Re: [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 03 October 2018 14:37 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DDE91312B2; Wed, 3 Oct 2018 07:37:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1uxOavxtriz; Wed, 3 Oct 2018 07:37:36 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7A66131280; Wed, 3 Oct 2018 07:37:35 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 816C720090; Wed, 3 Oct 2018 10:37:32 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 502CC2352; Wed, 3 Oct 2018 10:37:33 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 4D5A4234D; Wed, 3 Oct 2018 10:37:33 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>
cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, anima@ietf.org, Security Directorate <secdir@ietf.org>
In-Reply-To: <83c2e4dd-e60a-158b-50aa-7e243216854a@cisco.com>
References: <153826253306.18743.9250084704876465818@ietfa.amsl.com> <m2sh1qkebi.wl-randy@psg.com> <057bd957-06b4-824e-a7c8-214383819621@huitema.net> <m2murxi8ws.wl-randy@psg.com> <b4a32733-c2df-6bea-17d2-4d45ee4d5136@cisco.com> <m2wor0h9vu.wl-randy@psg.com> <1fd9c9d5-508f-901e-818c-3cc87725c331@cisco.com> <m2d0ssh661.wl-randy@psg.com> <2555.1538506845@localhost> <6b2f2b80-5e9e-101f-4aac-f182f638f8b1@gmail.com> <23133.1538520783@localhost> <acea1a3a-b2ec-5381-128c-b13e903c1158@gmail.com> <10809.1538534121@localhost> <83c2e4dd-e60a-158b-50aa-7e243216854a@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 03 Oct 2018 10:37:33 -0400
Message-ID: <28811.1538577453@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/6wG0H2rMP7oolTZf2FxkpWft9wY>
Subject: Re: [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Oct 2018 14:37:38 -0000
Eliot Lear <lear@cisco.com> wrote: >> This lets you use nonced vouchers, potentially with expiry dates. >> Maybe very long expiry dates. Or maybe your personnel-safety-critical >> equipment has a best-before date, and so it's acceptable for you to >> have vouchers only until that date. > One approach I would like would be to get the voucher size down to the > point where it could reasonably fit into a QR code. Then it's a scan. > I see that as future work. current constrained voucher: dooku-[projects/pandora/highway](2.4.1) mcr 10028 %ls -l tmp/voucher_00-D0-E5-F2-10-03.vch -rw-r--r-- 1 mcr mcr 800 Oct 2 23:06 tmp/voucher_00-D0-E5-F2-10-03.vch Note that this does not include the key that did the signing (the MASA key), and I think that this pins a certificate rather than a Raw Public Key, so it could be smaller. (I have to check what I put in that one) It's okay not to include the signing key inside, as the pledge already has it. The Registrar ("owner's trust controller") would like to have that key to audit the signature, but that can be done outside of the voucher. It converts to QR code just fine: http://www.sandelman.ca/tmp/qr1.png Probably needs to have some URI or some such to tell things what is inside. However, not many devices we care about (whether routers or lightbulbs) have cameras. If there is some smartphone interaction, then that's a different thing, and DPP could work, provided we get the APIs that we need to make it deployable. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Secdir last call review of draft-ietf-ani… Christian Huitema
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] Secdir last call review of draft-ietf… Joel M. Halpern
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Christian Huitema
- Re: [Anima] Secdir last call review of draft-ietf… Eliot Lear
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Eliot Lear
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Eliot Lear
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Ted Lemon
- Re: [Anima] Secdir last call review of draft-ietf… Christian Huitema
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Ted Lemon
- Re: [Anima] Secdir last call review of draft-ietf… Eliot Lear
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] Secdir last call review of draft-ietf… Joel M. Halpern
- Re: [Anima] Secdir last call review of draft-ietf… Ted Lemon
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] Secdir last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] Secdir last call review of draft-ietf… Randy Bush
- Re: [Anima] [secdir] Secdir last call review of d… Uri Blumenthal
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] Secdir last call review of draft-ietf… Eliot Lear
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] Secdir last call review of draft-ietf… Michael Richardson
- Re: [Anima] [secdir] Secdir last call review of d… Max Pritikin (pritikin)
- [Anima] dealing with many the secdir and genart c… Michael Richardson
- Re: [Anima] [Gen-art] dealing with many the secdi… Brian E Carpenter
- [Anima] gen art issue 7: serial-number in voucher… Michael Richardson
- [Anima] security review issue 11: what if MASA re… Michael Richardson
- Re: [Anima] security review issue 11: what if MAS… Brian E Carpenter
- Re: [Anima] gen art issue 7: serial-number in vou… Kent Watsen
- [Anima] a multiplicity of pinned certificates Michael Richardson
- Re: [Anima] security review issue 11: what if MAS… Brian E Carpenter
- Re: [Anima] [Gen-art] dealing with many the secdi… Michael Richardson
- Re: [Anima] [Gen-art] dealing with many the secdi… Brian E Carpenter
- Re: [Anima] [Gen-art] dealing with many the secdi… Michael Richardson
- Re: [Anima] a multiplicity of pinned certificates Kent Watsen