Re: [Teep] [ietf-teep/OTrP] HTTP Bindings (#14)

Dave Thaler <dthaler@microsoft.com> Fri, 29 March 2019 07:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/pE4LX-OWW7f4FCeNL7zJsxAu71A>

I would suggest we should keep issue discussion on the list, and just use the github comments to summarize.

Comments below as an individual participant:

From: Anders Rundgren <notifications@github.com>
Sent: Friday, March 29, 2019 8:12 AM
To: ietf-teep/OTrP <OTrP@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Subject: [ietf-teep/OTrP] HTTP Bindings (#14)


It seems that cloud based TEEs and client based TEEs would work differently (protocol wise) during provisioning, at least when HTTP is used as transport.

Client based TEE:
Request is coming from the client side (outbound) which means that the TAM request data must be delivered in an HTTP response body while the TEE response is delivered in a subsequent HTTP POST request.

Correct.

Cloud based TEE:
Request is coming from an outside service in the form of an HTTP POST request while the TEE response is returned in the associated HTTP response body.

That’s not how it’s defined right now, it’s defined to work the same as the client based TEE summary above.
This means that the TAM only needs to support one transport protocol mechanism, not two.
It also allows the timing to be TEE-driven, i.e., when the TEE actually needs to do attestation or remediation, etc.

Do you have any reason it *needs* to be different?  I’m not currently aware of one, so prefer simplicity of one mechanism instead of two.

Another difference is that in a cloud based scenario, the requester (TAM) must also be authenticated as a legitimate cloud service account user. This is a part of an HTTP binding scheme as well.

In both cases the TEE needs to authenticate the TAM, so I don’t think this is a difference either.

Dave
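The TEE-driven exchange that Dave describes (the device-side agent always opens the HTTP connection, the TAM's request rides in the HTTP response body, the TEE's reply is the next POST body), as an added example that is not part of this message, the GitHub issue, or the OTrP/TEEP drafts. It assumes the following, none of which come from the thread: the session starts with an empty POST, a 200 response carries the next TAM message, a 204 No Content response ends the session, and the path, media type and JSON message shapes are placeholders rather than the drafts' real formats.

```python
"""Simulation of a TEE-driven HTTP binding: the Agent is always the HTTP
client, so one transport mechanism serves both device and cloud TEEs.
All message formats and endpoints below are constructed placeholders."""
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

MEDIA_TYPE = "application/json"   # placeholder; the draft defines its own type
TAM_PATH = "/tam"                 # placeholder endpoint


class TamHandler(BaseHTTPRequestHandler):
    """TAM side: decides the next message from what the Agent just POSTed."""
    protocol_version = "HTTP/1.1"   # keep one connection for the whole session

    def log_message(self, *args):   # silence request logging in the example
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        if length == 0:
            # Empty POST: the Agent is asking whether the TAM has work for it.
            nxt = {"type": "QueryRequest", "nonce": "c0ffee"}          # constructed
        else:
            msg = json.loads(body)
            if msg["type"] == "QueryResponse":
                nxt = {"type": "TrustedAppInstall", "ta_id": "example-ta"}  # constructed
            else:
                nxt = None   # nothing more to do; end the session
        if nxt is None:
            self.send_response(204)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        data = json.dumps(nxt).encode()
        self.send_response(200)
        self.send_header("Content-Type", MEDIA_TYPE)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def agent_reply(tam_msg):
    """TEE side: build the reply to one TAM request (placeholder logic)."""
    if tam_msg["type"] == "QueryRequest":
        return {"type": "QueryResponse", "nonce": tam_msg["nonce"], "tas": []}
    if tam_msg["type"] == "TrustedAppInstall":
        return {"type": "Success", "ta_id": tam_msg["ta_id"]}
    raise ValueError("unexpected TAM message type: %r" % tam_msg.get("type"))


def run_session(host, port):
    """Agent-driven session loop. Returns the ordered (direction, message) list."""
    transcript = []
    conn = HTTPConnection(host, port)
    body = b""   # first POST is empty: the TEE decides when the session starts
    while True:
        conn.request("POST", TAM_PATH, body=body,
                     headers={"Content-Type": MEDIA_TYPE,
                              "Content-Length": str(len(body))})
        resp = conn.getresponse()
        payload = resp.read()
        if resp.status == 204:        # TAM has nothing further
            break
        if resp.status != 200:
            raise RuntimeError("TAM returned HTTP %d" % resp.status)
        tam_msg = json.loads(payload)      # TAM request arrives in the response body
        transcript.append(("TAM->TEE", tam_msg))
        reply = agent_reply(tam_msg)
        transcript.append(("TEE->TAM", reply))
        body = json.dumps(reply).encode()  # TEE response goes in the next POST
    conn.close()
    return transcript


def demo():
    """Start a loopback TAM, run one Agent session against it, return the transcript."""
    server = HTTPServer(("127.0.0.1", 0), TamHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_session(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for direction, msg in demo():
        print(direction, msg)
```

Nothing in this simulation authenticates either party; that is the point Dave makes last, and it is independent of which side opens the HTTP connection. Whether the TEE sits on a phone or in a cloud VM, it still has to verify the TAM's signature on every message it pulls out of a response body before acting on it, and TLS on the outbound connection does not substitute for that check.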