Re: [Teep] Working Group Last Call for HTTP Transport for Trusted Execution Environment Provisioning: Agent-to-TAM Communication
Benjamin Kaduk <kaduk@mit.edu> Fri, 03 April 2020 02:06 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0119D3A0BD4 for <teep@ietfa.amsl.com>; Thu, 2 Apr 2020 19:06:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4TDX91g0pB4 for <teep@ietfa.amsl.com>; Thu, 2 Apr 2020 19:05:59 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C66B93A0BD1 for <teep@ietf.org>; Thu, 2 Apr 2020 19:05:59 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 03325sT4022204 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 2 Apr 2020 22:05:56 -0400
Date: Thu, 02 Apr 2020 19:05:53 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
Cc: "teep@ietf.org" <teep@ietf.org>
Message-ID: <20200403020553.GB88064@kduck.mit.edu>
References: <BL0PR2101MB102751E84CB7D3F92D454AD5A3C60@BL0PR2101MB1027.namprd21.prod.outlook.com> <BL0PR2101MB1027EAFE442C4482B7830C86A3C70@BL0PR2101MB1027.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BL0PR2101MB1027EAFE442C4482B7830C86A3C70@BL0PR2101MB1027.namprd21.prod.outlook.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/tmYGcfgBzwN_EOtSXOjPFjoSfNs>
Subject: Re: [Teep] Working Group Last Call for HTTP Transport for Trusted Execution Environment Provisioning: Agent-to-TAM Communication
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 02:06:01 -0000
On Fri, Apr 03, 2020 at 12:13:33AM +0000, Dave Thaler wrote: > For point 4 (TLS considerations), I filed https://github.com/ietf-teep/otrp-over-http/issues/10 and > my proposal to address it is as follows: > > OLD: When HTTPS is used, TLS certificates MUST be checked according to [RFC2818]. > > NEW: When HTTPS is used, TLS certificates MUST be checked according to [RFC2818]. > NEW: See [RFC7525] for additional TLS recommendations. > > Rationale is that RFC 7525 (BCP 195) is what contains the answers to questions like Tiru asked in point 4, in a way that is > not specific to TEEP, and already has IETF consensus. For example, section 3.1.1 of that RFC deals with TLS versions > as Tiru asked about in point 4. My proposed approach also means we don't need to come up with TEEP-specific text, > since I don't believe there's anything TEEP specific here, given that TEEP messages are secured end-to-end inside so > anything really TEEP specific to say would be up in the TEEP protocol. Thanks, Dave, this sounds like a good plan. I note that we probably do want to pick up any future changes/updates to BCP 195, so we should probably cite that and not just RFC 7525. -Ben
- [Teep] Working Group Last Call for HTTP Transport… Konda, Tirumaleswar Reddy
- Re: [Teep] Working Group Last Call for HTTP Trans… Russ Housley
- Re: [Teep] Working Group Last Call for HTTP Trans… Konda, Tirumaleswar Reddy
- Re: [Teep] Working Group Last Call for HTTP Trans… Dave Thaler
- Re: [Teep] Working Group Last Call for HTTP Trans… Dave Thaler
- Re: [Teep] Working Group Last Call for HTTP Trans… Dave Thaler
- Re: [Teep] Working Group Last Call for HTTP Trans… Benjamin Kaduk
- Re: [Teep] Working Group Last Call for HTTP Trans… Dave Thaler
- Re: [Teep] Working Group Last Call for HTTP Trans… Benjamin Kaduk
- Re: [Teep] Working Group Last Call for HTTP Trans… Konda, Tirumaleswar Reddy