Re: [Anima] Feedback on constrained-voucher example voucher payloads (in Github / -09)
Peter van der Stok <stokcons@bbhmail.nl> Fri, 04 December 2020 14:56 UTC
Return-Path: <stokcons@bbhmail.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2D833A0C8B for <anima@ietfa.amsl.com>; Fri, 4 Dec 2020 06:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.116
X-Spam-Level:
X-Spam-Status: No, score=-2.116 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bbhmail.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DDO-OM7638NR for <anima@ietfa.amsl.com>; Fri, 4 Dec 2020 06:56:23 -0800 (PST)
Received: from smtprelay.hostedemail.com (smtprelay0126.hostedemail.com [216.40.44.126]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABA7A3A0D04 for <anima@ietf.org>; Fri, 4 Dec 2020 06:56:23 -0800 (PST)
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay07.hostedemail.com (Postfix) with ESMTP id 28325181D302B; Fri, 4 Dec 2020 14:56:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbhmail.nl; h= mime-version:content-type:date:from:to:cc:subject:reply-to :in-reply-to:references:message-id; s=key; bh=sDbW1u/Dz2kBobfz8Z PaF7i1FzIOOV5x79onmr35lbA=; b=twan5EH4nOD8hH5VAPDYyCOu4ZQV7PQCwK 96EqYpK6gNl2TLsGnInSMmiOtZLmUbJWj1+dKnPrFGnF0hAMnnIbhU/WjWVeqA98 IJIm5PRCvgzxyBfvn0dHARhRiBJausTfYRbLafeJ53tbv4kxUwppjo3qy7QQORXv CkwMz2gwI=
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 2, -10, 0, , d41d8cd98f00b204, stokcons@bbhmail.nl, , RULES_HIT:41:72:152:327:355:379:582:599:800:962:967:973:983:988:989:1152:1189:1208:1212:1221:1260:1313:1314:1345:1359:1362:1431:1436:1437:1516:1517:1518:1575:1588:1589:1592:1594:1605:1616:1730:1775:1792:2068:2069:2194:2198:2199:2200:2525:2526:2527:2557:2568:2610:2629:2682:2685:2689:2693:2731:2859:2895:2901:2902:2917:2924:2926:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3421:3614:3622:3651:3769:3865:3866:3867:3868:3870:3871:3872:3874:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4250:4321:4361:4362:4379:4470:4860:5007:6119:6248:6261:6657:6659:6678:7875:7903:7974:8531:8603:8957:9010:9025:9036:9040:9080:9108:9177:10004:10026:10848:11232:11656:11658:11854:11914:12043:12291:12294:12379:12438:12555:12683:12698:12737:12740:12895:12986:13132:13138:13139:13149:13230:13231:13255:13846:13870:13972:14096:21060:21063:21080:21433:21451:21499:21611:21627:21740:21819:21939:21984:21990:30012:30022:30034:30054
X-HE-Tag: year66_1a11eae273c5
X-Filterd-Recvd-Size: 27859
Received: from mail.bbhmail.nl (imap-ext [216.40.42.5]) (Authenticated sender: webmail@stokcons@bbhmail.nl) by omf14.hostedemail.com (Postfix) with ESMTPA; Fri, 4 Dec 2020 14:56:21 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_e356665438c138d45c2f830749d3d96e"
Date: Fri, 04 Dec 2020 15:56:20 +0100
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: consultancy@vanderstok.org, anima@ietf.org
Reply-To: consultancy@vanderstok.org
In-Reply-To: <AM8P190MB097940CB58A10875A656DDB2FDF10@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <AM8P190MB097940CB58A10875A656DDB2FDF10@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
User-Agent: Roundcube Webmail/1.4-rc2
Message-ID: <f29e50d9436f75fb5872e9921f870807@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
Organization: vanderstok consultancy
X-Originating-IP: [5.206.216.229]
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/JCC8UdWyI3f1AiTm7Co8jL4BUJc>
Subject: Re: [Anima] Feedback on constrained-voucher example voucher payloads (in Github / -09)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 14:56:27 -0000
Hi Esko,
thanks,
several oversights from me, especially forgetting the delta encoding for
SID is difficult to explain.
Once everythings is repaired, I will issue a new version with updated
examples.
Peter
Esko Dijk schreef op 2020-12-04 15:33:
>>
> Hi Peter,
>
> Here my feedback as result of reviewing the example voucher payloads:
>
> *** pledge-to-regis.txt:
>
> 1- there seems to be an error in the delta encoding of the numeric SID keys. If I decode the CBOR from the COSE payload in pledge-to-regis, I get the following
>
> {2501: {2503: "2020-10-5T13:46:13-00:00", 2505: "2022-10-5T13:46:13-00:00", 2502: 2, 2508: h'29C7BAFB81A2C6160D3357D22911F510', 2514: "pledge.1.2.3.4", 2511:
h'30820239308201DEA0030201020214397374F3FA812A0D37103B68C18481C501BC7CFE300A06082A8648CE3D0403023073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C301E170D3230303930393037343230335A170D3231303930393037343230335A3073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C3059301306072A8648CE3D020106082A8648CE3D030107034200046A24A9E24BE234D17AD47E760C94B5E1DC4EE115AD89112AD4A6A64BB1BF68F9177D70E9109CB48C9B0DC7DF2641199D0C2DBFF21ED584038AC83F4781BE138EA350304E301D0603551D0E0416041425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2301F0603551D2304183016801425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2300C0603551D13040530030101FF300A06082A8648CE3D040302
0349003046022100A66D9E24F9DE08B7F0CF43C3C0EE57CCB660DEAE2E70CC61A1A2B33535025BBA022100BFFD746A99EBDA0177FC6C3795758AF4A09F998EBC4A906249F07AC96596DC75'}}
>
> while based on https://tools.ietf.org/html/draft-ietf-core-yang-cbor-13#section-4.2.1 [1] I would expect something like
>
> {2501: {2: "2020-10-5T13:46:13-00:00", 4: "2022-10-5T13:46:13-00:00", 1: 2, 7: h'29C7BAFB81A2C6160D3357D22911F510', 13: "pledge.1.2.3.4", 10:
h'30820239308201DEA0030201020214397374F3FA812A0D37103B68C18481C501BC7CFE300A06082A8648CE3D0403023073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C301E170D3230303930393037343230335A170D3231303930393037343230335A3073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C3059301306072A8648CE3D020106082A8648CE3D030107034200046A24A9E24BE234D17AD47E760C94B5E1DC4EE115AD89112AD4A6A64BB1BF68F9177D70E9109CB48C9B0DC7DF2641199D0C2DBFF21ED584038AC83F4781BE138EA350304E301D0603551D0E0416041425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2301F0603551D2304183016801425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2300C0603551D13040530030101FF300A06082A8648CE3D040302
0349003046022100A66D9E24F9DE08B7F0CF43C3C0EE57CCB660DEAE2E70CC61A1A2B33535025BBA022100BFFD746A99EBDA0177FC6C3795758AF4A09F998EBC4A906249F07AC96596DC75'}}
>
> This uses the delta encoding. In order to use the full SID number (e.g. 2503, 2505, etc.) these have to be prefixed with a CBOR tag. By default, delta encoding is to be used if that tag is not present.
>
> 2- for the Registrar certificate embedded in field '10' above, see my previous email about the certificates.
>
> 3- The Yang date-and-time format needs the date to be 2 digits always, so e.g.: "2020-10-05T13:46:13-00:00". For a constrained system the following equivalent string is even better: "2020-10-05T13:46:13Z"
>
> 4- The 'created-on' and 'expires-on' fields would typically not be included in the constrained Voucher request, because the Pledge doesn't have current time e.g. a Real-time clock in typical situations nor access to NTP over the network prior to bootstrap. So I would expect this to be not included typically. If included the expires time should be sufficiently far in the future, i.e. later than the 'created' timestamp. That's currently not the case. Leaving both out is the easiest solution :) - the nonce is anyway used for freshness verification.
>
> *** regis-to-masa.txt:
>
> The decoded COSE payload looks as follows in CBOR diagnostic:
>
> {2501: {2503: "2020-10-5T13:46:13-00:00", 2505: "2022-10-5T13:46:13-00:00", 2508: h'29C7BAFB81A2C6160D3357D22911F510', 2514: "pledge.1.2.3.4", 2506: h'433D4E4C2C2053543D4E422C204C3D48656C6D6F6E642C204F3D76616E64657273746F6B2C204F553D6D616E75666163747572696E672C20434E3D757569643A706C656467652E312E322E332E342C2073657269616C4E756D6265723D706C656467652E312E322E332E34', 2510:
h'D28444A101382EA1045820F8926F5BA385B7BCCF23592B97A73C1B00BFFC010230F647F06960870B1FD6EE5902ACA11909C5A61909C77818323032302D31302D355431333A34363A31332D30303A30301909C97818323032322D31302D355431333A34363A31332D30303A30301909C6021909CC5029C7BAFB81A2C6160D3357D22911F5101909D26E706C656467652E312E322E332E341909CF59023D30820239308201DEA0030201020214397374F3FA812A0D37103B68C18481C501BC7CFE300A06082A8648CE3D0403023073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C301E170D3230303930393037343230335A170D3231303930393037343230335A3073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C3059301306072A8648CE3D020106082A8648CE3D030107034200046A
24A9E24BE234D17AD47E760C94B5E1DC4EE115AD89112AD4A6A64BB1BF68F9177D70E9109CB48C9B0DC7DF2641199D0C2DBFF21ED584038AC83F4781BE138EA350304E301D0603551D0E0416041425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2301F0603551D2304183016801425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100A66D9E24F9DE08B7F0CF43C3C0EE57CCB660DEAE2E70CC61A1A2B33535025BBA022100BFFD746A99EBDA0177FC6C3795758AF4A09F998EBC4A906249F07AC96596DC7558473045022100FC28BE418E5F25152590E872B4BBDBE334CD31D1EBB0A806E7A172CAD5CFF604022056EE414DDAC438E7F51DDA9DDF6EC6E31A78CDDE6574717FE46DD3A7C60F5BB5'}}
>
> 1- see above comments on delta encoding and timestamps which shouldn't be equal.
>
> 2- when I take the Issuer from the pledge.hex cert, I get the following bytes:
>
> 306F310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31153013060355040B0C0C6D616E7566616374757265723115301306035504030C0C6D6173612E73746F6B2E6E6C
>
> This should be identical to the field 2506 (idevid-issuer) in above COSE payload, however in the decoded example it looks different. My ASN.1 decoder even can't decode it properly.
>
> 3- as already discussed in issue https://github.com/anima-wg/constrained-voucher/issues/59 [2] the COSE signing needs to be updated to include a certificate signing chain of the Registrar. (Can be length 1, 2, 3 or more) This can only be implemented of course once we resolve this issue.
>
> *** voucher-from-MASA.txt:
>
> Decoded payload:
>
> {2451: {2453: "2020-10-5T13:46:14-00:00", 2455: "2022-10-5T13:46:14-00:00", 2452: 3, 2458: h'29C7BAFB81A2C6160D3357D22911F510', 2462: "pledge.1.2.3.4", 2459:
h'30820239308201DEA0030201020214397374F3FA812A0D37103B68C18481C501BC7CFE300A06082A8648CE3D0403023073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C301E170D3230303930393037343230335A170D3231303930393037343230335A3073310B3009060355040613024E4C310B300906035504080C024E423110300E06035504070C0748656C6D6F6E6431133011060355040A0C0A76616E64657273746F6B31143012060355040B0C0B636F6E73756C74616E6379311A301806035504030C117265676973747261722E73746F6B2E6E6C3059301306072A8648CE3D020106082A8648CE3D030107034200046A24A9E24BE234D17AD47E760C94B5E1DC4EE115AD89112AD4A6A64BB1BF68F9177D70E9109CB48C9B0DC7DF2641199D0C2DBFF21ED584038AC83F4781BE138EA350304E301D0603551D0E0416041425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2301F0603551D2304183016801425CD9371B5A15F6D1EE8C37A5113BE0B8F132CC2300C0603551D13040530030101FF300A06082A8648CE3D040302
0349003046022100A66D9E24F9DE08B7F0CF43C3C0EE57CCB660DEAE2E70CC61A1A2B33535025BBA022100BFFD746A99EBDA0177FC6C3795758AF4A09F998EBC4A906249F07AC96596DC75', 2454: 0}}
>
> 1- see above on delta encoding and date values
>
> 2- the assertion value is 3, which is not defined, it should probably be 2 (proximity) here ?
>
> 3- the value of domain-cert-revocation-checks (2454) needs to be a CBOR boolean 'false'. Currently uses an integer 0. Since YANG Boolean translates to CBOR Boolean.
>
> 4- the "expires-on" field is not really needed in the Voucher. See BRSKI section 5.6: the expires-on field is set for nonceless vouchers (since the nonce is used for freshness by the Pledge - not really a need to have an additional expiry time sent.) See also RFC 8366 for examples, the expires-on field is there only used in nonce-less vouchers. And the Yang module code for "leaf nonce" also formally defines a "must not" condition on the "expires-on" field so the two cannot really be used together.
>
> But if we want to include this field for some reason (which seems to go against BRSKI and RFC 8366 so needs to be motivated!) then we would also rather set a shorter timespan for Voucher validity. E.g. BRSKI 5.6 recommends something like 20 minutes time as the expected time e.g. to complete the bootstrap process. 2 years seems really too long for this.
>
> Best regards
>
> Esko
>
> IoTconsultancy.nl | Email/Teams: esko.dijk@iotconsultancy.nl | +31 6 2385 8339
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
Links:
------
[1]
https://tools.ietf.org/html/draft-ietf-core-yang-cbor-13#section-4.2.1
[2] https://github.com/anima-wg/constrained-voucher/issues/59
- [Anima] Feedback on constrained-voucher example v… Esko Dijk
- Re: [Anima] Feedback on constrained-voucher examp… Peter van der Stok
- Re: [Anima] FW: Feedback on constrained-voucher e… Peter van der Stok