Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Eliot Lear <lear@cisco.com> Thu, 11 July 2019 22:00 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <29C66B88-3927-4243-BE69-A8148ADDE50A@cisco.com>
Date: Thu, 11 Jul 2019 23:59:57 +0200
In-Reply-To: <20190711214847.GA16418@kduck.mit.edu>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Adam Roach <adam@nostrum.com>, anima-chairs@ietf.org, The IESG <iesg@ietf.org>, Toerless Eckert <tte+ietf@cs.fau.de>, anima@ietf.org
To: Benjamin Kaduk <kaduk@mit.edu>
References: <156282703648.15280.17739830959261983790.idtracker@ietfa.amsl.com> <17580.1562874933@localhost> <ACEB4033-707F-47AF-B58A-5227B444BEAB@cisco.com> <20190711214847.GA16418@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/36g5ym1nl36tJcjnYirv-YRnoM4>
Subject: Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)


> On 11 Jul 2019, at 23:48, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Thu, Jul 11, 2019 at 11:44:55PM +0200, Eliot Lear wrote:
>> One thought:
>> 
>> I think the simplest way to address the bulk of both Adam’s and Warren’s concern is to require the device to emit via whatever management interface exists, upon request, a voucher that it has signed with its own iDevID.  It would have to be nonceless with perhaps a long expiry, and that would cover a number of other use cases as well.  That way if the manufacturer goes out of business, or if the owner wants to transfer the device without manufacturer consent, there is a way forward.
> 
> An interesting thought.  Would there be a way (or a need) to usefully audit
> such voucher issuance?
> 

Now you’re asking tough questions ;-)

“Usefully audit” is a bit loaded, but let me posit the following functions:

Produce a voucher with an expiry of X pinned to domain Y
Show a record of vouchers you’ve produced
Add (the hash of) voucher X to a revocation list.

Again, I would be hesitant to mandate a particular protocol for this sort of thing, but simply require the functions.  In some cases it could be CIP (Common Industrial Protocol) while in others it might be Profinet, and perhaps it could be something we could shove into the TEAP draft (draft-lear-eap-teap-brski), though I am not a big fan of that approach.  In other cases, it could be as simple as “Alexa [do one of the above]” ;-)

The key point here is that at least the first buyer should be able to enjoy a seamless zero-touch onboarding experience.

Eliot
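The three functions sketched in the message above (produce a nonceless voucher with an expiry pinned to a domain, show the record of vouchers produced, add the hash of a voucher to a revocation list), plus the corresponding checks a consumer of such a voucher would run, as an added example that is not code from the thread, the BRSKI draft or RFC 8366. It uses the RFC 8366 voucher field names ("ietf-voucher:voucher", "created-on", "expires-on", "assertion", "serial-number", "pinned-domain-cert"); the class and function names, the device serial and the domain certificate bytes are constructed for the example, and the IDevID signature is replaced by an HMAC stand-in (an assumption made so the example runs offline; a real device would sign the artifact with its IDevID private key).

```python
"""Device-side owner-voucher bookkeeping modelled on RFC 8366 voucher fields.

Added example. The IDevID signature is an HMAC stand-in (assumption): the
point shown is the record, expiry and revocation-list handling, not the
signature algorithm a real device would use.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"            # yang:date-and-time as used by RFC 8366
IDEVID_KEY_STANDIN = b"constructed-idevid-key"   # constructed; stands in for the IDevID key
DEVICE_SERIAL = "JADA123456789"             # constructed serial-number


class OwnerVoucherStore:
    """Holds the record of vouchers this device has issued and its revocation list."""

    def __init__(self):
        self.issued = []        # record of every voucher artifact produced
        self.revoked = set()    # SHA-256 hashes of revoked voucher artifacts

    def produce_voucher(self, pinned_domain_cert, expiry_days, now=None, assertion="verified"):
        """Function 1: nonceless voucher with expiry X, pinned to domain cert Y."""
        now = now or datetime.now(timezone.utc)
        body = {
            "ietf-voucher:voucher": {
                "created-on": now.strftime(TIME_FMT),
                # Nonceless vouchers must carry an expiry; no "nonce" field is emitted.
                "expires-on": (now + timedelta(days=expiry_days)).strftime(TIME_FMT),
                "assertion": assertion,
                "serial-number": DEVICE_SERIAL,
                "pinned-domain-cert": base64.b64encode(pinned_domain_cert).decode(),
            }
        }
        # Canonical serialisation so the hash used for revocation is stable.
        artifact = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        signature = hmac.new(IDEVID_KEY_STANDIN, artifact, hashlib.sha256).hexdigest()
        record = {
            "hash": hashlib.sha256(artifact).hexdigest(),
            "artifact": artifact,
            "signature": signature,
        }
        self.issued.append(record)
        return record

    def list_issued(self):
        """Function 2: show the record of vouchers produced (hash and expiry only)."""
        out = []
        for rec in self.issued:
            v = json.loads(rec["artifact"])["ietf-voucher:voucher"]
            out.append({"hash": rec["hash"], "expires-on": v["expires-on"]})
        return out

    def revoke(self, voucher_hash):
        """Function 3: add the hash of a voucher to the revocation list."""
        self.revoked.add(voucher_hash)

    def validate(self, record, pinned_domain_cert, now=None):
        """Consumer-side checks: signature, revocation, expiry, pinned domain, serial.

        Returns (ok, reason) so a registrar can log why a voucher was refused.
        """
        now = now or datetime.now(timezone.utc)
        artifact = record["artifact"]
        expected = hmac.new(IDEVID_KEY_STANDIN, artifact, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["signature"]):
            return False, "bad signature"
        if hashlib.sha256(artifact).hexdigest() in self.revoked:
            return False, "revoked"
        v = json.loads(artifact)["ietf-voucher:voucher"]
        if "nonce" not in v and "expires-on" not in v:
            return False, "nonceless voucher without expiry"
        expires = datetime.strptime(v["expires-on"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now >= expires:
            return False, "expired"
        if v["pinned-domain-cert"] != base64.b64encode(pinned_domain_cert).decode():
            return False, "pinned to a different domain"
        if v["serial-number"] != DEVICE_SERIAL:
            return False, "serial-number mismatch"
        return True, "ok"


if __name__ == "__main__":
    store = OwnerVoucherStore()
    rec = store.produce_voucher(b"constructed-domain-Y-cert", expiry_days=365)
    print(store.list_issued())
    print(store.validate(rec, b"constructed-domain-Y-cert"))
    store.revoke(rec["hash"])
    print(store.validate(rec, b"constructed-domain-Y-cert"))
```

The revocation list is keyed by the hash of the canonical artifact bytes, so the device never needs to re-parse a voucher to decide whether it has been withdrawn, and the same hash is what `list_issued` shows, which is the audit record the question in the thread was asking about.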