[Anima] ANIMA and ACE, IDevID terminology (was: Re: cBRSKI)
Christian Amsüss <christian@amsuess.com> Mon, 01 May 2023 10:09 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2081C151996; Mon, 1 May 2023 03:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DIET_1=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9taThqWMepEk; Mon, 1 May 2023 03:09:10 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ECBCC14F73E; Mon, 1 May 2023 03:09:07 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by smtp.akis.at (8.17.1/8.17.1) with ESMTPS id 341A94TN020020 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 May 2023 12:09:04 +0200 (CEST) (envelope-from christian@amsuess.com)
X-Authentication-Warning: smtp.akis.at: Host 095129206250.cust.akis.net [95.129.206.250] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id B9B6A1FC2F; Mon, 1 May 2023 12:09:03 +0200 (CEST)
Received: from hephaistos.amsuess.com (hephaistos.lan [IPv6:2a02:b18:c13b:8010::d5b]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 6ACBB2205E; Mon, 1 May 2023 12:09:03 +0200 (CEST)
Received: (nullmailer pid 19153 invoked by uid 1000); Mon, 01 May 2023 10:09:03 -0000
Date: Mon, 01 May 2023 12:09:03 +0200
From: Christian Amsüss <christian@amsuess.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org, ace@ietf.org
Message-ID: <ZE+Pv0S2KqwtCO3/@hephaistos.amsuess.com>
References: <15797.1682880092@localhost> <ZE7pCI1yiQ/200I+@hephaistos.amsuess.com> <15204.1682893914@localhost>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="vtZ5nG4jBplv0pyu"
Content-Disposition: inline
In-Reply-To: <15204.1682893914@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Cs3KZKLOM5L1FZQgO-W0qENEaME>
Subject: [Anima] ANIMA and ACE, IDevID terminology (was: Re: cBRSKI)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 May 2023 10:09:12 -0000
Hi Michael, (CC'ing ACE list because what I think will be the larger part of the thread is hopefully relevant) > > there a generalization of the IEEE identifiers that also makes > > sense for constrained but more general-purpose-oriented devices, > > for which the ANIMA products can still be used? > > Yes, I agree: replacing the IDevID makes a lot of sense if the control over > the software-update trust anchor changes. When talking about such processes, can we still use the IDevID term (even though an IDevID is "stored in a way that protects it from modification"), or is the use of the term OK because we're not modifying but replacing it, or do we need to use a more general term, or do we not care? > > * Is there any document that describes (or has an example of) how ANIMA > > onboarding interacts with ACE's AS? My current -- maybe naive -- > > assumption is that a voucher in this countext would contain a > > pinned-domain-pubk which is the public key the AS will use to sign ACE > > tokens, and the est-domain would indicate the AS URI, but with the > > pinned-domain-pubk being described in TLS terms (whereas an ACE AS > > uses COSE keys), this may be skipping a step. > > Yeah, that makes sense to me. > I think that ace-ake-authz intended to describe things in terms of ACE. In the current document, the only ACE reference is in an older version's asssigned group. And I think that's good, for using-ANIMA-with-ACE is orthogonal to doing-ANIMA-over-EDHOC. It just may mean we need another document, unless we cram things together in one (which, apart from any good-practice discussions, is hard to convey to the initial reader, who'll need to understand that they can use either part w/o the other). > The AS == Registrar, I think. > Or, perhaps the AS uses a key that the local CA (mediated by the Registrar as > a trust anchor, /cacerts) has blessed in some way. How that works is TBD. So, what'd we need? * Does pinned-domain-pubk work also for COSE keys as used for signed CWTs? (If so, is there a key identifier to go with it?) * Some ACE profiles (eg. ACE-OSCORE, RFC9203) are typically used with a symmetric key shared between AS and RS (and that may be the only key material). Is it fine from an ANIMA PoV to only have such key material? (When such a key is used, it obviously needs to be encrypted; at least some methods of ANIMA, eg. EST, can do that). * (At least) When AS is used with asymmetric tokens, the RS needs to be told its audience identifier; I'd guess that'd be a new leaf. * Once onboarding onto ACE has completed, all the device's identity would be ACE (except for the IDevID that's left in place for a factory reset). Is that fine with an ANIMA setup? I figure that the alternative is to have a dedicated registrar that then hands out certificates to the AS that allow the AS to (temporarily) speak for the CA, but this probably just shifts the questions above down to how those points above would be expressed in a certificate. Skipping that middle step would allow implementing devices that have ANIMA-style onboarding (cBRSKI with ake-authz, maybe), but (eg. using ACE-OSCORE) don't ever need asymmetric operations at runtime. Or do I get the boundaries all wrong, and an ACE device would rather express the concepts of a voucher in a CWT? (But ANIMA already did all the hard work, and given such a device likely needs some CORECONF and thus YANG anyway, reducing extra weight). If not: Shall we just start a small and sleek document that registers some values, and evolve it with some help from Mr. Cunningham? BR Christian -- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom
- [Anima] cBRSKI Michael Richardson
- Re: [Anima] cBRSKI Christian Amsüss
- Re: [Anima] cBRSKI Michael Richardson
- [Anima] ANIMA and ACE, IDevID terminology (was: R… Christian Amsüss
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Benjamin Kaduk
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Christian Amsüss
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Russ Housley
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson