[Teep] Genart last call review of draft-ietf-teep-otrp-over-http-13

Russ Housley via Datatracker <noreply@ietf.org> Mon, 28 March 2022 17:49 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Russ Housley via Datatracker <noreply@ietf.org>
To: gen-art@ietf.org
Cc: draft-ietf-teep-otrp-over-http.all@ietf.org, last-call@ietf.org, teep@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <164848978367.9339.3663967634701398406@ietfa.amsl.com>
Reply-To: Russ Housley <housley@vigilsec.com>
Date: Mon, 28 Mar 2022 10:49:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/FYTE11liwgEB4_7G8DmEcsec4Hk>
Subject: [Teep] Genart last call review of draft-ietf-teep-otrp-over-http-13

Reviewer: Russ Housley
Review result: Almost Ready

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-teep-otrp-over-http-13
Reviewer: Russ Housley
Review Date: 2022-03-28
IETF LC End Date: 2022-04-07
IESG Telechat date: unknown


Summary: Almost Ready


Major Concerns:

Section 1 says:

   This document specifies the middle layer (TEEP-over-HTTP), whereas
   the top layer (TEEP) is specified in [I-D.ietf-teep-protocol].

I think this should be expanded to provide a reference for the HTTP
layer as well.  Something like:

   TEEP implementations MUST support HTTP [RFC9110].
   
I realize that this document references I-D.ietf-httpbis-semantics,
which talks about HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3, and it says:

   All three major versions of HTTP rely on the semantics defined by
   this document.  They have not obsoleted each other because each one
   has specific benefits and limitations depending on the context of
   use.  Implementations are expected to choose the most appropriate
   transport and messaging syntax for their particular context.

Therefore, it might appropriate for this document to select a version
of HTTP for interoperability.


Minor Concerns:

The Abstract says: "An implementation of this document can (if desired)
run outside of any TEE, but interacts with a TEEP implementation that runs
inside a TEE."  This is a little bit confusing.  I think that it is trying
to say that one oc the TEEP implementations must be running inside the TEE
that is being managed by the TAM, but the TAM side on the protocol does
not need to be implemented in a separate TEE of its own.  I hope that I
got that right.  The most straightforward clarification might be to add
a sentence about the client side of the protocol, TEEP "Agent", runs in the
TEE that is being managed by the TAM.  Please clarify.

Section 8 should be expanded.  In Section 4, the document says:

   However, there may be constrained nodes where code space is an issue.
   [RFC7925] provides TLS profiles that can be used in many constrained
   nodes, but in rare cases the most constrained nodes might need to use
   HTTP without a TLS stack, relying on the end-to-end security provided
   by the TEEP protocol.

Section 8 ought to discuss this a bit more.  That is, when TLS is not
used, what are the additional security considerations?


Nits:

Section 1, s/A fuller discussion of/A more complete discussion of/


IDnits reports:

  -- Possible downref: Normative reference to a draft: ref.
     'I-D.ietf-httpbis-semantics' 

This document will be published on the standards track, so it will not
be a downref.

[Teep] Genart last call review of draft-ietf-teep… Russ Housley via Datatracker
Re: [Teep] Genart last call review of draft-ietf-… Dave Thaler
Re: [Teep] Genart last call review of draft-ietf-… Russ Housley