Internet Engineering Task Force 108, 27 Jul 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF108 TEEP 20200727 1100

Description

TEEP session at IETF108
2020/07/27 1100

A

Okay, hannes you're recognized.

A

If you're speaking, we cannot hear you.

A

Oh okay, now you're coming in, but your voice is very faint. Okay,.

B

Some uh by the way, someone has the microphone a little bit too close to his mouth. um I can hear him him breathing. I don't know.

A

It must, it must be.

A

Thank you for that.

A

Okay, there's a participant I think in. I can't recognize the name, because it's in kanji.

A

And you wanted video, so I don't think if you want to speak, you should click on the um on the microphone, not the uh video okay. So with that we're already one minutes in so let's go ahead and get started.

A

uh Can everybody see my slides.

C

Yes, nancy, you can see your slides.

A

Great okay, so let's go ahead and get started good morning um good afternoon.

A

I think it's the afternoon for most everyone, uh oh and late evening, for those in asia, um so you are in the itf 108 first session. Welcome and you are participating in the trusted execution, environment and provisioning or teep working group. um So this is a formal ietf session. All of the notewell rules apply.

A

I think most everyone has participated in the past. So I'm just going to note this and not go over it. For the agenda. Note that we are using the codium d to take notes. um Do we have, uh I forgot to also introduce brett jordan. We are trying the session to have a a secretary. So please welcome brett jordan for that um we need to have at least one more other note taker did we have anybody volunteer?

A

We really can't move forward until we can get through the logistics. So we need a note taker and we need a jabber.

A

Scribe please, so we can move forward.

A

Russ was that you, volunteering for notes.

A

A

You ah michael volunteer too, thank you all those who volunteered robin and michael can we have a jabber scribe.

A

A

Okay, emmanuel you've requested video, not audio.

A

Okay, we can't move until we get a jabber scribe.

A

A

Nancy, besides myself, sorry who's, just speaking, oh bro yeah, um so we've got michael and robin also willing to take notes um and they can add themselves on the cody nd, so notice that the notes are being taken on the cody md. As I've noted.

C

A

The agenda we need one jabber scribe.

A

A

Okay, we're we're starting to eat into the agenda. Can we have a volunteer? Please.

D

I want jabber, I don't know what you would want me to do, though,.

A

um Okay, so if you can do the jabber, that also that'd be great. um Basically, if anybody types on the jabber questions or comments, you need to, let us know great.

E

I'll do that.

A

All right great, thank you, okay, so with that, let's move forward um on today's agenda and it is pretty full um we're going to have ming. I don't know if I noted him on the call, but main will go through the architecture.

A

Then after we'll have dave, provide us the updates on the transport um tape over http draft as well as the protocol, and then we can call the question if we need to do a second working group call for the transport one as well as whether we're ready to move forward to publication on the architecture. Draft oops, sorry.

A

Akira, I don't know if you, I noted you as the presenter for the hackathon report and then lastly, we'll go through the milestones as those need to be updated. So with that the agenda will be pretty full um soren. I didn't see um you submit slides too so, given that the agenda is full, I'm not sure we're gonna have time also, especially since we don't have the slides whether um we can get to that, but I've added it just in case um to the agenda.

A

So any other comments before we move to the presentations going once going twice. If not, um let me just share the architecture slides ming. Are you on.

A

I don't see ming on the call.

C

A

C

Trouble joining the call he's not able to join the call.

A

C

I think we should start with the other presenters I'll try to help him out.

A

Okay, thanks dude, so um dave are you okay? Moving next and.

F

Discuss the transport uh is there just to make sure right now, I'm using the uh override to present is there some particular thing that I should be doing to present here? I'm can also share.

A

I think, in the interest of time I was just going to present all the.

F

No, no I'm saying for for audio, then I just use the override mic.

F

Yes, okay, great, then I am happy to go if you want to go into if you can make it go into full screen, um which probably I don't know, I.

A

Can't win I'm using since I'm using acrobat. We have that issue, so I'm just going to try to expand this big. Is this big enough? It's okay.

F

For me all right, so let's go ahead and get started, then yeah, okay, so one change to this slide uh as soon as the window opened. uh Yesterday I posted draft007. This uh title slide says draft o6 for the transport. It's now on. Drafto 7.06 was what was posted at the time of the virtual interim meeting we had back in april, so I just wanted to let you know that I'm presenting the deltas between six and seven next slide.

F

Please all right! So as a reminder, this draft has gone through uh more than a working group. Last call. So there was a working group last call that started back in uh before november. We discussed it at ietf, 106., oh wow, sorry, draft 106 was the last thing before working group last call was started. We had a working call that started in february and completed before the intro meeting that we had in april. um We then in april solicited additional reviews after working with glass call so mark nottingham, hanas and ming all sent in reviews.

F

Mark dottingham's review basically said. Yep still looks good as far as uh https conformance and recommendations, hanus and ming bo sent a bunch of reviews and that's what I'm going to walk through today. So next slide.

F

All right, so, at the time of the april interim, the issues on the top half were discussed. All of the crossed out ones are the ones that we agreed were done, the three that are not crossed out of the three that we said. Oh we'll close these after we have.

F

You know the following thing happen, which I'll mention which we got agreements at the april interim, the ones down in the bottom, half of the ones that were filed newly as a result of hanus's review and ming's review, and so we'll walk through the non-crossed out ones. Next,.

F

Slide. Okay. So let me first talk about the things that uh we previously discussed at the april intro meeting and I did what I believe we discussed there. So the first one we had a discussion about that should say: bcp, 56 bis, that's a typo on the slide, uh that's the one that says how to use http as a transport for any application protocols like us that are doing it. What it used to say is that when not called out explicitly in this document, all implementation recommendations in 56 bis apply to here.

F

um That could arguably be read as normative, which was not intentional, and so that phrase has now changed to be informative, where the recommendations are in this document, it explains, but the motivation behind it is in 56 bits, and so, if you want to know why it recommends such and such with the header go, look there and so that's a clearly informative statement.

F

It already previously also referenced 56 bis for uh some security considerations, which is also not normative, and so uh that one is retained as an informative reference to back up and not have to re-motivate the header recommendations, and so that was the action taken for 21..

F

Unless there's any hands up, then I'm going to keep going so next slide.

F

Okay, the other two we discussed there um uh have are related to the same text, and so I put it both in the same slide. So one had to do with uh referring to rfc 7925, which is about tls considerations for iot devices, and then we had a discussion in april about uh what I should say about why it allows hdp rather than just requiring https.

F

We said that well, that was for constrained devices since there's already an end-to-end security protocol at the application layer and so there's new text, which is those three paragraphs or those three sentences. It's all one paragraph, but it's broken for readability here. That explains both of those two things and again.

F

My belief is that this text is consistent with what we already agreed on in april, and so for example, notably, it does not discuss the use of http for debugging, because we had a discussion of that and decided to leave that out of the spec and only talk about the uh constrained node issue as the reason why it might be allowed. But you can say it's strongly recommended that we use https and so again my belief is this has already been discussed and this text captures the conclusions that we had in the april entry meeting.

F

So unless there's any questions, let's uh keep going on next slide.

F

Okay, new issues that I'm going to start walking through so again uh mark nottingham did a review. Honest, did a review and ming did a review and I'm going to start with uh harnesses, because this one is related to the previous text. And so, um if you go back one slide temporarily nancy you can see in the in the text. That's there uh the bottom paragraph right when https is used. Tls certificates must be checked according to 2818 as well as 6125.

F

If pkix certificates are used and then they reference the other one so go for you can see that 6125 reference is there so go forward now. So in harnesses review um you can see he suggested we actually reference 6125. That was what I just showed you. So I took honest suggestion put that in there. Hopefully, the text is right.

F

uh You tell me if it's not, he had a suggestion to uh there's some diagrams that showed a layer of teep, a layer of tip over hdp, which is the transport and a layer of hdp, and he suggested removing the middle layer. So you see t over hdp as two layers. I did not make a change here and the reason was the point of those diagrams is to explain the relationship between documentation, so http at the bottom is in http rfcs.

F

This dock is that middle layer and the t protocol spec, is the top layer, and so I thought it was intentional and helpful to explain the relationship between the three docs, the one that each of them successively layers over the other one, and so that one I did not change, but that was the reason why I made no changes because they're actually specified in three talks.

F

um All right so uh huh suggested we put in points about. Are we using cookies, and so I took kind of suggestion that now it has a sentence into a paragraph about things that are used and not used. It says cookies are not used.

F

uh Number four hanus noted that, um and so this one we will have uh we'll, have a discussion of in the t protocol uh presentation, which is next, but in the transport spec there was a statement in the in the walk through of an example right. So this is already an example. Walk through it says, here's a particular way that the stuff might be used and, of course, there might be other variations, but as walking through a particular example, I had this sentence about another variation that could have occurred and hana said well.

F

Actually that statement is, in his opinion, not correct, and since it's not used in the actual flow, I just removed. That sentence right. So we'll come back to that issue, but this was trivial to resolve on the transport spec by not talking about a second variation in the middle of a first variation. So so again we'll come back to that in the next presentation.

F

uh Lastly, yep.

A

Go ahead, yeah, sorry, sorry dave! I saw in the um on the chat ben kade mentioned and sorry. This is on a previous. um He mentions that he's used to only seeing 61, 25 and 75 25 for certificate validation.

A

um He says uh it's almost strange to see 2818 listed as all well.

F

A

Hero is correct: yeah yeah! Oh, you see it go ahead. Yeah.

F

I have the chat room open as well as your screen, so yeah yeah yeah is correct and so right now it's following what 56 bis says, although augmented by uh you know harness and other people's uh points, because about iot and so on, and so yes, if we think that 2818 should be, I would want uh say, mark nottingham who's, the editor of 56 bis into the review to tell me to remove 2018, but that's why it's still there again. It's trying to keep full conformance with 56 bits.

F

Okay, shall I go on yes um well. Okay, last week, yeah sure.

A

F

You were you, were you were on the last one. Sorry, the the last point was just teach. The the the example showed it terminating in 204 no content, but the normative text said it just needs to end in a 2xx right and he said well. We should be explicit about if it should end in 204 or not, and so um I added it should be status 204, so you're still compliant. If you use the 200 with no content, but you should use a 204.

F

okay, as in the example already showed so next slide.

F

100 long list of uh points, which is great, thank you, honest, um so the next one um hanas added uh made another specific suggestion to make uh text me more explicit. It said uh if the tan, this is again what hana suggested. If the tam does not receive the appropriate content type and accept header fields, it should fill the request returning a 406, not acceptable response, and then it must include a content length header. I took the first sentence it that appears literally, as has suggested.

F

The second sentence I did not include, and the reason for that is if it should be a 204 content length, is illegal with a204, and so um it's you know present when you have a body, but it's absent if it's a 204, no content which must not contain a body. So since 204 is allowed, you can't say it must include a content length header so that one I didn't take, but the other sentence I did take and then. uh Lastly, the text said that the client uses the accept header.

F

We didn't see normative language there and my response, for that is whenever documents uh use uh it sends or it inserts or whatever that's implied normative right. There's the rfc editor guidance that says you know avoid overuse of of must and so on, and so my take is that the text was already normative. As is you can see, there's the actual quote of a sentence, and uh that is normative wording. Even though must does not appear, and so uh I did not make any change there.

F

Hopefully, people don't object so uh next slide yeah, I'm watching the chat room. So great thanks.

F

Okay, uh so the next one is the one that I was hoping uh mark nottingham could be here, for I don't know if mark has joined us or not, I'm just.

A

Checking he's not saying he couldn't.

F

Okay got it thanks. I did not check email uh when I got up this morning. So uh all right.

A

So yep, I don't know if you're taking uh questions hannes is on the queue. Okay, I can take questions absolutely.

B

I hope you can hear me um yes, my reading of the pcb is that you need most of those or these excessive lists of headers. In the case when you are when, on the server side on the client side, they can be confused with web communication, but in our case um like this is not like the classical web browsing type of scenario, but it's uh something completely different.

B

So I I my my thinking or my understanding of the pcb was that in this scenario this is not applicable but clearly mark nottingham would be the best person to answer that, and I think even his pcb should be crystal clear on those, because uh otherwise we are sending around a lot of stuff for no good reason.

F

Okay, so nancy go forward. A slide. Honest is actually talking about the slide. Eight.

F

Yeah, um so uh I'm going to say what hannah said, which will put his comments in the context there and then I'll respond here. So hanas is talking about uh the first bullet here, which is um the text is basically quoted in that second bullet says the current text says you should have those four headers as listed there right, cache control, note, store, etc and hanes's response was well. He thinks that three of those are overkill right, that uh of the three other than cash control.

F

He said those are overkill and that's what hanus was just saying. um My understanding in conversations with mark before and on other drafts is that what the concern is is that uh somebody can trick a browser into somehow sending information to that the server would consider a protocol message and have nefarious behavior as a result, and so my understanding is that uh the recommendations are.

F

If it's not meant to be used in browsers, then you should use these headers, which tells the server- um and you know the client that uh nothing to see here do not use this as a browser. If a browser ever gets this, you should, you know, do something not harmful and that's what these headers are trying to do is trying to prevent leakage into browsers for things that are not intended for browsers again. Mark is the most authoritative one. I would let him answer, but that is my understanding is.

F

These are indeed meant for things that are trying to keep browsers away from your protocol.

F

And so that's why I said propose keeping unless mark tells me to remove them, because my understanding is those are intentional for things that are not meant to be used in browsers.

F

But again we can explicitly ask mark, but I'm saying right now I did not make any change, because that is my understanding from previous conversations with mark um hanas then also mentioned that on the cash control law- and he said you know, say something like it should be set to disable cashing otherwise is the risk of still keep messages, and since that was not a technical change, it already had the cache control no store.

F

um This one actually explains that one, and so I did add uh that text as suggested after the uh after the current should list of things, and so that's what I've done on that one. So I said that was probably hannah's biggest comment and again I'm deferring to mark.

F

But my understanding is those are in there because mark said so and again we asked mark to do a re-review in april and he said still looks good to me um for how we're using these headers, and so I took that as confirmation that uh mark believes that we are doing the right thing with keeping all four of these headers in there as they should, um if you have a reason override them.

F

It's only a should, so you know if you think, they're overkill, you don't have to implement them, but uh my understanding is they're there for actual safety. So so I'm going to go on unless there's any other comments, I see nothing in chat. So next slide nancy.

F

Okay, next one it has to do with redirects, okay and so uh hannah's pointed out. The text currently says the redirects may be automatically followed. Okay. So how should a developer decide whether it wants to follow that may or not? Okay? Well, so what 56 bis says is uh you know a user agent is allowed to automatically follow a redirect right.

F

Even if you don't understand this, the semantics, but you are required to do so, and so, if you desi, if an application using http desires, redirects to be automatically followed, it needs to explicitly specify the circumstances when this is required.

F

So that text says well honest, is right right that it doesn't explicitly specify the circumstances when it's required, and so uh we weren't doing the right thing. Thank you hanus for uh pointing that out and so there's a couple cases to think about um that. 56 bis mentions right. What do you want the case to be when say a proxy requires redirection right. It redirects you, the proxy you have to log in or something like that.

F

What would you expect the behavior to be, and the second one is what happens if the server goes through some permanent change and moves, say the path or something that's going to be listening on? What would we want the right thing to be okay, and so I believe this one is uh still open that I haven't uh done a change this, because I wanted to ask the working group. um Probably the simplest thing to do is to say that redirects must not be followed automatically followed again. This is about automatic.

F

You know, without user intervention, okay, you just automatically do it, and probably the simplest thing to do is to say you must not do this, and that just says those two cases there won't work without human intervention, okay. Otherwise we have to explicitly come up with one of the cases that we want to have happiness. That's what I wanted to ask the working group.

F

um Would people be okay with saying redirects must not be automatically followed or uh the people say think that there's some case where we want to have uh circumstances where we do think it would be acceptable as a may uh to automatically follow redirects um and again 56 bits is not going to answer it 56. This says we get to decide.

F

So anyone have comments on this one. Otherwise, again, I'm proposing the simplest change, which is must not instead of me.

F

Calling for opinions, hearing silence so far.

F

Hana says must not is fine for me. Okay, let me put it this way. Is there anybody who would object to it saying it must not.

F

Okay, akira says, must not okay, so I don't. I don't see objections from people who are implementing and so uh nancy it uh can. We call this uh consensus due to lack of objection.

A

Yeah so I see michael you're on the cube, but I I don't see how to recognize your mic. I.

G

Think at this point I was just talking, it appears. Oh, I didn't mean.

A

G

That way um dave. So my question is so if, if I don't think I object to must not unless configured, but I'm I'm concerned here that you said the word user a couple times in this discussion and I don't know how users would ever actually be intelligently informed about that to be able to make a decision. So I think so I I don't understand that over how that override would work.

F

All right, let me answer that, but you are your assumptions are correct, that this is about automatic following right, as opposed to some other human intervention. An example of human intervention is, let's say, your whole tea flow was triggered by a user installing an untrusted app from an app store, and so it's the app store installer that kicks off the thing that says my untrusted app has a manifest. That requires this tab installed and that's what kicks off the whole deep flow, so you're in the context of user flow.

F

You could, in theory, do some integration that passes some requests back to the uh to the human doing the install of the untrusted application. It would be a bunch of work, but it wouldn't be completely impossible. So.

G

Okay, so that's how you're, imagining that someone would do that, would yeah override that yeah.

F

Human confirmation yeah, I can.

G

F

This application, if uh this looks okay to you or something like that, because.

G

I I don't I don't that doesn't feel like a very good way to do things to me, um and so um I was not mentioned anything in the text about users so well. The the issue is: if we don't automatically uh redirect- and we don't redirect into in particular cases that we would enumerate, um then it seems like we never redirect unless there's some override and I'm difficulty understanding what that override could possibly be, and so what I'm reading is we never wrote. We never redirect.

F

So I believe in practice, that is a fair uh assumption that if we change they must not and practice that there will never be any redirects followed. And so, if say, the server uri ever changes it's up to the tam to configure the tp or somebody to send out a new manifest or whatever. It is to to configure it some way because you're not going to get it through hcp through an hp redirect all right. And similarly, if you're, ever behind an authenticated proxy.

F

Sorry, not a supported.

F

Scenario: okay, hearing no other objections unless uh chairs tell me, otherwise I'm going to treat that as a direction so that the next version of this draft will change that made to a must. Not, uh I think, that's fine. Okay, next slide.

A

So you have two minutes left dave.

F

Okay, uh this one actually overlaps with the architecture document, and so, if I take two minutes on this one, it's taking it out of uh the other time because there's a corresponding slide near their deck, it's whichever one we got you first, uh there was a suggestion from hanas that section three, which talks about the broker architecture, okay and there's an example of the picture. That's in uh that section. This is the one that talks about how uh the line between what goes inside the te and what goes outside.

F

The te could be at different layers here right, in other words, the the http implementation in theory could be inside the te.

F

In most cases, it's a left line a, and so this section here is more about the whole relationship of how the things fit together and the protocol architecture than it is about the transport, so hana suggested taking this section in entirety or almost entirely, because the last part of the last paragraph of this section is actually about the transport uh by taking most of this section, just moving it to the architecture document, I actually agree with hannus, um and so um in the architecture document presentation. We think it's done.

F

This is the only remaining issue on the architecture document that the editors don't think has been resolved, and so um I think, and apparently hanas thinks and now ming thinks that it's fine to move this section, which everybody's already reviewed, because it's been through working group last call but to move it from one dock to the other dock, where there's already a broker uh section, but it doesn't have this level of detail, and so we move it. Presumably, underneath that same section, it's already in the architecture document just moving some content um again, the editors.

F

We believe that this is fine. We just want to let the working group know unless there's anybody that objects to this, because otherwise the default answer is we're going to go ahead and move this one.

F

Okay, if I don't hear anything else, you can go on, but again that was two minutes out of the architecture document since I covered this first I see ming is on now, so uh I guess I've covered that one so yeah go on. Let's see what do I have left I'll, try to zip through the rest, but that was uh two minutes of uh ming's time. Go ahead, nancy!

F

um So ming ming's comments. um There was a bunch of editorial fixes. All of them are done. For example, the most notable one was that there was text that could easily misremiss read right. There was text in there that was using lowercase text.

F

That could be implied as saying that the t that the tam side must have a te, and that was never the intent, and so um it talks about considerations as to why you might want it to either so now it's explicitly assured, which was uh how ming suggested moving the must implied to a should, which is now done.

F

So that was the thing that was arguable as to whether it was editorial or not, and so since that was the original intent, it was not really editorial, but it could be read as being a normative change, so hopefully, for the better. uh The last one, which is probably a larger issue to get consensus on here, is the the scoping so particularly there's some phrase there that appears in the abstract in the introduction.

F

Now it talks about that the scope of the protocol is update code and data in a tee, which I think is correct, but ming suggested narrowing that to say, the scope of the t protocol is to update tas and data in a dee, okay and so there's a key difference here, which I will explain my opinion on that uh the t protocol depends on rats for attestation and suit for manifest to install things. Okay, and so, although the the things that you request say you know, I need to install such and such a ta.

F

The suit manifests include dependencies and you can have depend, manifested depend on other manifest, whether they're, embedded or severed or whatever, and so that means that a suit manifest can install not just a ta, but it can express how to install any dependencies. Well. Dependencies from a ta could include other tas. It could include a trusted os like opti.

F

It could even include trusted firmware, you know, versions of that, and so, if you have a suit manifest for a ta that says I depend on having you know, opti version such and such or later and here's where to install that from you can actually express that with a suit manifest and carry it into the protocol.

F

And so my opinion is this would be natural in both rats and suit. Where rats you have the attestation the whole platform up through, maybe the ta or the cheap agent, as well as suit manifest to install not just tas, but at tas and their dependencies, and in my opinion it would be very unnatural to say sorry, you can only include suit manifest that don't go down below tas right.

F

That would be very odd to me and rule out things that would otherwise be natural and in my opinion it would incent people to use protocols other than teeth and would use rats and suit with these other dependencies. And so my opinion is. The text is correct, that it says code and data in a tee, it's just tas and their dependencies. But uh if people have other opinions, please bring them up now, because I don't know if ming has another opinion, but that's my rationale. So we want an explicit working group consensus on this.

A

Main is on thecube and dave: I'm going to eat up some of this time to let you go through with this one, um because you're you're now three minutes over but um ming. You had a comment.

H

uh Yeah hi, can you hear me yes, yep right yeah, so I just uh really reiterate that I had in my view here.

F

I mean just cut out.

A

F

Okay, shall we come back to this once me? Has.

I

F

Okay, yeah: let's go ahead and finish this presentation and uh since ming is presenting later with sure and at most I'm eating at my own time out of the tea protocol. Specs so uh is there? Is there another slide after this one? I think? Okay, all right so.

C

F

C

Was the last one so.

F

I'm I'm happy to go on and come back to this one and come back to this issue as soon as ming has stuff. But today.

A

Okay, well, hopefully, mink will will have audio, because I was going to let him present next.

F

Okay, that's fine.

A

So it it sounds like we did um and we'll go over and confirm this on the mail too, and and as we go through the milestone, so I'd forgotten that you'd had the second um that we had. The second working group last call. So the only action that I noted is that we just need to confirm with mark that, yes, indeed, everything is still okay, um we may be ready, barring your your next set of updates to go to publication. Is that correct.

F

uh That is my belief um unless you're right so there's two notes that I have one is to change that may to a must, not for the redirects. The other one is to move section three. Those are the two pending changes that I would have and then, after that, my belief is that we are done and have addressed all comments again. I want to confirm that we've addressed ming's comment, but uh that was that last point that we were having but yeah.

F

Those are the two no pending actions that I have noted.

F

A

All right, um ming you're still on the queue, are you there.

A

Anything on the.

A

A

Ming, can you speak? uh Can you send.

A

Audio you speaking now, because we can't hear you.

A

Yeah, we can't hear.

A

A

Okay, I suggest, while maine is resolving the audio that.

A

Let's continue on to the protocol because we're we're running behind schedule: okay,.

F

And again, you're welcome to call time on me this time if you want, since I ate up some of my own time here, so this is the protocol spec, which has not gone through working group. Last call that's why this one was at the end after the other two which have gone through last call so uh t protocol 03 um in progress. So next slide.

F

Okay, all right, so the reminder of the timeline on this one. Oh one was discussed at the virtual interim meeting. uh We had a bunch of discussion there shortly thereafter. O2 was posted to address things that were uh discussed there, uh which covered about 16 pull requests that were open at the time. uh Draft 03 was posted just after the suit hackathon, the suit hackathon.

F

uh I I at least was working on use of suit in teep, and so I posted draft 03, which included four pull requests, resulted from uh learnings during the suit hackathon in july, the virtual hackathon that happened what two weeks ago, and so in particular the most notable thing was something that could break interoperability, and so it turned out. There was a contradiction in the spec between the success message and error message.

F

The type numbers were something like I don't remember the numbers there were like five and six and they were in one way in the normative language in the body of the text and the cdl cddl had the opposite number assigned to the opposite message, and so, if one person had implemented off of the body of the spec, another person off of the cddl they'd have exactly backwards definitions of what the numbers were, and so I changed the cdl to match the normative text, and so since that one is a two character fix, as opposed to a bunch of other text that needed to change and so multiple other references.

F

So I changed the cddl to match the main text, and so anybody that implemented off of the cdl. Please note you'll need to change anybody that implemented off of the normative text. You've got it fine.

F

There are currently nine issues left um in github that are still open and again this has not gone through working with glass calls. So I imagine there's more than nine, but there's nine that I want to touch on some of so next slide.

F

Okay, so first issues related to the architecture document next slide.

F

So again, I've separated these things related to deep architecture. Things created a suit manifest and the things only related to this document, and if we don't get to those, then we get we call time. So these are the ones relevant to the architecture document. Okay, so um in here we have there's two issues: here's what the architecture document currently says. Okay, it says that- uh and this is in the information that is passed from the agent to the tam okay.

F

So it says you pass like a list of requested components which say: here's a list of zero or more say tas or things that are requested. So let's say you had an untrusted app. That depends on a particular ta and it wants to be installed. They can't really succeed without this ta, and so you pass this. I need such and such a ta and that gets passed up to the tam to decide whether it wants to grant that or reject it or whatever. So that's what the architecture document is talking about here.

F

Okay, there's two ways: you could, in theory, pass that information. You can pass those in attestation claims, in other words inside the body of, say, an eat, and this is actually what the architecture document says now or you could pass those in a separate query: query response field, okay and so the heap protocol. Since I don't know, we've explicitly asked this question, but if, for any reason we were to change from a to b, it would affect the architecture document.

F

If we stick with a it just means that we have to define the claims which is up to us to do the claimer claims to say here's the requested tas claim, and we just have to define that.

F

That is my assumption of what we've talked about before, but I just wanted to track that this was that issue that the t protocol document does not currently say anything about this. Nor does it define any explicit uh claim, and so you can't actually implement this yet until you actually have a specific claim defined. Okay. So that way I could not implement this yet, but he says this is architecture says we need to do this and that's why this is still open.

F

And so we either need to update the architecture document and put it in the query response or leave what the architecture document already says and define a claim that can appear in a need that can contain a list of zero or more sorry, one or more tas, because we just wouldn't put it in if it's zero.

F

Just checking all right so unless there's any objections, this is a track that still needs to be done and the default answer is a because it does not require changing anything in the arc dock, and so in the past, we've had a discussion about any type. Specific claims that are relevant to rat would be defined in the teeth, working group and reviewed by the rats working group. um I believe that was our previous agreement, but there's no draft that does that yet, but I believe that was the previous agreement between teep and rats.

F

So unless there's any other comments on that, you can go into the next.

F

Slide, okay, so the next question had to do with uh something that is not discussed in either place. So this one you remember. Let's say you had a ta that was installed because an untrusted app depended on it. Okay, now you want to uninstall the untrusted app okay, that removes the last reference of anything that would ever call into that ta.

F

What do you do? Is there a way to remove the ta? Well, certainly, the tam can always choose to remove an eta, but does the tam know that there's no nothing that would ever call into it anymore? How does it know that right now, there's no way for it to know, and so on. Some te architectures like sjs right, an untrusted installer can just delete a file right.

F

It can take a ta and it can just arbitrarily delete it out of the file system and that removes all trace of it and that's fine on sgx, because that's basically like deleting an entire te and we're not trying to defend against dos per se, just against you know, tampering and so on, and so on.

F

Some you can just delete the file, but on others right, you can't you don't have permissions to because maybe it's stored in some place, you can't touch unless you're inside they say a deep agent, so only the tam can actually clean up that ta, and so that means that if you have no way to inform the tam, only the team can delete it. Then you end up with these unused tas. It's just consuming space.

F

The tam doesn't even know about, doesn't know that it's not used, and so there's no discussion anyplace about this notion of maybe you'd want to pass a list of unneeded tas to attain not just requested ones, and so the question the working group is. Should we support this scenario of passing a list of no longer needed tas to the tank, just like requested tas again the terms authoritative?

F

Is there a way to pass a hint and again the possible answers that I know of are yes, we should add another attestation claim that can express that, um or maybe it's part of the same claim in another field or something but the attestation claims b via separate query response field and again a and b in my opinion would be consistent with the choices of a or b on the previous slide or the current answer. No, and if the answer is not no, then do we need a bullet in the architecture document.

F

This is my question off hand. My personal preference would be a which might entail adding a bullet or a sentence to the architecture document right next to the text about the previous slide. But what do others think.

F

And I'm going to propose a, but that does mean it's a change, the architecture document, which is why I'm calling it out here.

F

Are there any objections to going through uh a to say that requested, tas and and no longer requested or requested that they have no longer are, should be symmetric and be covered the same way in any documents? Let's see, I see russ plus one hanus and uh somebody who I don't know their name, because I can't read you sorry, uh a might be good uh and hanus asked. Do we really need to change the architecture document? um Technically, I would say no.

F

Although the architecture document does have an implied list of requirements for claims and if we think that this would be done via a then it's probably easiest, especially for moving section three and touching the architecture document anyway, uh akira says: maybe a both a or b are tough to implementing yep uh fair enough. Okay, so it looks like I see emerging consensus and nobody in the chat anyway objecting, and so if anybody has an objection to a please call it out.

F

Otherwise, when I propose a pull request for moving section three for harness request and from transport to architecture, I would also uh add a sentence or a phrase about this one. At the same time, okay, okay, thank you sucasa. Thank you all right next slide. Please thank you for giving me the pronunciation of okay all right so now I know uh brendan you're on the call here's issues related to you, uh issues related to manifest next slide.

F

Okay, so, as I was trying to implement this, uh the first question has actually come up in a meeting, and I can't remember if it was the team meeting of the suit meeting. I think it was the steep meeting where brennan was uh presenting before and it had to do with the notion of templates. Maybe it was in the suit meeting right. The suit manifest document has a number of templates for how you might accomplish various things.

F

You know and then there's examples and so on, uh and we said in the in one of the working group meetings before it might be nice to have a teep related template, okay and maybe a deep related example, and so you can see um here's three examples of things that might be useful to an implementer such as myself to have a template or an example, or both that actually walk throughs.

F

The first example would be one where a ta and a te are largely synonymous like sgx and there's no notion of a security domain or the ability to enumerate, and so on so sgx or anything. That's like sgx, um where you know there's you don't have to have any sd step, there's not even an implicit one. It's just automatically one to one. Second example is I've already got a security domain, it's a global platform compliance security domain and I want to install a ta into into one that already exists.

F

Okay and the third example would be. I want to install a ta into a brand new security domain that gets created right. It's implicit or explicit. The template, or example, would show that and and have that mentioned as to whether it's explicit or implicit, okay, and maybe one or two of these could be combined, but I think these are three kind of cases to cover now that we use a suit manifest right. The only all all these things are just down inside the suit manifest and as creation of a security domain.

F

In the past, we've said we did not want creation of security to be part of the t protocol, but we didn't say whether it should be implicit as part of a suit installation or whether there should be some separate suit command to create a to create a security domain that you could then install stuff into.

F

I guess the net, the most the most similar example might be in a suit manifest. If you were trying to copy a file into a path that didn't exist until you created the directory, would you want a create directory command or is creating the path implicit when you try to copy into that path? That would be the natural thing and, if brandon, if you have any comment on that, um okay, good I'll, stop and let brennan talk, go ahead.

J

Okay, so when it comes to uh creating security domains, uh what makes sense to me is that they should be lazily instantiated. I don't see a reason to instantiate one before you have a ta to put into it. uh Unless someone can give me a counter example, um and so I think that's probably the right answer um and once you've got a security domain. uh Installing a new ta into an existing security domain again looks to me, like uh lazy instantiation, solves that in exactly the same way as the the previous.

J

So uh if it's already there, you can install directly into it uh by using path, scoping you're able to uh make sure that you can define acls for exactly who has rights over what and if those acls are implicit in teep. That's completely fine, so I think it all sort of fits in, and we did actually discuss this uh at the suit virtual interim.

J

uh What the the conclusion that we came to at the end of that, as I recall, was that we would order the path segments in the suit component identifier, so that there was a an explicit security domain level and that tas would be installed underneath it.

F

Right, my question is: if it appears in the segments and that path component doesn't exist, and I could ask this in normal file system. Install too is the implied uh behavior in the suit manifest that you create such a directory. If it doesn't exist, is that the intent.

J

Yeah, that's the intent.

F

Okay, I don't know if the suit manifest document says that right now, if you call that out explicitly.

J

F

J

Fine, I don't think that's a suit, manifest uh specific situation. I think that the thing to do here is probably to uh well. I don't know what the right answer is here: either it needs to show up in the t, protocol spec or there needs to be a suit in deep draft. One of the two no.

F

I'm giving an analogy to a non-cheap example.

J

No, no, I I gather that, but what I'm saying is that when it comes to tip and suit integration, I don't know whether we need a separate draft for that or if that needs to be in the t, protocol spec.

F

uh uh Probably the key protocols back with the answer, but my uh so there's a meta question here about whether the examples and the template, if there's a template, whether that belongs, whether we put that into the teat protocol spec or under the suit manifest spec with the other templates um right now, my net my opinion as a suit coach here, is we're trying to be done with a suit manifest. So we either put it in now and be done if it's really easy.

F

Otherwise, it goes in a teak protocol spec, which is what would happen. Is anybody else that starts using it for a reason, after the suit manifest gets published. So I put it on.

J

Keep protocols.

F

J

Do you think I think I think it's very specific to teep and because it seems very specific to teep. I think that I would say: let's use a uh let's use a an example in the teapspec, because that seems to be where it belongs.

F

Okay agree: I mean that so you're you're agreeing with my original proposal, which is, let's put it in the deep protocol spec.

J

F

Okay and uh the part that I skipped on this slide is uh between those three examples. There's also the two different cases when a ta binary comes with a tam and then there's the case of when a ta binary is already on the device, and you just need the metadata. I think uh akira or somebody else followed an issue specifically on this, which I think I have on the next slide. So um so this other case about how do I put in this commands to install when the binary is already resident on the machine. So.

J

That should okay there's a couple of different approaches to that one of them is: it exists in a different component id, in which case you can copy it in and that's fine. uh The other is that you need a lazy fetch and when I say a lazy fetch, what I mean is that it needs to take the digest which is available to the the fetcher as well as the url and say I already have this digest. Therefore, I don't need to do a fetch.

F

Yep, no, I yeah. I agree with that. That makes sense to me.

J

If you've already got the payload.

F

Yep- uh and I like your suggestion of having two component ids or whatever as one way to do that, um so let's make sure that it appears in the notes um all right yeah. So there's an.

J

Explicit step for that in in suit, that's the uh that's the installation step so yeah. You separate fetch from install and that's already got examples in the suit manifest draft.

F

Okay, so to summarize the conclusion of this one: uh we're going to keep it being um explicit, rather that sorry, implicit for secretion of security domain by component id and not say add some suit directive or anything like that and we're going to have manifest, and example, stuff be done inside the t, protocol spec and then for the uh ta binary stuff.

F

We can show two examples: there, uh the a is just a natural one, using suit manifest and and b, when it's already a resident, we'll use that in like a specific example, maybe with component ids with like, like you mentioned or whatever so, okay, that sounds like sufficient direction to do it. A a a proposed uh text here for people to review with the next version, so yeah thanks brandon,.

A

No problem yeah.

F

All right, I can probably cover one more slide. Then go now go to the next one.

F

uh Yeah keep going so now we're now we're past the ones that affect any doctor now and the ones that are only this document. Okay, so here's one that uh issue number 13.. I don't remember who filed this one um filed it, and so the observation was that uh you know: can it be the question? The issue is something like: can it be used with sgx, I think was the name of the the title of the issue, and so sgx already has its own intel specified evidence format right, it's not rat's eat it's one!

F

That's already shipping and using people use it now right. Rats eat is still under still under specification, um and so sgx is already in use for their evidence, format and so the rats architecture discusses. You know multiple evidence formats that come into a verifier as an example. The verifier might then use a standard format for sciatic station results, so the rewind party only knows one, but the verifier has to deal with the heterogeneity.

F

That's one example way to use rats, and so the question is here: should the heat protocol should it support evidence, format, agility or in other words, should it uh have a way to say the uh evidence? Format is an eat or it's something else, that's custom.

F

That would be a to say, we recommend eat and it's designed for e, but you can use stuff other than eats. If you want to uh you just have to have a way to specify it in you know, media type or uid or whatever it says.

F

Here's the other format id option b is to say no, no, no, we are only going to support eats and if you got something else, you have to find a way to wrap it in each and then your evidence, format just gets bigger and you need two parsers okay and then c is sorry. No we're not going to support that we're going to use an eat and only an eat and sorry, if you don't like that, go away. Okay, that would be c and so which direction should we take with the cheap protocol?

F

Is my question for the working uh hana says depends on whether people want to use teep for sgx? I would say my opinion. Yes, the opinion for whoever filed. It is probably yes- and I assume I don't know if david wheeler's on here, but I assume he's uh he's on the architecture document as a co-author, because he wants the answer to be yes, so uh hannah says I would go for a, and I see somebody else b or a my own opinion myself.

F

I would probably pick a um but I could live with b, but a would be my preference, but not c, um and so so far hannah says a uh somebody else says uh b a would be. Okay, too.

F

uh Anybody else have a preference. Besides the three of us again. I know that uh david wheeler- I don't know if he's on, but he would say not c.

F

Okay, uh then I'm going to propose that as the author a looks good, okay, so fine, so the next verse in the document. Again it has not the last call or anything. So you get a chance to review this later is we'll take a shot at doing a in the document and see if people like that, so okay. So I think at this point you're going to call time on me and that's fine to stop nowadays.

F

A

We are running late um ming. Can you hear us.

A

Let me uh you can speak.

H

No, yes just say yes, I can no. Yes, I just to present mine.

A

Great great all right, you are on um you ready to present the architecture.

H

Yes, yes, hi, okay,.

A

I'm presenting I've got the slides if you're, ready.

H

Yes, yeah pretty good next slide.

H

Cool, so um we have a lot of group called: uh let's call it uh eighth version and we could receive reviews from ross and danielle and tyrion, and so on and many from russ and daniel have a long list of reviews. It's a very good feedback and we have three revisions since then. I have a 9 to 12 and that in next I'm going through the issue list that we filed. According to the comments given by russ and daniel yeah next slide.

H

So totally we filed uh with part of the issues most of russian ones that translate into individual ones, and if that is the one we catch up and we put into one issue at 201 and the rest of the issue is the most we captured in uh 170 285, that's 16 issues, so next I'm going through each one's, uh not all of them right. I just selected one. So I don't go through all that all the ones someone said just skip when it's a tutorial.

H

I have kind of an editorial change, or some issues are straightforward. I do not repeat here um so: um do you have uh 15 minutes.

A

You you have 12 minutes left.

H

12 minutes okay, so that means I need this 30 second or you just like. Okay, let's go.

H

This open issue.

A

Ming, we lost your audio.

F

This is dave, I can be a backup presenter in case we keep having problems with things audio.

A

Let me look at the chat.

A

Okay, I think in the interest of time dave, maybe you should go.

F

Okay, uh if ming gets his audio back I'd defer to him because he did the slides and I will be slower than he would so. We already talked about this issue. She can go on the next slide, that's the one that was moving section three.

A

Okay, so that's.

F

A

One that's the open issue, okay, which you discussed on the other one, so you have a way forward. Yep.

F

um Okay, so here the comment was to add some examples: to illustrate security operations and sensitive data by a ta, and so we added these two examples like a banking application and credit card numbers, um and so that's so that's the actual text that was added so for sticking about 30 seconds per slide. We can leave that up for a second here.

B

I

F

On nope, unless there's any questions, this is the text that was uh done as the example so next slide.

F

I think some of this I think, was suggested by russ, if I remember right so all right, so the next one was about application versus application component, where uh the text was not symmetric between uh untrusted app and trusted app, and so you can see the new text which now says an application that runs in a te, but uh for clarity we kept or in some implementations an application component and that's for people who would say well, I use sgx and I never call an enclave, an application that seems odd, and so that's just to clarify and then, after that, it's always application.

F

So that's why the or is still left in there, but now it's more in parallel. So.

F

Next, um let's stare at this one, I'm not as fast as this one as ming. So let's see revising the definition of ca. uh There was the old text, the new text, the c8 is an entity. You can see the previous one, it didn't say you know what a ca was right. It just talked about other things without explicitly saying that that what the ca was, and so the definition is actually a ca- is an entity that issues and so on. So that was cleaning up that definition. Next.

F

uh Okay, so here we made a change slightly different from the one that I think it was russ had raised, but that so there's three different terms and two concepts: not three concepts, not one concept but two concepts.

F

So between a ta software author, a ta, binary signer and a ta signer, there's now exactly two terms: uh there's ta developer and ta signer, with a note that a signer might or might not be the same entity as the ta developer, okay and so an example when they're not- and it's not walk through in here, but for those uh people uh familiar with suit suit, had a discussion of requirements for the manifest that you're going to have counter-signing, and so somebody else might have to have a second signature, and so the example here is, let's say, the device administrator has to authorize a particular ta, and so it's the device administrator signature that counts, not the ta author signature that counts, um and so that's why there's two different roles here, and so we didn't combine them into one term.

F

But we at least made other language be consistent, is only using those two terms. So next slide.

F

uh Brandon prefers authority in these scenarios, I'm not sure which scenario that is, if that was on the ca definition yeah guessing, that was about certificate authority versus uh the other. Ca has two expansions. I think that's.

A

What you should work.

F

A

Yeah, so maine got back on the queue.

F

um Hand it back to me.

H

Yeah, I have network issues and I'll come back okay, so this is that integration. Yes, this also says support both the competition integrity protection. There's a wording missing there. So the old context of the ssr preserved confidentiality of sensor data there and we changed at the um preserved confidentiality and added and support the integrated protection that will change and the rust was good. At that time you may change.

H

uh The both places will add that to an expanded confidentiality integrator to make that synthetic, complete and next slide.

H

So this was a key transfer agreement. uh This one says um what initially says equipped with time publicly directly. I think that was not com, not accurate. It's a it's! A public key user wrapper and station key right key equipment, so the contact will change, says below um it says uh uh very important. Particular I just said a content is a uh encrypted with a key that is established with a content encrypted key.

H

It started with t public key to provide confidentiality, so that was particular added to expand, says content keeps driver it's protected by public key. It's another encrypt.

A

A

Main we lost you.

A

Again, you, oh ben, took himself off okay.

A

Dave go ahead all right, so.

F

A

F

One I'll just make, I didn't I'll just try to finish what he was saying, uh but we tried to make russ's uh comment here and correct the text, and so you can see the new text on the bottom. That addresses uh russ's comment about what was incorrect right, that it doesn't encrypt it with the tam public key and encrypt it with the key created from the damn public key or you know, established with the tampa key, and so the new text should be saying that so yep. That makes sense.

F

Next slide: um okay, there was a discussion about raw public key. An earlier document didn't mention this, but there was a couple places that were still uh missing the similar text, and so it still talked about certificates, and so, if you're, using raw public keys rather than certificates, we tried to touch any remaining places like this one. You can see it must obtain a 10 certificate or the raw public key of a town, and so what goes in your trust, anchor store.

F

It could be a certificate in implementation or could be a raw public key on implementation. So there you know it's always or raw public key next slide.

F

um Discussion about a certificate that never expires, okay, and so there was, we should add a sentence because there's a reference that I think russ pointed out. Here's a place that our existing rfc that talks about how to do certificates that don't expire or considerations around recommendations around what to do, and so we added that particular text to reference the specific section that rest pointed out.

F

Okay, let's see this one is long discussion to cover compromise trust anchor. So rosa's comment was: please expand this discussion to cover compromise trust, anchors and compromised intermediate cas, so we added in uh those sentences to talk about this and since we've only got about 30 seconds per slide I'll leave it up there for a second here, as people want to scan through it in case there's something that jumps out at you that you want to talk about, because I don't know what to highlight here. What ming was going to highlight.

A

Did russ comment on all these updates, or did these updates just come recently.

F

uh I don't think that russ has commented since we addressed it so, okay, again russ. If this doesn't look good to you, please let us know the editors believe that this does what you were looking for. A discussion compromised trust anchors and compromised cas, not just intermediate case. We covered intermediate and in theory root case, but that's.

I

The way this is.

F

I

First time, seeing it so I'll.

F

Look so you can review it offline if you need to so yeah yeah, you don't have to give us an answer in 30 seconds. So all right, let's go on to the next slide, uh all right. So now we're on to the last parts, which is daniel's comments. Most of his comments were uh editorial, and so those are done, and so there's only a couple things to talk about here we fixed uh tam in one place probably doesn't need to be highlighted there device definition.

F

um There was this place where it talked about trust anchors in a device that was confusing trust anchors or in you know, the deep agent. So there was this table of where keys are stored, and now it always tries to match that and doesn't have any this generic hand wavy text before so those are pretty easy. Next.

F

Okay, so uh the use case uh daniel commented, it's unclear whether this is a single use case for many use cases. I'd like to have more okay, in particular, I'm gonna highlight the party says. Typically, it seems that the ui is part of the ta which guarantee trusted inputs, and he talks about. um It seems important to consider that anything coming out of the untrusted world can be tampered or replayed, even the output of a ta.

F

Given the example, it seems hard to me to understand how tas are used and so he's commenting on is he gets the part about trusted inputs, but it's also important to consider the output can be tampered with okay, and so you can see the change that we made there, because this is giving an analogy to things like you know, payment terminals and so on, and so uh it says, such an implementation often relies on a te for providing access to peripherals such as a pin, input, okay, and so that's referring to a case.

F

Your pin input might be a trusted peripheral, that's only accessible to the te right. That would be a a very typical global platform. Implementation on a payment terminal- and we extended that to say input or a trusted display so that the ree cannot observe or tamper with the user input or output right. So, for example, in such a payment terminal, you might have it wired such that the little lcd display is also only accessible to the tee and that the re can't you know take take over messages or view anything that you put on there.

F

You could do that too, so that's an or so it's not normative or anything, but it does try to cover that the outputs uh can be uh trusted or trustable in something like a global platform architecture. So in other words, this use case talks about not just input but also output. So that was the resolution of daniel's comments or daniel's comment on this one. So next slide.

F

um He says when a t broker receives your request.

F

Is such a request, a teep request or something more abstract, and so now he said when the t broker receives a request, see the request ta api. So it's actually not a t request. It's referring to an abstract api call. That's defined uh later in that same document. It's not. We just added a forward. Reference may be explicit, so it's neither a teep request per se. It's uh nor something more abs. Maybe it's more abstract! It's an api call. So next.

F

um Sorry ming, are you back.

H

F

Okay, go ahead. Thank you.

H

I know you could okay, so this is this one, so um this one, um this comment was uh uh just anchor started in in the te and suggest that that one should be in uh agent. I believe this one uh uh so um agency already preliminary, but not that to that network expect. So what we changed here is particularly point out. uh The uh just anchor trusted times provision in the t agent predict target agent and not just generally the device itself. So this is a quick fix and it's straightforward. So next.

H

One okay, uh so this one's about arrows. So I think um then the comments. Could you want to talk about the uh meanings of arrows? It's a who's who points to it's a it's. A gate like a top city will add error now say: gate is a wizard which is started, who's uh who's the source was destination. Then we changed below now uh indicate particular fixes like in store, right supply to apple developer, to app store and then for apple store to device. What's install now say who initiated that one?

H

We know it's from device, go to download from app store and then install then, when sitting in store, then look at who initiated what we now add explicit sentence says arrow indicates the direction of data transfer. It doesn't mean that who's the actor who's uh who is being changed. So it's a just purely indicate where the data flows from where to where so to clarify that.

A

You have minus.

H

One minute.

A

But go ahead and finish yeah.

H

Much release this one yeah, this one's up for the security consideration, part uh what we changed here.

A

As mink did we lose you again.

F

David, do you mind finishing since yeah daniel mentioned? uh I also believe that some additional considerations are needed for regarding tenants sharing a given device, um and so we added in- and we added in some other uh text about that. So, for example, um you know ta might be able to escape from malware detection or access other tas if a t provides isolation between tas, and so it's talking about um what uh you know to motivating we're removing of a malicious ta. And so I don't know what I'll say about that one.

F

So go ahead and finish to the next. I think there's one more slide, yeah um so hot that okay, sorry, we already talked about that one section, three openings, so we've talked all right.

A

Okay, good: let's move on um akira. Will you do the hackathon.

A

A

I

um I I introduced about idf. One wait tip some activities reports so guys talk to akira and I talks about these topics please next time. Okay, this is agenda business side.

I

I

In this itf, so you know last week's uh there are itf hacks on weeks. So but uh in this working group debugging groups there are no hacksaws events, so, but so the.

I

uh On on july 30, so in there sutaxon events, so that is a about, uh of course, literally a third working group, but that contains uh three project related with deep.

I

So there are some deepers in this action and there are three topics: uh first, one use of suit manifesting, deep and second encrypted by analysis and that command db agent using small test so dave and harness. uh Is there anything any information about your activities.

F

um This is dave as far as for me, um everything that was my learnings. um I talked about in the other two presentations and so yeah. I progress in my implementation, uh at least uh for some things, and I kept notes about what issues I was running into and that's what I already presented so yep making progress. So it's just the implementation sides of what I presented with the doc issues.

I

Okay, uh how about thanos.

B

Hi uh yeah, I I made some progress, um but not as much as I was hoping, I'm still on uh track for the encrypted da binaries, which uh I hope I can then contribute to the uh to the list and then maybe as examples to the draft as well. So that's that's still my plan, um but uh got quite far already not so much during the one day, upwards yeah.

I

Okay, thank you. Okay, please.

I

Next and that's okay, so now I worked with uh yuji, I'm a colleague, so that's project is a taman tea pageant using suit manifest. So what we plant is that adding certain implementation to cheap implementations so ut, I have developed the tip device size and I have developed deep server sites. So in this action we plan to add the support of suit for our deep implementations.

I

So in this action we achieved uh the success of adding implementation of handling tip message with static suit, manifest so at first we make an example address it up, instant message that contains suit static commands. That is static, not dynamics manifest.

I

And finally, two implementations can exchange the deep protocol messages with each other's implementations and some additional security mechanism for signing verify uh function is all fine and finally, uh we run so at first. I already said so.

I

There are some times to discuss and understand and to keep protocol message design.

I

So if the sample example a deep message uh that is very useful to understand and developing deep implementations- and especially so you know, uh manifest- can express the dependencies of applications, of course, so in deep side also, I use this same mechanisms so, but but that is a very complex for me for us for developers so that this example is for desire.

I

Please next slide.

I

Thank you. So this is a current step, implementations list, so they are in deep, so mainly two sites cheap devices such as trust zones and sdx and keystones contains device. So there are some implementations.

I

uh First one is uh tip devices deep device and that is uh developed by iced and aquila and uh and the other implementations are dave. Swann and hannes swan and uit provides uh leave deep. That is a c library and you can try from that. Url and the other side is a gif server thumb server. So that is a also divs and harness have a con.

I

Have a developing their implementations and.

I

ah Okay, so uh that's right shows us shishap. That is a mistake. That is a written. She was super fast. She prospers and uh my implementation is a thumbnail. uh That is also you can try and please give me a review and comments. Okay.

I

I

Okay, uh so this is a akira spot. Akira video introduce their activities. Okay,.

A

I'm not sure if akira wants to speak he's requesting video.

I

A

Here we go whoops. Oh, I carry you. Okay, akira! You! You have audio. You can see.

E

Is my mic working.

A

E

Oh yes, thank you. Yes, um this two slide is going to explain what we've been doing for past hackathon.

E

um We've been working on this for more than a year pro honestly, it's more than two years, but we never um open up the source code, anything so the person who was in the hackathon that was in the same table or something that only knew what we were doing. So this is something I'm try. I would like to explain what is what we've been doing?

E

um Initially, we did a initial prototyping on that board, more specifically 96 sports, and then we heavily customized that initial implementation on on the opt in aisd, so changing the data board or running on other update was all completely uh was very difficult, so we started with uh finally, after the hackathon in this february in berlin, we. Finally, we started to generalize our implementation, general q, healthy on qmu, and that that was really a big big job.

E

It wasn't really going to help the tip of implementation directly, but we had to make it more something generic, so we could move on and then we are moving to porting on risk. Five, not on any hardware or just just on qmu right now, we do have a board, but first we want to run it on the qmu, and so um that's the um entire story of what we've been doing and right side is the picture of the deep architecture, a slightly easier way to understand on arm and risk five risk.

E

Five and armies completely have different hardware implementation. However, writing on horizontal way is.

E

Something it's uh uh similar on risk five. So next page next page, please, yes, and for so this is the implementation. We've been um genera generalizing from some of the features we've been removing from what we watch, which does not relate to deep in our initial prototype, something we had our own um trusted blue or secure boot. So this is the tip broker deep agent, and um example, hello, app and hello, ta uh pair and and to test with our tpa tip device.

E

We've been using um um tip time, temp photo by developed by circum, is cohere and, and the left side is for. The person who is a little bit is new to risk. Five is a little bit of explanation.

E

Risk five has few favorite label, the highest level is n mode, and second level is s mode, so normally linux, kernel or any operating system will be running on s mode and your application will be running on m mode. A u mode and right now it's in the middle of defining and implementing um h mode, which is for a hypervisor mode.

E

But at this time we're not using h mode and on the right side, is the trusted world and there's already keystone project for providing te a program environment for the risk 5 from uc berkeley. So we using keystone infrastructure and adding global platform like api, it's honestly a subset of the global platform api. The reason we're using global platform. Api wrapper on top of the keystone is make it easier to port the application on da from.

E

Arm to um risk five, and also we have this gpa pi wrapper on sgx2, but right now we're just focusing on um compatibility between arm and um and risk five right now and to have to have the feature of the deep functionality and on inside asian ta we're using.

E

um We need cose and um seabor and coze feature and honestly we started for json and jose so so to have those feature um we we've been using the websocket library and embed tls and- and we haven't started to use it, but we would like we're definitely going to use uh uh qc board or is that a pronounced, correct one yeah and the other side of the linux side is a tip broker a and t broker.

E

We were also using libweb circuit for the http handling and also initially, we were doing json handling and holds the handling, so we've been using it, but it's bit over good for just handling http right now, but um right now we're just using it as it is, and the embed tier this is doesn't have to be embedded. This could be open, sso or anything, but it's using a similar make file from inside the te side.

E

Is it's easier to implement it right now, so we're just using the same pair and at the moment, mostly we've been poor, able to finish sporting, the generic qmu uh generic qmu on update and not perfectly working, but then and right now, on how it's right now in the risk five is we just managed to finish, build able to finish the build on teep agent, ta and hello ta on the qmu risk?

E

Five um still have a link error, but um what was really we helped having a gp api wrapper was really help because we're only able to um successfully able to build in about two weeks. If, if we didn't have a global platform api like a wrapper, then it will be taking much longer and the other side is still working on it on the linux side, yes, and that's for page finish for page nine, yes and yeah, all the people who contributed on the hackathon and implementation.

E

A

Thank you guys, um so I had just asked to note um and ku kuni yasu, just posted keith, the keystone is open source um and so on the chat he plays the uh the link for it great okay. So I have nine minutes left.

A

um What I wanted to go through is um we need to update our milestones because we're a little lagging okay, we may be a lot lagging, um and so what I've noted here on the left hand side when you look at in our tracker. These are the old dates um and so we're actually doing. Okay, we're we're running somewhat behind, as I suspect, given that we still have to discuss more on the open issues um for the protocol.

A

My suggestion is that we may be ready to do a working group last call on the protocol, but it sounds like we may need more time.

A

So speaking to the authors of the protocol spec, um when do you think the issues, I I'm getting a sense that we may not be ready until november? um Yes, okay, so dave, I think you're still.

F

A

F

Yeah, it's certainly not gonna august. You can see that uh I didn't actually make it to the end of the open issue, slides correct, but there are some things we have not had a chance to discuss as a working group which we can move to the list. But the point is that we're not going to be ready for working class call in august uh november is: okay, that's still aggressive, but it's still movie doable.

F

But since we're still in the middle of implementations, without full implementations, we don't have text in there for a bunch of things that are open issues. And so I think it's not even going to be ready for november myself, but.

A

Yeah, so I mean I'd rather err on the conservative or more realistic side. So if we're not going to be ready for november, the question is whether we'll be ready for the march.

F

We should yeah right now. I would put it in for say march 2021 that sounds like a fine. You know. Stake in the ground will review again that the next ietf would be my suggestion.

A

Okay, so I'm going to update it to um to march 2021. the architecture document. um It sounded like we needed to make a couple more updates, um especially based on the section three, and I forgot to take notes on that. One.

F

Right there was two things that I observed on the architecture document. One was moving section three, which is text. That's already been through. A working group last call he's moving it from one doc to another doc. So hopefully um that is uh hard to break um and then the other one was potentially a phrase about uh the requested, tas and also tas- that are no longer needed and just adding a couple words in there. You know and such and such in another sentence there. So those are the two things that I noted.

F

That would be good to change the architecture, but other than that, I think it's it's done um so yeah.

A

But you need an update, so will you be ready right? So, if you're ready by um in a couple weeks, because we're a week away from work right, those.

F

Are easy enough to do during iutf week here right, so we can do that before the end of this week.

A

Okay, so because it's not.

F

Really creating a new tech.

A

So we can actually progress it for publication. Then I can leave it as august 2020.

F

My opinion as an editor is that should be fine, um and the changes are simple enough that I can try to do those before friday. So of this week.

A

Okay, um I want to make sure I'm not missing anything on the chat.

A

Okay, so hannes is saying to move the completion date for september.

A

For the architecture.

A

So dave are you, okay, with that it gives you a little bit more time.

F

Affect what I'm going to do, and so I don't care because you can always you can always beat it right, so yep! Okay, if you submit the isg in august, then that still is ahead of the september milestone. So I don't have a preference between august and september. I'm gonna do the same thing anyway.

A

Okay, well, I'm gonna move it to september presuming I can update these uh this week. um Okay, so that speaks to the architecture. The transport, um when I did these slides I'd forgotten that we had that second working group last call- um and we do have the updates- um I mean we did get comments.

A

So I'm going to let dido speak for this too, because I think he actually looked at this draft also deeper than I did, um and the question for the authors is similar to the architecture um you needed to do a couple more updates there. We need to confirm with mark that everything is is still okay, um and so the question is, I can put it back to september, given those updates.

A

Will you have the draft ready for publication somebody's on the queue?

A

C

Okay, I see uh dave has already resolved most of the com open issues. So I think there are a few comments to address and I think they're good for publication for this.

A

Stuff, great so dave, um you also were on the queue you're recognized.

F

um My opinion is the transport spec should have the same date as the milestones as the architecture document- okay, meaning. I believe it is just as ready.

F

It needs another uh update just for some trivial things which we've already discussed, but I think both docs are basically in the same state as I already have been through we're working with last call and just addressing things now. uh If uh mark comes back and says hey, you know somebody's right, you should change the such and such texture on headers. That would change things, but right now my assumption is that mark is still just as good as he always has been, and it's in the same state as the architecture documents.

A

Okay, excellent.

A

Yeah, I have to admit- and this is me speaking as an individual- not as chair- I find it odd that we're moving forward with a transport, even though we're not solidified with the protocol, but I think, as a transport, we may be okay.

A

Coming back as a chair, I see hannes put in the chat as we're making progress uh as we're making progress. The protocol spec and the implementation we'll learn more about the transport. So hotness is your comment more that we may need to tweak the transport.

B

uh I was just wondering like uh whether we really need to be so aggressive on the on the transport. I think I'm fine with um completing the architecture as soon as possible, because we already have been working it for a while, but the transport like if it gets um done in in a few months later, let's say november, it would equally be fine. By that time we we got all the at least the protocol issues sorted out and if there's any spillover into transport, then then we know what I would like to avoid.

B

Is um we advance the transport having finished with once the protocol, and then we realized? Oh, we. There is actually an issue that we need to talk about in the in the transport and then it's already finalized. So then we're in a pretty stupid situation.

A

Yeah, I mean to me it makes more natural sense to um to have the transport advance at the same time as the protocol, but um it's up to the group as well go ahead. Dave.

F

um Yeah, I don't have a strong opinion, but uh my opinion of saying it's red is based on the fact that it was originally written for otrp, which was uh farther along in terms of you, know, implementations and things, and so we know the work for that and we just ported it over to there, and so, since we already have full implementations of it. Unlike the t protocol, I'm just explaining why I think it's unlikely to change. Is it possible sure just like we could find some issue with hdp? It's just very unlikely.

A

Yeah, well, so is there objections to holding it and advance it at the same time as the protocol?

A

I think right now it's it's more important that we move forward the architecture I mean, I'm I'm finding the way, but I mean as a chair, it's based on the group's consensus too.

F

If you hold it till the t protocol is done. That just means that probably the transport dock would have to keep being uh revved from expiring, which is just more work. So not okay, not out of the question, just more work to keep it from expiring. So.

A

Okay, so let me just confirm that one on the list, um because we're at a time- and we were asked to to complete on time- um so I think with that- we're ready um we'll just wait for the updates on the architecture and move that one forward I'll confirm the transport one on the list um and I think we're ready to go we'll continue with the protocol.

A

With that, let me close the meeting. Thank you, everyone for participating and we'll can you continue on the mail.

A

A