Re: [Teep] draft-ietf-teep-protocol-05

Dave Thaler <dthaler@microsoft.com> Wed, 03 March 2021 21:06 UTC

Russ Housley wrote:
> TECHNICAL QUESTIONS AND SUGGESTIONS
> 
> In Section 4.2, the discussion of token says:
> 
>       The TAM MUST expire the token value after receiving the first
>       response from the device and ignore any subsequent messages that
>       have the same token value.
> 
> Should this say the first response that has a valid signature?  Otherwise, we are creating an opportunity for an attacker to quickly respond with a matching token but otherwise garbage.  Then a legitimate responder will be ignored.

Yes, although there is also some discussion of possibly getting rid of the
token (but no consensus yet to do so) and using other mechanisms instead.

For the real answer to your question, section 6.1 second paragraph
says to drop the message if it is not valid according to the rules
in 4.1.2.  Section 4.1.2 explains that the TEEP message fields are only
looked at in step 6, so by the time you get to the text in section 4.2
you've already passed steps 1-5, so you get the meaning you stated.

> In Section 4.2, the discussion of ocsp-data says: "certificates up to the root certificate".  I do not think we want an OCSP response for the trust anchor (a.k.a., root certificate).  I suggest: "certificates up, but not including, to the root certificate".

Acknowledged.

> In Section 7, I think that future ciphersuites should allow MAC algorithms other than HMAC, such as GMAC.

Do you believe any text change is needed?

> In Section 9, please say whether future registrations will allow integrity-without-confidentiality ciphersuites.  Let's settle this now instead of dumping on the IANA Expert.
> 
> For the reference to OCSP, please use RFC 6960 (not RFC 2560).
> 
> The document talks about certificates, so it should reference RFC 5280.

Acknowledged.

> EDITORIAL SUGGESTIONS

Got them, thanks!

Dave
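As an added illustration of the ordering Dave describes (the message is validated under sections 6.1 and 4.1.2 before any TEEP field, including the token, is examined), not code from the draft or the TEEP working group: HMAC stands in for COSE signature verification, a dict for the decoded CBOR message, and the names `Tam`, `sign` and `demo` are made up here.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in: this HMAC key plays the role of the device's COSE
# signing key; a real TAM would verify a COSE signature against the device's
# attested key instead.
DEVICE_KEY = b"constructed-device-key"

def sign(msg: dict, key: bytes = DEVICE_KEY) -> bytes:
    """Sign a canonical byte form of the message (HMAC stands in for COSE)."""
    return hmac.new(key, repr(sorted(msg.items())).encode(), hashlib.sha256).digest()

class Tam:
    """TAM-side state: outstanding tokens and the order in which a response is checked."""
    def __init__(self):
        self.outstanding = set()

    def issue_token(self) -> bytes:
        token = secrets.token_bytes(8)
        self.outstanding.add(token)
        return token

    def handle_response(self, msg: dict, sig: bytes) -> str:
        # Steps 1-5 (section 4.1.2): validate the envelope, here the signature,
        # before any TEEP field is looked at. An invalid message is dropped
        # (section 6.1) and does not consume the token, so a forged response
        # that merely echoes a matching token cannot lock out the real device.
        if not hmac.compare_digest(sign(msg), sig):
            return "dropped: invalid signature"
        # Step 6: only now examine TEEP fields. The token expires on the first
        # valid response; later messages carrying the same token are ignored.
        token = msg.get("token")
        if token not in self.outstanding:
            return "ignored: unknown or already-used token"
        self.outstanding.discard(token)
        return "accepted"

def demo() -> list:
    """Constructed exchange: a forged response, the genuine one, then a replay."""
    tam = Tam()
    tok = tam.issue_token()
    forged = {"token": tok, "body": "garbage"}
    legit = {"token": tok, "body": "QueryResponse"}
    return [
        tam.handle_response(forged, b"\x00" * 32),  # bad signature: dropped, token survives
        tam.handle_response(legit, sign(legit)),    # valid: accepted, token expired
        tam.handle_response(legit, sign(legit)),    # same token again: ignored
    ]
```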