IETF Logo Mail Archive

Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 08 June 2019 23:20 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05AE212010E; Sat, 8 Jun 2019 16:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-ut1wkWHiMq; Sat, 8 Jun 2019 16:20:52 -0700 (PDT)
Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7E81120058; Sat, 8 Jun 2019 16:20:51 -0700 (PDT)
Received: by mail-pf1-x442.google.com with SMTP id t16so3156682pfe.11; Sat, 08 Jun 2019 16:20:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=5oXnb143G6mZDgHWNQHmxYE6t8j85KfAFK89Cj5W73E=; b=peXIRApx0h18TtFWtypG9ULXAzF37k39hQoi0OFjo0RFhgWeieOn9RzAsClNvtUvjd Oj04BECr4oyecbMQJeN7FR+Z1QgLfpeIsjqfrMo/gxy1fLbf60a+/EK7LkpJ7arORPok xwAtfBmnNP3RFtT0Q0W2l67tyxdUXIDAKL8Zvxn4NdoHbUpIFxK2Uv0Q/qdPI4Sis7W8 lvdNk3p7ziIH5pZPmVwGVBnjIAQjJsaZ12NPE2IjhJbWxauO4L8qSEnsYfTXj7Uvio3k zdyJ9QQHlR4dPXNCpVLYqC6qa6CjoLQozE6F3wb1swDBgSekVrrsymbG0gKdAoFI5Zo/ r2hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=5oXnb143G6mZDgHWNQHmxYE6t8j85KfAFK89Cj5W73E=; b=oaWCMCPW9i2sLh7s0odydEYpUbfq7EcmA52RknY4KsebDssMFaVgQFpgYU5o5obLE6 AK/hwIQtH6iJBfb9dbW+GeFX/SjXpOlD14dc8Gol94XTyUR6ZBN+htcmIcfVD61AkgKo quDFKvd5+uo/8ds4gTyIapGI+mPmwTAp7y26kFYRnzYvBxiyAIdGEFwg/FYgifMh6g2N zstKdZYGxFzqiXK19lN5o4sxiBtVr0V6kjic4Nf7/UE+Jo80MxZrdjVsMo2YcOxjzjJM KgbC3S9TcG/JHxzvp9+WXYa2vptE7W2jUP+2c2oHO6cW+08zHMb4SsKAAOhw9EOvkbeJ sKEA==
X-Gm-Message-State: APjAAAWu4jh+6qNk5Lf+HMMt3f+nY2tT/15DvA1/qBFP30ob5olfV/PT L1surK+xF2JCFWZ0iy6eM4Rnh8Ev
X-Google-Smtp-Source: APXvYqzT/w+ksiBNap0PgUkPFWbOVTW21q3J050sw4r5SUAGDZ042fhhGhKoHKeQ9ONwBmovELgNfQ==
X-Received: by 2002:a63:ce08:: with SMTP id y8mr798065pgf.38.1560036051032; Sat, 08 Jun 2019 16:20:51 -0700 (PDT)
Received: from [192.168.178.30] (32.23.255.123.dynamic.snap.net.nz. [123.255.23.32]) by smtp.gmail.com with ESMTPSA id l38sm5592522pje.12.2019.06.08.16.20.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 Jun 2019 16:20:50 -0700 (PDT)
To: Eliot Lear <lear@cisco.com>, Toerless Eckert <tte@cs.fau.de>
Cc: ibagdona@gmail.com, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, IETF discussion list <ietf@ietf.org>, anima-chairs@ietf.org, tte+ietf@cs.fau.de, anima@ietf.org
References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com> <02DFBB01-F7BA-4BCA-B8C5-CF14E8B7A6F4@cisco.com> <20190604192843.gbavqofsq4btcgx3@faui48f.informatik.uni-erlangen.de> <045A7809-CB6F-493E-B9F2-FBF563AD5378@cisco.com> <20190607211720.y63ysayeqtkgi3lj@faui48f.informatik.uni-erlangen.de> <60BB0A11-A12B-4EA5-9379-12C75100D64C@cisco.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <77dc7db3-e281-2475-6909-c9c5a982f973@gmail.com>
Date: Sun, 09 Jun 2019 11:20:45 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <60BB0A11-A12B-4EA5-9379-12C75100D64C@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/6RnajXGSxAE5bMjqSvmhs-0wFcI>
Subject: Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jun 2019 23:20:55 -0000

On 09-Jun-19 01:37, Eliot Lear wrote:
> 
> 
>> On 7 Jun 2019, at 23:17, Toerless Eckert <tte@cs.fau.de> wrote:
>>
>> Ok, now i got you (i hope ;-).
>>
>> I really liked the c1sco example (not sure if we should mention a real
>> company name in such an rfc someone not reading the draft might take
>> offense, maybe examp1e.com insted though).
> 
> This is a bit tricky with the glyph attack, but certainly the base should be
> example.com.

Can you use null.example.com and nu11.example.com?

    Brian

>> But taking your thought into account: There is a fundamental difference
>> betwen TOFU and out-of-band-authentication/approval (pick a term),
>> and the fact that different such mechanisms may have (often human)
>> weaknesses does not change this fundamental difference ??
> 
> 
> I think the key is that humans oughtn’t rely solely on a visual inspection of whatever is presented in front of them, but rather that they might rely on alternative inputs, such as recommendations made by the registrar provider, or federated services.
> 
> 
>>
>> Maybe you want to propose text ?
> 
> Manual approval by administrator or selection by administrator.
> 
> Eliot
>>
>> Cheers
>>   Toerless
>>
>> On Wed, Jun 05, 2019 at 01:09:09PM +0200, Eliot Lear wrote:
>>> Hi Toerless,
>>>
>>>> On 4 Jun 2019, at 21:28, Toerless Eckert <tte@cs.fau.de> wrote:
>>>>
>>>> Thanks, Eliot,
>>>>
>>>> re-reading 10.3, my impression is:
>>>>
>>>> a) The use of TOFU in 10.3 seems to exceed the explanatory definition in 1.2.
>>>> The sentence stubs in 103 mentioning TOFU also don't seem to add value, the text
>>>> doesn't become IMHO worse if they are simply removed. And i am sure
>>>> there can easily be similar non-cyptographic leap of faiths in sales integration,
>>>> or consortium memberships trust chaing establishment.
>>>
>>> My point is that those are no longer leaps of faith.
>>>
>>> Eliot
>>>
>>>>
>>>> b) The text could IMHO be crisper:
>>>>
>>>> "will have no problem collaborating with it's MASA" ->
>>>> "will have no problem collaborating with it's malicious MASA" ->
>>>>
>>>> "the domain (registrar) still needs to trust the manufacturer" ->
>>>> "the domain (registrar) still needs to authenticate the MASA" ?
>>>> (i hope the latter is the correct interpretation of the text)
>>>>
>>>> Cheers
>>>>   Toerless
>>>>
>>>> On Tue, Jun 04, 2019 at 06:33:00PM +0200, Eliot Lear wrote:
>>>>> Just on this text:
>>>>>
>>>>> In Section 10.3 the following text exists:
>>>>>
>>>>>  o  A Trust-On-First-Use (TOFU) mechanism.  A human would be queried
>>>>>     upon seeing a manufacturer's trust anchor for the first time, and
>>>>>     then the trust anchor would be installed to the trusted store.
>>>>>     There are risks with this; even if the key to name is validated
>>>>>     using something like the WebPKI, there remains the possibility
>>>>>     that the name is a look alike: e.g, c1sco.com, ..
>>>>>
>>>>> First, this isn???t REALLY Trust-On-First-Use, and I would prefer that the term be replaced with something like "out-of-band approval".  This would also be a good area for certification services to step in to indicate the trustworthiness of a manufacturer.
>>>>>
>>>>> Eliot
>>>>>
>>>>>> On 21 May 2019, at 23:21, The IESG <iesg-secretary@ietf.org> wrote:
>>>>>>
>>>>>>
>>>>>> The IESG has received a request from the Autonomic Networking Integrated
>>>>>> Model and Approach WG (anima) to consider the following document: -
>>>>>> 'Bootstrapping Remote Secure Key Infrastructures (BRSKI)'
>>>>>> <draft-ietf-anima-bootstrapping-keyinfra-20.txt> as Proposed Standard
>>>>>>
>>>>>> This is a second Last Call. IoT Directorate review was done after the ANIMA
>>>>>> WG Last Call and consensus to request the publication, and that review resulted
>>>>>> in substantial changes to the document.
>>>>>>
>>>>>> The IESG plans to make a decision in the next few weeks, and solicits final
>>>>>> comments on this action. Please send substantive comments to the
>>>>>> ietf@ietf.org mailing lists by 2019-06-04. Exceptionally, comments may be
>>>>>> sent to iesg@ietf.org instead. In either case, please retain the beginning of
>>>>>> the Subject line to allow automated sorting.
>>>>>>
>>>>>> Abstract
>>>>>>
>>>>>>
>>>>>> This document specifies automated bootstrapping of an Autonomic
>>>>>> Control Plane.  To do this a remote secure key infrastructure (BRSKI)
>>>>>> is created using manufacturer installed X.509 certificate, in
>>>>>> combination with a manufacturer's authorizing service, both online
>>>>>> and offline.  Bootstrapping a new device can occur using a routable
>>>>>> address and a cloud service, or using only link-local connectivity,
>>>>>> or on limited/disconnected networks.  Support for lower security
>>>>>> models, including devices with minimal identity, is described for
>>>>>> legacy reasons but not encouraged.  Bootstrapping is complete when
>>>>>> the cryptographic identity of the new key infrastructure is
>>>>>> successfully deployed to the device but the established secure
>>>>>> connection can be used to deploy a locally issued certificate to the
>>>>>> device as well.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> The file can be obtained via
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/
>>>>>>
>>>>>> IESG discussion can be tracked via
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/ballot/
>>>>>>
>>>>>> The following IPR Declarations may be related to this I-D:
>>>>>>
>>>>>> https://datatracker.ietf.org/ipr/2816/
>>>>>> https://datatracker.ietf.org/ipr/3233/
>>>>>> https://datatracker.ietf.org/ipr/2463/
>>>>>>
>>>>>>
>>>>>>
>>>>>> The document contains these normative downward references.
>>>>>> See RFC 3967 for additional information:
>>>>>>  rfc8368: Using an Autonomic Control Plane for Stable Connectivity of Network Operations, Administration, and Maintenance (OAM) (Informational - IETF stream)
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Anima mailing list
>>>>>> Anima@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/anima
>>>>>
>>>>
>>>>
>>>>
>>>>> _______________________________________________
>>>>> Anima mailing list
>>>>> Anima@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/anima
>>>>
>>>>
>>>> --
>>>> ---
>>>> tte@cs.fau.de
>>>
>>
>>
>>
>>> _______________________________________________
>>> Anima mailing list
>>> Anima@ietf.org
>>> https://www.ietf.org/mailman/listinfo/anima
>>
>>
>> -- 
>> ---
>> tte@cs.fau.de
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>

v2.23.0 | Report a Bug | By Email