Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
Toerless Eckert <tte@cs.fau.de> Tue, 30 July 2019 21:08 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475AF120143 for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 14:08:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfWOiHPkgG31 for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 14:08:05 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A164C120105 for <anima@ietf.org>; Tue, 30 Jul 2019 14:08:04 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id C0C8554802C; Tue, 30 Jul 2019 23:07:59 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id AE21F440041; Tue, 30 Jul 2019 23:07:59 +0200 (CEST)
Date: Tue, 30 Jul 2019 23:07:59 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: "Mendelson, Tsippy" <tsippy.mendelson@intel.com>
Cc: "tte+ietf@cs.fau.de" <tte+ietf@cs.fau.de>, "anima@ietf.org" <anima@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "Michael.H.Behringer@gmail.com" <Michael.H.Behringer@gmail.com>, "kwatsen@juniper.net" <kwatsen@juniper.net>, "Ruan, Xiaoyu" <xiaoyu.ruan@intel.com>, "Jayanna, Prabhu" <prabhu.jayanna@intel.com>
Message-ID: <20190730210759.yaubbw2pit73a6sh@faui48f.informatik.uni-erlangen.de>
References: <27D27ED4408AA64998F40FB212076767DC26B25F@hasmsx109.ger.corp.intel.com> <27D27ED4408AA64998F40FB212076767DC282548@hasmsx109.ger.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <27D27ED4408AA64998F40FB212076767DC282548@hasmsx109.ger.corp.intel.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/JLGfQFSrGMWaLm8-SBX0JVhn3yU>
Subject: Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 21:08:07 -0000
Ideally i would like to negotiate you into liking and accepting the text
as it stands, and if then - if you are interested - to help write a small
followup document amending the solution space to other pledge IDevID
formats (e.g.: without these easy identifiers). The reason for me saying this
is that the authors and i think the industry well understands the
workflows in which these device identifiers are also communicated via
sales integration, appear on printed labels and all the like. So we feel
safe that we have a rock solid solution when we do have this identifier
in the IDevID.
>From what i understand (and please correct me if you are coming from a
different angle), you may be able to reduce cost in manufacturing of
low-cost and/or constrained device by not having to have IDevID securely
installed with such serialNum, but instead just having a
self-signed certificate or maybe even only a self-generated key-pair -
and then for example just using a simple registration process at the
manufacturer to remembrer the public key pair there - manufacturer
doesn't need to create any other device tracking space other than the
public key. Not good for humans, but good enough for automated
mechanisms. This is i think what we discussed during a BRSKI/ACME side-meeting
last week (see also notes sent by Owen and I).
I think it is perfectly feasible to adopt BRSKI to support these type
of environments, probably with only few changes, but it would be a lot
easier to conclude on HOW to do it through the aforementioned separate
followup document.
For example, i am not sure if TLS can authenticate just with public key
pair, or not (if not we would always ask to create self-signed
certificate), then we might need to amend the voucher format (not sure),
and ultimately, there may need to be some form of standardized sales
integration signaling so that the owner learns about the public keys of
the devices he bought. E.g.: something like this.
Cheers
Toerless
On Tue, Jul 23, 2019 at 09:26:54AM +0000, Mendelson, Tsippy wrote:
> Hi,
>
> Sending again to wider ANIMA audience - as I received no response.
>
> Thanks,
> Tsippy
>
>
>
>
> From: Mendelson, Tsippy
> Sent: Sunday, June 30, 2019 11:18
> To: tte+ietf@cs.fau.de
> Cc: Ruan, Xiaoyu <xiaoyu.ruan@intel.com>; Jayanna, Prabhu <prabhu.jayanna@intel.com>; Mendelson, Tsippy <tsippy.mendelson@intel.com>
> Subject: Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
>
> Hello,
>
> We have identified a reference to an old spec in BRSKI draft draft-ietf-anima-bootstrapping-keyinfra-22.
>
> The draft refers to:
>
> [IDevID] "IEEE 802.1AR Secure Device Identifier", December 2009,
> <http://standards.ieee.org/findstds/
> standard/802.1AR-2009.html>.
> However there is a later spec: https://standards.ieee.org/standard/802_1AR-2018.html
>
> The specific quote from 802.1AR-2009 that we would like to ask about is in section 2.3.1 "Identification of the Pledge":
>
>
> The following fields are defined in [IDevID] and [RFC5280]:
>
>
>
> o The subject field's DN encoding MUST include the "serialNumber"
>
> attribute with the device's unique serial number. (from [IDevID]
>
> section 7.2.8, and [RFC5280] section 4.1.2.4's list of standard
>
> attributes)
>
> In 802_1AR-2018 we could not find that the "serialNumber" attribute MUST be included rather we found SHOULD:
> [cid:image002.jpg@01D54150.D86DC7C0]
> Here it says: An IDevID certificate subject field shall be non-null and should include a unique device serial number.
>
> We would be happy for a clarification.
>
> Thanks,
> Tsippy
>
>
>
>
>
>
> Tsippy Mendelson,
> Manageability Chief Architect,
> IP Technologies Group, SecIP - CSE FW Architect
> Intel Israel Design Center
> Phone: +972-2-589-2468
> Cellular: +972-54-7885061
>
>
>
>
> ---------------------------------------------------------------------
> Intel Israel (74) Limited
>
> This e-mail and any attachments may contain confidential material for
> the sole use of the intended recipient(s). Any review or distribution
> by others is strictly prohibited. If you are not the intended
> recipient, please contact the sender and delete all copies.
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
--
---
tte@cs.fau.de
- Re: [Anima] Clarification reg old reference in th… Mendelson, Tsippy
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert
- Re: [Anima] Clarification reg old reference in th… Michael Richardson
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert
- Re: [Anima] Clarification reg old reference in th… Brian E Carpenter
- Re: [Anima] Clarification reg old reference in th… Mendelson, Tsippy
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert
- Re: [Anima] Clarification reg old reference in th… Toerless Eckert