[6tisch-security] ***SPAM*** 5.568 (5) authz in the form a cert chain.. from SIDR work
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 May 2014 19:52 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tisch-security <6tisch-security@ietf.org>
Date: Fri, 16 May 2014 15:51:54 -0400
Message-ID: <13616.1400269914@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00
Cc: Robert Moskowitz <rgm@htt-consult.com>
Subject: [6tisch-security] ***SPAM*** 5.568 (5) authz in the form a cert chain.. from SIDR work
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
In my original 802.1AR enabled device claim idea, I imagine a certificate chain rooted in the Factory CA that would already be present in the mote.

To make it easier to explain, and talk about, I'm going to give some names.

    Factory:      ACME
    National-VAR: Cadabra
    Regional-VAR: Sesame
    Plant:        Coyote

So, the manager (Wiley) at the Coyote Plant has just received 1000 new (wireless) Road-Runner Detectors, and plans to spread them along the highway. The detectors are IDevID 210001 through 210999.

Each Detector has an 802.1AR certificate pre-installed that looks like:

    Issuer: C=US, ST=New Jersey, L=Fairfield, O=ACME Rocket-Powered Products, OU=Sensor-Network-Division
    Validity
        Not Before: Feb 17 19:51:50 2010 GMT
        Not After : Dec 31 23:59:59 9999 GMT
    Subject: CN=roadrunner210001
    Data:
        Serial Number: 21:00:01
        Subject Public Key Info: ...

When ACME Factory's Sensor Network Division ships 100 crates of sensors to Cadabra, it issues a certificate:

    Issuer: C=US, ST=New Jersey, L=Fairfield, O=ACME Rocket-Powered Products, OU=Sensor-Network-Division
    Validity
        Not Before: Feb 17 19:51:50 2010 GMT
        Not After : Dec 31 23:59:59 9999 GMT
    Subject: C=US, ST=Washington, L=Seattle, O=Cadabra, OU=Logistics
    RFC3779-Like-Extension: Range(210000, 219999)

When Cadabra ships cases 1-20 to Sesame, it issues a certificate:

    Issuer: C=US, ST=Washington, L=Seattle, O=Cadabra, OU=Logistics
    Validity
        Not Before: Feb 17 19:51:50 2010 GMT
        Not After : Dec 31 23:59:59 9999 GMT
    Subject: C=US, ST=Arkansas, L=Bentonville, O=Sesame Big Box Retail, OU=Small Stuff Distribution
    RFC3779-Like-Extension: Range(210000, 211999)

When Coyote Inc buys those 10 boxes of 100 sensors, the bill of sale includes:

    Issuer: C=US, ST=Arkansas, L=Bentonville, O=Sesame Big Box Retail, OU=Small Stuff Distribution
    Validity
        Not Before: Feb 17 19:51:50 2010 GMT
        Not After : Dec 31 23:59:59 9999 GMT
    Subject: C=US, ST=Nevada, L=Tonopah, O=Coyote Inc, OU=Supper
    RFC3779-Like-Extension: Range(210000, 210099)
    RFC3779-Like-Extension: Range(210200, 210299)
    RFC3779-Like-Extension: Range(210400, 210499)
    RFC3779-Like-Extension: Range(210600, 210699)
    RFC3779-Like-Extension: Range(210800, 210899)
    RFC3779-Like-Extension: Range(211000, 211099)
    RFC3779-Like-Extension: Range(211200, 211299)
    RFC3779-Like-Extension: Range(211600, 211699)
    RFC3779-Like-Extension: Range(211800, 211899)

(Because a shipper sent them every other box, the ranges are not contiguous.)

The mote/sensor, when it sees this certificate, can verify that its DevID is in the range, and therefore knows that it has found the right network.

Should Coyote find that they had too many, they can sell some of these sensors to Sheepdog Sam Inc by issuing a certificate:

    Issuer: C=US, ST=Nevada, L=Tonopah, O=Coyote Inc, OU=Supper
    Validity
        Not Before: Feb 17 19:51:50 2010 GMT
        Not After : Dec 31 23:59:59 9999 GMT
    Subject: C=GB, ST=Scotland, L=Edinburgh, O=SheepsRUs, OU=Sheepdog
    RFC3779-Like-Extension: Range(210050, 210099)
    RFC3779-Like-Extension: Range(211611, 211623)

Of course, since Coyote actually still has a valid certificate, all parties would be advised to use Enrollment over Secure Transport, or an API into 802.1AR, to put an operational certificate in place. Getting back to factory default might be impossible (WirelessHart does this, I think), or at least will wipe the private key associated with the new certificate from the device.

BTW: the extension is likely about 20 bytes base, with 5 bytes per IDevID.

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
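The following is an added example, not code from the post or from the 6TiSCH work: it models the authorization walk the mote would do over the chain above, ACME -> Cadabra -> Sesame -> Coyote (-> SheepsRUs), with the range extension treated the way RFC 3779 treats address blocks, i.e. each link may only delegate IDs its own issuer delegated to it. Signature checking is assumed to be done elsewhere by an X.509 library; the distinguished names are shortened, the `RangeCert` type, the `normalize`/`contains`/`verify_chain` helpers and the "Mallory" overreach chain are hypothetical, and all certificate data is constructed here from the post.

```python
"""Added example: checking an "RFC3779-like" ID-range chain the way the mote would.

Assumption: signatures on every link have already been verified by an X.509
library; this only checks the delegation semantics (who may vouch for which
IDevIDs) and whether the mote's own IDevID lands in the last link."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Range = Tuple[int, int]  # inclusive (low, high), like Range(210000, 219999) in the post

# Hypothetical, shortened from the DNs in the post.
FACTORY_CA = "O=ACME Rocket-Powered Products, OU=Sensor-Network-Division"


@dataclass(frozen=True)
class RangeCert:
    """Only the fields of a link that matter for the authorization check."""
    subject: str
    issuer: str
    ranges: Tuple[Range, ...]


def normalize(ranges: Sequence[Range]) -> Tuple[Range, ...]:
    """Sort and merge overlapping/adjacent ranges; reject inverted ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if lo > hi:
            raise ValueError(f"inverted range {lo}-{hi}")
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return tuple(merged)


def contains(outer: Sequence[Range], inner: Sequence[Range]) -> bool:
    """True if every inner interval lies inside one (merged) outer interval."""
    return all(any(olo <= lo and hi <= ohi for olo, ohi in outer) for lo, hi in inner)


def covers_id(ranges: Sequence[Range], dev_id: int) -> bool:
    return any(lo <= dev_id <= hi for lo, hi in ranges)


def verify_chain(chain: Sequence[RangeCert], dev_id: int,
                 trust_anchor: str = FACTORY_CA) -> Tuple[bool, str]:
    """chain[0] must be issued by the Factory CA already in the mote; chain[-1]
    is the certificate the prospective network presents.  Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[0].issuer != trust_anchor:
        return False, f"chain does not start at trust anchor: {chain[0].issuer}"
    allowed: Optional[Tuple[Range, ...]] = None  # None = the Factory CA, unrestricted
    for depth, cert in enumerate(chain):
        if depth and cert.issuer != chain[depth - 1].subject:
            return False, f"issuer/subject mismatch at depth {depth}"
        try:
            r = normalize(cert.ranges)
        except ValueError as e:
            return False, f"depth {depth}: {e}"
        if not r:
            return False, f"depth {depth}: no range extension, nothing delegated"
        if allowed is not None and not contains(allowed, r):
            return False, f"depth {depth}: {cert.subject} claims IDs its issuer never held"
        allowed = r
    if not covers_id(allowed, dev_id):
        return False, f"IDevID {dev_id} not in {allowed}"
    return True, f"IDevID {dev_id} delegated to {chain[-1].subject}"


# The chain from the post, constructed here as sample data (names shortened).
CADABRA = RangeCert("O=Cadabra, OU=Logistics", FACTORY_CA, ((210000, 219999),))
SESAME = RangeCert("O=Sesame Big Box Retail, OU=Small Stuff Distribution",
                   CADABRA.subject, ((210000, 211999),))
COYOTE = RangeCert("O=Coyote Inc, OU=Supper", SESAME.subject, (
    (210000, 210099), (210200, 210299), (210400, 210499), (210600, 210699),
    (210800, 210899), (211000, 211099), (211200, 211299), (211600, 211699),
    (211800, 211899)))  # every other box, so the ranges are not contiguous
SHEEP = RangeCert("O=SheepsRUs, OU=Sheepdog", COYOTE.subject,
                  ((210050, 210099), (211611, 211623)))
COYOTE_CHAIN = (CADABRA, SESAME, COYOTE)
SHEEP_CHAIN = COYOTE_CHAIN + (SHEEP,)
# Hypothetical: Sesame "sells" IDs that Cadabra never delegated to it.
OVERREACH_CHAIN = (CADABRA, SESAME,
                   RangeCert("O=Mallory", SESAME.subject, ((215000, 215010),)))

if __name__ == "__main__":
    for label, chain, dev in [("coyote/210001", COYOTE_CHAIN, 210001),
                              ("coyote/210150 (box went elsewhere)", COYOTE_CHAIN, 210150),
                              ("sheep/210050", SHEEP_CHAIN, 210050),
                              ("coyote/210050 (still valid after resale)", COYOTE_CHAIN, 210050),
                              ("overreach/215005", OVERREACH_CHAIN, 215005)]:
        print(label, verify_chain(chain, dev))
```

The last two cases are the ones worth noticing: the resale chain validates for IDevID 210050, but so does the original Coyote chain, which is the "Coyote actually still has a valid certificate" problem the post raises and the reason an operational certificate has to replace the sale chain once the device is claimed; and the overreach chain fails at Mallory's link because 215000-215010 is outside what Sesame itself was delegated, regardless of whether Sesame's signature on it is good.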