IETF Logo Mail Archive

Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14)

Anders Rundgren <anders.rundgren.net@gmail.com> Sat, 30 March 2019 06:11 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B0B7120161 for <teep@ietfa.amsl.com>; Fri, 29 Mar 2019 23:11:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9uhNpmtlBG8 for <teep@ietfa.amsl.com>; Fri, 29 Mar 2019 23:11:00 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A569120158 for <teep@ietf.org>; Fri, 29 Mar 2019 23:11:00 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id k17so5091934wrx.10 for <teep@ietf.org>; Fri, 29 Mar 2019 23:11:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=m2yz3xvZhqTNcgnDucBb9q+hAj3S+i1KU+piqIOr8O4=; b=uwmOGom1/cRKZiaNTyi5qY7YZeLSXo9J+BGre8gokupX3UopXO1ekLQDKfIEYVMJn2 yc8XmFVyDypWO/bWqNoY0auUKVSfAdMOYR/kqDXq/mM9Th+6TOPtoN/DNVXjpEXEXhid 3JGHIkE3vItjlnQeIMEXMXZ+utulvT10Marxd6y6g8ekD5xhWG9LvXIGL+A6nI0yJyOg zyAP1+efnMBL4Jrpqk14WMiI9WhcdaBTR3JAW8IHD6tOIhYeEb41pYZQhDR/8wM80dHG t8TSoJBcVttqyDdTQ8K79BxnGpElWSkuQAMLLGepj/i7eqwn5AZIrSDW8d/n1cPvf+5B /e0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=m2yz3xvZhqTNcgnDucBb9q+hAj3S+i1KU+piqIOr8O4=; b=mKqM580y9txDRsQtbGsTsR3DPPqvOllFEjCjDtiJ+6bQ3nfkP5tJbVioDrZg7b2kob QeANRM9MN1RaOWa2vdiG+syYv4DonjfJE2GvB0kESClfTEhbdgK538boKW/HzxwkU1n/ zZnDVp93bFEMlQvsiHtMdyRU0Csih9Dw3IC8jLBMVfUePzVGWxXC009HdlHMVoi87qbL FI1N0SdajVSFRuQdiwlrAQJ9DDKy4CNvANHWZUaMF5RKhlWuLwbeu9M4IV5sJAAWHwn2 kW7vGUdjKT+5l/VBUqO9jnD5ekQ4IjTRqPC7tHbR9WJoTsHJmLMpiOwwhBqtUVaSelVw QUNg==
X-Gm-Message-State: APjAAAXiAbqp4P3SPzrzsguAO8fqokx4Q/n4XwZq4vUCLFcRQPOJxYm+ +FfbrwYoJXTthcGyCbEdZcACuWIV
X-Google-Smtp-Source: APXvYqwREsupVZ/Zjh0oUE38tim8iejHjVcczOldr8W37sXDlaDNHENFvZVBavrgQiERP78xTchQkQ==
X-Received: by 2002:a5d:4b01:: with SMTP id v1mr27172718wrq.48.1553926257905; Fri, 29 Mar 2019 23:10:57 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id x5sm6331499wmi.37.2019.03.29.23.10.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Mar 2019 23:10:56 -0700 (PDT)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, teep <teep@ietf.org>
References: <ietf-teep/OTrP/issues/14@github.com> <CY4PR21MB0168D9DB7A27245D2B5A354FA35A0@CY4PR21MB0168.namprd21.prod.outlook.com> <e361de94-f219-cee7-0aa4-45c3d14e2732@gmail.com>
Message-ID: <f6a98861-d517-d388-939d-b835612a0a35@gmail.com>
Date: Sat, 30 Mar 2019 07:10:51 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <e361de94-f219-cee7-0aa4-45c3d14e2732@gmail.com>
Content-Type: multipart/alternative; boundary="------------D8E9ABBC4424479C4BC709A7"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/NrLdgMApKpst_vV7QVYwcvwof28>
Subject: Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14)
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2019 06:11:04 -0000

A shorter way of expressing the differences is that a mobile phone scenario is a TA pull/download scheme while a cloud scenario seems more like a TA push/upload thing.

Anders

On 2019-03-29 10:37, Anders Rundgren wrote:
> On 2019-03-29 08:45, Dave Thaler wrote:
>>
>> I would suggest we should keep issue discussion on the list, and just use the github comments to summarize.
>>
>
> Fine with me.
>
>> Comments below as an individual participant:
>>
>> *From:*Anders Rundgren <notifications@github.com>
>> *Sent:* Friday, March 29, 2019 8:12 AM
>> *To:* ietf-teep/OTrP <OTrP@noreply.github.com>
>> *Cc:* Subscribed <subscribed@noreply.github.com>
>> *Subject:* [ietf-teep/OTrP] HTTP Bindings (#14)
>>
>> It seems that cloud based TEEs and client based TEEs would work differently (protocol wise) during provisioning, at least when HTTP is used as transport.
>>
>> *Client based TEE*:
>> Request is coming from the client side (outbound) which means that the TAM request data must be delivered in a HTTP /response body/ while the TEE response is delivered in a subsequent HTTP POST request.
>>
>> Correct.
>>
>> *Cloud based TEE*:
>> Request is coming from an outside service in the from of an HTTP POST request while the TEE response is returned in the associated HTTP response body.
>>
>> That’s not how it’s defined right now, it’s defined to work the same as the client based TEE summary above.
>>
>
> I'm aware of that which was the reason for filing this issue.
>
>> This means that the TAM only needs to support one transport protocol mechanism, not two.
>> It also allows the timing to be TEE-driven, i.e., when the TEE actually needs to do attestation or remediation, etc.
>>
>> Do you have any reason it **needs** to be different? I’m not currently aware of one, so prefer simplicity of one mechanism instead of two.
>>
>
> Well, the traditional way of implementing cloud services over HTTP is client-service-to-cloud-service.  I haven't looked into this https://docs.microsoft.com/en-us/azure/key-vault/ <https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli> but I would be surprised if it doesn't work approximately as I described.  If the communication also needs to be asynchronous (highly unlikely), more substantial changes would be needed.
>
> The TEE provisioning API would (hopefully...) not change by offering two variants of HTTP bindings.
>
>> Another difference is that in a cloud based scenario, the requester (TAM) must also be authenticated as a legitimate cloud service account user. This is a part of an HTTP binding scheme as well.
>>
>> In both cases the TEE needs to authenticate the TAM, so I don’t think this is a difference either.
>>
>
> I thought the TEE rather attested its identity etc. to the TAM. In a client scenario (like provisioning mobile phone TAs) the user authenticates to an "App Store" which in turn presumably provides whatever is needed for TAM access.
>
> In a cloud scenario like for a hosted Certificate Authority it is not obvious that there actually is a regular TAM.  Where is it and what would it do?
>
> Cheers,
> Anders
>
>> Dave
>>
>>
>> _______________________________________________
>> TEEP mailing list
>> TEEP@ietf.org
>> https://www.ietf.org/mailman/listinfo/teep
>

v2.23.0 | Report a Bug | By Email