Skip to main content

Last Call Review of draft-ietf-teep-architecture-16
review-ietf-teep-architecture-16-artart-lc-housley-2022-03-28-00

Request Review of draft-ietf-teep-architecture
Requested revision No specific revision (document currently at 19)
Type Last Call Review
Team ART Area Review Team (artart)
Deadline 2022-04-07
Requested 2022-03-17
Authors Mingliang Pei , Hannes Tschofenig , Dave Thaler , Dave Wheeler
I-D last updated 2022-03-28
Completed reviews Secdir Last Call review of -16 by Benjamin M. Schwartz (diff)
Artart Last Call review of -16 by Russ Housley (diff)
Genart Last Call review of -16 by Paul Kyzivat (diff)
Intdir Telechat review of -18 by Bob Halley (diff)
Iotdir Telechat review of -18 by Ines Robles (diff)
Assignment Reviewer Russ Housley
State Completed
Request Last Call review on draft-ietf-teep-architecture by ART Area Review Team Assigned
Posted at https://mailarchive.ietf.org/arch/msg/art/36nMMxfb8U7oiAJBh4BqwYby1L4
Reviewed revision 16 (document currently at 19)
Result Almost ready
Completed 2022-03-28
review-ietf-teep-architecture-16-artart-lc-housley-2022-03-28-00
I am the assigned ARTART reviewer for this Internet-Draft.

Document: draft-ietf-teep-architecture-16
Reviewer: Russ Housley
Review Date: 2022-03-28
IETF LC End Date: 2022-04-07
IESG Telechat date: unknown

Summary: Almost Ready

Major Concerns: None.


Minor Concerns:

Section 3.3 says:

   Weak security in Internet of Things (IoT) devices has been posing
   threats to critical infrastructure that relies upon such devices.

I'm a bit confused by this opening sentence.  IoT devices usually depend
upon an infrastructure.  This seems to be talking about an infrastructure
that depends upon a collection of IoT devices.  I suggest a minor edits
to help the reader understand that this sentence is not talking about
network infrastructure.

Section 9.3 says that a compromised REE "might drop or delay messages".
This discussion should be expanded to include the replay of messages.

Section 9.4 says:

   A root CA for TAM certificates might get compromised or its
   certificate might expire, or a Trust Anchor other than a root CA
   certificate may also expire or be compromised.

I do not understand the difference between a Root CA and a Trust Anchor.
These are usually used a synonyms.  Please explain the difference that
in intended here.


Nits:

Section 1 says:

   ... The problems in the bullets above, on the
   other hand, require a new protocol, i.e., the TEEP protocol, for TEEs
   that can install and enumerate TAs in a TEE-secured location and
   where another domain-specific protocol standard (e.g., [GSMA],
   [OTRP]) that meets the needs is not already in use.

Recommend breaking this long sentence up into at least two sentences.
There are two points.  First, the need for a protocol to address the
items listed earlier.  Second, where an existing domain-specific
protocol does not already exist, a new more general protocol is needed.

Section 4.4 says:

   ... Implementations must support encryption of
   such Personalization Data to preserve the confidentiality of
   potentially sensitive data contained within it, and must support
   integrity protection of the Personalization Data.

Why not say that implementation must support mechanisms for the
confidentiality and integrity protection of such Personalization Data?
Also, it seems like draft-ietf-suit-firmware-encryption offers one
mechanism for such protection.  Should it be referenced here?

Section 4: Is an "App Store" a place where apps are stored, or is it a
place where apps a purchased?  The term seems to be used both ways, and
in one place, the document is very general by saying, "an app store
or other app repository".  Elsewhere, the term "Trust Anchor Store" is
clearly a place for storage of trust anchors.

Section 9.7: Please consider changing the section title to be something
like: "TEE Certificate Expiry and Renewal".  There is an earlier section
that talks about expiration of Root CA certificates.