Telechat Review of draft-ietf-teep-protocol-23
review-ietf-teep-protocol-23-iotdir-telechat-lear-2026-02-08-00
review-ietf-teep-protocol-23-iotdir-telechat-lear-2026-02-08-00
I've been asked to review this document for the IOTDIR.
TL&DR: Ready with issues.
In general I find the document well written and specified.
Big stuff to look at:
* Section 10.1 could get a big hair cut (see below).
* err-msg, err-code, and err-lang demonstrate a bit of a gap in the
explanation of the theory of operation, both in this draft and in
RFC 9397 that should be closed prior to publishing.
Caveat: I have *not* checked all of the CDDL in the Appendix.
Details:
Section 4.1.1:
> The TAM
> can decide, in any implementation-specific way, whether to
> include a token in a message. The initial token value generated
> by a TAM MUST be produced using a cryptographically secure random
> source. Subsequent token values MUST be different for each
> message the TAM creates.
>
Two problems with this paragraph:
1. I think you have a general consistency problem with how you want
tokens to be handled. Here you say they are optional, but in
Section 4.2 you say there is at least one case where they are not,
and then later, you say that their use must be ignored after
messages with valid signatures have been received. My suggestion is
that you add a subsection somewhere above to talk about tokens and
their use. This will simplify your text below.
2. "cryptographically secure random source" requires either a reference
or a definition. There are plenty. Pick one.
Then the next statement:
2. Create a COSE header containing the desired set of header
parameters.
"desired set" seems rather loose. Please be somewhat more specific,
again for interoperability's sake.
I'll admit to being somewhat nervous about Table 4 in IANA
considerations. Again, if the goal is interoperability, permitting
other than standards action (except perhaps 1 or 2 bits for
experiments), seems like a recipe for interoperability failure, given
these are the protocol primitives.
Section 6: Mapping of TEEP labels
> If future standards require additional messages beyond this
> range, implementations SHOULD be designed to handle gracefully any
> unrecognized labels, treating them as unknown optional parameters
> without failing to process the message.
A great way to assure that gracefulness is to define the behavior (e.g.,
produce an error/ignore/???).
Three other issues: about this section:
* It seems you are cutting it quite fine by wanting to squeeze in all
of the parameters into a single uint. Do you have enough
operational experience to know that you REALLY have this right? BTW,
a fine answer would be to simply rev this spec.
* That said, maybe it makes sense to at least indicate what you would
want of experiments.
* I see that these labels are repeated in IANA considerations. Again a
general preference for all IANA considerations would be to be a bit
more specific, such as "This document, Section 6".
Section 7.1.1.1 raises some concerns:
> If the TAM does not have
> permission to update such components (this can happen if
> different TAMs manage different components in the device), the
> TAM instead responds with an Update message containing an
> appropriate err-msg, and err-code set to
> ERR_ATTESTATION_REQUIRED.
Same with 7.1.2.
I was initially perplexed as to WHY the CDDL would have had err-msg et
al in Section 4.4 until I read the above, and then I wondered why you
don't have some sort of parameter flag to simply state in the first
place that attestation is required. Having revisited RFC 9397 and
reread these sections a few times, and perhaps I'm still missing
something, I think there is a hole in 9397 that you need to close, at
least minimally, in this document: how are errors processed and by whom?
You don't explain WHY a TAM would generate err-msgs in Section 4.4, and
it is not made clear to the reader what is supposed to happen with those
error messages in Section 10.1. I am also struggling a bit with the
security concept of providing an error back to the TA if the TA has
failed in some way its authentication.
Section 10.1:
This section is really quite general. You're writing a lot of words
that operators have to do for any number of mechanisms unrelated to
TEEP. Moreover, I am unsure that any operator would ever read this
text, since the draft is primarily written for implementors. That said:
> Implementations SHOULD support certificate status checks
> and have clear behavior when certificates are expired or revoked
> (see err-code behaviors such as ERR_CERTIFICATE_EXPIRED and
> ERR_BAD_CERTIFICATE).
I agree this is important, but I'm not sure you are doing that SHOULD
justice. It would be helpful to have at least an example of what you
mean. I write this because operators may be put into quite difficult
positions with ERR_CERTIFICATE_EXPIRED (there could probably be an
entire RFC on that), but the general choice is- let the device continue
to function and notify the operator, or take the device out of service
and notify the operator. Obviously a TAM may not be the correct element
to perform these tasks, but it may communicate with something that is.
Also, you might want to mention warnings that might take place
*prior* to certificate expiry.
On this point:
> * Time synchronization: Accurate device time is important for
> certificate validity checks and for some attestation freshness
> mechanisms. Operators SHOULD ensure devices maintain adequate
> time synchronization.
Of course this is true for certificates, but I don't think you are going
far enough in two ways:
1. How accurate is "accurate" and how adequate is "adequate"?
2. It feels a little like you've buried the lede: this is a strong
dependency and somehow we don't get to it until Section 10.
Next:
> * Transport and deployment-specific concerns: TEEP is transport
> agnostic; operators MUST ensure the chosen transport provides
> adequate confidentiality, integrity, authentication, and replay
> protection. See the HTTP binding draft
> [I-D.ietf-teep-otrp-over-http] for transport-specific operational
> details when that binding is used.
I'm not sure you get to MUSTify operators. If it's THAT important, then
MUSTify the implementations in your spec.
Nits:
The diagrams in Section 3 should be labeled.
The complete CDDL structure is
shown in Appendix C.
I prefer normative text to not be in appendices, because that matches
behaviors of other SDOs, but that is me.
In Section 7.2.1:
> If the QueryRequest is instead determined to contain Evidence, the
> TEEP Agent passes the Evidence (via some mechanism out of scope of
> this document) to an attestation Verifier
and
> The TEEP Agent MAY also use (in any implementation specific way) any
> SUIT Reports in the QueryRequest in determining whether it trusts the
> TAM.
Remove the parentheses as they are unneeded. The test here is to read
the text aloud to see if the sentence makes sense without parentheses.
If it does, just remove them. If it doesn't, then you should rewrite
the sentence so that it does.
Eliot