draft-ietf-teep-otrp-over-http-08.txt   draft-ietf-teep-otrp-over-http-09.txt 
TEEP WG D. Thaler TEEP WG D. Thaler
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Informational October 09, 2020 Intended status: Informational November 02, 2020
Expires: April 12, 2021 Expires: May 6, 2021
HTTP Transport for Trusted Execution Environment Provisioning: Agent-to- HTTP Transport for Trusted Execution Environment Provisioning: Agent-to-
TAM Communication TAM Communication
draft-ietf-teep-otrp-over-http-08 draft-ietf-teep-otrp-over-http-09
Abstract Abstract
The Trusted Execution Environment Provisioning (TEEP) Protocol is The Trusted Execution Environment Provisioning (TEEP) Protocol is
used to manage code and configuration data in a Trusted Execution used to manage code and configuration data in a Trusted Execution
Environment (TEE). This document specifies the HTTP transport for Environment (TEE). This document specifies the HTTP transport for
TEEP communication where a Trusted Application Manager (TAM) service TEEP communication where a Trusted Application Manager (TAM) service
is used to manage code and data in TEEs on devices that can initiate is used to manage code and data in TEEs on devices that can initiate
communication to the TAM. An implementation of this document can (if communication to the TAM. An implementation of this document can (if
desired) run outside of any TEE, but interacts with a TEEP desired) run outside of any TEE, but interacts with a TEEP
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 12, 2021. This Internet-Draft will expire on May 6, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 29 skipping to change at page 4, line 29
Section 6 of the TEEP architecture [I-D.ietf-teep-architecture] Section 6 of the TEEP architecture [I-D.ietf-teep-architecture]
defines a TEEP "Broker" as being a component on the device, but defines a TEEP "Broker" as being a component on the device, but
outside the TEE, that facilitates communication with a TAM. That outside the TEE, that facilitates communication with a TAM. That
document further explains that the protocol layer at which the TEEP document further explains that the protocol layer at which the TEEP
broker operates may vary by implementation, and it depicts several broker operates may vary by implementation, and it depicts several
exemplary models. An implementation is free to choose any of these exemplary models. An implementation is free to choose any of these
models, although model A is the one we will use in our examples. models, although model A is the one we will use in our examples.
Passing information from an REE component to a TEE component is Passing information from an REE component to a TEE component is
typically spoken of as being passed "in" to the TEE, and informaton typically spoken of as being passed "in" to the TEE, and information
passed in the opposite direction is spoken of as being passed "out". passed in the opposite direction is spoken of as being passed "out".
In the protocol layering sense, information is typically spoken of as In the protocol layering sense, information is typically spoken of as
being passed "up" or "down" the stack. Since the layer at which being passed "up" or "down" the stack. Since the layer at which
information is passed in/out may vary by implementation, we will information is passed in/out may vary by implementation, we will
generally use "up" and "down" in this document. generally use "up" and "down" in this document.
3.1. Use of Abstract APIs 3.1. Use of Abstract APIs
This document refers to various APIs between a TEEP implementation This document refers to various APIs between a TEEP implementation
and a TEEP/HTTP implementation in the abstract, meaning the literal and a TEEP/HTTP implementation in the abstract, meaning the literal
skipping to change at page 5, line 49 skipping to change at page 5, line 49
using HTTPS for transport, since HTTPS can provide additional using HTTPS for transport, since HTTPS can provide additional
protections as discussed in Sections 4.4.2 and 6 of protections as discussed in Sections 4.4.2 and 6 of
[I-D.ietf-httpbis-bcp56bis]. [I-D.ietf-httpbis-bcp56bis].
However, there may be constrained nodes where code space is an issue. However, there may be constrained nodes where code space is an issue.
[RFC7925] provides TLS profiles that can be used in many constrained [RFC7925] provides TLS profiles that can be used in many constrained
nodes, but in rare cases the most constrained nodes might need to use nodes, but in rare cases the most constrained nodes might need to use
HTTP without a TLS stack, relying on the end-to-end security provided HTTP without a TLS stack, relying on the end-to-end security provided
by the TEEP protocol. by the TEEP protocol.
When HTTPS is used, TLS certificates MUST be checked according to When HTTPS is used, clients MUST use the procedures detailed in
[RFC2818], as well as [RFC6125] if PKIX certificates are used. See Section 6 of [RFC6125] to verify the authenticity of the server. See
[BCP195] for additional TLS recommendations and [RFC7925] for TLS [BCP195] for additional TLS recommendations and [RFC7925] for TLS
recommandations related to IoT devices. recommendations related to IoT devices.
5. TEEP/HTTP Client Behavior 5. TEEP/HTTP Client Behavior
5.1. Receiving a request to install a new Trusted Application 5.1. Receiving a request to install a new Trusted Application
In some environments, an application installer can determine (e.g., In some environments, an application installer can determine (e.g.,
from an app manifest) that the application being installed or updated from an app manifest) that the application being installed or updated
has a dependency on a given Trusted Application (TA) being available has a dependency on a given Trusted Application (TA) being available
in a given type of TEE. In such a case, it will notify a TEEP in a given type of TEE. In such a case, it will notify a TEEP
Broker, where the notification will contain the following: Broker, where the notification will contain the following:
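Review bot: The rewritten MUST in the "When HTTPS is used" sentence now applies to every HTTPS deployment, but the old qualifier "if PKIX certificates are used" is gone, and the only procedure it cites is Section 6 of [RFC6125], whose title in the reference list covers X.509 (PKIX) certificates. That leaves it unclear what a client MUST do when the server is authenticated some other way. Either restore the condition, for example "When HTTPS is used with PKIX certificates, clients MUST ...", or state what applies in the other case. It would also be clearer to write "TEEP/HTTP Clients" rather than "clients", matching the Section 5 heading that follows.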
skipping to change at page 12, line 35 skipping to change at page 12, line 35
Tschofenig, H., Pei, M., Wheeler, D., Thaler, D., and A. Tschofenig, H., Pei, M., Wheeler, D., Thaler, D., and A.
Tsukamoto, "Trusted Execution Environment Provisioning Tsukamoto, "Trusted Execution Environment Provisioning
(TEEP) Protocol", draft-ietf-teep-protocol-03 (work in (TEEP) Protocol", draft-ietf-teep-protocol-03 (work in
progress), July 2020. progress), July 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, <https://www.rfc-
editor.org/info/rfc2818>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <https://www.rfc-editor.org/info/rfc6125>. 2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer
Security (TLS) / Datagram Transport Layer Security (DTLS) Security (TLS) / Datagram Transport Layer Security (DTLS)
Profiles for the Internet of Things", RFC 7925, Profiles for the Internet of Things", RFC 7925,
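Review bot: Removing the [RFC2818] entry from this reference list is only safe if the Section 4 sentence was its sole citation, and this diff shows just that one citation being dropped. Check the unchanged text for any remaining [RFC2818] citation before the entry goes, so the document does not end up with a dangling reference.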
skipping to change at page 13, line 24 skipping to change at page 13, line 20
<https://globalplatform.org/specs-library/tee-management- <https://globalplatform.org/specs-library/tee-management-
framework-open-trust-protocol/>. framework-open-trust-protocol/>.
[I-D.ietf-httpbis-bcp56bis] [I-D.ietf-httpbis-bcp56bis]
Nottingham, M., "Building Protocols with HTTP", draft- Nottingham, M., "Building Protocols with HTTP", draft-
ietf-httpbis-bcp56bis-09 (work in progress), November ietf-httpbis-bcp56bis-09 (work in progress), November
2019. 2019.
[I-D.ietf-quic-transport] [I-D.ietf-quic-transport]
Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed
and Secure Transport", draft-ietf-quic-transport-31 (work and Secure Transport", draft-ietf-quic-transport-32 (work
in progress), September 2020. in progress), October 2020.
[I-D.ietf-teep-architecture] [I-D.ietf-teep-architecture]
Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler, Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler,
"Trusted Execution Environment Provisioning (TEEP) "Trusted Execution Environment Provisioning (TEEP)
Architecture", draft-ietf-teep-architecture-12 (work in Architecture", draft-ietf-teep-architecture-12 (work in
progress), July 2020. progress), July 2020.
[I-D.ietf-teep-opentrustprotocol] [I-D.ietf-teep-opentrustprotocol]
Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig, Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig,
"The Open Trust Protocol (OTrP)", draft-ietf-teep- "The Open Trust Protocol (OTrP)", draft-ietf-teep-
 End of changes. 8 change blocks. 
14 lines changed or deleted 10 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/