IETF Logo Mail Archive

[Teep] Security domain default 1-to-1 mapping to a TA proposal in TEEP

Mingliang Pei <Mingliang_Pei@symantec.com> Fri, 08 March 2019 01:59 UTC

Return-Path: <Mingliang_Pei@symantec.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC761311A1 for <teep@ietfa.amsl.com>; Thu, 7 Mar 2019 17:59:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symantec.com header.b=GYVznXcB; dkim=pass (1024-bit key) header.d=symantec.com header.b=CJMzfkit
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SOYEbmvSK0EN for <teep@ietfa.amsl.com>; Thu, 7 Mar 2019 17:59:35 -0800 (PST)
Received: from tussmtoutape02.symantec.com (tussmtoutape02.symantec.com [155.64.38.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05B951310FF for <teep@ietf.org>; Thu, 7 Mar 2019 17:59:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=Symantec.com; s=1; c=relaxed/simple; q=dns/txt; i=@Symantec.com; t=1552010374; x=2415923974; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=6yojQWDdhu7rz42wKSKHZeH3YWmb+sJNuBIHABWMQjY=; b=GYVznXcBCXyVDBKbwKnWdOEUEWFk895CCChMNF0Pa6gm1f8K7oipMejJN5h0PpMR ghH9F05l8KdT9dZNWBCDgUc25d/kQtoQPXUY2F8GnlI8JI3y1YdEuxO33Mo0FZMO o137LzfvpsiKIeaE2XPBKc7QYqdlcOzJ6LiMPrLIKjQ=;
Received: from tussmtmtaapi02.symc.symantec.com (tus3-f5-symc-ext-prd-snat5.net.symantec.com [10.44.130.5]) by tussmtoutape02.symantec.com (Symantec Messaging Gateway) with SMTP id 23.D9.48042.68CC18C5; Fri, 8 Mar 2019 01:59:34 +0000 (GMT)
X-AuditID: 0a2c7e32-dbbf09e00000bbaa-97-5c81cc861c06
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (tus3-f5-symc-ext-prd-snat10.net.symantec.com [10.44.130.10]) by tussmtmtaapi02.symc.symantec.com (Symantec Messaging Gateway) with SMTP id F7.6B.05507.68CC18C5; Fri, 8 Mar 2019 01:59:34 +0000 (GMT)
Received: from TUSXCHMBXWPI01.SYMC.SYMANTEC.COM (10.44.91.33) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 7 Mar 2019 17:59:34 -0800
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (10.44.128.3) by TUSXCHMBXWPI01.SYMC.SYMANTEC.COM (10.44.91.33) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Thu, 7 Mar 2019 17:59:34 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symantec.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6yojQWDdhu7rz42wKSKHZeH3YWmb+sJNuBIHABWMQjY=; b=CJMzfkit/ajPi8zlbldFZR2gZwU/hiVNnxTrq2TVSOG4mSG9C/Hq8dEmwDAqZxEg/HN0jD1qBJvZ42arHlVzPsmBCiFp7fJXHtvTSQsFrxD38P10eUQ6HBrRHzLBtZBqZejiy7NrxJl9oyMRxlnPfiDcgNnvq+86jHwDM5Rj0WI=
Received: from BY2PR16MB0854.namprd16.prod.outlook.com (10.164.172.140) by BY2PR16MB0838.namprd16.prod.outlook.com (10.164.172.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.19; Fri, 8 Mar 2019 01:59:30 +0000
Received: from BY2PR16MB0854.namprd16.prod.outlook.com ([fe80::7cd8:ec4e:f89c:82a6]) by BY2PR16MB0854.namprd16.prod.outlook.com ([fe80::7cd8:ec4e:f89c:82a6%7]) with mapi id 15.20.1665.020; Fri, 8 Mar 2019 01:59:30 +0000
From: Mingliang Pei <Mingliang_Pei@symantec.com>
To: Andrew Atyeo <Andrew.Atyeo@intercede.com>
CC: "teep@ietf.org" <teep@ietf.org>
Thread-Topic: Security domain default 1-to-1 mapping to a TA proposal in TEEP
Thread-Index: AQHU1VKRZgbX2HkEAk2k301Fswqimw==
Date: Fri, 08 Mar 2019 01:59:30 +0000
Message-ID: <F78A61D4-9B6B-4E83-8CF7-0C49E08718A9@symantec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.d.1.180523
x-originating-ip: [155.64.23.38]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8b1fd89d-4b11-4f6b-2bd6-08d6a369b416
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BY2PR16MB0838;
x-ms-traffictypediagnostic: BY2PR16MB0838:
x-ms-exchange-purlcount: 1
x-microsoft-exchange-diagnostics: 1;BY2PR16MB0838;23:3MY6SGEUVlBcqPobJZR2OOD8b7h1LG85YFzsxqv2qkJBpXuWCkpDDq+iAXLLK02RdUXTGVK9TzgIj+el/BwuZqH74vUMZ5yluvGnGVcUctpw8AoXowFhJsvkMh+Tvgyq6k+qvG1ehhGw+hzentx/Vv3xWWSaCM48qVsgO8oTILlYA9RugFhcydaOGo48Txb63uqqeElSAdxGgm4OxEkk9IJUapif05XVmC3RTgc0xL3A3hbzhxsWRTJbEFWI+RCCcZRygUOYSNnQ5lj5WUPwy6lZ2jBo8AwRF72Zz1zc1npbMW+RZVk6SDkkxDCh8H/q+Rrq7DgSIjgw7F6JnoJHaL5cD5NYWWZjEesugYRnUiOzEkx8JLwjzJdUoZOmJXh1QG+pQyMBjmY5KIHmkQiXP04oTddbWyBWWSdDkPBg8lqF4SLnhbw7KaJwfL1sMatlLZkbMbXrF06zHITqQkVR2LuULZ4TJ1QQnrkYeAqltrkZnn40FJmImwXj/VsmXDqcNVDVzaz659ENrFRfIFwv7T4U9nkvflsxhe5l1S0EmFEgHYk3fBGTduh9O0KbZNbbG02jB3p4N9uuk9fvKYRVkLhqb5WrWftM/ZG9ANczOSguihZUmmbSrRfhW4WfwsaCDtlhwGIZYGtbyl7IqS4ksJDNn8eMmlWcHB8P1uVA7ixMzGufQ8LGRP/TLfd6vI/PL+FpHZQuoluA1h+BnMUaRRuQtpVwn0tncEZdLKsKtcYgIDwsrgPQi+rCDvu4H2QqDtOiOOZEyS/dzxacB2+gV5E1D1vxKATYMSlrgFoleaB2PRcCNXgr7y8nGHa9N8If0U9CAmOVQE3HxPnx1OdNWQ87sDPcxPYn5BqlST26J8DG5ZB+SIVp1oMStvV0B3wufHf+jirHya9sw9BSyafiw4d+s/o7nrXqYRg8Yn+j49Tad8nm/nDPqe8vkAF2k7c5am14dKpgv7HnkvcFHpetVVomiHKDuMHY24BTVd5+Za/zL6iCORS4SN6tIstdD0CNM93Igw9VszYuIRYPH3tTAknAsLH9lC6KfJqZbWkqZ80xpYNqFegjtOBXYalSEFrDGTz7FtGi8yWYs0uw9p5ZbZlV+N4MXaIRlpXaN4EABTuLHzuTUMAUR4Rxn825rf1qeDPPymQV/q+nV57Qh5Gj9pi77vCAsi4BY8sl2uwYMZds21zQzHRooxWgbpX+IubJpmf1XGV+Lv7YBT2SAslONUOgU/+msX6gSnGGpxM630vXiQ39oUySVT1qvtZ35dH8r9YT1TKWFC9xquobLmw7JT5IL27WHvV4es5NZGnNdSO1FWuFvVK5Z6jMxbkPqnSpAZYfDnXpepe7SDMeyDtjytAcCzLV7MyrRywVe1QTFmfdEpwcIl8LfZGN5watQ5X9aftrAKSYEgg4PM/70CDS05Za5xR/CAAiQMI3wnj3vyoYriz//jkC2WM53EhDeyjw
x-microsoft-antispam-prvs: <BY2PR16MB08386186B1B300FA85A70D0FEC4D0@BY2PR16MB0838.namprd16.prod.outlook.com>
x-forefront-prvs: 0970508454
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(376002)(366004)(39860400002)(346002)(396003)(189003)(199004)(3846002)(476003)(6506007)(6116002)(486006)(7736002)(33656002)(2616005)(6346003)(102836004)(790700001)(81156014)(81166006)(25786009)(8676002)(10290500003)(99286004)(66066001)(316002)(14454004)(15650500001)(5660300002)(478600001)(72206003)(58126008)(2420400007)(2906002)(10710500007)(606006)(966005)(105586002)(26005)(4326008)(186003)(36756003)(6916009)(106356001)(14444005)(82746002)(9326002)(71200400001)(8936002)(68736007)(6306002)(6512007)(54896002)(236005)(7110500001)(53936002)(256004)(97736004)(80792005)(6436002)(6486002)(83716004)(86362001)(71190400001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR16MB0838; H:BY2PR16MB0854.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mingliang_Pei@symantec.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: +Kd1JVLc75uYjZeitWWGCdaC/aUgYgxITRalsc3oA8C/1BaaQ1Cjny7fjEai3IWRhu2jmGl6tmr2mQ82TP3jw5kmfFiDlKL7IcLYdWb8NMlEnR27ZVC9mOSVzW3NF0gpLxnvVWO/uCLrjW5dEwok4A0rgVq1asiIEWkUwhTxNA+CakngEFKlY0LR4mbcAvmt93J0UZinFkfdq/i+1iQEQOO9izg4HW+woJibY66aYLoVTFMDZn+cdpCyAtCUf8QCNYgAE8gyecDEcFevJHpncLJXW7gisidECZDwG0+YGurqxKW4ZrzByLo0tGMdRopB20uNzv3Ns0kwpxeiTxloxhQefvbdZEuOHoBLtCAAxY2ez5fvs2uHbFx38+Y/6Ix+Ut3a93dKbvDKLZefhrRFP6FjYN5K2uOcZJP18CK6B0k=
Content-Type: multipart/alternative; boundary="_000_F78A61D49B6B4E838CF70C49E08718A9symanteccom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 8b1fd89d-4b11-4f6b-2bd6-08d6a369b416
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2019 01:59:30.6298 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR16MB0838
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrNKsWRmVeSWpSXmKPExsXCpdPEqtt2pjHG4H+LrMWOb/uZLJb++cbs wOSxZMlPJo8NCx4wBTBFcdmkpOZklqUW6dslcGX8vfOFtWBefEXfqp9MDYznY7oYOTkkBEwk lhztYO9i5OIQEvjEKNH+fTsbTGLNxjdQiV+MEtebGlhAEkICRxgl5kwLhbCfM0rMfy8IUsQi MIFZYtL6ZmaIxBQmiS1zQyG6HzJKXLl3GmgUBwebgIHEhTt5IKaIgK7E4RPqIOXMAsoS53cd AVssLOAhMX/fREYQW0TAV2LRxGnMELaexL/te1hBbBYBFYkVb/czgdi8AvYS2y5vB7MZBcQk vp9awwQxU1zi1pP5TBDPCEgs2XOeGcIWlXj5+B/YHFGgmT07r0I9rCCx8fN7FghbVuLS/G5G kDMlgG7Y0ewC8omEwE1GidVP37NCxLUktl+phSiXkjhx8SgrRM19YYlbB1dDzcyWWPtzOTtE vYzEzyMyEDUb2CQ+NdxlncBoMAvJqRB2skTT5uVss8BeE5Q4OfMJyyygdmYBTYn1u/QhShQl pnQ/ZIewNSRa58yFsj0k3vYuYkRWs4CRYxWjQklpcXFuSX5pSWJBqoGRXnFlbjKISAQmqGS9 5PzcTYzgJFVntIPx0wafQ4wCHIxKPLyahxtjhFgTy4AqDzFKcDArifCuPggU4k1JrKxKLcqP LyrNSS0+xCjNwaIkzivLWhItJJCeWJKanZpakFoEk2Xi4JRqYOQo27lXwuqUa97kkxZ9Vfpa 0U0Rrhul5D/s+378WsgHtiU/LFQ9bnr2XthZn+3Pur781/W8BhtLQcFHfM1PDhZ+6LwsraSQ tuxd5xHbeS8aVaJ4oncI9Mf1v+DhDrvNF5770IZR49iRkgezSoKu/GA/JMxkNY8xcZF63Jzz z59Mb13WWyftpcRSnJFoqMVcVJwIADgt9fJOAwAA
X-Brightmail-Tracker: H4sIAAAAAAAAA02SfyzUcRjH9/l+787XcfVxyIOr+bWRnaNWzZbFRLu22u6P1JTS7foOcdjd oZ/bodqiGu1SDCcpQkOsk5H5kaQ2FVaZ/BgtkTSJnWHd9z7+8M9nr32e1/Pe82wPQ4tL+W5M QrKO1SQrk7wEQp5QmiUMuPE+Myao8Y1zcPNSOxX8eHWJDqPkFRVmSl5fNk4pqJPCkHNsUkI6 qwk8cFYYvzayyE8tjb1wp9pM6VF/TA6yZQDvgdqGXzY5SMiI8QqCz1l6HlcQ424ExQVRhH8g MM47cBIP59Fwty6bJgUDBU0lUaR7AsHg6DtLFMMIcBB8GEnm0AkHQFevL6fT2Bv6W7oFHDti ORhf5SOOnfBRKM8voAnLYN3UyueYh32gaq6d4liEQ+HFgMnKCG+D5b5aimS6wPCUkSLLYKho 7acJO8PPyXVrjrMl89bLIQH594CGv/M8wtvhkzEXcWOCZYbm7AhuE8BfEdR8n+eTf38wDV4l uhv0fnzNJ86YIwx31GxkJsIzc6UN8SVg7pYQp14AC/pv1hwxZsH0wJeMfxrM18ZRHpIWbdqA sAqyGisFRdaNHeBt4RSvyNJN451Q1xJIFE8w5E7YEPaD68UlGyyHudvlaLNThphq5KFL02rV OrVOqUxNCNot015Uq7hHaTknlUyVon6OrAd10LUZda4e6USYQV72IsX+zBgxX5luMTuRO8Pz chEpohdPiXGcUscmsmwqq4nVpCWx2k5EMbZuenS46+GCYfl+isPx8wrPNuFMX0r6vxPh0j9P w2/O1NsJ42rEJgnzZdqQESaTRwz5Odyb83l02XykrTBybHo2NI9tGRmTeW/NDIlUiXpGz/D3 zs7gKzbyjI4nq8ZL7Xb7etb6+U32BQMr7r+rUlwit6Bjk9HSQ1kVfTskVRIXaZurF08br9zl T2u0yv/knPTBMQMAAA==
X-CFilter-Loop: TUS02
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/YMQuXSlN9ds6qwIr4zDfB2b-fZA>
Subject: [Teep] Security domain default 1-to-1 mapping to a TA proposal in TEEP
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 01:59:37 -0000

Hi Andy,

We are working on to close this issue #7: clarifying meaning of Security Domain (SD)

https://github.com/ietf-teep/architecture/issues/7

We want to simplify it, and propose to create a SD per TA by default, without completely removing the SD for some existing use cases. It will be good to also have your input on the implications, considering you have more involved in this with a prior OTrP TAM POC implementation. Could you review the issue, and provide comments there?

Here is a quick recap on some discussion reasonings.

Historically we consider Security Domain as a first class entity in TEEP (OTrP). There have been some desires to simplify it, or not require it in the TEEP architecture as some use cases don’t use it as much as potential IoT use cases. On the other hand, we know that existing TEE implementations and other secure element related practices uses SD to isolate and associate protection boundary. There was some resource constraints on number of SDs that can be allocated in a TEE device.

To achieve broad support of both worlds, we consider to move to an “implicit” model as follows:


  *   One SD is created per TA when a TA is going to installed. This allows creation of TA without going through explicit SD creation and so on.
  *   The prior deletion of SD will delete all TAs within the same SD. Now each TA will be required to be explicitly deleted.

Thanks,

Ming

v2.23.0 | Report a Bug | By Email