Re: [Teep] Review of draft-ietf-teep-architecture-12
Dave Thaler <dthaler@microsoft.com> Tue, 28 July 2020 12:03 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81FDF3A0BAE for <teep@ietfa.amsl.com>; Tue, 28 Jul 2020 05:03:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZgxRDbxdU_n for <teep@ietfa.amsl.com>; Tue, 28 Jul 2020 05:03:44 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2139.outbound.protection.outlook.com [40.107.236.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 767363A0BAB for <teep@ietf.org>; Tue, 28 Jul 2020 05:03:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Vi84ezjrlpyAmjDokdvnXV8XG6cjgL3waeduPTcIx76Pl00nyD/HS5glqL6gmnSyAdypTNxOqQwBrH2YWoQatk5gnHjq/G8rWVCrEb7uybHEun7bfOyR4fZ8598mf4OlZWMziK3AKvAPAlp3SpbQ9usx2R91SICoWfxJpsOIesK9v81L3kmM2mTrlPco6DfdcGmz77hKLIaAJZ5syt5PLQG8KnqQesmwkUVHRyJWA7hMc+RQ4XvCUKXOwL2KnyIY83GoNJcCntX/J7eIRp3azz75DWmwL6yRETQBAPZchkgdciRIg0n63+D1GEL6urPJnu05hwBO7YSuylsOF6skVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=218if4X3PgKxIqKZ7xYsKSuoV0o80ro6jnRt5rHivO4=; b=jmfGRgn58zBWfz3GRJWm/XlhzxROz9NKMsKt0ILTbduqLuvvDIh+Jq/w6xZHZZRlzunZcSRIHABeI0/IN43xfjCErQfK+ThtOM/SeZBK1h1yisYk2RHrxFev0I7WogX5Khfz3EbHWi6kRSnmMH8wyKfj49JUrFEiQO6/TETnBr1giK+vOHEj8+r/V+AHERaKsj149cuy0kJJOgp276xvy9UebSYqnQUKKRAHsLpKbSMk5s2Hf9Oy4O7pFR5OxvAH+d4Sl/Yao81iSm1+9gOn9k6W9JOfBDEazuq6JvwSv/Ruz/vFFvlIoQZxMC52dGCtdHjXWvMQSN9X9UwNueSMuw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=218if4X3PgKxIqKZ7xYsKSuoV0o80ro6jnRt5rHivO4=; b=WJrZKK2//13t3j0yxPrS8d0k8bHs8MIMYHtyHC46Bd23vk7DVinxKJTSegg7Im+EOAvG3ISjbaI6KPx2MNDWKlGyDR5m+5TtYAjdqz98SKt0kSFPxW9nK93omE5vuj9ZqkaRcXmFznxzjETrhEw+RoKqT3tmVta/Mabe6O1Xk/M=
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com (2603:10b6:207:30::33) by MN2PR21MB1485.namprd21.prod.outlook.com (2603:10b6:208:205::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.1; Tue, 28 Jul 2020 12:03:42 +0000
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::f9ee:91d4:b4ce:9ee4]) by BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::f9ee:91d4:b4ce:9ee4%6]) with mapi id 15.20.3239.016; Tue, 28 Jul 2020 12:03:42 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, teep <teep@ietf.org>
Thread-Topic: [Teep] Review of draft-ietf-teep-architecture-12
Thread-Index: AQHWZE9RSWBnSjdq0kODAsZo565XIqkc5Yxg
Date: Tue, 28 Jul 2020 12:03:42 +0000
Message-ID: <BL0PR2101MB10271C7E74E725D4F225A044A3730@BL0PR2101MB1027.namprd21.prod.outlook.com>
References: <218509BB-AD51-4F29-8904-2BD5D4AF663D@vigilsec.com> <DD33DD2A-83C3-4C9E-BCC4-A104C4ADEA96@vigilsec.com>
In-Reply-To: <DD33DD2A-83C3-4C9E-BCC4-A104C4ADEA96@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-07-28T12:03:42Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=23a9c33d-5347-4333-bf47-e447021adee8; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: vigilsec.com; dkim=none (message not signed) header.d=none; vigilsec.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2601:600:9780:16f0:9438:ccb1:b4a8:f45f]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 85a9ca3a-0f62-44c9-bdee-08d832ee45d2
x-ms-traffictypediagnostic: MN2PR21MB1485:
x-microsoft-antispam-prvs: <MN2PR21MB1485C472E6FDD72D0CF16717A3730@MN2PR21MB1485.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5797;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eHKcIATASAY/x1c+ZpUgZntk70ACBKYHjzkFflaCOBTwP0jG9GN20w7fOiLXUm3TZaeJg1xqwrhiYCJbecsEEVvPTrKBdaBD1r7jPls3hnE+ur51okzocbnEPSoxjBx4K+znUoFyjBnwDH12uIrml5WUyuAyG7dLlVSYVrxh3zZwomwzKpSp/+PuumyBpp9obDGApVSuOrsDgFoy3Bm0sS/Xqdd/sm7tsLfzHUAYJKgCN5QG8YFxF2cm6weUgJcuJNISaUshdIqM5VgLV6KVLuiz5Alu/X1jRG5bFHctq6ehdEAvloaNOtSL5EKtDR5Nj6EV7HCd+ukQB9tcIgNM+u+f3gnlKBK0j0Acvdqtz7Y6CsdJUdGSmLyGisllc8p7bFpxbgU/0n3b2JNjBOe3VA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR2101MB1027.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(396003)(346002)(39860400002)(376002)(136003)(53546011)(5660300002)(33656002)(76116006)(966005)(8990500004)(186003)(478600001)(52536014)(8676002)(83380400001)(316002)(2906002)(9686003)(86362001)(8936002)(55016002)(7696005)(64756008)(66476007)(66946007)(6506007)(66556008)(66446008)(110136005)(10290500003)(66574015)(71200400001)(82950400001)(82960400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: VmZjNFNq21gQBbTykHmbCE22EH8pLVpTXy05EMxKRxmYU4k7NfS+fQX0UCLztw41sP7XqKSkTVgnu83rRPULbMZJiKFfw5ytEcYCSn8J/Z1Ccf9Yg7DD9gzcZDTmPuRc9tfXb5jmvK9NMz2PapvnCqAJZeOBBRO3dUK7pXkVJ26zCYgZsnusd3LyjNXc/BojZWqKAO1ABiHlTKx5AJC4RtnkB2cX4bcqNM9LFGC2VLB+SOh8t2GYx6sONflbIXDFnIc2Q52fNJMLioS/rk1JF7rM8CDhO4zEAkF2HV3mMjQKQEtvTp/KwaXAgHgmDqfYuygRmLpbNp10pfO4NdeV496nsv6OPA1Jl3ugyInPoQl8tXXsRYECjMXZVjzfrln64Xgu++UZlsDr0uU27bagnN95631ct6nmF1znABJLS/lPxGilaBvxw3NqESdtwkcBLurVpCZUFncu5JLz5Va04EuC+htdsBPVSYm/QcS9fwEkSNu6KSKGExUjmOYkSVPhlSugCJ0b51wtWYp+SLJ2CpVh2DHdYKQ85zk2oQ0LDE3OSfUpnl3yma2Mx6kAcs/7XZlyikMaUuet0QkQouJOkuzGn/air5FLGmGDVamoHkfDWT0WoScsgFRaUvxuZr1dUH2St0UtSsDPWLoKo92c/02pKaBkmebodoe4eD79scD+nL4wYfQ5mA9RQpQP4o0gRbU/GM9T5IX1ID1+GewKRA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR2101MB1027.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 85a9ca3a-0f62-44c9-bdee-08d832ee45d2
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2020 12:03:42.6920 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SufQ8waohyFbfR0dwJqJPhT/gGqSrbv2IElVaL6sUqCuPAYbhPk8EHF78/LGmgUrXrJrvcNnTmv4WNGkGi91HNjhivZzNaEiYw/VnTDBNmQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR21MB1485
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/sRWybp80fJ2ATJWyKNQXwsRV9f0>
Subject: Re: [Teep] Review of draft-ietf-teep-architecture-12
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 12:03:47 -0000
Thanks Russ for checking! I've now entered this as issue #206 (https://github.com/ietf-teep/architecture/issues/206). Dave -----Original Message----- From: TEEP <teep-bounces@ietf.org> On Behalf Of Russ Housley Sent: Monday, July 27, 2020 12:51 PM To: teep <teep@ietf.org> Subject: Re: [Teep] Review of draft-ietf-teep-architecture-12 I had previously submitted comments on the -08 version of the document. The following comments from the previous review do not seem to be addressed: > 5) Section 3.3 talks about the Internet of Things. It does not talk about the billions of devices being used to mount DDoS attacks. Can it cover that too? Without putting the network interface inside the TEE, I'm skeptical there is a solution. > > 6) Section 3.4 talks about Confidential Cloud Computing. Can something be said in Section 4.4.1 to make this less abstract? Regarding 6), the original Section 4.4.1 gone, and Section 1 does not seem like a good place to resolve this comment. In the current document structure, I think a sentence or two needs to appear in Section 3.4. In addition, I have a few new comments based on the revised document. Section 2: Since my last review, Raw Public Key was added. Please add [RFC5280] as the reference for a "PKIX certificate". Section 4.1: now says: ... A TA Signer or Device Administrator may run their own TAM, but the devices they wish to manage must include this TAM's public key/certificate [RFC5280], or a certificate it chains up to, in the Trust Anchor Store. The meaning of "/" is unclear. I think it means "or", Please spell it out. Section 5: s/content encryption key/content-encryption key/ Section 9.2: s/provides protection/provide protection/ Section 9.2 says: "... user/tenant ...". Again, I think the slash means "or". Section 9.2 uses the term "payload security". For alignment with Section 5.5, I think it should say "payload encryption". Section 9.4 talks about compromise and expiration. I do not think about expiration as a form of compromise, so I think the title of the section should be expanded. Russ _______________________________________________ TEEP mailing list TEEP@ietf.org https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep&data=02%7C01%7Cdthaler%40microsoft.com%7C786764eb45f742f8b79c08d8326672b9%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637314762885446719&sdata=i15FnuehPc9n8Eo81wvQG3bh9rdooYQIYI%2FocjJ3UsQ%3D&reserved=0
- [Teep] Review of draft-ietf-teep-architecture-08 Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Hannes Tschofenig
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Mingliang Pei
- Re: [Teep] Review of draft-ietf-teep-architecture… Russ Housley
- Re: [Teep] Review of draft-ietf-teep-architecture… Dave Thaler