Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture

Dave Thaler <dthaler@microsoft.com> Tue, 07 January 2020 19:44 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFC44120113 for <teep@ietfa.amsl.com>; Tue, 7 Jan 2020 11:44:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bpqx0OFCnBBx for <teep@ietfa.amsl.com>; Tue, 7 Jan 2020 11:44:22 -0800 (PST)
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (mail-eopbgr700095.outbound.protection.outlook.com [40.107.70.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F13D612010E for <teep@ietf.org>; Tue, 7 Jan 2020 11:44:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XeGKt3wh2GjPLUhVIy8TAWVzkmEbSMxlRnX8Au7CPB/bN4KXt4Q6syTEvHyiqKib55BKBiqQqFmnjG3Re6eZlFpClsefOA8eJ8JYmzN2m6rUGLems1KudOrT4Vw2psedwSq53qQUUuWDyopVLeScSl+v8V6+WLHvNiCEWgixoD7IT5oHAzwZ16Zr2sUn/LgGwvQZCbWjAbNTEjNJUjWacstzDLss6+06dYNF/eamY0ZrhbMWsYlj+KqJoFI3h1SrhfunW179LYMilT7CA39gV8ti/IEc6/SVfrDIwFAYUK59W+PrFUP1njy8uNhphkwM8L3X7kAjoXzXoxkbofqcbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7toTyZ7QM0w4RAjTpAl1QvRlRIARYhevjwQuC58BNHs=; b=IIyvWVTq6XNW3Kvy841GTcjYX+LnVdV5laCtvX+vUSlf7juT+QuDfVm5Ly4KKnMgq2+sAgJ5oAlxmUNHWSaAvDcDunb/efgYlUCkb8olL/BqiGPOk0jAcLgW2356drKTS8YDxLzajlpiYBEWa5gn8LpYLPooCXKILqOTBSBkfeUFMxOEZKkeAG37S6x7v8dSFP10DRFKAwfgiWokt4YKGztY+oAmQH6KnHNIJLrX/MRqesi7PreurRF8XVVFlz7ZmaKPzd7kywb5gtK0TBhMLNqBvk/6c0duEgFIEZnstxjb0DHmAhdaawo1q+U4tPN+ETiBzWJCW7jg0B51MOlapA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7toTyZ7QM0w4RAjTpAl1QvRlRIARYhevjwQuC58BNHs=; b=KJh0WlDwN5DK+he9BEiekvCSKPn/vqMyI24gJqxBuRbMaVSZQ6HOEI8CZM6W9nTvtP+hEcfU2AUKOcq5cmtOIGMGHWEBhzuycF/QEk5DnB6Lt05T+dX4cQCLDxIa0uD4jV0yf9AQ9fCPLNWjtzkWDufKKF7/4qAYfGdJPayrqPE=
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com (52.132.20.161) by BL0PR2101MB1026.namprd21.prod.outlook.com (52.132.20.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.3; Tue, 7 Jan 2020 19:44:19 +0000
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::c50e:86ef:6bf3:d535]) by BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::c50e:86ef:6bf3:d535%9]) with mapi id 15.20.2644.002; Tue, 7 Jan 2020 19:44:19 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "teep@ietf.org" <teep@ietf.org>
Thread-Topic: Working Group Last Call for draft-ietf-teep-architecture
Thread-Index: AdW5iepOELmpRRFXSAWsc0EhHQP19ALfbySAAAc0BIAABIf9gAAWBUMg
Date: Tue, 7 Jan 2020 19:44:19 +0000
Message-ID: <BL0PR2101MB1027BB4B1FDB272B61D04468A33F0@BL0PR2101MB1027.namprd21.prod.outlook.com>
References: <CY4PR1601MB1254CD83B0DAADAA67A54CF3EA2E0@CY4PR1601MB1254.namprd16.prod.outlook.com> <BL0PR2101MB10278417515DEF077714D693A33F0@BL0PR2101MB1027.namprd21.prod.outlook.com> <CY4PR1601MB125400678B0DA9EE37683FBBEA3F0@CY4PR1601MB1254.namprd16.prod.outlook.com> <AM6PR08MB5285F0C0209A745F1FAABA23FA3F0@AM6PR08MB5285.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB5285F0C0209A745F1FAABA23FA3F0@AM6PR08MB5285.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=dthaler@ntdev.microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-01-07T03:14:02.9467153Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=113fc599-cef6-4df9-bb00-5e0a626ea5d7; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2601:600:9780:16f0:cdf6:f878:752c:9d87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: b5af03db-9033-433c-d6c5-08d793a9fc83
x-ms-traffictypediagnostic: BL0PR2101MB1026:
x-microsoft-antispam-prvs: <BL0PR2101MB102676838FE11C4FF43D9ED3A33F0@BL0PR2101MB1026.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 027578BB13
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(346002)(136003)(366004)(39860400002)(53754006)(51914003)(40434004)(189003)(199004)(186003)(110136005)(316002)(33656002)(7696005)(71200400001)(8936002)(81166006)(8676002)(81156014)(53546011)(6506007)(66476007)(64756008)(66946007)(66556008)(76116006)(52536014)(66446008)(2906002)(5660300002)(8990500004)(66574012)(966005)(86362001)(10290500003)(55016002)(478600001)(9686003)(30864003)(579004)(559001); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR2101MB1026; H:BL0PR2101MB1027.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yvnC982Briw9HtGDURraSoNryhgALR2YgxSfjiVHC1rZ3/Sm+VvFHZGs4YEb02AvttE/ZL5W/bo/57g1sYthVm08qhRZwGAWhLR02OITAReLK5T3L/eCnz57C2K0B8ahmlyc9mkm1bhwa+YDPAxKsUpxR+WGlQrpp+NeDeZgvJiSFEPSbcYYORp95OskfXlQmWQR8MyILIg6Bw7yGVtdIaiCVnKT5pxb0BK9wK4qxk7RHdX+qrMv3y1u51OcN9KM/fFrCXFLfdG8BLznL2YpHnhMQmdmEuP+jRyEjU+kR4obBdrIA7pi+p7brOPk2bgvuHfZrfv6ZISkZp69dRn2+6VhT3dcDDJAYafCROMxXOe7U2NsG3Hkd+5kk0F8mReboFcOH2HU62twP67qIb5B1njXQeYQmAR+YqDwA4LfOJmnpWZ6mCGAqajZsifI+1mBM/m1bMwvTzBwuv03lP0r2j/SviiUC4zrlCzAiPdJcCCSG80xZunn4cxVyZcxMwRX/OJlJ5vZHty8S3ToO41WW73ecmpO9cyffZwgSjy0F12Hvfcuy3MOvKpwap2/69uOUcp7xjEA7Ri5ZTjueAQ5euBA4f4B6a6AzbcWY97L4Ik=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BL0PR2101MB1027BB4B1FDB272B61D04468A33F0BL0PR2101MB1027_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b5af03db-9033-433c-d6c5-08d793a9fc83
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jan 2020 19:44:19.0359 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +GMRqaer4uigQzWrCWV7n1jtDRcDseP8oI7v8eCfbigp9pULx5rNf/Dvql31aJkLenXrgy5r20PilmSnMWt9W7BD8iFyYqlifWSGKvfFW0k=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR2101MB1026
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/zmqBawQGLAnYX9xLppr8JS7cKYU>
Subject: Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 19:44:27 -0000

Below

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Sent: Tuesday, January 7, 2020 1:28 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>om>; Dave Thaler <dthaler@microsoft.com>om>; teep@ietf.org
Subject: RE: Working Group Last Call for draft-ietf-teep-architecture

Hi Tiru,

Thanks for the review. There is clearly room for improving the write-up.

A few remarks below.

From: TEEP <teep-bounces@ietf.org<mailto:teep-bounces@ietf.org>> On Behalf Of Konda, Tirumaleswar Reddy
Sent: Tuesday, January 7, 2020 7:39 AM
To: Dave Thaler <dthaler@microsoft.com<mailto:dthaler@microsoft.com>>; teep@ietf.org<mailto:teep@ietf.org>
Subject: Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture


[As an individual]

Hi Dave,



I have reviewed the draft and have comments and nits listed below:



a) It is not clear from the Introduction how TEE is different from a Closed OS like Google Chromebook or Windows 10S ?

     The benefit of Payment application running in Closed OS verses in TEE is not evident from the description. What part of the Payment application runs in the REE and TEE respectively ?

     If biometric identification information is securely stored in TEE for identification, how does the TEE identify the biometric identification information is not retrieved by an malicious agent in the REE.

     Section 3.3 (Internet of things), How does the architecture ensure the sensitive data is retrieved by a legitimate application in the REE and not by an malicious application ?



[Hannes] The TEE adds another layer of software isolation. To protect one TA to steal data from another TA the two TAs need to be isolated against each other. Depending on the TEE technology you are using this is accomplished via different means.



It is up to the application developer to decide how they best want to separate the REE and the TEE part, which in part depends a bit on what type of payment protocol they are using. In some other cases (probably more realistic) they may be using an already existing payment system, which is provided as a TA, and they are just using it. In general, it does not strike me as a great idea to have random smart phone app developers writing their own payment software.



The document (intentionally) makes no statement about whether a "close OS" as you put it, is or is not a TEE.   The question is really about whether such an OS prevents code injection attacks (e.g., due to buffer overruns or whatever else), prevents data modification attacks, etc.



b) Why should the list of trust anchors on the device be managed by the Device's network carrier ?

     (you may want to define the term "network carrier").



This is issue #112 that I filed.   Personally I think the term "carrier" should be removed from the doc.



[Hannes] The text says the following:



"
The list of Trust Anchors is normally modifiable
      by the Device's owner or Device Administrator.  However the Device
      manufacturer and network carrier may restrict some modifications,
      for example, by not allowing the manufacturer or carrier's Trust
      Anchor to be removed or disabled.

"



This describes current practice in the mobile phone industry and may not necessarily be applicable to other deployment scenarios. Hence, there is no required behavior here.





c) If the REE is compromised (for example by malware), it could terminate the TEEP broker in REE. How is this attack mitigated ?



[Hannes] If the REE is compromised then that's typically not a good thing but the REE side still cannot access anything on the secure world, if implemented correctly. It could, however, indeed terminate the TEEP broker and avoid any calls to the secure world. This would be a DoS attack. It would be possible to periodically schedule an interrupt that is processed by the secure world to let the secure world double-check the state of the normal world.



Right.  DoS attacks by the REE are, in general, not prevented (some TEEs may prevent them but most won't).

The TEEP architecture doesn't change this.



d) What happens if the malicious agent acting as TEEP broker launches attacks (e.g. garbage data, replay attack, DoS of messages etc.,) on the TEEP agent, and how will the TEEP agent defend itself ?



[Hannes] The TEEP agent dispatches calls to the trusted applications. It is typically a shim layer that just checks parameters of the requests and then relays them to the TAs. Having a rock solid implementation of the TEEP agent is important and of course the TAs need to be implemented properly as well.



The GP TEE Client API is meant to provide a reference design for an API that allows data passing back and forth. So, implementing that API properly will be important. This is why there is this open source project to implement that API so that other developers can just use it.



The TEEP Agent implements a secure protocol (the TEEP protocol) between it and a TAM.
That protocol must be secure against attacks by untrusted intermediaries, including routers, HTTP proxies, and TEEP brokers.



e) The below line is not clear to me:

Enumeration and access to the appropriate TEEP Broker is up to the Rich Execution Environment and the Untrusted Applications..



[Hannes] There may be multiple TEEP Brokers on the system and the interaction between untrusted apps and the TEEP broker is up to a policy implemented by the developer.



I agree the line is confusingly worded.



h) A use case explaining the use of multiple TAM, multiple TEEP brokers on a device, and multiple TEE would be useful to the reader of the specification.



Isn't that what Figure 2 already provides?  Can you elaborate on what you're looking for?



[Hannes] Definitely a good idea to add text with use cases.

Here is my quick response:


-        Multiple TAMs: you could think about this as having multiple code repositories. Different SPs may prefer to use certain TAMs for their software distribution.
-        Multiple TEEP brokers: this can occur when you have a broker offered by the OS and one bundled with the untrusted app.
-        Multiple TEEs: This depends on the TEE technology. In the TrustZone case you may have a multi-processor system and each processor comes with TrustZone support.



i) When a TEEP Broker receives a request from an Untrusted Application

   to install a TA, a list of TAM URIs may be provided for that TA, and

   the request is passed to the TEEP Agent.  If the TEEP Agent decides

   that the TA needs to be installed, the TEEP Agent selects a single

   TAM URI that is consistent with the list of trusted TAMs provisioned

   on the device invokes the HTTP transport for TEEP to connect to the

   TAM URI and begins a TEEP protocol exchange.



Comment> I am not sure why the architecture draft is discussing the protocol aspects like HTTP for TEEP ?



[Hannes] I believe it does not need to mention HTTP but it could list it as an example.



Sure.



On the other hand, we have a WG document, and the architecture document can mention it as explaining how that doc fits into the architecture and relates to the other docs.



j) What if the malware in REE instructs the TEEP agent via TEEP broker to keep installing/uninstalling TA (over-whelm the TEEP agent and TEE or installing un-necessary TA to have no memory for the required TA) ?



An REE can always conduct DoS attacks against a TEEP agent as discussed in your question (c) above.

However the word "instructs" is incorrect since the TEEP Agent is authoritative, your question should say "requests" instead, since the TEEP agent is free to ignore/reject the request.  (This is why section 6.2.1 has "RequestTA", as does the transport spec.)



[Hannes] Having a compromised REE environment that causes all sorts of apps to be installed is possible (assuming the TEE is authorizing the installation of those apps). An implementation of the secure world, most likely the TEE OS, will have to make sure that the device does not install TAs and overwrite the memory space they have been configured to use.



i)                 What is the use case for "Personalization data" ?



There is an example in section 4.4:

Ø  an example of

Ø  personalization data might be a secret symmetric key used by the TA

Ø  to communicate with the SP



[Hannes] Personalization data is meant to make each instance of the TA unique and potentially tie it to a specific user. Imagine a TA that implements biometric functionality: there has to be something in TA that relates this instance of the TA to a specific human, for example by storing a fingerprint alongside the TA as configuration data.



j) Why is Section 4.5 discussing Case 1 when it not in use ?



[Hannes] We just describe the possible approach and illustrates how things are done today. There is, however, a lot of development going on in the area of TEEs and I suspect that we will see all sorts of different use cases showing up in the future as the technology gets used in different environments.



Agree with Hannes.



k) The below line is not clear to me (please elaborate):

Consequently, a TAM generally communicates with an Untrusted Application about how it gets messages that originate from a TEE inside a device.



[Hannes] The key point of that paragraph is that today TEEs do not communicate with the outside world but require the cooperation with something on the REE side.



That whole paragraph is confusingly worded, and I currently plan to rewrite it based on my marked up hard copy :)



l) What is the use case for one TA and multiple SP ?



[Hannes] I am not sure. I let Ming, DaveW, or DaveT respond.



No idea, I'd propose deleting that section.   I was confused by it as well.



m) what is the use case for keeping the TA binary secret from the TAM ?



[Hannes] it is more and more common today to protect binaries from inspection because this gives attackers a lot of information. If you don't want to use it and only sign the binaries that's fine too. But the option is there for you to protect the confidentiality of the binary.



I believe the use case is where the app developer considers the TA binary itself to be secret (e.g., intellectual property worth protecting), but wants to allow it to be distributed through a TAM that is run by another organization, one with more hosting capacity.   Thus the developer puts an encrypted binary in that TAM, and then runs their own lighter weight TAM that just hands out decryption keys which doesn't need nearly as much much capacity/bandwidth.



n) We allow a way for an Untrusted Application to check the trustworthiness of a TA.



Comment> You may want to re-phrase the above line, and remove "we".



[Hannes] I think we should delete this paragraph:

"

   We allow a way for an Untrusted Application to check the

   trustworthiness of a TA.  A TEEP Broker has a function to allow an

   application to query the information about a TA.

"



Agreed it should be deleted.  This was the second point of issue #116 that I filed.



o) A notification that an incoming TEEP session is being requested by a TEEP Agent.



Comment> What you meant by "incoming TEEP session" ?



[Hannes] Dave should respond to this one because it relates to the HTTP transport, I believe.



The TEEP protocol requires the agent to connect to the TAM.   This is a notification about the initial connection.

See the transport spec for more details.



p) How does the TEEP broker communicate with the TEEP agent ?



[Hannes] Via an API, for example the GP TEEP Client API.



Right, implementation-specific detail.



q) Section 5.3 says the architecture uses PKI but Section 9.1 discusses self-signed certificates. Please fix.



[Hannes] We need to clarify the statement about the self-signed TA binaries.



Sure.  Figure 4 talks about multiple certificates.   5.3 is a general statement about multiple types.

9.1 is about one specific type of cert that may or may not have a PKI.

So they are not in contradiction but yes clarification would be good.



r) In Figure 4, for the purpose of "Code signing" my understanding is the location of corresponding CA certs is both TEE and TAM.



[Hannes] I believe it would be useful to also store the CA cert that is used for code signing at the TAM because then it can verify the signed TAs.



I don't believe there is any such requirement on a TAM.   It might be "useful" but is not required in my view.



If we indeed believe the text in Section 9.1 is correct then that code signing CA cert also needs to be made available to the TEEP Broker and potentially even to the untrusted app.



I don't believe the text in 9.1 is correct.



s)I have seen several malicious apps in App store in both Android and iOS, it is possible for an malicious App developer to publish both malicious untrusted applications

   and malicious trusted applications.  I don't think the TEEP architecture prevents this attack and it is the responsibility of TAM and App store to remove such apps

    (see https://android-developers.googleblog.com/2018/01/how-we-fought-bad-apps-and-malicious.html<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fandroid-developers.googleblog.com%2F2018%2F01%2Fhow-we-fought-bad-apps-and-malicious.html&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908969481&sdata=gNv0t73IFUqZmdnXjWmpb9bAyoYGfczM6oRe66Qlaog%3D&reserved=0>)



[Hannes] Yes, it would be the responsibility of the TAM, the device manufacturer and the SP / developer to ensure that they do not distribute malicious TAs.



It's the responsibility of the TAM to not install malicious trusted apps, only authorized ones.

I don't think it's correct to say it's the responsibility of the TAM to "remove" malicious trusted apps, since it shouldn't have installed it in the first place.

The only case where "removal" might make sense is if the TAM previously authorized a trusted app, and later changed its policy that such TA is no longer authorized (e.g., because it was determined to be buggy or malicious or whatever else).



Ciao

Hannes



Cheers,

-Tiru


From: Dave Thaler <dthaler@microsoft.com<mailto:dthaler@microsoft.com>>
Sent: Tuesday, January 7, 2020 8:44 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; teep@ietf.org<mailto:teep@ietf.org>
Subject: RE: Working Group Last Call for draft-ietf-teep-architecture


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
I opened one pull request for editorial issues (https://github.com/ietf-teep/architecture/pull/109<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fpull%2F109&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908969481&sdata=S36SLw%2F2T7yK210awwzbpWTE0LAN9r1WFtkE5qG%2Bfl0%3D&reserved=0>)mp;reserved=0>),
and filed seven other issues listed at https://github..com/ietf-teep/architecture/issues<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908979441&sdata=5aqxPRt0miAe5DsoenjkTn2qbJlVWTeciLtw9SBVn1E%3D&reserved=0>

110) Service Provider discussion is confusing<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F110&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908979441&sdata=KPNhnXV43eP8ZmdSqv3Vkbcj%2FPUlt5G3qYUgWPOBT%2F0%3D&reserved=0>
111) Terminology section is not consistently ordered<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F111&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908979441&sdata=Y%2FwhR2qzEc86xYboYueIlwI7jGUlIUnUp03qQ%2FclAMs%3D&reserved=0>
112) Text about carriers is confusing<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F112&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908989393&sdata=R1xs7Zt7GAt%2Bj0cv8rE273CmG4Y%2FPSQ5bB1SXVVjUS0%3D&reserved=0>
113) Section 6.2.3 contradicts section 4.2<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F113&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908989393&sdata=fYt0nEoCNSxthFVKq%2FmxutxQgpThx8L1Vn3h%2BxLhKxE%3D&reserved=0>
114) Figure 3 is too hard to understand<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F114&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908989393&sdata=o%2F6RQy0IdDZQ1Z5wDYg5WVamJ31SS6JUzU8nCLB8ksk%3D&reserved=0>
115) Reference to IANA number<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F115&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908999352&sdata=xPDRcUGvaicejeAxxLOt5Cc%2BaFAEpe1X1XBnW8TOrY8%3D&reserved=0>
116) Incorrect/obsolete statements about TEEP Broker<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-teep%2Farchitecture%2Fissues%2F116&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861908999352&sdata=O8lfJd0TAW1aEU50xAO7U09PPsCtcrCCPBFNHlPC2pA%3D&reserved=0>

I have ideas about how to address all of them, but if others have comments, please speak up.

The possibly(?) contentious one might be that in #110 I am proposing to use the term
"App Developer" throughout, instead of using "Service Provider" in some places and "App Developer" in others
and then saying they're synonymous like it does now.   (I'd be ok with mentioning that in some contexts an App Developer
might be known as a "Service Provider" if that is important to GlobalPlatform folks.)

Dave

From: TEEP <teep-bounces@ietf.org<mailto:teep-bounces@ietf.org>> On Behalf Of Konda, Tirumaleswar Reddy
Sent: Monday, December 23, 2019 4:17 AM
To: teep@ietf.org<mailto:teep@ietf.org>
Subject: [Teep] Working Group Last Call for draft-ietf-teep-architecture

Hi all,

This message starts a Work Group Last Call (WGLC) for TEEP architecture.  The version to be reviewed is https://tools.ietf.org/html/draft-ietf-teep-architecture-05<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-teep-architecture-05&data=02%7C01%7Cdthaler%40microsoft.com%7Cbcf3b2c5f95b4c4c31fa08d79353ece5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637139861909009306&sdata=jkSiFYpG8FFVJUPk7nzK4VCH2j3im3RyFYtQj7ieHCw%3D&reserved=0>

The WGLC will last for 4 weeks and will end on 20 January 2020.

Please send your comments to the list before this date and your assessment of whether or not it is ready to proceed to publication.

Regards,
Tiru & Nancy
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.