IETF Logo Mail Archive

Re: [Teep] Review of draft https://tools.ietf.org/html/draft-ietf-teep-otrp-over-http-06

Mingliang Pei <mingliang.pei@broadcom.com> Fri, 17 July 2020 01:36 UTC

Return-Path: <mingliang.pei@broadcom.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 415443A0EDB for <teep@ietfa.amsl.com>; Thu, 16 Jul 2020 18:36:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wXaGQzAm-Jj8 for <teep@ietfa.amsl.com>; Thu, 16 Jul 2020 18:36:36 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4634D3A0EDE for <teep@ietf.org>; Thu, 16 Jul 2020 18:36:36 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id q4so10792589lji.2 for <teep@ietf.org>; Thu, 16 Jul 2020 18:36:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jzkNMQfSr8PwePd4/uZklQJDQQMgxu0L/Cx5prX/Dpg=; b=gA40lvHp8BgvWsDuwPCr+L9ArlTEVoQ+onJtRuUgEsWAuBqiyc+0cobmqkPcR9rZ9M 5QQo6Zordvjp+8/9gZLk8mhzNda8BjaYA/XtetYZDM8gvPLRjP9VS4Tj64hWNGtBcSk2 ACJzo/M0lWO9e7nbsHfQ67v3djQ21lr5jbj30=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jzkNMQfSr8PwePd4/uZklQJDQQMgxu0L/Cx5prX/Dpg=; b=feiExDBEQr51+5Qeh6PVM4OcFgWA27/9p6FdocwXHEJ9h8LfwMXZIx08GAoq64wCDj WSctpNHtk8fdmkrjtJ5O6vnwpZ/0Rjb2p/VdQG688+gKn+riTuLGR8UMu2Ak2KYXr7NY lpFiQZOFSpZGpmQvZa8gcdVzn0KQliFx5WtX2C+Cu7yuDkbZdRozRQuXIjjowFQ8mg/6 7K3W5jNlWQeE7kGL+YcRVI75oVVh2/yEyuJ0h0CWHHSHi5VRWSm0ffgNjUEoqLdT+4Ss vvjUAkSwaVd+81fxjX4wWvTYDrzxmZTcTiuGeNUwTilNS5kiSRN294A+s87MoSHkXc2z 0x0w==
X-Gm-Message-State: AOAM5306n/KzL7kDs/Z60AOH0/WMGqA+ZqsdKcRQzboAwof327pgTMQ0 JbQNuWqWg2+gX1iTTZfj2uYbxeVZHHaj5BzfVqGpRg==
X-Google-Smtp-Source: ABdhPJxU3B8sMT2w+jeF5r7PlMYAs2ZS9GW+hWJJc2XTpbDEMYEmel2FiJ0t+TiMn8xRrQGhuIcKt5DL0sV5ZZY8Gy4=
X-Received: by 2002:a2e:9a47:: with SMTP id k7mr3332402ljj.96.1594949794068; Thu, 16 Jul 2020 18:36:34 -0700 (PDT)
MIME-Version: 1.0
References: <CABDGos7q25AYrMOCtkJP3+j1oVpBm61HywY5JthkVGHiYPSMdA@mail.gmail.com> <CABDGos4T2NYLU7KL_+phVMYyOwT6iB99zHNkYAu9+jo8dXSksg@mail.gmail.com> <BL0PR2101MB102755F22E8C32200EEA7A69A37C0@BL0PR2101MB1027.namprd21.prod.outlook.com>
In-Reply-To: <BL0PR2101MB102755F22E8C32200EEA7A69A37C0@BL0PR2101MB1027.namprd21.prod.outlook.com>
From: Mingliang Pei <mingliang.pei@broadcom.com>
Date: Thu, 16 Jul 2020 18:36:22 -0700
Message-ID: <CABDGos7Li-W1-h66__epf4RMboigTPuZ2VEZFNB5rt_QKBMs=w@mail.gmail.com>
To: Dave Thaler <dthaler@microsoft.com>
Cc: "teep@ietf.org" <teep@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ef646105aa992f02"
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/iCEuI2V8AEYpnZ6Y_fIZNBllWT0>
Subject: Re: [Teep] Review of draft https://tools.ietf.org/html/draft-ietf-teep-otrp-over-http-06
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 01:36:39 -0000

Thanks Dave. Please see replies inline. Ming

On Thu, Jul 16, 2020 at 6:02 PM Dave Thaler <dthaler@microsoft.com> wrote:

> Thanks Ming for the review!  I entered your feedback as
>
> https://github.com/ietf-teep/otrp-over-http/issues/16
>
> and made changes to the doc that you can review at
>
> * https://github.com/ietf-teep/otrp-over-http/pull/17
>
> * https://github.com/ietf-teep/otrp-over-http/pull/18
>
>
>
> Responses below:
>
>
>
> > 1) Abstract section says "is used to manage code and configuration data"
>
> >
>
> > Should it just say manage "Trusted Applications" as this can
>
> > assume the context defined in TEEP architecture and TEEP protocol
>
> > document.
>
>
>
> No. TEEP can also be used to manage code that isn't a "TA" per se.
>
> For example, it could also be used to update OP-TEE (or any other TEE
> "OS").
>

MP: Non-TA code management is out of scope for TEEP. TEEP architecture doc
only targets to support TA management per use cases and scope sections; it
doesn't have design to update OP-TEE or any other TEE OS. TEEP protocol
doesn't have methods for non-TA code. It defines only two methods:

TrustedAppInstall
TrustedAppDelete

The transport is to support TEEP protocol doc. I suggest that we limit the
scope of TA management across all three docs.


>
> > 2) It also says "a Trusted Application Manager (TAM) service
>
> >    is used to manage TEEs in devices that can initiate communication to
>
> >    the TAM."
>
> >
>
> > A TAM doesn't manage TEEs. Suggest change it to "manage Trusted
> Applications".
>
> > TEEs don't initiate communication to the TAM. Suggest change it to "TEEP
> Agent".
>
>
>
> Changed to:
>
> "is used to manage code and data in TEEs on devices that can initiate
> communication to
>
> the TAM."
>

MP: good


>
> > 3) Section 1 says "a "Trusted Application Manager(TAM)" on the server
> side) must
>
> > themselves run inside a TEE."
>
> >
>
> > This specification shouldn't set this as a requirement. A TAM in a
> secure data
>
> > center that passes certain security requirements could be acceptable to
> some devices.
>
>
>
> Context for the quote is that it was prefixed by "To be secure against
> malware,"
>
> and I still claim that to be secure against malware, a TAM would need to
> run
>
> in a TEE as well. However, I do agree that a TAM that is not fully secure
>
> against malware could be acceptable to some devices, and that was my
> original
>
> intent as well but I have clarified as:
>
>
>
> "... must themselves run inside a TEE, although a TAM running outside a TEE
>
> is also supported."
>
>
>

MP: I would use the word "SHOULD", not "MUST". I think that there are other
ways to be secure against "malware". "Must run inside a TEE" implies that
this is the only method.

> 4) Section 2 says "and TEEP Broker, and Rich Execution Environment (REE)"
>
> >
>
> > The first "and" could be removed?
>
>
>
> Yes, done.
>

MP: Good


>
> > 5) Section 3: The hyperlink of "Section 6" doesn't point to the TEEP
> architecture document.
>
>
>
> No hyperlink is in the draft. I think it's a bug in the html viewer for
>
> Internet drafts, which seems to be a little too smart in adding a hyperlink
>
> where it shouldn't.
>
>
>

MP: fine

> 6) Section 5.1: "The TEEP/HTTP Client then informs the TEEP
> implementation" and
>
> > "The TEEP implementation will either (a) pass no data back,..."
>
> >
>
> > Should this TEEP implementation mean the "TEEP Agent" inside the TEE?
>
>
>
> Yes, Section 1 explains the terminology:
>
> > ..., a TEEP implementation (referred to as a
>
> > TEEP "Agent" on the client side, and a "Trusted Application Manager
>
> > (TAM)" on the server side) ...
>
>
>
> But since the sentence in 5.1 is specifically about the client side then
>
> yes TEEP Agent is more precise.  Will update throughout, for both
>
> TEEP Agent and TAM.
>
>
>

MP: good

> 7) Section 5.4 says "An implementation MUST provide a way to periodically
> check for TEEP
>
> >    policy changes."
>
> >
>
> > TEEP policy hasn't been defined so far yet. Good to provide some
> examples of this,
>
> > and where they are defined and who defines them. Will it mean TEEP
> client policy
>
> > or TEEP server policy? The TA revocation status check in B) may not mean
> a policy; the
>
> > time frequency to check TA revocation would be a policy.
>
>
>
> Updated text to clarify with examples:
>
>
>
>    An implementation MUST provide a way to periodically check for TAM
> policy
>
>    changes, such as a Trusted Application needing to be deleted from a TEE
>
>    because it is no longer permitted, or needing to be updated to a later
>
>    version.
>
>
>

MP: this is fine.

> 8) Section 7 says "The TEEP/HTTP Client calls the TEEP implementation's
> "RequestTA"
>
> >         API, passing TA Needed = X."
>
> >
>
> > Should it be calling "TEEP Agent"? So far, we assume that all
> communications to
>
> > TEEP in TEE will go through TEEP Agent. In step 3 below, it indicates
> that
>
> > "The TEEP Agent passes the TAM URI..."
>
>
>
> Same as point 6.
>
>
>
> > 9) Step 8 says "Back on the TEEP Agent side"
>
> >
>
> > Does it mean "TEEP Broker side"?
>
>
>
> No. There can be a TEEP Broker on both the agent side and the TAM side if
>
> the TAM is in a TEE, so "TEEP Broker" isn't a side.
>
>
>

MP: the full paragraph reads

"8. Back on the TEEP Agent side, the TEEP/HTTP Client gets the HTTP
        response, extracts the TEEP message and pass it up to the TEEP
        implementation"

The above message means:

- it is inside TEE (On the TEEP agent side)
- gets HTTP response and extracts TEEP message
- passes it to "TEEP implementation" which is actually TEEP Agent here.

On the client side, it is the TEEP Broker that extracts HTTP response, and
passes it to the TEEP Agent. To avoid the vague side meaning, how is
something like:

"Back on the client side, the TEEP/HTTP Client gets the HTTP response,
extracts the TEEP message and passes it up to the TEEP Agent"

I will leave it to you to decide.

> 10) Step 9: shouldn't the TEEP Agent be involved in this communication?
>
>
>
> Same as point 6.
>
>
>
> > 11) Step 11 says "passes
>
> >         the payload up to the TAM implementation."
>
> >
>
> > To be consistent with step 5 above, "TAM implementation" changes to
> "TEEP implementation"
>
> > or "TAM TEEP Implementation".
>
>
>
> Updated as part of changes for point 6.
>
>
>
> > Nits:
>
> >
>
> > Section 4: s/upon a following such a redirect/upon following such a
> redirect
>
>
>
> Done, thanks.
>
>
>
> > Section 5.1: s/the TEEP/HTTP Client attempts to create session state/the
> TEEP/HTTP Client attempts to create a session state
>
>
>
> Disagree with grammatical change. "State" is used in the same sense as
>
> "data".  You create "data" not "a data", and you create "state", not
>
> "a state" which would sound like a specific state in a state machine.
>
>
>

MP: I saw some call out "session state data" if it means data, and some use
"a session state"...

https://www.c-sharpcorner.com/UploadFile/de41d6/view-state-vs-session-state-vs-application-state/
"By default, an ASP.NET session state is enabled for all ASP.NET
applications. Session state data is shared across all the web pages..."

But I trust you have the right usage. Good for me.

These changes will be in draft -07.
>
>
>
> Dave
>

v2.23.0 | Report a Bug | By Email