all@ietf.org>
CC: "teep@ietf.org" <teep@ietf.org>
Thread-Topic: AD review of draft-ietf-teep-otrp-over-http-12
Thread-Index: AQHYBAGzqnbfmELl5kKsKG8qGnavHKyp4Eaw
Date: Mon, 28 Feb 2022 22:59:03 +0000
Message-ID: <MN2PR21MB1470275892DF8B03005CD025A3019@MN2PR21MB1470.namprd21.prod.outlook.com>
References: <20220107200334.GQ11486@mit.edu>
In-Reply-To: <20220107200334.GQ11486@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=e2f0dafc-1fb7-4b67-898a-2c5f35811e94; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-02-28T22:40:10Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e2a7d15a-0d49-41d9-011b-08d9fb0deaa4
x-ms-traffictypediagnostic: MN2PR21MB1375:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <MN2PR21MB137513D7E930F63709DFED9AA3019@MN2PR21MB1375.namprd21.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: NBW6JaQnGKUtQBhBh4rCO0kwZkVPXMXr6K/+KGOnZMvOPJoYWWaGijBeDf2XXtLRoNhI6eE6gw9kEuLg0yq99cUB79dxNjrPJuRT9U0/vACw7iNAnZbQuvWbk3P4bCyGHbs6CRX1WPnrpF376onm8yYLAqZo79HM1DGwI9SxZk15gLuEZ4yO6rGC5Q4Vrf8ML8gjveSolcch8UdeHnjzk31RTJ0CcPTjBLkwo29u8XrnUqDyr9S9OCFiNzftvoLSCmRsPpN4DCg/BQ1vLBgTm3OGN9YWK6u/Q+Qk19j2nUjeY9SgQM3I+2BVfsHXpiN0AghRuJlC5oxZhTirAU42iJISK53PvMIK2KPCJpXFlhT4ia+ewTy5p5XIXry79Hu0H2Cy9UBRJEV7tL8KU62yvSkhtydzufFPEO4fTU99OZJbBKAMPYiii3a1ZbQ2tTcOBSoR4q/hfM5atlhu/rHCP49+FkZWwzjkhi+sl1oQK3dR3WWdiXlAg4bgvffFqNy3ogGfaxaGMOeg6EqrEgJuNKTzcHOjC3+1C7E7VHVWs/u7R5WzxotCDp3BXTYei8xuz8lndeDw5xX1KR0vH/eWG75XJp1QriJNF0CA7LNV/SSN/IoI8R7NzDx/N+6mmwA8UyZ2wCCJTjoIQLQTSB9b+reSQAvWTPxAosAdBTcRc20JufZzoCB9mHB2oQLMWOcsjfucPK17EJ+t5v9CkqLcdfOsbZmxM3IUcevxcfLN72wE8DJk49e7RzZXd4CbUFDerO+mNz5SMpha9/zE1cQaw2Z2320AAvL9jm4qOy7w6ig6llE5mh+oQe1U+/jhJh/4YDQEERxmjp4EPsxoa/UlRKn4PtcJxCHVzHTfBhp4vsHpWYJ4aRLpkGO7jzhqCStX
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR21MB1470.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(508600001)(2906002)(38100700002)(64756008)(38070700005)(10290500003)(83380400001)(6506007)(5660300002)(86362001)(82960400001)(76116006)(122000001)(66476007)(66446008)(166002)(8676002)(71200400001)(110136005)(8990500004)(55016003)(82950400001)(4326008)(33656002)(186003)(7696005)(9686003)(316002)(53546011)(966005)(8936002)(66946007)(66556008)(30864003)(52536014); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: OEwPQh1gLVzTGgnoT5FqPP5c4l86RQpQj3W5urgogqf+idbl0YxHoZ1VN6dpvArC+NREVmj0xFZuZEm+GtaY713DesXHmrD6Q0yEJQ0i2BcXG2i3c+emlYfuiqwU59Fo4J3bk0Ql/dzH46D5N1uVhdqZz+VcdXPnm3nXQb9/MRt8lzPM6jGwTpeNd4WRA+IXMzIShv8MpooxFtOvxY1o0o+00VSHWxJ5Oxjz2h8cw0z0EnZCcOYQBBBkFe6ZzTqfKusoAEijQ/Dmeys0a6PXrLGEFT3k+n1Xyat7czsEnWsp4B0QeFQn4bQUaZ97xmnvJs7zY9pGMidBeXHiDjeQ6iU8DY0E8/vbj1ij+tDCOF6kJNLCQk6ro5xFPY77/leavlWaHh5IZ+2p+sC289aL6sCAQTBszyvnp90uWvfX9d8eFBRnU+YH1fGfUlPYuAeX4m8oKbVDnbtwpMyt1KeeemAgwKW5qYfsz8FB11xeYGQgIOhnvPcWBs2Kvk5Uk95xRms7l0/9MqCjJ+OWlQvs1/CRRMAPD6xL5EEV8qhKfhGFAKc6MXjDAy2pt0EsHeJS9FGHmNjpx/rUcdonWAafNgkMeVHrgYg96yASJAhE9dSfmeos5awaAsAY7+e6qMEioeO/SS0Nb8puG5b45Um6/6oCElZy0jLoBpj/k1LlNiCeKcODM44J/WiDK2ljy7f/meKBoYYuWNulBhx4OwK+Oq7GxK0+PVF/9TQxDV2Lmnqtbrmk6mqGOGfzN4umVYdQFrgo8RoPdmcwJsoZobyirtofvMTdGBvu05uIIw3AzhTZU1v8PLrBaivBgg/d2YmSbJpGrH20BeLkA1m7WQOwri2O+bDeaC970NzdC9g6k3VjDTDeno09YD5ShG9hie97VPDpmk/uC2Av0hLkVPMsemhJ9YbIYouOLj89+pmeEJ9CENLvc7HYtoWe3eYS/J/s6q5kZf7fS0PynSGxY8kTx1yBTV96wUMKfqIox53L3XU2dKCPdxtwN6tg2unulca28fRShks+9kzCDY+2iJDx+pATsiN6YPKDvq/x6JxW+3avtO4MF6mbMWiyBFIuIOHPcAiIRd51LzezABSFP23+MfUMwkeDfNuwvYJ9zVjqQEMLjdauqrOEVsa6xb/cGPEoTgeB/DHcSMo+RoKVwHa8ZLnGCcMm4R9Yr8JDTpwogrDne3giacVL7ihMQK++gzlGG/4gtSYzlgetzk4/CLzzTcGd68K6INtWNGdOwT3mm2tb8gUcCry997tSknjcQ4NH9yCvms8hnibfk4dAS4m7txPvIWzec/eEAI0gfMhPxk2LnRVdtELea3tzQMOGBttzymLDBFJ7olnAACjM4u5PXmh5v2pZvQ2gfzVcRCe7yhBrkk+1oz+BbtO4/Mah6b8VOfxu+e3Hx7dXyBF+rq/QVtTlz+FLynHG7WqHOPYt0H59aakxUJH9I/FxnomOThAuFbuctJnxLArnCyaJLBap3EUa06AF/rUcwVNhNMoaYA1y8wyW/G7WO3oMDflNjBH9uy9IobEbChbXzI4v2/wl1Q==
Content-Type: multipart/alternative; boundary="_000_MN2PR21MB1470275892DF8B03005CD025A3019MN2PR21MB1470namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR21MB1470.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e2a7d15a-0d49-41d9-011b-08d9fb0deaa4
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Feb 2022 22:59:03.8299 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PQPqkYaOflj0vZjVlFCdZec1O5vJjpkK1Efk83I6aFQn34tN1ZqDl1FCsL7o3i+ArUEaniIf4XsSKpfuMJ83irEjvKBUYj0d8/mqK8etF8s=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR21MB1375
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/DW_H2BsPNVdtIkdk64d7cbL6zYg>
Subject: Re: [Teep] AD review of draft-ietf-teep-otrp-over-http-12
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2022 22:59:17 -0000
I've updated the transport document and will post -13 shortly. See responses below with [DT]. -----Original Message----- From: Benjamin Kaduk <kaduk@mit.edu> Sent: Friday, January 7, 2022 12:04 PM To: draft-ietf-teep-otrp-over-http.all@ietf.org Cc: teep@ietf.org Subject: AD review of draft-ietf-teep-otrp-over-http-12 This is also in good shape, modulo §5.2, and will want a new I-D before IETF Last Call. -Ben It's possible that some of these topics might be more properly addressed in the architecture doc than here; I didn't put a huge amount of thought into that division, and trust that the author overlap will help make the right thing happen. I put some editorial nits in https://github.com/ietf-teep/otrp-over-http/pull/34 [DT] PR merged. Thanks! Section 4 When HTTPS is used, clients MUST use the procedures detailed in Section 6 of [RFC6125] to verify the authenticity of the server. See The RFC 6125 procedures rely on the consuming specification to provide a couple more inputs to the procedure. In particular, the client needs to have a list of acceptable reference identifiers, and protocols using the RFC 6125 procedures usually will say that the client needs to match against a particular type of name (I would expect DNS-ID here), and how to obtain the specific name to use for a given interaction. In this case, the DNS-ID would probably be obtained from the authority component of the TAM URI ... which is basically the same procedure described in https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-semantics#section-4.3.4. So we might consider using that as the primary reference, mentioning that it incorporates the RFC 6125 procedures but not directly incorporating the RFC 6125 procedures ourselves. [DT] Replaced reference to 6125 with reference you mentioned which is already in the RFC editors queue. After reading the text, I didn’t see a need to specifically mention it incorporates the 6125 procedures since that is obvious by following the reference and there’s no text in our doc that would make one look for 6125 discussion elsewhere in the doc. [BCP195] for additional TLS recommendations and [RFC7925] for TLS recommendations related to IoT devices. I note that both RFC 6125 and RFC 7525 (BCP 195) have active "bis" drafts in UTA. If I remember correctly, some of the 6125bis changes are "big", but even so, we would likely want to pull in the updated versions if they are available by the time we are ready for publication, with the caveat that if we defer to httpbis-semantics, that would take precedence. (Since we'll be waiting for draft-ietf-teep-protocol, it's a little hard to predict exactly when that will be.) [DT] No change, since they’re only drafts. But we can pull in later if they are available before draft-ietf-teep-protocol is done, as you mention. Section 5.1.1 If the TEEP Agent passes back a TAM URI with no message buffer, the TEEP/HTTP Client attempts to create session state, then sends an HTTP(S) POST to the TAM URI with an Accept header with the TEEP media type requested, and an empty body. [...] I'm having a bit of trouble around "with the TEEP media type requested", as it seems to imply that the TEEP Agent has requested a specific media type, and that media type request needs to be propagated through to the TAM. But in the previous section we only talked about a TAM URI being passed back, not a TAM URI and some other (meta)data. This makes me wonder if we're just saying "populate the Accept header field with the single media type application/teep+cbor", since that's the single defined media type for TEEP. But elsewhere in the document we seem to be careful about providing flexibility about what media type is in use. [DT] The wording around media types was a holdover from when draft-ietf-teep-protocol included multiple ones (JSON vs CBOR). Now that it only has one, I have updated the text throughout the transport spec to just reference “the” media type defined by the protocol spec. Section 5.2 This section overall seems kind of incohesive. It's supposed to be about what to do when an application tells a broker that a previously installed TA is not needed anymore; an "uninstall request", as it were. But then we go on to say: * Optionally, any requirements that may affect the choice of TEE, if multiple are available to the TEEP Broker. and When a TEEP Broker receives such a notification, it first identifies in an implementation-dependent way which TEE (if any) is appropriate based on the constraints expressed, as in Section 5.1. that talk about picking a TEE in the same way we would for an installation, as if there is no advance knowledge that the TA is already installed in some specific TEE. Now, it may not be feasible for the broker to track state on which TA is installed in which TEE at behest of which rich application, so we probably can't just say "use the TEE that had this TA installed due the request of this rich application", but we could frame the discussion to acknowledge that there *is* some single TEE that has the copy of the TA that we're trying to uninstall, and we're trying to use as reliable a procedure as possible to direct the uninstall-request to the right TEE. So, instead of the above, we might refer to any requirements "that would have affected the choice of TEE to originally install the TA into" and having the broker identify "which TEE is believed to contain the TA in need of uninstallation". [DT] Updated text as suggested. The TEEP/HTTP Client then informs the TEEP Agent in that TEE by invoking an appropriate "UnrequestTA" API that identifies the unneeded TA. The TEEP/HTTP Client need not know whether the TEE actually has the TA installed. We also jumped from the TEEP Broker to the TEEP/HTTP Client, here, whereas in §5.1 we had the Broker delegate the action to "the TEEP/HTTP Client for that TEE". We should probably have a similar transition in this section. [DT] Updated text as suggested. The TEEP Agent will either (a) pass no data back, (b) pass back a TAM URI to connect to, or (c) pass back a message buffer and TAM URI to send it to. The TAM URI passed back may or may not be the same as the TAM URI, if any, provided by the TEEP/HTTP Client, depending on the TEEP Agent's configuration. If they differ, the TEEP/HTTP Client MUST use the TAM URI passed back. This looks like just a copy/paste of the text from §5.1 ... but we didn't mention the possibility of getting a TAM URI from the application installer in this section, so (b) feels out of place without such a previous lead-in. [DT] Updated, added such a previous lead-in for consistency. Processing then continues as in Section 5.1.1. I might consider (but might not end up actually) mentioning here that we still have to create session state even for the UnrequestTA action, since the session state relates to an ongoing/active TEEP Agent/TAM exchange, and is not persistent during normal TA operation. [DT] Ok I considered and didn’t end up actually mentioning it 😊 My opinion is that the text is already clear enough and since you figured out the correct meaning and suggested you might not mention it either, I didn’t do so. Section 5.3 When a TEEP Agent passes a message buffer (and TAM URI) to a TEEP/ HTTP Client, the TEEP/HTTP Client MUST do the following, using the TEEP/HTTP Client's session state associated with its API call to the TEEP Agent. As written, this only covers case (c), but I'm inferring that we intend for it to also cover case (b). In order to cover case (b) as well as case (c), we'd need to not require that a message buffer is passed back (or at least, clarify that this buffer might be empty), and could instead talk about the client having an outstanding HTTP request (which might entail pushing the construction of the request back into an earlier section in the "got a message buffer" case). [DT] Updated section heading and text so that it is more clear that it does cover both (b) and (c). The TEEP/HTTP Client sends an HTTP POST request to the TAM URI with Accept and Content-Type headers with the TEEP media type in use, and a body containing the TEEP message buffer provided by the TEEP Agent. The HTTP request is then associated with the TEEP/HTTP Client's session state. The Content-Type requirement is already in place for responses due to the text in §4. It seems like we might incorporate the requirements on HTTP requests into that section (which, after all, is "Use of HTTP as a Transport") and avoid repeating them here. [DT] No change, since I think the repeating is helpful to implementers and you only said “might” so sounded like you didn’t feel strongly. Will reconsider if others complain during IETF Last Call. Section 5.6 If any HTTP request results in an HTTP error response or a lower layer error (e.g., network unreachable), the TEEP/HTTP Client calls the TEEP Agent's "ProcessError" API, and then deletes its session state and informs its caller of a failure. The lower-layer errors are often very unauthenticated (e.g., ICMP), and in some scenarios we see guidance to not act on such signals *immediately*, to give a competing successful response a chance to arrive. But I'm okay classifying such behavior as "quality of implementation" and leaving this text unchanged. [DT] Yes. No change, which you said you’re okay with too. Section 6 It seems like there needs to be some out-of-band agreement between TAM and TEEP/HTTP server as to what media type(s) are supported. That is probably worth mentioning somewhere, though I'm not sure if this is quite the best place to do so. [DT] As in my response earlier above, the TEEP protocol now only has 1, so updated text here accordingly. No out-of-band agreement is needed now. Section 6.1 If the TAM does not receive the appropriate Content-Type header fields, the TAM SHOULD fail the request, returning a 415 Unsupported Media Type response. Similarly, if an appropriate Accept header Media Type response. Similarly, if an appropriate Accept header field is not present, the TAM SHOULD fail the request with an appropriate error response. [...] I just want to confirm that "SHOULD" is the right requirements level here. I do see that §4.13 of BCP56bis only indicates a need to require *clients* to fail on the wrong Content-Type, and this section applies to the server, so we may not want/need to have a hard requirement. [DT] It is the right requirements level. BCP56bis doesn’t require it so it’s not a MUST, but the WG believes it is useful to prevent bugs and encourage interoperability so leaving it as SHOULD which passed WGLC. When an HTTP POST request is received with an empty body, the TEEP/ HTTP Server invokes the TAM's "ProcessConnect" API. The TAM will then pass back a (possibly empty) message buffer. I'm a little confused at when the resulting message buffer would be empty, as the ProcessConnect API appears to exist in order to create a session so that TEEP Agent and TAM can communicate. At this point we don't have any information at all about which TEEP Agent is initiating the session, and thus it seems premature to make a conclusion that this TAM has nothing further to say to that TEEP Agent. Would the empty buffer only result in an error or execption case, e.g., if the TAM was shutting down? (I recall that the empty buffer will be treated by the TEEP/HTTP Client as a signal to destroy session state and make not further requests to that TAM.) [DT] It can never be empty in that case (draft-ietf-teep-protocol section 6 says the TEEP Agent will always send a QueryRequest message), so updated text to remove the “possibly empty” phrase. Section 8 A few more topics that we might want to cover in these security considerations: Part of the design/requirements is a periodic check for policy changes (§5.5); the listed options here all seem to place the Broker or TEEP/HTTP client in the critical path for the policy-check workflow. Since these are (to some extent) untrusted components, we could talk about the possibility for the periodic policy check to be missed, what risks that exposes the TEE/TAs to, and perhaps mention that there are countermeasures available to the TEEP Agent (with caveat that a "dead-man's switch" would give no service rather than vulnerable service and be subject to DoS attack). Similarly, the Broker as an untrusted component is involved in the mechanics of installing new TAs. It might be worth reiterating that the authority for what TAs are running in a given TEE is assigned amongst the TEEP Agent and the TAM, and while the Broker can in effect "make suggestions", it doesn't actually decide or enforce what runs where. (Modulo the ever-present DoS risk, of course.) In contrast to the previous point, the Broker does seem to have full control over which TEE a given installation request is directed at, and there might be some security considerations relating to how the broker picks amonst multiple TEEs to try to use. The authorization model for the UnrequestTA operation is quite weak, with essentially any untrusted application in the rich execution environment being able to request the operation. We might be able to do something vaguely like a "capability URL" where the "unique identifier of the TA" is hard to guess and acts as a bearer token, but I don't think the architecture allows anything better. I don't have a great sense for what countermeasures are available to respond to a (successful) malicious UnrequestTA operation; the main thing that comes to mind is to have the application in the rich execution environment that still needs the TA to notice its absence and request it back, but there are probably others, possibly even within the TEEP Agent or TAM. [DT] Agree these are good considerations, but going back to your comment at the top I think these are best addressed in the architecture document since they are really independent of what the transport protocol is and we may have others in the future (like where HTTPS is in the opposite direction, TAM-to-TEEP Agent). So I’ve added them there, and a sentence here that points to the TEEP architecture security considerations section. See https://github.com/ietf-teep/architecture/pull/232 for the additions to the architecture document. Dave
- [Teep] AD review of draft-ietf-teep-otrp-over-htt… Benjamin Kaduk
- Re: [Teep] AD review of draft-ietf-teep-otrp-over… Dave Thaler