IETF Logo Mail Archive

Re: [Acme] Use cases / trust model for device certs

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 23 April 2019 22:41 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A97212063A for <acme@ietfa.amsl.com>; Tue, 23 Apr 2019 15:41:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=fXgEg6fb; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=TNI0dwpj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H0bQY6FHy9m4 for <acme@ietfa.amsl.com>; Tue, 23 Apr 2019 15:41:34 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4BD8120636 for <acme@ietf.org>; Tue, 23 Apr 2019 15:41:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18630; q=dns/txt; s=iport; t=1556059294; x=1557268894; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=7onCU3cJd+Q5I0awC9RvEV+8vpLN/0qZMUmNytHsYTg=; b=fXgEg6fbzwmdu+TD0DkTK0oMp1wZSBmrrNZ1waxwQ7ztFD9o/OD0Wz+R Tw3d6U7NxqQZonGGYfZz8Qd7Db12yRYNofPwJViT2x9ChShd7IKHeVmx9 D3L1B/40q9y67YaNG7xq+PZ4d9079s62sbRMwbwQ5R7yF9o0tSbxDFFhG U=;
IronPort-PHdr: 9a23:psaqBBbEvrSpHrMCaSDLeAv/LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20Q6bRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn1NksAKh0olCc+BB1f8KavtYTY7EcBqX15+9Hb9Ok9QS47z
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ASAAAslL9c/5ldJa1dCRoBAQEBAQIBAQEBBwIBAQEBgVEFAQEBAQsBgQ4vUANoVSAECygKhASDRwOEUopFgld+hCeEFAGJDwiETIEuFIFnDgEBLYRAAheGECM0CQ4BAwEBBAEBAgECbRwMhUoBAQEBAyMKEwEBNwEPAgEIEQQBARYSAwICAh8RFAkIAgQBDQUIgxuBHUwDHAECnX4CihRxgS+CTyoBAQWFAg0Lgg0JgTIBi0kXgUA/gRFGghc1PoIagWUbLDQJgksxgiaKaUADggWEPx6HUIwYLDgJAoIIjmCDZYILihCIeYNoiByIBYw2AgQCBAUCDgEBBYFPOIFWcBU7gmyCD4NvilNygSmMeSuBBAGBIAEB
X-IronPort-AV: E=Sophos;i="5.60,387,1549929600"; d="scan'208,217";a="264003109"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Apr 2019 22:41:12 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x3NMfCgp026737 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 23 Apr 2019 22:41:12 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 23 Apr 2019 17:41:11 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 23 Apr 2019 17:41:11 -0500
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 23 Apr 2019 17:41:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7onCU3cJd+Q5I0awC9RvEV+8vpLN/0qZMUmNytHsYTg=; b=TNI0dwpj8zFjnvww3fbEqJ+0BKQnMYqtceedLv6qpFZjzRMjIJI4PMi8CzyMhkrz2B+PEBegbaot5epMlHIWRLMjvX0U8zql/lXhoe6gKzkzPwCT75n7ocAEYHV3H0OM2DLuGCQmUCSkhIq15Dn7NvWHN/2u/C83ODLHUjdsB/s=
Received: from DM6PR11MB3385.namprd11.prod.outlook.com (20.176.123.12) by DM6PR11MB3067.namprd11.prod.outlook.com (20.177.218.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.16; Tue, 23 Apr 2019 22:41:10 +0000
Received: from DM6PR11MB3385.namprd11.prod.outlook.com ([fe80::6566:36bc:6b9c:6c01]) by DM6PR11MB3385.namprd11.prod.outlook.com ([fe80::6566:36bc:6b9c:6c01%6]) with mapi id 15.20.1835.010; Tue, 23 Apr 2019 22:41:10 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Richard Barnes <rlb@ipv.sx>
CC: IETF ACME <acme@ietf.org>
Thread-Topic: Use cases / trust model for device certs
Thread-Index: AQHU9UBYYfCDccrozkSvmm8nbyfxlqZAv3cAgAmbLcA=
Date: Tue, 23 Apr 2019 22:41:09 +0000
Message-ID: <DM6PR11MB3385A866E463497B5C19EA0CDB230@DM6PR11MB3385.namprd11.prod.outlook.com>
References: <CAL02cgT1hY_wm8d0zpa3hpx926B3_of+=cnDEwikMHS90gVyjw@mail.gmail.com> <CAGL6ep+8MiQNj1e6HGTeVownaS1nfn-TUjCa3aafRPeZ02AdiQ@mail.gmail.com>
In-Reply-To: <CAGL6ep+8MiQNj1e6HGTeVownaS1nfn-TUjCa3aafRPeZ02AdiQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [173.38.220.54]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7f39d336-d70f-41e2-e099-08d6c83cc840
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:DM6PR11MB3067;
x-ms-traffictypediagnostic: DM6PR11MB3067:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM6PR11MB30677B951A977EA6E81313CBDB230@DM6PR11MB3067.namprd11.prod.outlook.com>
x-forefront-prvs: 0016DEFF96
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(136003)(396003)(366004)(346002)(39860400002)(199004)(189003)(14454004)(478600001)(99286004)(186003)(66446008)(64756008)(73956011)(66946007)(66556008)(66476007)(110136005)(446003)(476003)(66066001)(74316002)(316002)(7736002)(26005)(486006)(229853002)(55016002)(86362001)(3846002)(53936002)(790700001)(6116002)(33656002)(561944003)(4326008)(6436002)(236005)(11346002)(9686003)(6246003)(102836004)(97736004)(6506007)(71200400001)(54896002)(256004)(2906002)(76176011)(7696005)(81156014)(76116006)(5660300002)(81166006)(25786009)(68736007)(14444005)(8676002)(71190400001)(53546011)(9326002)(6306002)(8936002)(52536014); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB3067; H:DM6PR11MB3385.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 8Q2pWF7VOuydMk/uS5a83eztfXoGoKgHBSgRYJWfRv2XdGGZWaPOWhb3bWjoMrvO3hxudPFZcvXtoWmMrZlnJxeveJc94D0ctgESgCK2sdyHtWNHU2uJ9NMcDdYMGFHxtFnIfBonJwjU44deSp6hBjswmKFvue6SJ7IBmO4E22uSxH2Ukt0Jfx6sGx9XduomsWjNS10ij0Z4yFbWk6tKXVSo7q2TplYwKyMacFke69YXAfkGC7oIuiYj94tGowflgGebhdJCD2t513jRKnHM6X4mec29HNjdNHJNEvg2v6KfF9WhTPZ+BkXFyzPflftF8rz40tRL3Vvdc0kFcAXNoNtTw88kSG3C8NkbDX74e1MAsdzxsl3OdIxzCQeaHbPAC2LeUi/HbkUJsP+1Q0TK2q+BeOcJoY+YICGAFzt02oc=
Content-Type: multipart/alternative; boundary="_000_DM6PR11MB3385A866E463497B5C19EA0CDB230DM6PR11MB3385namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7f39d336-d70f-41e2-e099-08d6c83cc840
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Apr 2019 22:41:10.0119 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3067
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.16, xch-rcd-006.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/foZbhmtBPma2_AX8DL5gVc_tpXg>
Subject: Re: [Acme] Use cases / trust model for device certs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 22:41:38 -0000

Hi Rifaat,
Inline.

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Sent: 17 April 2019 20:37
To: Richard Barnes <rlb@ipv.sx>
Cc: IETF ACME <acme@ietf.org>; Owen Friel (ofriel) <ofriel@cisco.com>
Subject: Re: Use cases / trust model for device certs

Hi Richard,

I was not aware of the ANIMA work before the meeting in Prague, so I will definitely look into that in details.

One use case that I have in mind is a way to make sure that a specific device can only be used by a specific party.
If you rely on RP to request identities for the device, then any party that has a valid ACME account can use any device.
[ofriel] This is one of the use cases that BRSKI enables. Read the sections relating to Ownership Tracker.

For example, if party A purchased a device from the vendor, and party B gets a hold of that device, then there
is nothing that prevents party B from getting a valid ACME certificate for that device.
[ofriel] With strict ownership tracking, BRSKI is flexible enough to prevent devices from bootstrapping against a network without proof of ownership.

If instead you reply on a token from the Device Authority, then the CA will only issue a certificate to a specific party and specific device.
[ofriel] The Device Authority appears to perform a similar function to the MASA audit log function. The Client (i.e. customer.com) can claim devices from the DA (via some sales channel/integration API), the DA issues JWTs indicating that the device is claimed by a specific Client, and ACME checks that the requesting Client matches that in the JWT which the DA has logged. The BRSKI MASA service audit logs every single domain that a device has registered against, and does not preclude Registrars claiming devices/proving ownership via some sales channel integration/API. It appears that this proposal is trying to address similar issues as BRSKI.

Regards,
 Rifaat


On Wed, Apr 17, 2019 at 1:09 PM Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:
Hey Rifaat,

Owen and I were chatting about ACME and device certs this morning, and it seemed like it might be useful to rekindle discussion on the topic here on the ACME list.

I'd like to push a little more on the trust model here.  Just to establish some terminology:

- Device: Uses certificates to authenticate identifiers
- Vendor: Makes the device that will get the end certificate
- Customer: Buys the device from the vendor and operates it
- CA: Validates identifiers and issues certificates
- Relying Party: Uses certificates to verify authentication for identifiers
- Device Identity: MAC address or similar

In the flows Owen and I have been discussing (more based on ANIMA/BRSKI), the model is basically broken in two, with the customer in the middle:

1. The customer validates devices' device identity as part of the ANIMA flow, based on the customer trusting the vendor, and assigns the device a domain name
2. The customer uses ACME to issue domain name certificates (the CA is unaware of the device identity)

That all pretty much just works with BRSKI and ACME as they are today.  But it presumes that the RP is authenticating the device by domain name, as is prevalent in most uses of TLS today.

In contrast, it seems like your draft presumes that the RP needs to know the device identity; it's not satisfied by a domain name alone.  Can you elaborate a bit more on what scenarios you have in mind for this?  If all you care about is the customer tracking things, then the model above is sufficient; the customer can simply assign domain names that encode the device identity however it likes.

Thanks,
--Richard

v2.23.0 | Report a Bug | By Email