[Teep] Éric Vyncke's Yes on draft-ietf-teep-architecture-18: (with COMMENT)
Éric Vyncke via Datatracker <noreply@ietf.org> Wed, 07 September 2022 14:23 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: teep@ietf.org
Delivered-To: teep@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CF63C15258E; Wed, 7 Sep 2022 07:23:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Éric Vyncke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-teep-architecture@ietf.org, teep-chairs@ietf.org, teep@ietf.org, kondtir@gmail.com, kondtir@gmail.com, mariainesrobles@googlemail.com, rthalley@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 8.15.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Éric Vyncke <evyncke@cisco.com>
Message-ID: <166256061010.48578.13132860451242608214@ietfa.amsl.com>
Date: Wed, 07 Sep 2022 07:23:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/Iqbr0igt3L1G43dVxdBF2JIc8K4>
Subject: [Teep] Éric Vyncke's Yes on draft-ietf-teep-architecture-18: (with COMMENT)
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2022 14:23:30 -0000
Éric Vyncke has entered the following ballot position for draft-ietf-teep-architecture-18: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-teep-architecture/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- # Éric Vyncke, INT AD, comments for draft-ietf-teep-architecture-18 CC @evyncke Thank you for the work put into this document. I really like the approach (except perhaps the role of TEEP broker). Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education). Please note that Ines Robles (iot dir) and Bob Halley (int dir) have also reviewed the I-D at my request (thank you both !). I would appreciate it if you considered their reviews as mine (including replying by email to their reviews): * https://datatracker.ietf.org/doc/review-ietf-teep-architecture-18-iotdir-telechat-robles-2022-09-04/ (esp for her point about RFC 7228 classification) * https://datatracker.ietf.org/doc/review-ietf-teep-architecture-18-intdir-telechat-halley-2022-08-27/ (esp for his point about section 4.1, thanks Ming for your reply) Special thanks to Tiru Reddy for the *one-year old* shepherd's write-up including the WG consensus but missing the justification of the intended status. I hope that this review helps to improve the document, Regards, -éric ## COMMENTS ### Role of TEEP Broker After reading the I-D, I am still a little unclear about the role of the TEEP Broker ? Is it simple a store/forward cache ? I.e., it does not authenticate to any party and does not have any access to any message? If so, it would be nice to say so early in the text (before section 5 when my own penny dropped) and perhaps rename it in 'TEEP relay'. ### Section 1 ``` In a system with multiple TEEs, this also means that code in one TEE cannot be read or tampered with by code in another TEE. ``` Should this rather be `code and data in one TEE` ? To be honest, this is the first time I read 'Rich Execution Environment'; should there be some explanations (shorter than the one in the terminology section)? How different is it from the 'commodity operating system' (used in the paragraph above). ### Section 2 physical only ? `Device: A physical piece of hardware`... I would have guessed that a TEE could exist in a virtual machine provided that the hypervisor offers the same 'physical' security as the HW. I.e., TA in the VM could be 'isolated' from other untrusted app in the same VM. See also section 3.4 and the cloud use case. ### Section 2 no TEE definition ? A lot of terms are nicely and clearly defined, but 'TEE' itself is not defined. ### Section 2 only TA in TEE ? The definition of 'TA' implies that it runs in a TEE, but are there only TA running in TEE ? ### Section 4.1 TEEP broker is not trusted ? Should the TEEP broker itself run in a TEE ? Of course, this is chicken and egg... ### Section 4.1 CA Nothing dramatic, but the role of a CA is explained in the text while there is no CA in fig 1 ### Section 4.4.1 reference Should there be an informative reference about SGX ? ### Section 4.5 wrong direction ? Is the arrow (step 4) in the wrong direction as this is up to the TEEP broker to contact the TAM per previous text? or add a similar text as in step 3. ### Section 5.4 and constrained devices As PKI cert chains can be very long, should there be some text about constrained devices/networks where several kBytes are too many ? Even if only to say 'TEEP is not usable on constrained networks/devices' ? ### Section 9.3 While I do not contest that REE can be compromised, I think that claiming `billions of compromised devices` is too many and should require a reference. ### Section trusting time As PKI relies on correct time information and as some devices relies on NTP, GSM, GNSS, ... time information and as those can be spoofed, should there be a sub-section on time attack ? (this would be a DoS or allowing the use of an old - compromised - TA / trust anchor). ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments
- [Teep] Éric Vyncke's Yes on draft-ietf-teep-archi… Éric Vyncke via Datatracker