[Teep] [Hackathon 2/3] Implementation experience with error handling in TEEP-over-HTTP
Ken Takayama <ken.takayama.ietf@gmail.com> Fri, 13 March 2026 13:05 UTC
Return-Path: <ken.takayama.ietf@gmail.com>
X-Original-To: teep@mail2.ietf.org
Delivered-To: teep@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 49928C960189 for <teep@mail2.ietf.org>; Fri, 13 Mar 2026 06:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZQ6Hjw_9rRs for <teep@mail2.ietf.org>; Fri, 13 Mar 2026 06:05:56 -0700 (PDT)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C9BA4C95F2D1 for <teep@ietf.org>; Fri, 13 Mar 2026 06:04:38 -0700 (PDT)
Received: by mail-vk1-xa33.google.com with SMTP id 71dfb90a1353d-56b679e72d9so179545e0c.3 for <teep@ietf.org>; Fri, 13 Mar 2026 06:04:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773407078; cv=none; d=google.com; s=arc-20240605; b=SstJcDR/OHHTEiMcRnsknUjsEWF2qClQmrXRXK51WDxlQQf397RY2luP2zlbNv5AvL SSAnGT/EWYrK2IT96BlHnpZ3q0QVyUBfLdBDUDtK0AZ0YFvIITuN0PncLOU0UJ6uEwkW viX3ERviOYacY7UXEWlogj4mZ/cZbp4WnlEZwhZVok+Ie77w9sMA4oXXG6qh7bS2Xlzn WYP5Q5EM5a/fDyAzXFQAabEMhusvc2Q2Dd/NDhKkjzY/MCgBZbBCNJlo16/YjHtiglKE GST8Vqq2xbQwMAF3BAop9tYxCknogI1B774tfB+GkNzbgafUxfkVMSWL3qZYBOdUWh/w cGZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=QDVi+ERLc96j8z7n90nY1DDxLkdttqu2QD48V7bZCfw=; fh=vzyWBmNqFP38n5etSvFEzLYtWvluUXW2lzDgnBzcR3M=; b=b+9HhC8/m6yuzLLxrqqAYIbmHA7XSdHvq+OG8+S/DFwF+eRkDawWFz+y6Xt3P42E7A qrF9tp2cIEZ4Xpf8V7SQnCj91C1vNtWrfaTDz1flTXM+C+hZBzQDjTQNYyna5RM5IyuO HYiRccYZeD777rmQw9KFjQN9mzjVjtq1kENtzdY3kNcf9fWbwnstjHZS3FRQNBipfFjZ LoWExGnmPihPDFqFWxDjft/1bE3M5EZN3/v6SF30BL7CEdHeIjAci/2ceyjJ+ujQp4Wn wAuijKHZgBbDzRpmEDj1an3hBY4urcUW4fzEaYXn8LovntkivA0wKsWR66Ro21qwc2Sn dYFw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1773407078; x=1774011878; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=QDVi+ERLc96j8z7n90nY1DDxLkdttqu2QD48V7bZCfw=; b=DE6z2B77B6feouZ/lwVHMKwh3vozRhnvogeEaP1Kd5HBSOlMKSnhQhDCJ1vBHrDBME ragZ2HJsKcsUl0mSQxKz3SFxkff4TZAr0SQXTRMPE1hWk5fcX73i6R47y03qhiCZuygq RKACNKM0QLUrN9XeePNIL9SWTrNaO6G7RZ0qBK5451ZE1fLNpHKu2+PvUvMvN78H5e5H 6X8ez5T1oL94UDle3EfXwNjhaXZbFK3Ncy/X6Qpt47QIpEhUCIxEZ4+/k8MNfLrJ5VWE 8NQ28TYnKs9JMSSu4gaeIQpJuWh2i8SAjDb3xPh1CMHYdJAZ7AaiolGhnCdXed8JXtGn y69A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773407078; x=1774011878; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=QDVi+ERLc96j8z7n90nY1DDxLkdttqu2QD48V7bZCfw=; b=l/inFJju/vZ4BY0Yhq/IpDk6V/Nj6TlDPNowiBZocfeGxI8ti91gxrv4RdgKsGIoY6 7stFeiWcfWO9yZWd+20dr0Ku0JPB6RZ4SpqOipBqthbZJ4sN7ZBbUDf6sdx8rvzdFyqh K5cF0poyVrSjjpnxB5EIMx9WSyexKJa56fQC9sZCPzy6IbmN75mAHbs6NW2AeEHOZNcn M55hpqjEQpJKkuysXL/ucLCs0bnpFN/j1T4BcrAWNHO/RM+bsJa3lEtkbYLsF81ZYeyv I8/pgRd2t9iWS9pzOKWtFjcivM5u5fWhVLmyoYQv6d0SXamaC4TY1ylMEuzN2x90zRnC whdw==
X-Gm-Message-State: AOJu0YygCbrC4q79Ahw9fVbr+ld50Jj/PA6Q0RJcKhBUqvoeVMkjargz 2QCb1eT3w+GZE5j/O+mlicWraimdIv7qPgl4ePrVRb74b3tyfOb3Blz5iMRDnJKzD8ZQ3kkwKFm XQKgC3LqijS5+1ifSvYWJcrVXIdgbVjNZPw==
X-Gm-Gg: ATEYQzwIMJIBBocbM7kAPAAkF+ylmczdFoOCVTYiGk0jnfXO0kDHSfsbI1otjF+GJuO myrjWJgl++PHq/M/i7qLNFsn2uVlLxIuAaG2EvWd36ibZTTYmjNwLHvzzppUWj0ATaatwKqy8bW T386cHyHKrVsPe6g2TqhaWOURK5UmYPxJS2M3qdh6zuiD6PA+utaXtQjXOni8+I0X/uvfFRXU2B kpwUr9V6qtdrlFFfD4hyg3s2078ojy1OpfCUcJbidvG8WGNnS3C6PpgTl3i8H2cLMIy/HABAf5O tlkG83Oxsd0ekajhzGN/YGlUhfR58uiYYxwhEqlQL9rKJTgx89laH/Ldps5Glf/n0cY=
X-Received: by 2002:a05:6122:3286:b0:56a:e0e2:69b3 with SMTP id 71dfb90a1353d-56b6268f695mr1135155e0c.0.1773407077910; Fri, 13 Mar 2026 06:04:37 -0700 (PDT)
MIME-Version: 1.0
From: Ken Takayama <ken.takayama.ietf@gmail.com>
Date: Fri, 13 Mar 2026 22:04:27 +0900
X-Gm-Features: AaiRm52kkhwooIrREDXBP4A_4U6raiRbJtbKWpxPtp2sEr1rmfdQKr9Y-XZfyOQ
Message-ID: <CAOZByRDbHqq6XJA8e=63HAuGhUv2ngY9zFsW9TaNw=Jkchg3xQ@mail.gmail.com>
To: "TEEP@ietf.org" <teep@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: 7R2H67HYGL6MBQ7HCOD3IZX75HQFJE3P
X-Message-ID-Hash: 7R2H67HYGL6MBQ7HCOD3IZX75HQFJE3P
X-MailFrom: ken.takayama.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-teep.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Teep] [Hackathon 2/3] Implementation experience with error handling in TEEP-over-HTTP
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/OfcRAKcNYuYXKQDhseQ-tlhWr88>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Owner: <mailto:teep-owner@ietf.org>
List-Post: <mailto:teep@ietf.org>
List-Subscribe: <mailto:teep-join@ietf.org>
List-Unsubscribe: <mailto:teep-leave@ietf.org>
Dear TEEP WG, While implementing a TAM that operates over TEEP-over-HTTP for the IETF 124 hackathon (and continuing the work toward IETF 125), I encountered several practical questions related to how error handling is expected to work in real deployments. Based on this implementation experience, I would like to share some observations and implementation patterns that we found useful when interpreting the current specifications. The goal of sharing this information is not to suggest protocol changes, but to document practical implementation experience that may be helpful for others building systems based on the TEEP specifications. Our TAM implementation is available at: https://github.com/kentakayama/AttesTAM ---------------------------------------------------------------------- Implementation experience ---------------------------------------------------------------------- While implementing a TAM that operates over TEEP-over-HTTP, I sometimes found it difficult to determine how error handling was expected to work in practice. Section 7.1 of the TEEP Protocol already provides some guidance: "When the ProcessTeepMessage API is invoked, the TAM first does validation as specified in Section 4.1.2, and drops the message if it is not valid. It may also do additional implementation specific actions such as logging the results or attempting to update the TEEP Agent to a version that does not send invalid messages." This text clearly indicates that implementations have flexibility in how they react to invalid messages. However, during implementation we found that it was often necessary to define an internal "error taxonomy" mapping concrete failure conditions to protocol behavior and existing err-code s. During this process we observed that TEEP provides several mechanisms that can be used when handling errors, including: - returning an Update message with an err-code - retrying the exchange with a new QueryRequest - sending a SUIT Manifest as part of an Update message - simply dropping the message This flexibility is useful, but it can also make it less obvious which mechanism should be preferred in different situations. As a result, some implementations may end up handling certain conditions at the HTTP layer rather than within the TEEP protocol. Our interpretation of the overall design philosophy of TEEP is that, whenever possible, protocol-level errors are preferably handled within the TEEP protocol itself. ---------------------------------------------------------------------- Implementation note: handling protocol-level errors ---------------------------------------------------------------------- During implementation we found it useful to follow an approximate order of preference when handling protocol-level errors. One possible implementation pattern was the following: 1. Report the error using a TEEP Update message containing an appropriate err-code (and optionally err-msg). 2. If the error condition is temporary, retry the exchange by sending another QueryRequest with a new token or challenge. Implementations may wish to apply rate limiting when retrying exchanges. 3. If the error cannot be handled safely, simply drop the message. This behavior is already described in Section 7.1 of the TEEP Protocol. 4. Only when the TAM has high confidence that a corrective action is appropriate should it attempt recovery actions that modify the state of the TEEP Agent, such as sending a SUIT Manifest. In practice we found it helpful to avoid automatically triggering device-management operations in response to protocol errors, since such operations may be destructive or irreversible. ---------------------------------------------------------------------- Implementation note: interaction with HTTP error handling ---------------------------------------------------------------------- When implementing TEEP-over-HTTP, it is also necessary to decide how HTTP-level error responses should be used. In our implementation we interpreted the specifications as implying that most protocol-related errors should preferably be handled within the TEEP protocol itself, for example by returning an Update message with an appropriate err-code. Using HTTP client error responses such as 400 Bad Request, 401 Unauthorized, or 403 Forbidden for protocol-level errors can be less informative for the TEEP Agent than returning a protocol-level error response. The TEEP Protocol also describes the behavior of "dropping" invalid messages. In the context of TEEP-over-HTTP, we interpreted this as completing the HTTP exchange without returning a TEEP message (for example by returning HTTP 204 No Content). This interpretation may also explain why the current draft primarily discusses HTTP 5xx responses when describing error handling behavior. However, there are still situations where HTTP-level error responses can be useful, particularly when the request cannot be processed before TEEP protocol handling begins. Examples include: 405 Method Not Allowed when a request other than POST is received at the TAM endpoint 413 Payload Too Large when the request body exceeds limits enforced by the HTTP server 415 Unsupported Media Type when the Content-Type or Accept headers are inappropriate (already mentioned in Section 6.1) 429 Too Many Requests to mitigate excessive retries, loops, or denial-of-service conditions In addition, we were aware that the current draft already mentions HTTP 5xx responses for situations where the TEEP/HTTP server cannot obtain a response from the TAM. In our implementation we therefore decided to use HTTP 5xx responses specifically for TAM-side failures. For deployments using the Background Check Model, this includes situations where the TAM cannot reach the Verifier service. In such cases our implementation returns: 503 Service Unavailable to indicate that the request could not be processed because a required backend service was temporarily unavailable. For other unexpected failures inside the TAM, we return: 500 Internal Server Error These choices are implementation-specific but may be useful examples for others implementing TEEP-over-HTTP systems. ---------------------------------------------------------------------- Conclusion ---------------------------------------------------------------------- The observations above reflect only our implementation experience while building a TEEP-over-HTTP TAM. Different deployments may choose different approaches depending on their architecture and operational requirements. I hope that sharing this implementation experience may be useful for others implementing TEEP-based systems. Best regards, Ken
- [Teep] [Hackathon 2/3] Implementation experience … Ken Takayama