IETF Logo Mail Archive

Re: [Anima] cBRSKI

Christian Amsüss <christian@amsuess.com> Sun, 30 April 2023 22:17 UTC

Return-Path: <christian@amsuess.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63013C14CE40 for <anima@ietfa.amsl.com>; Sun, 30 Apr 2023 15:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ecR2WRlEQUpq for <anima@ietfa.amsl.com>; Sun, 30 Apr 2023 15:17:51 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30C84C14CF09 for <anima@ietf.org>; Sun, 30 Apr 2023 15:17:48 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com ([IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by smtp.akis.at (8.17.1/8.17.1) with ESMTPS id 33UMHk7p063743 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 May 2023 00:17:46 +0200 (CEST) (envelope-from christian@amsuess.com)
X-Authentication-Warning: smtp.akis.at: Host [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 763A81FBE0; Mon, 1 May 2023 00:17:45 +0200 (CEST)
Received: from hephaistos.amsuess.com (hephaistos.lan [IPv6:2a02:b18:c13b:8010::d5b]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 1817521FEA; Mon, 1 May 2023 00:17:45 +0200 (CEST)
Received: (nullmailer pid 22051 invoked by uid 1000); Sun, 30 Apr 2023 22:17:44 -0000
Date: Mon, 01 May 2023 00:17:44 +0200
From: Christian Amsüss <christian@amsuess.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <ZE7pCI1yiQ/200I+@hephaistos.amsuess.com>
References: <15797.1682880092@localhost>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="DnoAPTAIFBOEr12P"
Content-Disposition: inline
In-Reply-To: <15797.1682880092@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/166ea8ZEcFV9_ywTW79kACLeC9M>
Subject: Re: [Anima] cBRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Apr 2023 22:17:53 -0000

Hello Michael,

thanks for the answers and the suggestion to move this onto the list.

Follow-up questions:

* On devices where the IDevID can be kept safe from owners, can't the
  device keep a log locally to the same effect as a MASA log on whether
  that device has been owned before? It'd appear that tamper-proofness
  would be the only difference to a logged voucher. (Then again, the
  MASA might also tamper).

> > If an owner can take complete control over a device (like, switch over the
> > firmware, as you can do with a PC or a device that contains GPL-3
> > software), would the issuer of such a new firmware also need to provision
> > the device with a new IDevID?
> 
> Maybe.  Probably be a good idea.  The MASA URL would be wrong in the existing
> IDevID.  RFC8995 provides for the Registrar to have the ability to override
> that URL under operator control.  That would apply to all devices from that
> manufacturer, probably, so it's a big hammer. Replacing the IDevID would be
> simpler.
>
> [...]  An owner might be permitted to load whatever code they want,
> and depending upon many concerns, that might include getting access to
> the IDevID private key, if it is stored on an fTPM or not secured at
> all.

* If the device can do a full firmware replacement (including the
  bootloader), even if the IDevID's private key is kept in a secure
  element, the new firmware could be used to sign[^1] with the IDevID in
  some scenarios. I think it'd be prudent for such upgrades to remove
  that IDevID. As IDevIDs are supposed to be immutable (if I read
  802.1AR correctly -- probably makes sense for the devices IEEE is
  considering): Is there a generalization of the IEEE identifiers that
  also makes sense for constrained but more general-purpose-oriented
  devices, for which the ANIMA products can still be used?

[^1]: Or use the key in any other limited way.

* Is there any document that describes (or has an example of) how ANIMA
  onboarding interacts with ACE's AS? My current -- maybe naive --
  assumption is that a voucher in this countext would contain a
  pinned-domain-pubk which is the public key the AS will use to sign ACE
  tokens, and the est-domain would indicate the AS URI, but with the
  pinned-domain-pubk being described in TLS terms (whereas an ACE AS
  uses COSE keys), this may be skipping a step.

BR
c

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom

v2.23.0 | Report a Bug | By Email