Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
Toerless Eckert <tte@cs.fau.de> Tue, 30 July 2019 21:08 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475AF120143 for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 14:08:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfWOiHPkgG31 for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 14:08:05 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A164C120105 for <anima@ietf.org>; Tue, 30 Jul 2019 14:08:04 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id C0C8554802C; Tue, 30 Jul 2019 23:07:59 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id AE21F440041; Tue, 30 Jul 2019 23:07:59 +0200 (CEST)
Date: Tue, 30 Jul 2019 23:07:59 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: "Mendelson, Tsippy" <tsippy.mendelson@intel.com>
Cc: "tte+ietf@cs.fau.de" <tte+ietf@cs.fau.de>, "anima@ietf.org" <anima@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "Michael.H.Behringer@gmail.com" <Michael.H.Behringer@gmail.com>, "kwatsen@juniper.net" <kwatsen@juniper.net>, "Ruan, Xiaoyu" <xiaoyu.ruan@intel.com>, "Jayanna, Prabhu" <prabhu.jayanna@intel.com>
Message-ID: <20190730210759.yaubbw2pit73a6sh@faui48f.informatik.uni-erlangen.de>
References: <27D27ED4408AA64998F40FB212076767DC26B25F@hasmsx109.ger.corp.intel.com> <27D27ED4408AA64998F40FB212076767DC282548@hasmsx109.ger.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <27D27ED4408AA64998F40FB212076767DC282548@hasmsx109.ger.corp.intel.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/JLGfQFSrGMWaLm8-SBX0JVhn3yU>
Subject: Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 21:08:07 -0000
Ideally i would like to negotiate you into liking and accepting the text as it stands, and if then - if you are interested - to help write a small followup document amending the solution space to other pledge IDevID formats (e.g.: without these easy identifiers). The reason for me saying this is that the authors and i think the industry well understands the workflows in which these device identifiers are also communicated via sales integration, appear on printed labels and all the like. So we feel safe that we have a rock solid solution when we do have this identifier in the IDevID. >From what i understand (and please correct me if you are coming from a different angle), you may be able to reduce cost in manufacturing of low-cost and/or constrained device by not having to have IDevID securely installed with such serialNum, but instead just having a self-signed certificate or maybe even only a self-generated key-pair - and then for example just using a simple registration process at the manufacturer to remembrer the public key pair there - manufacturer doesn't need to create any other device tracking space other than the public key. Not good for humans, but good enough for automated mechanisms. This is i think what we discussed during a BRSKI/ACME side-meeting last week (see also notes sent by Owen and I). I think it is perfectly feasible to adopt BRSKI to support these type of environments, probably with only few changes, but it would be a lot easier to conclude on HOW to do it through the aforementioned separate followup document. For example, i am not sure if TLS can authenticate just with public key pair, or not (if not we would always ask to create self-signed certificate), then we might need to amend the voucher format (not sure), and ultimately, there may need to be some form of standardized sales integration signaling so that the owner learns about the public keys of the devices he bought. E.g.: something like this. Cheers Toerless On Tue, Jul 23, 2019 at 09:26:54AM +0000, Mendelson, Tsippy wrote: > Hi, > > Sending again to wider ANIMA audience - as I received no response. > > Thanks, > Tsippy > > > > > From: Mendelson, Tsippy > Sent: Sunday, June 30, 2019 11:18 > To: tte+ietf@cs.fau.de > Cc: Ruan, Xiaoyu <xiaoyu.ruan@intel.com>; Jayanna, Prabhu <prabhu.jayanna@intel.com>; Mendelson, Tsippy <tsippy.mendelson@intel.com> > Subject: Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009 > > Hello, > > We have identified a reference to an old spec in BRSKI draft draft-ietf-anima-bootstrapping-keyinfra-22. > > The draft refers to: > > [IDevID] "IEEE 802.1AR Secure Device Identifier", December 2009, > <http://standards.ieee.org/findstds/ > standard/802.1AR-2009.html>. > However there is a later spec: https://standards.ieee.org/standard/802_1AR-2018.html > > The specific quote from 802.1AR-2009 that we would like to ask about is in section 2.3.1 "Identification of the Pledge": > > > The following fields are defined in [IDevID] and [RFC5280]: > > > > o The subject field's DN encoding MUST include the "serialNumber" > > attribute with the device's unique serial number. (from [IDevID] > > section 7.2.8, and [RFC5280] section 4.1.2.4's list of standard > > attributes) > > In 802_1AR-2018 we could not find that the "serialNumber" attribute MUST be included rather we found SHOULD: > [cid:image002.jpg@01D54150.D86DC7C0] > Here it says: An IDevID certificate subject field shall be non-null and should include a unique device serial number. > > We would be happy for a clarification. > > Thanks, > Tsippy > > > > > > > Tsippy Mendelson, > Manageability Chief Architect, > IP Technologies Group, SecIP - CSE FW Architect > Intel Israel Design Center > Phone: +972-2-589-2468 > Cellular: +972-54-7885061 > > > > > --------------------------------------------------------------------- > Intel Israel (74) Limited > > This e-mail and any attachments may contain confidential material for > the sole use of the intended recipient(s). Any review or distribution > by others is strictly prohibited. If you are not the intended > recipient, please contact the sender and delete all copies. > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima -- --- tte@cs.fau.de
- Re: [Anima] Clarification reg old reference in th… Mendelson, Tsippy
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert
- Re: [Anima] Clarification reg old reference in th… Michael Richardson
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert
- Re: [Anima] Clarification reg old reference in th… Brian E Carpenter
- Re: [Anima] Clarification reg old reference in th… Mendelson, Tsippy
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert