draft-ietf-teep-otrp-over-http-04.txt   draft-ietf-teep-otrp-over-http-05.txt 
TEEP WG D. Thaler TEEP WG D. Thaler
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Informational February 10, 2020 Intended status: Informational March 31, 2020
Expires: August 13, 2020 Expires: October 2, 2020
HTTP Transport for Trusted Execution Environment Provisioning: Agent-to- HTTP Transport for Trusted Execution Environment Provisioning: Agent-to-
TAM Communication TAM Communication
draft-ietf-teep-otrp-over-http-04 draft-ietf-teep-otrp-over-http-05
Abstract Abstract
The Trusted Execution Environment Provisioning (TEEP) Protocol is The Trusted Execution Environment Provisioning (TEEP) Protocol is
used to manage code and configuration data in a Trusted Execution used to manage code and configuration data in a Trusted Execution
Environment (TEE). This document specifies the HTTP transport for Environment (TEE). This document specifies the HTTP transport for
TEEP communication where a Trusted Application Manager (TAM) service TEEP communication where a Trusted Application Manager (TAM) service
is used to manage TEEs in devices that can initiate communication to is used to manage TEEs in devices that can initiate communication to
the TAM. An implementation of this document can (if desired) run the TAM. An implementation of this document can (if desired) run
outside of any TEE, but interacts with a TEEP implementation that outside of any TEE, but interacts with a TEEP implementation that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2020. This Internet-Draft will expire on October 2, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 10, line 36 skipping to change at page 10, line 36
6.4. Error handling 6.4. Error handling
If any error occurs where the TEEP/HTTP Server cannot get a message If any error occurs where the TEEP/HTTP Server cannot get a message
buffer (empty or not) back from the TEEP implementation, the TEEP/ buffer (empty or not) back from the TEEP implementation, the TEEP/
HTTP Server generates an appropriate HTTP error response. HTTP Server generates an appropriate HTTP error response.
7. Sample message flow 7. Sample message flow
The following shows a sample TEEP message flow that uses application/ The following shows a sample TEEP message flow that uses application/
teep+json as the Content-Type. teep+cbor as the Content-Type.
1. An application installer determines (e.g., from an app manifest) 1. An application installer determines (e.g., from an app manifest)
that the application has a dependency on TA "X", and passes this that the application has a dependency on TA "X", and passes this
notification to the TEEP Broker. The TEEP Broker picks a TEE notification to the TEEP Broker. The TEEP Broker picks a TEE
(e.g., the only one available) based on this notification, and (e.g., the only one available) based on this notification, and
passes the information to the TEEP/HTTP Cient for that TEE. passes the information to the TEEP/HTTP Cient for that TEE.
2. The TEEP/HTTP Client calls the TEEP implementation's "RequestTA" 2. The TEEP/HTTP Client calls the TEEP implementation's "RequestTA"
API, passing TA Needed = X. API, passing TA Needed = X.
skipping to change at page 11, line 11 skipping to change at page 11, line 11
installed, but that it can be obtained from a given TAM. The installed, but that it can be obtained from a given TAM. The
TEEP Agent passes the TAM URI (e.g., "https://example.com/tam") TEEP Agent passes the TAM URI (e.g., "https://example.com/tam")
to the TEEP/HTTP Client. (If the TEEP implementation already to the TEEP/HTTP Client. (If the TEEP implementation already
had a cached TAM certificate that it trusts, it could skip to had a cached TAM certificate that it trusts, it could skip to
step 9 instead and generate a QueryResponse.) step 9 instead and generate a QueryResponse.)
4. The TEEP/HTTP Client sends an HTTP POST request to the TAM URI: 4. The TEEP/HTTP Client sends an HTTP POST request to the TAM URI:
POST /tam HTTP/1.1 POST /tam HTTP/1.1
Host: example.com Host: example.com
Accept: application/teep+json Accept: application/teep+cbor
Content-Length: 0 Content-Length: 0
User-Agent: Foo/1.0 User-Agent: Foo/1.0
5. On the TAM side, the TEEP/HTTP Server receives the HTTP POST 5. On the TAM side, the TEEP/HTTP Server receives the HTTP POST
request, and calls the TEEP implementation's "ProcessConnect" request, and calls the TEEP implementation's "ProcessConnect"
API. API.
6. The TEEP implementation generates a TEEP message (where 6. The TEEP implementation generates a TEEP message (where
typically QueryRequest is the first message) and passes it to typically QueryRequest is the first message) and passes it to
the TEEP/HTTP Server. the TEEP/HTTP Server.
7. The TEEP/HTTP Server sends an HTTP successful response with the 7. The TEEP/HTTP Server sends an HTTP successful response with the
TEEP message in the body: TEEP message in the body:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/teep+json Content-Type: application/teep+cbor
Content-Length: [length of TEEP message here] Content-Length: [length of TEEP message here]
Server: Bar/2.2 Server: Bar/2.2
Cache-Control: no-store Cache-Control: no-store
X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none' Content-Security-Policy: default-src 'none'
Referrer-Policy: no-referrer Referrer-Policy: no-referrer
[TEEP message here] [TEEP message here]
8. Back on the TEEP Agent side, the TEEP/HTTP Client gets the HTTP 8. Back on the TEEP Agent side, the TEEP/HTTP Client gets the HTTP
skipping to change at page 12, line 7 skipping to change at page 12, line 7
9. The TEEP implementation processes the TEEP message, and 9. The TEEP implementation processes the TEEP message, and
generates a TEEP response (e.g., QueryResponse) which it passes generates a TEEP response (e.g., QueryResponse) which it passes
back to the TEEP/HTTP Client. back to the TEEP/HTTP Client.
10. The TEEP/HTTP Client gets the TEEP message buffer and sends an 10. The TEEP/HTTP Client gets the TEEP message buffer and sends an
HTTP POST request to the TAM URI, with the TEEP message in the HTTP POST request to the TAM URI, with the TEEP message in the
body: body:
POST /tam HTTP/1.1 POST /tam HTTP/1.1
Host: example.com Host: example.com
Accept: application/teep+json Accept: application/teep+cbor
Content-Type: application/teep+json Content-Type: application/teep+cbor
Content-Length: [length of TEEP message here] Content-Length: [length of TEEP message here]
User-Agent: Foo/1.0 User-Agent: Foo/1.0
[TEEP message here] [TEEP message here]
11. The TEEP/HTTP Server receives the HTTP POST request, and passes 11. The TEEP/HTTP Server receives the HTTP POST request, and passes
the payload up to the TAM implementation. the payload up to the TAM implementation.
12. Steps 6-11 are then repeated until the TEEP implementation 12. Steps 6-11 are then repeated until the TEEP implementation
passes no data back to the TEEP/HTTP Server in step 6. passes no data back to the TEEP/HTTP Server in step 6.
skipping to change at page 12, line 48 skipping to change at page 12, line 48
9. IANA Considerations 9. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-httpbis-semantics] [I-D.ietf-httpbis-semantics]
Fielding, R., Nottingham, M., and J. Reschke, "HTTP Fielding, R., Nottingham, M., and J. Reschke, "HTTP
Semantics", draft-ietf-httpbis-semantics-06 (work in Semantics", draft-ietf-httpbis-semantics-07 (work in
progress), November 2019. progress), March 2020.
[I-D.ietf-teep-protocol] [I-D.ietf-teep-protocol]
Tschofenig, H., Pei, M., Wheeler, D., and D. Thaler, Tschofenig, H., Pei, M., Wheeler, D., and D. Thaler,
"Trusted Execution Environment Provisioning (TEEP) "Trusted Execution Environment Provisioning (TEEP)
Protocol", draft-ietf-teep-protocol-00 (work in progress), Protocol", draft-ietf-teep-protocol-01 (work in progress),
December 2019. March 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, <https://www.rfc- DOI 10.17487/RFC2818, May 2000, <https://www.rfc-
editor.org/info/rfc2818>. editor.org/info/rfc2818>.
skipping to change at page 13, line 40 skipping to change at page 13, line 40
framework-open-trust-protocol/>. framework-open-trust-protocol/>.
[I-D.ietf-httpbis-bcp56bis] [I-D.ietf-httpbis-bcp56bis]
Nottingham, M., "Building Protocols with HTTP", draft- Nottingham, M., "Building Protocols with HTTP", draft-
ietf-httpbis-bcp56bis-09 (work in progress), November ietf-httpbis-bcp56bis-09 (work in progress), November
2019. 2019.
[I-D.ietf-teep-architecture] [I-D.ietf-teep-architecture]
Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler, Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler,
"Trusted Execution Environment Provisioning (TEEP) "Trusted Execution Environment Provisioning (TEEP)
Architecture", draft-ietf-teep-architecture-06 (work in Architecture", draft-ietf-teep-architecture-07 (work in
progress), February 2020. progress), March 2020.
[I-D.ietf-teep-opentrustprotocol] [I-D.ietf-teep-opentrustprotocol]
Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig, Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig,
"The Open Trust Protocol (OTrP)", draft-ietf-teep- "The Open Trust Protocol (OTrP)", draft-ietf-teep-
opentrustprotocol-03 (work in progress), May 2019. opentrustprotocol-03 (work in progress), May 2019.
Author's Address Author's Address
Dave Thaler Dave Thaler
Microsoft Microsoft
 End of changes. 10 change blocks. 
15 lines changed or deleted 15 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/