This repository was archived by the owner on Mar 1, 2024. It is now read-only.

Successful entitlement validation will no longer include vmid in the response #63

@theunrepentantgeek

Description

Context

In the original version of the software entitlement service REST API, the response returned for a successful entitlement verification included a unique identifier for the virtual machine in a vmid field.

The intention for vmid was to allow the hosted software package to verify that it was running on the correct host machine.

We introduced this check early in the design process to mitigate against man-in-the-middle attacks where an attacker ran a proxy server on the Azure Batch compute node to achieve token reuse.

Since we now only permit HTTPS connections and authenticate the server with specified intermediate Microsoft certificate authorities, a MITM attack is no longer possible and the vmid check adds no additional security.

We have also identified useful scenarios where the virtual machine identifier is not easily available. These scenarios include docker containers and Windows PaaS compute nodes.

Decision

We will revise the software entitlement service REST API to remove the vmid return value from the response to a successful entitlement verification.

Consequences

The revised API will use a revised api-version number to allow the introduction of the change without compromising the functionality of any existing packages already deployed.

Documentation within this SDK will be updated to remove references to vmid validation except as a historical note.

Supplied library code and the sesclient application will be updated to comply with the updated API specification.

The sestest application will be enhanced to support the new API specification. The server mode will support both the existing api-version and the new one, to allow testing of integrated packages regardless of the API version used.
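The following is an added illustration of the api-version compatibility strategy described in this decision; it is not code from the SDK, sesclient or sestest. It models both sides: a server that emits the vmid field only for the existing api-version (as a dual-version test server would), and a client that applies the vmid check only when talking to that version and performs no such check against the revised version. The version strings, the `applicationId`/`entitlementId` field names and the `EntitlementError` type are assumptions made for the example; only the `vmid` field name and the HTTPS-only transport come from the issue text.

```python
"""Versioned entitlement-response handling, added as an illustration.

Assumptions (not from the SDK): the version strings below, the field names
other than ``vmid``, and the ``EntitlementError`` exception type.
"""
import json
from typing import Any, Dict, Optional

# Placeholder version identifiers; the real api-version values are not given in the issue.
LEGACY_API_VERSION = "legacy-example"   # existing version: response carries vmid
REVISED_API_VERSION = "revised-example"  # new version: response omits vmid
SUPPORTED_VERSIONS = {LEGACY_API_VERSION, REVISED_API_VERSION}


class EntitlementError(Exception):
    """Raised when a response is malformed or fails a version-specific check."""


def build_success_response(api_version: str, application_id: str, vmid: str) -> str:
    """Server side: serialise a successful verification for the requested api-version.

    The legacy version includes the vmid of the requesting node; the revised
    version deliberately leaves it out, since server authentication over HTTPS
    already rules out the proxy/token-reuse scenario the check was meant for.
    """
    if api_version not in SUPPORTED_VERSIONS:
        raise EntitlementError(f"unsupported api-version: {api_version}")
    body: Dict[str, Any] = {
        "entitlementId": "entitlement-0001",  # constructed sample value
        "applicationId": application_id,
    }
    if api_version == LEGACY_API_VERSION:
        body["vmid"] = vmid
    return json.dumps(body)


def validate_success_response(api_version: str, raw_body: str,
                              local_vmid: Optional[str]) -> Dict[str, Any]:
    """Client side: parse the body and apply only the checks that apply to this version.

    Legacy version: vmid must be present and must equal the local machine id.
    Revised version: no vmid check at all, so a client running where no machine
    id is available (a container, a PaaS node) passes ``local_vmid=None``.
    Returns the parsed body on success, raises EntitlementError otherwise.
    """
    if api_version not in SUPPORTED_VERSIONS:
        raise EntitlementError(f"unsupported api-version: {api_version}")
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        raise EntitlementError("response body is not valid JSON") from exc
    if not isinstance(body, dict) or "applicationId" not in body:
        raise EntitlementError("response body lacks required fields")

    if api_version == LEGACY_API_VERSION:
        # Under the legacy contract a missing vmid is a protocol violation, and
        # a mismatch means the token was not issued for this machine.
        if "vmid" not in body:
            raise EntitlementError("legacy response did not include vmid")
        if local_vmid is None or body["vmid"] != local_vmid:
            raise EntitlementError("vmid in response does not match this machine")
    # Revised contract: vmid is not part of the response; if a server sends one
    # anyway it is ignored rather than checked, so the client need not know its id.
    return body


if __name__ == "__main__":
    legacy = build_success_response(LEGACY_API_VERSION, "app-x", "vm-123")
    revised = build_success_response(REVISED_API_VERSION, "app-x", "vm-123")
    print(validate_success_response(LEGACY_API_VERSION, legacy, "vm-123"))
    print(validate_success_response(REVISED_API_VERSION, revised, None))
```

Keeping the version check in one place on the client means a package built against the revised api-version never needs a machine identifier, while packages still deployed against the existing version keep the behaviour they were tested with.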
