| draft-ietf-teep-otrp-over-http-04.txt | draft-ietf-teep-otrp-over-http-05.txt | |||
|---|---|---|---|---|
| TEEP WG D. Thaler | TEEP WG D. Thaler | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Informational February 10, 2020 | Intended status: Informational March 31, 2020 | |||
| Expires: August 13, 2020 | Expires: October 2, 2020 | |||
| HTTP Transport for Trusted Execution Environment Provisioning: Agent-to- | HTTP Transport for Trusted Execution Environment Provisioning: Agent-to- | |||
| TAM Communication | TAM Communication | |||
| draft-ietf-teep-otrp-over-http-04 | draft-ietf-teep-otrp-over-http-05 | |||
| Abstract | Abstract | |||
| The Trusted Execution Environment Provisioning (TEEP) Protocol is | The Trusted Execution Environment Provisioning (TEEP) Protocol is | |||
| used to manage code and configuration data in a Trusted Execution | used to manage code and configuration data in a Trusted Execution | |||
| Environment (TEE). This document specifies the HTTP transport for | Environment (TEE). This document specifies the HTTP transport for | |||
| TEEP communication where a Trusted Application Manager (TAM) service | TEEP communication where a Trusted Application Manager (TAM) service | |||
| is used to manage TEEs in devices that can initiate communication to | is used to manage TEEs in devices that can initiate communication to | |||
| the TAM. An implementation of this document can (if desired) run | the TAM. An implementation of this document can (if desired) run | |||
| outside of any TEE, but interacts with a TEEP implementation that | outside of any TEE, but interacts with a TEEP implementation that | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 13, 2020. | This Internet-Draft will expire on October 2, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 10, line 36 ¶ | skipping to change at page 10, line 36 ¶ | |||
| 6.4. Error handling | 6.4. Error handling | |||
| If any error occurs where the TEEP/HTTP Server cannot get a message | If any error occurs where the TEEP/HTTP Server cannot get a message | |||
| buffer (empty or not) back from the TEEP implementation, the TEEP/ | buffer (empty or not) back from the TEEP implementation, the TEEP/ | |||
| HTTP Server generates an appropriate HTTP error response. | HTTP Server generates an appropriate HTTP error response. | |||
| 7. Sample message flow | 7. Sample message flow | |||
| The following shows a sample TEEP message flow that uses application/ | The following shows a sample TEEP message flow that uses application/ | |||
| teep+json as the Content-Type. | teep+cbor as the Content-Type. | |||
| 1. An application installer determines (e.g., from an app manifest) | 1. An application installer determines (e.g., from an app manifest) | |||
| that the application has a dependency on TA "X", and passes this | that the application has a dependency on TA "X", and passes this | |||
| notification to the TEEP Broker. The TEEP Broker picks a TEE | notification to the TEEP Broker. The TEEP Broker picks a TEE | |||
| (e.g., the only one available) based on this notification, and | (e.g., the only one available) based on this notification, and | |||
| passes the information to the TEEP/HTTP Cient for that TEE. | passes the information to the TEEP/HTTP Cient for that TEE. | |||
| 2. The TEEP/HTTP Client calls the TEEP implementation's "RequestTA" | 2. The TEEP/HTTP Client calls the TEEP implementation's "RequestTA" | |||
| API, passing TA Needed = X. | API, passing TA Needed = X. | |||
| skipping to change at page 11, line 11 ¶ | skipping to change at page 11, line 11 ¶ | |||
| installed, but that it can be obtained from a given TAM. The | installed, but that it can be obtained from a given TAM. The | |||
| TEEP Agent passes the TAM URI (e.g., "https://example.com/tam") | TEEP Agent passes the TAM URI (e.g., "https://example.com/tam") | |||
| to the TEEP/HTTP Client. (If the TEEP implementation already | to the TEEP/HTTP Client. (If the TEEP implementation already | |||
| had a cached TAM certificate that it trusts, it could skip to | had a cached TAM certificate that it trusts, it could skip to | |||
| step 9 instead and generate a QueryResponse.) | step 9 instead and generate a QueryResponse.) | |||
| 4. The TEEP/HTTP Client sends an HTTP POST request to the TAM URI: | 4. The TEEP/HTTP Client sends an HTTP POST request to the TAM URI: | |||
| POST /tam HTTP/1.1 | POST /tam HTTP/1.1 | |||
| Host: example.com | Host: example.com | |||
| Accept: application/teep+json | Accept: application/teep+cbor | |||
| Content-Length: 0 | Content-Length: 0 | |||
| User-Agent: Foo/1.0 | User-Agent: Foo/1.0 | |||
| 5. On the TAM side, the TEEP/HTTP Server receives the HTTP POST | 5. On the TAM side, the TEEP/HTTP Server receives the HTTP POST | |||
| request, and calls the TEEP implementation's "ProcessConnect" | request, and calls the TEEP implementation's "ProcessConnect" | |||
| API. | API. | |||
| 6. The TEEP implementation generates a TEEP message (where | 6. The TEEP implementation generates a TEEP message (where | |||
| typically QueryRequest is the first message) and passes it to | typically QueryRequest is the first message) and passes it to | |||
| the TEEP/HTTP Server. | the TEEP/HTTP Server. | |||
| 7. The TEEP/HTTP Server sends an HTTP successful response with the | 7. The TEEP/HTTP Server sends an HTTP successful response with the | |||
| TEEP message in the body: | TEEP message in the body: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/teep+json | Content-Type: application/teep+cbor | |||
| Content-Length: [length of TEEP message here] | Content-Length: [length of TEEP message here] | |||
| Server: Bar/2.2 | Server: Bar/2.2 | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| X-Content-Type-Options: nosniff | X-Content-Type-Options: nosniff | |||
| Content-Security-Policy: default-src 'none' | Content-Security-Policy: default-src 'none' | |||
| Referrer-Policy: no-referrer | Referrer-Policy: no-referrer | |||
| [TEEP message here] | [TEEP message here] | |||
| 8. Back on the TEEP Agent side, the TEEP/HTTP Client gets the HTTP | 8. Back on the TEEP Agent side, the TEEP/HTTP Client gets the HTTP | |||
| skipping to change at page 12, line 7 ¶ | skipping to change at page 12, line 7 ¶ | |||
| 9. The TEEP implementation processes the TEEP message, and | 9. The TEEP implementation processes the TEEP message, and | |||
| generates a TEEP response (e.g., QueryResponse) which it passes | generates a TEEP response (e.g., QueryResponse) which it passes | |||
| back to the TEEP/HTTP Client. | back to the TEEP/HTTP Client. | |||
| 10. The TEEP/HTTP Client gets the TEEP message buffer and sends an | 10. The TEEP/HTTP Client gets the TEEP message buffer and sends an | |||
| HTTP POST request to the TAM URI, with the TEEP message in the | HTTP POST request to the TAM URI, with the TEEP message in the | |||
| body: | body: | |||
| POST /tam HTTP/1.1 | POST /tam HTTP/1.1 | |||
| Host: example.com | Host: example.com | |||
| Accept: application/teep+json | Accept: application/teep+cbor | |||
| Content-Type: application/teep+json | Content-Type: application/teep+cbor | |||
| Content-Length: [length of TEEP message here] | Content-Length: [length of TEEP message here] | |||
| User-Agent: Foo/1.0 | User-Agent: Foo/1.0 | |||
| [TEEP message here] | [TEEP message here] | |||
| 11. The TEEP/HTTP Server receives the HTTP POST request, and passes | 11. The TEEP/HTTP Server receives the HTTP POST request, and passes | |||
| the payload up to the TAM implementation. | the payload up to the TAM implementation. | |||
| 12. Steps 6-11 are then repeated until the TEEP implementation | 12. Steps 6-11 are then repeated until the TEEP implementation | |||
| passes no data back to the TEEP/HTTP Server in step 6. | passes no data back to the TEEP/HTTP Server in step 6. | |||
| skipping to change at page 12, line 48 ¶ | skipping to change at page 12, line 48 ¶ | |||
| 9. IANA Considerations | 9. IANA Considerations | |||
| This document has no actions for IANA. | This document has no actions for IANA. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.ietf-httpbis-semantics] | [I-D.ietf-httpbis-semantics] | |||
| Fielding, R., Nottingham, M., and J. Reschke, "HTTP | Fielding, R., Nottingham, M., and J. Reschke, "HTTP | |||
| Semantics", draft-ietf-httpbis-semantics-06 (work in | Semantics", draft-ietf-httpbis-semantics-07 (work in | |||
| progress), November 2019. | progress), March 2020. | |||
| [I-D.ietf-teep-protocol] | [I-D.ietf-teep-protocol] | |||
| Tschofenig, H., Pei, M., Wheeler, D., and D. Thaler, | Tschofenig, H., Pei, M., Wheeler, D., and D. Thaler, | |||
| "Trusted Execution Environment Provisioning (TEEP) | "Trusted Execution Environment Provisioning (TEEP) | |||
| Protocol", draft-ietf-teep-protocol-00 (work in progress), | Protocol", draft-ietf-teep-protocol-01 (work in progress), | |||
| December 2019. | March 2020. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
| DOI 10.17487/RFC2818, May 2000, <https://www.rfc- | DOI 10.17487/RFC2818, May 2000, <https://www.rfc- | |||
| editor.org/info/rfc2818>. | editor.org/info/rfc2818>. | |||
| skipping to change at page 13, line 40 ¶ | skipping to change at page 13, line 40 ¶ | |||
| framework-open-trust-protocol/>. | framework-open-trust-protocol/>. | |||
| [I-D.ietf-httpbis-bcp56bis] | [I-D.ietf-httpbis-bcp56bis] | |||
| Nottingham, M., "Building Protocols with HTTP", draft- | Nottingham, M., "Building Protocols with HTTP", draft- | |||
| ietf-httpbis-bcp56bis-09 (work in progress), November | ietf-httpbis-bcp56bis-09 (work in progress), November | |||
| 2019. | 2019. | |||
| [I-D.ietf-teep-architecture] | [I-D.ietf-teep-architecture] | |||
| Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler, | Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler, | |||
| "Trusted Execution Environment Provisioning (TEEP) | "Trusted Execution Environment Provisioning (TEEP) | |||
| Architecture", draft-ietf-teep-architecture-06 (work in | Architecture", draft-ietf-teep-architecture-07 (work in | |||
| progress), February 2020. | progress), March 2020. | |||
| [I-D.ietf-teep-opentrustprotocol] | [I-D.ietf-teep-opentrustprotocol] | |||
| Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig, | Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig, | |||
| "The Open Trust Protocol (OTrP)", draft-ietf-teep- | "The Open Trust Protocol (OTrP)", draft-ietf-teep- | |||
| opentrustprotocol-03 (work in progress), May 2019. | opentrustprotocol-03 (work in progress), May 2019. | |||
| Author's Address | Author's Address | |||
| Dave Thaler | Dave Thaler | |||
| Microsoft | Microsoft | |||
| End of changes. 10 change blocks. | ||||
| 15 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||