Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 10 July 2019 21:15 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A7EE1200B6; Wed, 10 Jul 2019 14:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bs3qJvJ8deNu; Wed, 10 Jul 2019 14:15:19 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F667120025; Wed, 10 Jul 2019 14:15:18 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id B10C03818E; Wed, 10 Jul 2019 17:13:13 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A1F21729; Wed, 10 Jul 2019 17:15:17 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Roman Danyliw <rdd@cert.org>
cc: The IESG <iesg@ietf.org>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Toerless Eckert <tte+ietf@cs.fau.de>, anima-chairs@ietf.org, anima@ietf.org
In-Reply-To: <156277529950.15124.2390956674545685683.idtracker@ietfa.amsl.com>
References: <156277529950.15124.2390956674545685683.idtracker@ietfa.amsl.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 10 Jul 2019 17:15:17 -0400
Message-ID: <7673.1562793317@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/BsC5rtp0jpjuYOhUhFADcXNR0DU>
Subject: Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 21:15:22 -0000
Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > (4) Thank you for documenting “manufacturer control issues” in Sections > 10.3 and 10.4. It helpfully lays justifies the current design > approach. I strongly concur with the premise that “facilitate[ing] a > few new operat[i]onal modes without making any changes to the BRSKI > protocol” is exactly what is needed. > My concern is that even with the current applicability statement in > Section 9, the current text appears to have only standardized the first > part of the lifecycle that BRSKI equipment might see -- equipment on > first sale as long as the manufacturer supports it or stays in > business. The text doesn’t appear to cover the practical aspects of > the proposed mitigations in Section 10.5 or the situations described in > Section 10.3/10.4 – various situations possible in the full lifecycle > usage of a BRSKI device and needed support the “additional operational > modes”. Specifically: > ** There appears to be little discussion on how > owners/manufacturers/vendors can facilitate second sale/used equipment > beyond narrative words (in Section 10.3 and 10.4) > ** There is appears to be little discussion on how to practically > implement a MASA (i.e., the offline use case). For example, (Per > Section 10.5) “A manufacturer could provide a mechanism to manage the > trust anchors and built-in certificates (IDevID) as an extension. This > is a substantial amount of work, and may be an area for future > standardization work”. Without the ability to change anchors on the > device the additional operational modes such as offline mode seems > challenging. Our goal here has been to provided bootstrapping... the beginning of the lifecycle. It would be great to be able to provide full lifecycle specification. There are quite a number of non-technical issues (i.e. layer 8 and 9) involved in supporting a second sale process. Updating the trust anchors that are used to verify the voucher is, I think, a pretty big deal, and I just don't see that we can deal with this in a general way for a variety of product types. Some vendors would see this as meaning that the TPM has to be opened up. Some operators would be concerned that if this was possible, that they would no longer be able to be certain that a secure boot process would still be secure. I would be happy if this work was chartered a "RATS 2.0", or became part of NETMOD. I don't see how we can do justice in this document. As for operational notions as to how to operator a MASA, and as you say, one that supports off-line vouchers, I agree that we are not that helpful. Note that off-line vouchers are ones without nonces and without expiry dates, transfered to the Registrar by store-and-forward (USB key, scan from QR code on invoice, etc.). They are still signed by the primary manufacturer, and still bind to the primary owner. They are not bearer tokens, and they do not require changes to the trust anchors, and they do not facilitate second sale. Perhaps there is something I can change in that section to clarify this point. To use an HTTP 0.9 analogy, it's like asking the http (1.0) WG to comment on how whether Model-View-Controller vs Presentation-Abstraction-Control is the right way to build social media sites. Having said that, I am pretty sure that we need to write an Operational Considerations document for both MASA and Registrar. I suspect that the first draft will mostly be a list of things not to do. ("Doctor it hurts when I move my harm like this...") -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Roman Danyliw's Discuss on draft-ietf-ani… Roman Danyliw via Datatracker
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Michael Richardson
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Michael Richardson
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Michael Richardson
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Michael Richardson
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Michael Richardson
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Max Pritikin (pritikin)
- Re: [Anima] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw