Re: [Teep] Roman Danyliw's No Objection on draft-ietf-teep-architecture-18: (with COMMENT)
Mingliang Pei <mingliang.pei@broadcom.com> Tue, 18 October 2022 05:36 UTC
Return-Path: <mingliang.pei@broadcom.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C92CDC14F725 for <teep@ietfa.amsl.com>; Mon, 17 Oct 2022 22:36:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.674
X-Spam-Level:
X-Spam-Status: No, score=-2.674 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsSaSWfyBTv5 for <teep@ietfa.amsl.com>; Mon, 17 Oct 2022 22:36:12 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 670D4C14F72B for <teep@ietf.org>; Mon, 17 Oct 2022 22:36:12 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id 13so29647741ejn.3 for <teep@ietf.org>; Mon, 17 Oct 2022 22:36:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zmec18e6fhWywGIJ35zB+AQtPhCKlXhjKL1c/8HXTXc=; b=Gen5zMK4NiqibEhwKGOMmHDLv6eOgWxKfsovYJA3NGxVO7laRZPAE5dP32mSSQhttC Dv8xKT0oYA3lru4VrRsOVW9ZXJ5yEnX90WifbuR2pwvWP8OxHIpvTM8Tq0HLTEz9lU/0 h/NDwLH7doyjflj/irbDQ+akrct9fxpbURIqs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zmec18e6fhWywGIJ35zB+AQtPhCKlXhjKL1c/8HXTXc=; b=eoPhsdz/mHtw7MPdU5a/8rY7oj2SIbmgZmINs6x7HycpFfHuBUg7VlNTXQlOOIm1tu O/dvjg+4c7nE5B10+xT2fjdmXR6WYiNzTZ5zX++MqHefduUnu/+1plR0Zi0rz7lpKZqe l7TnrTUte352ZGg0t/6kQKLYn4e7K2xleo7bgfm3hl0lTwQGxAj5E92huKAbMk00Z5c0 XT1834zoYWeXy8H6wXBCgFVC6aGW8ZNfcxLWvY+i+oyvtSpJ1C68Z8aRLUjoxXom9YWu aW71lmWA9gQuhpnDu54Xk1nwg/64SrdJ/Qtq8MkJxS0TlMKfMmWsPr3KiZR8vpLcHWkL P8Ww==
X-Gm-Message-State: ACrzQf08+CzoB4wzHbxoIRQspb/cXEReIIlI+k9e/yRcWFcM1/19H4Tv Qk8YS5lKaufeWc3OKRsVM4u9q1vvv/lx8FDN8DMg8vbasnKlKYHTNt6X6vSWbeKstGRrOmKjQWe e2W9ZblnGYXc=
X-Google-Smtp-Source: AMsMyM4pWETVfCjE814N1kq8ylDYtGD0PkmgKV1eaia14Wzw9ZkUEuiSys+HJtmA2UC3suM3Badq2ZFQZqhvymIX6Jw=
X-Received: by 2002:a17:907:97d0:b0:787:c0e9:ed0e with SMTP id js16-20020a17090797d000b00787c0e9ed0emr1017295ejc.274.1666071370764; Mon, 17 Oct 2022 22:36:10 -0700 (PDT)
MIME-Version: 1.0
References: <166260032152.13685.5540177274749697658@ietfa.amsl.com>
In-Reply-To: <166260032152.13685.5540177274749697658@ietfa.amsl.com>
From: Mingliang Pei <mingliang.pei@broadcom.com>
Date: Mon, 17 Oct 2022 22:35:58 -0700
Message-ID: <CABDGos7X8tSCAxq9tjASKnn53jmXg59YBJEKE12vHTgqPqSzrg@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-teep-architecture@ietf.org, teep-chairs@ietf.org, teep@ietf.org, kondtir@gmail.com
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000003f1e0b05eb487829"
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/R5pa9uzKWFN28U3xFh8c4PdwHXE>
Subject: Re: [Teep] Roman Danyliw's No Objection on draft-ietf-teep-architecture-18: (with COMMENT)
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2022 05:36:16 -0000
Hi Roman, Thank you very much for your review. Sorry for the late reply. We are revising the draft to incorporate your suggestions along with others. We have captured the fix in this issue and follow up comments: https://github.com/ietf-teep/architecture/issues/255 Would you mind reviewing the response there? I can reply inline below too otherwise. Thank you very much, Ming On Wed, Sep 7, 2022 at 6:25 PM Roman Danyliw via Datatracker < noreply@ietf.org> wrote: > Roman Danyliw has entered the following ballot position for > draft-ietf-teep-architecture-18: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-teep-architecture/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Ben Schwartz for the SECDIR review. Please review his > feedback. > > ** Section 1. > The > danger of attacks on a system increases as the sensitivity of the > applications or data on the device increases. As an example, > exposure of emails from a mail client is likely to be of concern to > its owner, but a compromise of a banking application raises even > greater concerns. > > Based on the example, is it the “danger of attacks” or the “consequences of > attacks”? > > ** Section 1. There are two different threat models implicitly described in > this section. The first paragraph seems outline the risk of multiple > applications on the same devices and the complexity of those > applications. The > fourth paragraph describes the threat of threat actors with physical > access. > Are we talking about both? > > ** Section 3.1. Is a “trusted user interface” something that needs to be > defined? Is it an example of a trusted TA? > > ** Section 3.3. > A TEE can be the best way > to implement such IoT security functions. > > This seems like a strong but unsupported claim. Consider something weaker. > > ** Section 4.4. > Implementations must support encryption to > preserve the confidentiality of such Personalization Data, which may > potentially contain sensitive data. Implementations must also > support mechanisms for integrity protection of such Personalization > Data. > > Please clarify what it means to “support encryption.” Is this saying that > all > personalization data at rest must be encrypted? No personalization data > can be > sent in the clear? > > ** Section 6.2 > A TEEP Broker abstracts the message exchanges with a TEE in a device. > > What does it mean for the broker to “abstract” the message exchange? > > ** Section 7. What is the relationship between the attestation process in > Figure 6 and the conceptual message flow described in 6.2.1? > > ** Section 7. > > Different Verifiers may require different degrees of > confidence in attestation proofs and not all attestations are > acceptable to every verifier > > Why is the first instance of “verifiers” a proper noun (capitalized) but > the > second is not? > > ** Section 9. This section notes a few instances where a TEE should detect > that something potentially suspect is happening. How, if at all, should > logging of this phenomenon occur? How would someone managing devices > become > aware of it or be notified? > > ** Section 9. From the SECDIR review: > ==[ snip ]== > Nothing here seems to discuss attacks on the TEE's properties, and the > post-compromise implications of those attacks. For example, if all > instances > of a TA share a secret key, used for decrypting the Personalization Data, > then > a single successful attack on a TEE is sufficient to decrypt all > Personalization Data (previous and future). Given the prevalence of such > attacks (especially via hardware fault injection), it seems likely to be > worth > mentioning. [1] > ==[ snip ]== > > ** Section 9.1. In the spirit of inclusive language, consider if there is > an > alternative term for “man-in-the-middle”. > > ** Section 9.1 > While a TEEP Broker broker can in effect make suggestions, it cannot > decide or enforce what runs where. > > -- Editorial. s/Broker broker/Broker/ > > -- What suggestions can a Broker make? Per Section 6.1, I thought the > Broker > only relayed messages between the Agent and the TAM. > > ** Section 9.3 > > We have > already seen examples of attacks on the public Internet with billions > of compromised devices being used to mount DDoS attacks > > Can a reference be provided for a single DDoS having billions of > compromised > devices as sources. > > ** Section 9.3. > > A compromised REE might also request initiating the full flow of > installation of Trusted Components that are not necessary. > > With this technique, could a compromised RRE fill up all of the secure > storage > of a TEE preventing future legitimate installations from occurring? > > ** Section 9.7 > > A TAM certificate usually has a moderate > lifetime of 2 to 5 years > > Is this a recommendation or an observation? If the former, what is the > basis > of these numbers? > > ** Typos > -- Section 4.1. Typo. s/Administators/Administrators/ > > -- Section 6. Typo. s/.././ > > > > -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
- [Teep] Roman Danyliw's No Objection on draft-ietf… Roman Danyliw via Datatracker
- Re: [Teep] Roman Danyliw's No Objection on draft-… Mingliang Pei