IETF Logo Mail Archive

Re: [Acme] Use cases / trust model for device certs

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 24 April 2019 18:30 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A2B2120100 for <acme@ietfa.amsl.com>; Wed, 24 Apr 2019 11:30:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jK4bxUrlTAXD for <acme@ietfa.amsl.com>; Wed, 24 Apr 2019 11:30:46 -0700 (PDT)
Received: from mail-io1-xd44.google.com (mail-io1-xd44.google.com [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EE701200D8 for <acme@ietf.org>; Wed, 24 Apr 2019 11:30:46 -0700 (PDT)
Received: by mail-io1-xd44.google.com with SMTP id a23so12961494iot.4 for <acme@ietf.org>; Wed, 24 Apr 2019 11:30:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9YwGfbr2gwjPk4R0qwvK37Y+CAewzIEp6JSX0nYYZdo=; b=t9iL0w/W7HB6lX7QoICfwFbbofWcjpiegWO3H9L8rcuqqWDDkTndiP887PPy1B8mhK oTd8K/1iqrDZ8Ypwl61FE6tirJLTRYcz1sNyCMuZxzGY6N0eTBbO5qChUgwe7x1SCgHn BgF/zFGnPJYGqzO9GmbIgjCWq4qtxWrsLpw5Jtq/U0/tzM2gwofzI5QLlPfyWau1e2X8 hO/w13LMS/eDDGJfOY2a5fvF1EEx75pIcInvUqnQKgiywpKeWqIi7FeYsLgn6lKmqqP4 B8pHXJ89p7pAJ3ODhuJzEi2cuNI1iFvKpaRSYYKuyuY4aMOPj/0LAxD3YZMNm8QKmQ2R L/BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9YwGfbr2gwjPk4R0qwvK37Y+CAewzIEp6JSX0nYYZdo=; b=WHwrUKmr2bV4gTMlF/xQjTwDuJWFMg4rohSoUkJxoDZZr8uZNBheYwagTpRu1GLF0p stgNYL5y1WkPQ/hcN+dfx0qsmYLML7uh9BPGXMFSvWtM9pDO3WhqphMgstVa6Hn9/ohe rkzWHKq0w+twBmIRZR7CFhmuCsKY5xRLpKi9Mv3F88AZgAomFDtLxZyHifLc063nPmDy kWibeC5+mGZ4RjJMS76nGiFCvfkYv29cEf+ugb8rsWBWFeYNfJBtxqg1Am2NafaxCndj KxUzr98AJXmGQ4460n5daUdBvXiKjJCEJNxLQ6lE7KP/ObeVqp4vWG6YfXvdDZ9GKCXj 1oNQ==
X-Gm-Message-State: APjAAAWN41829XWQDNDQsEVbJt1g+IOfZf4b+axCiSrJTd6Jnao1afE3 K0evMPBDK6i5c6ubZdv5qZs342jW89SF+/i/EKc=
X-Google-Smtp-Source: APXvYqytCl2ZF2/8DwhC150k104aKt2SJdoRduZdX0oxJGZr45Sq7g1dppQHpc7CI3x1g/f/W/qRN7qRbv5xeiKFQk0=
X-Received: by 2002:a5d:8597:: with SMTP id f23mr4706693ioj.148.1556130645706; Wed, 24 Apr 2019 11:30:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgT1hY_wm8d0zpa3hpx926B3_of+=cnDEwikMHS90gVyjw@mail.gmail.com> <CAGL6ep+8MiQNj1e6HGTeVownaS1nfn-TUjCa3aafRPeZ02AdiQ@mail.gmail.com> <DM6PR11MB3385A866E463497B5C19EA0CDB230@DM6PR11MB3385.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB3385A866E463497B5C19EA0CDB230@DM6PR11MB3385.namprd11.prod.outlook.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Wed, 24 Apr 2019 14:30:34 -0400
Message-ID: <CAGL6epKd+ooPS5s2VT6yPBtaxJxk0KtLuRLQr_dbJEg4-VTaMg@mail.gmail.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
Cc: Richard Barnes <rlb@ipv.sx>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c8cc805874ae64e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/nMbEe7_5d2Kg_yi_puT1Tz6F5qQ>
Subject: Re: [Acme] Use cases / trust model for device certs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 18:30:49 -0000

Thanks Owen,

I honestly did not have a chance to look BRSKI yet.

Just to make sure that I understand you correctly, are you saying that
BRSKI has a solution for my use case with ACME?
If so, can you please point me to the right document?

Regards,
 Rifaat



On Tue, Apr 23, 2019 at 6:41 PM Owen Friel (ofriel) <ofriel@cisco.com>
wrote:

> Hi Rifaat,
>
> Inline.
>
>
>
> *From:* Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> *Sent:* 17 April 2019 20:37
> *To:* Richard Barnes <rlb@ipv.sx>
> *Cc:* IETF ACME <acme@ietf.org>; Owen Friel (ofriel) <ofriel@cisco.com>
> *Subject:* Re: Use cases / trust model for device certs
>
>
>
> Hi Richard,
>
>
>
> I was not aware of the ANIMA work before the meeting in Prague, so I will
> definitely look into that in details.
>
>
>
> One use case that I have in mind is a way to make sure that a specific
> device can only be used by a specific party.
>
> If you rely on RP to request identities for the device, then any party
> that has a valid ACME account can use any device.
>
> [ofriel] This is one of the use cases that BRSKI enables. Read the
> sections relating to Ownership Tracker.
>
>
>
> For example, if party A purchased a device from the vendor, and party B
> gets a hold of that device, then there
>
> is nothing that prevents party B from getting a valid ACME certificate for
> that device.
>
> [ofriel] With strict ownership tracking, BRSKI is flexible enough to
> prevent devices from bootstrapping against a network without proof of
> ownership.
>
>
>
> If instead you reply on a token from the Device Authority, then the CA
> will only issue a certificate to a specific party and specific device.
>
> [ofriel] The Device Authority appears to perform a similar function to the
> MASA audit log function. The Client (i.e. customer.com) can claim devices
> from the DA (via some sales channel/integration API), the DA issues JWTs
> indicating that the device is claimed by a specific Client, and ACME checks
> that the requesting Client matches that in the JWT which the DA has logged.
> The BRSKI MASA service audit logs every single domain that a device has
> registered against, and does not preclude Registrars claiming
> devices/proving ownership via some sales channel integration/API. It
> appears that this proposal is trying to address similar issues as BRSKI.
>
>
>
> Regards,
>
>  Rifaat
>
>
>
>
>
> On Wed, Apr 17, 2019 at 1:09 PM Richard Barnes <rlb@ipv.sx> wrote:
>
> Hey Rifaat,
>
>
>
> Owen and I were chatting about ACME and device certs this morning, and it
> seemed like it might be useful to rekindle discussion on the topic here on
> the ACME list.
>
>
>
> I'd like to push a little more on the trust model here.  Just to establish
> some terminology:
>
>
>
> - Device: Uses certificates to authenticate identifiers
>
> - Vendor: Makes the device that will get the end certificate
>
> - Customer: Buys the device from the vendor and operates it
>
> - CA: Validates identifiers and issues certificates
>
> - Relying Party: Uses certificates to verify authentication for identifiers
>
> - Device Identity: MAC address or similar
>
>
>
> In the flows Owen and I have been discussing (more based on ANIMA/BRSKI),
> the model is basically broken in two, with the customer in the middle:
>
>
>
> 1. The customer validates devices' device identity as part of the ANIMA
> flow, based on the customer trusting the vendor, and assigns the device a
> domain name
>
> 2. The customer uses ACME to issue domain name certificates (the CA is
> unaware of the device identity)
>
>
>
> That all pretty much just works with BRSKI and ACME as they are today.
> But it presumes that the RP is authenticating the device by domain name, as
> is prevalent in most uses of TLS today.
>
>
>
> In contrast, it seems like your draft presumes that the RP needs to know
> the device identity; it's not satisfied by a domain name alone.  Can you
> elaborate a bit more on what scenarios you have in mind for this?  If all
> you care about is the customer tracking things, then the model above is
> sufficient; the customer can simply assign domain names that encode the
> device identity however it likes.
>
>
>
> Thanks,
>
> --Richard
>
>

v2.23.0 | Report a Bug | By Email