Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14)
Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 03 April 2019 06:35 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 556F3120395 for <teep@ietfa.amsl.com>; Tue, 2 Apr 2019 23:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a7KaOQPqrEIq for <teep@ietfa.amsl.com>; Tue, 2 Apr 2019 23:35:43 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E48BF120494 for <teep@ietf.org>; Tue, 2 Apr 2019 23:35:42 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id k17so19648379wrx.10 for <teep@ietf.org>; Tue, 02 Apr 2019 23:35:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=HmzTfMMaPV9pGBKGv700rHhe3boi5EzluT9Iy/IU+JE=; b=MW4lhRApa6gEOsZFeGmCpkuTGO0h0J1wKIMo196/HQ+NsvdB2QZXPntnCxlk2b7Qhh ZH2uK1PY44P2f0Da5HjkBBED1HIkPGwu4iUQcyVfYNOXW0NVAtKGhk5agq9y2R3LcD3m +D7b6Cb6LvsyW9G0gJdAnJBzNt8+eLYu635VJ8co0D10oRxr16Yaj8HDIgT5FW5w6DX+ H2jxyyv00rxucoY9aCaAt6D/OFfRdMvBgUvBK3YXVLaaUgViL8il25erQqwoFITj5Jzx Y5FjNOg3HrQ/+BeuFOhrWMRONGtEoUXPvUGB8Ip+OyZT823dLh7tnyQMXO0Lau67gg6s NbDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=HmzTfMMaPV9pGBKGv700rHhe3boi5EzluT9Iy/IU+JE=; b=IY0+K33sWxvH7GOr6Q0HXOBM1yPqskl399m/kpZzcldFjVnlVzYYC8/UqW886pQXwd g4vyMKevhuIAWQpQ+Rm7IQP5j3liCQPCUhymwQTbOSa+0aw+CMFO6jWTv3tMcabDZxya 75zdbpleN9BsEB7USXafIFsFP9VE0jmJbQTzvcdHSnALm6jsedxVpCoHfPnpxiQ9OJEJ mbJYY/8KUj8fxKNym6HsuPWX2AVQth8QOOQmfwzlcJ12eiJDZFi2bCvD/NL3nNhj/YgC MqGY85W3PBKKJZim780kYkGHLM7Xvq7YcVW0rVNmuKWGgHpYjzROO7GmYPFmEh8/UC/h Y9ZA==
X-Gm-Message-State: APjAAAXwGXBIj6PFcHfldM1ph6Rzidbq1eVlWFJfgToc7JNjVUrLgkuy HWYbmiPPOOo56q5sigw05xZSB1TL
X-Google-Smtp-Source: APXvYqyZtWYHUt+H/YTzPqQR06lLBiOVipl1xJOVvfqSHSlyWxq3eVuaTpNNL0gwK6cuVog4euzZwA==
X-Received: by 2002:adf:f607:: with SMTP id t7mr15382537wrp.191.1554273340837; Tue, 02 Apr 2019 23:35:40 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id e9sm24445001wrp.35.2019.04.02.23.35.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Apr 2019 23:35:38 -0700 (PDT)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, teep <teep@ietf.org>
References: <ietf-teep/OTrP/issues/14@github.com> <CY4PR21MB0168D9DB7A27245D2B5A354FA35A0@CY4PR21MB0168.namprd21.prod.outlook.com> <e361de94-f219-cee7-0aa4-45c3d14e2732@gmail.com> <f6a98861-d517-d388-939d-b835612a0a35@gmail.com>
Message-ID: <7d9cd927-9184-e85b-a2c4-cce166a664cc@gmail.com>
Date: Wed, 03 Apr 2019 08:35:34 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <f6a98861-d517-d388-939d-b835612a0a35@gmail.com>
Content-Type: multipart/alternative; boundary="------------382803E6A391D3DF98C4E8C8"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/ZMIcQOZV6uYpBCBgNON-LqVE4vk>
Subject: Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14)
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 06:35:46 -0000
Maybe there are actually multiple and quite different cloud use cases? 1. The one I mentioned is when the cloud account admin (user side) in some way have obtained a TA which they want to host at the cloud SP (push/upload). 2. If the cloud SP rather is a one-stop shop there is probably no need for a protocol. The cloud SP would at the customer's request install a designated TA using a method specified by the cloud OS. 3. If the cloud SP relies on external TA vendors, they could use the client (pull/download) protocol variant alternatively simply fetching an image. Does this sound reasonable? https://tools.ietf.org/html/draft-thaler-teep-otrp-over-http-01 "To be secure against malware, an OTrP implementation (referred to as an OTrP "Agent" on the client side, and a "Trusted Application Manager (TAM)" on the server side) must themselves run inside a TEE" With respect to the client side, I don't believe this an absolute truth, it is rather a consequence of the TEEP architecture: https://github.com/ietf-teep/architecture/issues/52 Well, of course some parts MUST run inside the TEE, but they can be considerably reduced in size and complexity as well a becoming more powerful. Anders On 2019-03-30 07:10, Anders Rundgren wrote: > A shorter way of expressing the differences is that a mobile phone scenario is a TA pull/download scheme while a cloud scenario seems more like a TA push/upload thing. > > Anders > > On 2019-03-29 10:37, Anders Rundgren wrote: >> On 2019-03-29 08:45, Dave Thaler wrote: >>> >>> I would suggest we should keep issue discussion on the list, and just use the github comments to summarize. >>> >> >> Fine with me. >> >>> Comments below as an individual participant: >>> >>> *From:*Anders Rundgren <notifications@github.com> >>> *Sent:* Friday, March 29, 2019 8:12 AM >>> *To:* ietf-teep/OTrP <OTrP@noreply.github.com> >>> *Cc:* Subscribed <subscribed@noreply.github.com> >>> *Subject:* [ietf-teep/OTrP] HTTP Bindings (#14) >>> >>> It seems that cloud based TEEs and client based TEEs would work differently (protocol wise) during provisioning, at least when HTTP is used as transport. >>> >>> *Client based TEE*: >>> Request is coming from the client side (outbound) which means that the TAM request data must be delivered in a HTTP /response body/ while the TEE response is delivered in a subsequent HTTP POST request. >>> >>> Correct. >>> >>> *Cloud based TEE*: >>> Request is coming from an outside service in the from of an HTTP POST request while the TEE response is returned in the associated HTTP response body. >>> >>> That’s not how it’s defined right now, it’s defined to work the same as the client based TEE summary above. >>> >> >> I'm aware of that which was the reason for filing this issue. >> >>> This means that the TAM only needs to support one transport protocol mechanism, not two. >>> It also allows the timing to be TEE-driven, i.e., when the TEE actually needs to do attestation or remediation, etc. >>> >>> Do you have any reason it **needs** to be different? I’m not currently aware of one, so prefer simplicity of one mechanism instead of two. >>> >> >> Well, the traditional way of implementing cloud services over HTTP is client-service-to-cloud-service. I haven't looked into this https://docs.microsoft.com/en-us/azure/key-vault/ <https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli> but I would be surprised if it doesn't work approximately as I described. If the communication also needs to be asynchronous (highly unlikely), more substantial changes would be needed. >> >> The TEE provisioning API would (hopefully...) not change by offering two variants of HTTP bindings. >> >>> Another difference is that in a cloud based scenario, the requester (TAM) must also be authenticated as a legitimate cloud service account user. This is a part of an HTTP binding scheme as well. >>> >>> In both cases the TEE needs to authenticate the TAM, so I don’t think this is a difference either. >>> >> >> I thought the TEE rather attested its identity etc. to the TAM. In a client scenario (like provisioning mobile phone TAs) the user authenticates to an "App Store" which in turn presumably provides whatever is needed for TAM access. >> >> In a cloud scenario like for a hosted Certificate Authority it is not obvious that there actually is a regular TAM. Where is it and what would it do? >> >> Cheers, >> Anders >> >>> Dave >>> >>> >>> _______________________________________________ >>> TEEP mailing list >>> TEEP@ietf.org >>> https://www.ietf.org/mailman/listinfo/teep >> >
- Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14) Dave Thaler
- Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14) Anders Rundgren
- Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14) Anders Rundgren
- Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14) Anders Rundgren
- [Teep] Cloud based HSM using TEE/TA/OTrP Anders Rundgren