IETF Logo Mail Archive

Re: [Ace] Stephen Farrell's Yes on draft-ietf-ace-usecases-09: (with COMMENT)

"Kumar, Sandeep" <sandeep.kumar@philips.com> Thu, 22 October 2015 21:47 UTC

Return-Path: <sandeep.kumar@philips.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90BD51A8981; Thu, 22 Oct 2015 14:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GkX6dMxbOSEA; Thu, 22 Oct 2015 14:47:29 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3on0778.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe04::778]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E7911A1B15; Thu, 22 Oct 2015 14:47:29 -0700 (PDT)
Received: from AM3PR04CA0018.eurprd04.prod.outlook.com (10.242.16.18) by AMSPR04MB209.eurprd04.prod.outlook.com (10.242.84.15) with Microsoft SMTP Server (TLS) id 15.1.300.14; Thu, 22 Oct 2015 21:47:10 +0000
Received: from DB3FFO11FD037.protection.gbl (2a01:111:f400:7e04::102) by AM3PR04CA0018.outlook.office365.com (2a01:111:e400:8814::18) with Microsoft SMTP Server (TLS) id 15.1.306.13 via Frontend Transport; Thu, 22 Oct 2015 21:47:09 +0000
Authentication-Results: spf=none (sender IP is 23.103.247.180) smtp.mailfrom=philips.com; cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=philips.com;
Received-SPF: None (protection.outlook.com: philips.com does not designate permitted sender hosts)
Received: from 011-smtp-out.Philips.com (23.103.247.180) by DB3FFO11FD037.mail.protection.outlook.com (10.47.217.68) with Microsoft SMTP Server (TLS) id 15.1.306.13 via Frontend Transport; Thu, 22 Oct 2015 21:47:09 +0000
Received: from DB5PR9001MB0167.MGDPHG.emi.philips.com (141.251.190.211) by DB5PR9001MB0166.MGDPHG.emi.philips.com (141.251.190.210) with Microsoft SMTP Server (TLS) id 15.1.293.16; Thu, 22 Oct 2015 21:47:04 +0000
Received: from DB5PR9001MB0167.MGDPHG.emi.philips.com ([141.251.190.211]) by DB5PR9001MB0167.MGDPHG.emi.philips.com ([141.251.190.211]) with mapi id 15.01.0293.007; Thu, 22 Oct 2015 21:47:04 +0000
From: "Kumar, Sandeep" <sandeep.kumar@philips.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Carsten Bormann <cabo@tzi.org>
Thread-Topic: [Ace] Stephen Farrell's Yes on draft-ietf-ace-usecases-09: (with COMMENT)
Thread-Index: AQHRDM2hj5ReQhaYXUij9SmMGT4SqZ53ihQAgAAB+ICAAH9fAA==
Date: Thu, 22 Oct 2015 21:47:04 +0000
Message-ID: <13a9cf15d35c4889ada98e789680e047@DB5PR9001MB0167.MGDPHG.emi.philips.com>
References: <20151022132903.23826.2689.idtracker@ietfa.amsl.com> <9727B59F-CD2D-4A32-8F7B-F5C89EE2E388@tzi.org> <5628ED5D.7070508@cs.tcd.ie>
In-Reply-To: <5628ED5D.7070508@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [85.150.192.178]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1; DB3FFO11FD037; 1:SX2aAzP+oEVLdogbGjkx+Uu9vZPJDpP8jcbYUXS81qzkUGX8tv+H3uVK8d1Xix9oILbUol8/fapGQHT8nm4OHKsENziKJRkXcVOlxHu+pNUmJXkorcb7aa4okOW8apmlRomplOznnILxZU0AdBqRIFMJVe/m3b1SWBUfghDlkR4cvd1zLqyH8D7aX9Z++190fKoB+8JE6Cqa2aGoAOlHHp2UbR314soVykY9cgHDj4lVrUILqUix9dguPkfYlMJccODSPWnrLJKu+DWxFfZ4IwZiL9wvphIc+aRMQ6nn2P4HjdSYBjFo8jeiNxCqQ6hMmPIWJYWaF3nWa/e0PZAg5n4WZVR24LGIjbP64HZe6x4=
X-Forefront-Antispam-Report: CIP:23.103.247.180; CTRY:; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(2980300002)(428002)(479174004)(374574003)(85714005)(55904004)(199003)(377454003)(24454002)(189002)(13464003)(52044002)(24736003)(47776003)(97736004)(86362001)(87936001)(33646002)(5003600100002)(69596002)(19580405001)(50466002)(19580395003)(5001960100002)(189998001)(16796002)(92566002)(81156007)(54356999)(5001770100001)(76176999)(101416001)(50986999)(5008740100001)(6806005)(5004730100002)(2950100001)(102836002)(11100500001)(15975445007)(106116001)(2900100001)(105586002)(230783001)(10400500002)(106466001)(108616004)(23676002)(66066001)(5007970100001); DIR:OUT; SFP:1102; SCL:1; SRVR:AMSPR04MB209; H:011-smtp-out.Philips.com; FPR:; SPF:None; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; AMSPR04MB209; 2:8f2NldDsTMFlrmco1ohcGW7aj+Ipn3v/lVXswtA/XfpF0m6H9NKcMfiqd7k5GSVFDrTUevhwdOuq4F0c8VXWw7pqdETsqtnCTF5Ehx2g3AjIwDlhDx4YSnsODT+0aLAINQvv0S9xiXzRpNy6brVy/j63ngK64Jek1ScwW6wsagE=; 3:ZJRTdijjFDqJ4BrTgE2hs9MnhTh0v4Ei6Btn4Z29a2PSyU1fZbRjwJtqe90+Uq+/OckK1unLjfk6VbWhJZYDYw1o3hdwLrwRV6FaV8zGUDEzma1WnBz1+P1gn25kBlI2T4Fxl800i67tObpKr8UALgxQw/UI0b+Fo1S1r2HUthrNrCl0sbX+frI9jR0BHJRfX7ek5Wf+MQPUxkpb+ehol72vtBY4y52yzu9Pc1h52AY=; 25:AjZNHzBI4wOg2gmUpjg9AEbkzi4qXZejRUP6zp6PMmiNIMyNZCRVKFNiY1RLqh8SHFuKp1jRrVtpLRdWGzQ6sMmyrFSFVf+LlhfgZmo06OBuydlYb97osHHN3qtcqBvE6cDWwlUMRzDuf4ho8+CwwjDhFZo+gSoBNtSN79WQC5o6CY+55K4NGADZ9MauzrytLBTktAjCYrU0SAh7NbDGQpP8x4NExREY7xYdX7lsJhY6/DyH+D/DFDvHkG1ncbUBYnLxymLhTZY/t8KrAe7m8Q==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AMSPR04MB209;
X-Microsoft-Exchange-Diagnostics: 1; AMSPR04MB209; 20:vIWb6zllDqYT8ZQ5EwORHP79U43fD6ODwNSSngoluHkvhTxew7mbTMZvCpbTO78Lmcvrn2RPl6jQuVf4QyBGaWls0bUfh3Yt6jePWaPbpcxBEz1PAf6D/aEgJoPROIzPkTQluc1p8UMSp3l2kb4lgX4NQokNpVSQ8vTY6joptBBVoZ+Q3C1AJc0Za9xzBZB/eSR9QmBoc0iq0Hj27WNlIrDjvePsNTM1RJ8Er7ySCStiiuWWqa/GDo+zOWmUARH6Gcdob2sMpnkOqjONMawfeIhQf3NfrJxhZ4iumOHgp/7LcQXgJoJm4mqfCj/Qrls8VlhbvH0JMwjqJ6GnupXimXdUQt3UgDFnGUON3IIdMkfiQwo2imUIfzrVg/mFJ/wVoGmRVhB8J6WywBqTdBhgv209DjgLb2vurq4COKcl4j8V8MLXSUMF8/u55+/fqIw/f4eFP6CRrbr4nzd8jKVQfXvizC9y/9oocUBWFLSHKU4XVf18MATpE986SODt3d4r; 4:D5t/ScaA0fWW/1lrRZlwwrKpjsQUtESV/JjEjHSKhadXHNfzpil+ImGp7aEo3HL8+7D1+GZfdJJmUP0WTlCD9a+uzc5feFZTFPJt0Vm9xxw+oL+SbKoJWyIzh7fUsRA5/jzPiIFRB9xNQM62b+cjiMw3NHSyzTgTmeO+vd9s0hPEWgV/j2YqkPNT8AdwBzGVoofP4qOhZpTVhGkRj+pmtKplpnxW9bRDlvqySmM9rnnVIenweJk+LzhiPJ2ZWa7EJ2T1UIEAFFK0w08+Ppxzgk+m1Gz2wKxZxGzcYXeTJz+mIUUNU9aacXUO+9k1+jtUuuSm+aQCtt87/ZC/9nRHBS3K1p1O0uKBU69msJZo4b2iw8p8LDj99+QtE/hwxazc
X-Microsoft-Antispam-PRVS: <AMSPR04MB209F581B11B887EDEB6CF6EE4270@AMSPR04MB209.eurprd04.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(32856632585715);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(520078)(3002001)(102215026); SRVR:AMSPR04MB209; BCL:0; PCL:0; RULEID:; SRVR:AMSPR04MB209;
X-Forefront-PRVS: 0737B96801
X-Microsoft-Exchange-Diagnostics: 1;AMSPR04MB209;23:BC6lb/29XIvAYc0gUBc8P+xZRk2tQEpVqbtukMdG3KPBU4BQPlz+H9yPHXRYmNccpmeh7n3WOwCKQLlxhGlyaybT7CiyhJ1F56zVDPAdlJjj3i+8F+umvqjGT1rURNPEwYHa7SMQ0gwRrPHaIhVf8JdfirOeH7K7Jn22vwkVEB+b1yb8xTqPDk+HUdwPN6FxplyMYzanOJ1Oy2BJtwuVp1p0YqEhzrwNVIPIvh1+fBQoxfnM+fY3sdqK+DCkrumLRUYD9eqTC5YjtsCOwwd+ZrG61sKr+bersgtQLpwn+0vEyh7iBoEAS606Aw5EQefZ9nB0WtGz04J9rEUCMvK3cNiyXqjiWV48PXQBOX4cIbFh4RIkrLZ7DnQ+ZxOVGnL7kEnGzkUBCqTet53E6xEiQHbE/sE33UAjKqHpIParFgwVUYalAhfS/BTeeptqO1p0Uonz+66nvYNSWiT778trrv75agw06ddDp/sEKLrmXGH8MfUmelpFihcYrBEVXDMkMNXtSLS28oiURipexT5fRXmg9Uh/LrgARbp9VTknlNlM8rXACuQjX+AUYYDnguwfSDIuN4lk7hxUkXvjYCpALM2MiJTdXU+LfFaka+9fYMaBYi9foyLnT25qLkSk8m9bmPPZ6UE+9d3Ai4qc8ttywBI5dpGLbARZkMcFa8crlEQxVMHADkrfH4E1+pOrMx84bAxJ0eDO9Tu5hT9iAnf0aRK4ct0rnMwXBEFgHpP7DRJO5XH+lrdSqR+I24GXDS0Zx6YeNUOh9GixTH8tqDMGk0xm5SaSqXCL3ONEVOrvx9g0W/JKvFqttD4tPO4U1ltdtw/ZLlqz1jzauJp2AORel15XYFpGTXhhjioienzxZAQoJeGzn6cc53N3wc907O9+0Tasx4IgCfRtJcjINnqgb0y6XnZFkKU9pfCMDkgfSHn9hM8g9My6hjqhLo6z3vO6bNmHdr3WlN1InfDqQmHShqh+gnb/p3ShLmcPGjn9k14v2ayrNjfIHEy+a8Tr0vQa8UyS8H7f6xvCzo3U9F5l5AYqiOtXvx+1i56ocxK7Ida50UQjoCsviH30dnJrW5vC7YM/Da7pRUA4F/fX+NjeinByI8ydjbjh1wYf7wEtPl9TS7IR6GToKRpue9pXm95/d6oqgeLOLv2E63iWGIv8hVAIh95pg9H2uw5mnVajxl2jhyzKfYgwGeKjSPtcbpqz94BYOeKlKKhLZY1CmcxZMkKI9RfobeRgabT6sCBL8rbawVdNuRyAtMg3XbkKQShWd81UuyeUXvFuAnA23gdQfiNdPTB47w2dUFTCS/sTRnkyZmnIGRfcWWNjYBrdEgW1kuuIJO0SWdJ73KcGBTyfeg==
X-Microsoft-Exchange-Diagnostics: 1; AMSPR04MB209; 5:cxKpILEo3AbvQHPC23GXakZcDRDVQeNYk46HaWUoME0NBvP/O3Nq4verstSE1H/CZ/L8yVHiJDs2KGpPyqOvb6DGLGyZ9ZuzxuQqDO9wHaFvTJkQXXqoHR2O4Ateuf0eks2VGshaFztYBmSWLU2tow==; 24:vL8/gzd1x0MHDHhbBrZynY82pLaZJn9Of94w6t9hPFvDCwPFUc9H1voYxsevQvSRE3ssV4VsLJ+4JkuSx23Y5Zknbq5hqXz+AT6wwfhrY40=; 20:PDxwO6epSKfV1W0CiOrGTUaZDremz9dqQUS7f7x742B7I4mBflOqLLcaqv4o9zzvxt4D9fGyUektLj8FKiYuUQ==
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: philips.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Oct 2015 21:47:09.3579 (UTC)
X-MS-Exchange-CrossTenant-Id: 1a407a2d-7675-4d17-8692-b3ac285306e4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=1a407a2d-7675-4d17-8692-b3ac285306e4; Ip=[23.103.247.180]; Helo=[011-smtp-out.Philips.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMSPR04MB209
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/u6jKoWDLz2WbG2Ar5WVB-jQSsBA>
Cc: "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "draft-ietf-ace-usecases@ietf.org" <draft-ietf-ace-usecases@ietf.org>, The IESG <iesg@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Stephen Farrell's Yes on draft-ietf-ace-usecases-09: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 21:47:33 -0000

draft-garcia-core-security-06 was such an attempt. Maybe a good time to resurrect it.

Sandeep

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Thursday, October 22, 2015 4:06 PM
To: Carsten Bormann
Cc: ace-chairs@ietf.org; The IESG; ace@ietf.org; Hannes.Tschofenig@gmx.net; draft-ietf-ace-usecases@ietf.org
Subject: Re: [Ace] Stephen Farrell's Yes on draft-ietf-ace-usecases-09: (with COMMENT)



On 22/10/15 14:59, Carsten Bormann wrote:
> Hi Stephen,
>
> I agree with all of these. However, they are not specific to ACE; they
> are general security considerations for constrained devices (or IoT
> things in general). I think what we need to do is collect the security
> considerations we have in, say, RFC 7252, RFC 7228, etc., combine this
> with the points below and a few more that came up, and generate a
> referenceable “Security Considerations for Constrained Devices on the
> Internet” document.  I’d love to reference that from any document I’m
> working on.

Such a document would indeed be a fine thing. Do we have folks who are willing and able already?

That said, I do think there may be ace-specific use-cases to be derived from (some of) the points raised, e.g. handling end of life is maybe not the same as a handover after the vendor is off the stage.

S.

>
> Grüße, Carsten
>
>
>> On 22 Oct 2015, at 15:29, Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> wrote:
>>
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-ace-usecases-09: Yes
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut
>> this introductory paragraph, however.)
>>
>>
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html for more
>> information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found
>> here: https://datatracker.ietf.org/doc/draft-ietf-ace-usecases/
>>
>>
>>
>> ---------------------------------------------------------------------
>> -
>>
>>
COMMENT:
>> ---------------------------------------------------------------------
>> -
>>
>>
>>
>>
Excellent and well written document, thanks. I think there are
>> five things you could usefully add, see below. That said, I agree
>> that this cannot and should not try to be fully complete so I won't
>> argue (much:-) if you prefer to omit these. We/you can figure out
>> what if any text to add I'm sure, but I'm happy to chat about that.
>>
>> 1. Software update is really needed and often missing and usually
>> hard. There's at least a need to authenticate and authorize new
>> firmware, when there is any update. That may not be the same as
>> authorizing a new config.
>>
>> 2. Alice buys a new device, and would like to know if it is calling
>> home or what it is doing before she configures it, or perhaps before
>> she accepts it in her network. Even if she accepts it, she may want
>> to be able to monitor the data it is sending "home" e.g.
>> to ensure her TV is not sending data when she inserts a USB stick, if
>> that is undesired.
>>
>> 3. Device fingerprinting is a threat that ought be considered by
>> solution developers, especially if there is no reliable software
>> update. Probably the best to be done is to try to make it hard for
>> unauthorized parties to fingerprint a device, but that's also hard.
>>
>> 4. Commercial Devices will be end-of-lifed by vendors, and yet Alice
>> still needs to be able to use, and perhaos to update, the device.
>> That calls for some kind of authorization handover which is not quite
>> the same as a change of ownership.
>>
>> 5. Penetration testing will happen and devices should not barf even
>> then. Maybe that's a security consideration worth a mention.
>>
>> See also the secdir review. [1] It'd be good to see a response to
>> that.
>>
>> [1]
>> https://www.ietf.org/mail-archive/web/secdir/current/msg06101.html
>>
>>
>> _______________________________________________ Ace mailing list
>> Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
>>
>

________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

v2.23.0 | Report a Bug | By Email