Re: [Anima] [Ace] ANIMA and ACE, IDevID terminology (was: Re: cBRSKI)
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 26 May 2023 17:08 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F10C1519A6; Fri, 26 May 2023 10:08:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g_8o7tMOoet7; Fri, 26 May 2023 10:08:38 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2628C1516F3; Fri, 26 May 2023 10:08:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 02AC73898E; Fri, 26 May 2023 13:08:36 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 6bPa96F7rdSS; Fri, 26 May 2023 13:08:35 -0400 (EDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:40a:34ff:fe10:f571]) by tuna.sandelman.ca (Postfix) with ESMTP id 3FE6F3898D; Fri, 26 May 2023 13:08:35 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1685120915; bh=Cj+ny/YzaPwShp38W5K5MhnwNlXWZAaV44F9SVAbMcA=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=rXt0wAxi0DAYc2HSOUeRRmAZPTqraOWBnE4FcVNsINXGbE8i8ljeryEHSGhwFMXqB 5LxyKlxpGTvfvRG+s5yRnNNZ+eq0QblngmyqxNyWr9j8F4+2wtVhL5ehIM+gHtHX5T TgtFoofWeR8gtN/XOKR+a8OleMF7pAbS+7ntrl/s+VjNLMU0HC7G2Eoo7urheGIfeP BeDZcYmyd9QBroeFXEZWY+Khs1LGfNEaYQNIHz5yEQE2UFfjQr5ym0GKeqUgB26Nax BCsG/9O8wvdsiqdtsnEcAwrM5S2E++qCOk88VNF9baGk4WA/quZ6wOXjdWO3bJ1Xxt 9ZY/DG3HFGYrA==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1EAB4459; Fri, 26 May 2023 13:08:35 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>, anima@ietf.org, ace@ietf.org
cc: Christian =?iso-8859-1?Q?Ams=FCss?= <christian@amsuess.com>
In-Reply-To: <ZFCijPd2M1qAnmrI@kduck.mit.edu>
References: <15797.1682880092@localhost> <ZE7pCI1yiQ/200I+@hephaistos.amsuess.com> <15204.1682893914@localhost> <ZE+Pv0S2KqwtCO3/@hephaistos.amsuess.com> <ZFCijPd2M1qAnmrI@kduck.mit.edu>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 26 May 2023 13:08:35 -0400
Message-ID: <26162.1685120915@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/NNPejBEfCbeS-rEGBHAkpA9WR8I>
Subject: Re: [Anima] [Ace] ANIMA and ACE, IDevID terminology (was: Re: cBRSKI)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 May 2023 17:08:43 -0000
Benjamin Kaduk <kaduk@mit.edu> wrote: > On Mon, May 01, 2023 at 12:09:03PM +0200, Christian Amsüss wrote: >> Hi Michael, (CC'ing ACE list because what I think will be the larger >> part of the thread is hopefully relevant) >> >> > > there a generalization of the IEEE identifiers that also makes > > >> sense for constrained but more general-purpose-oriented devices, > > >> for which the ANIMA products can still be used? >> > >> > Yes, I agree: replacing the IDevID makes a lot of sense if the >> control over > the software-update trust anchor changes. >> >> When talking about such processes, can we still use the IDevID term >> (even though an IDevID is "stored in a way that protects it from >> modification"), or is the use of the term OK because we're not >> modifying but replacing it, or do we need to use a more general term, >> or do we not care? > I don't have much of an opinion on this at the moment but could > probably be convinced that using IDevID is ok. I wanted to wait for other opinions. I begin to wonder if we should do our own 802.1AR. The document is 90% references to IETF RFCs, many of them old or vague. Another half is a pseudo-API, which nobody uses. I don't really understand the concerns that Ben and Christian have raised. >> * Does pinned-domain-pubk work also for COSE keys as used for signed >> CWTs? (If so, is there a key identifier to go with it?) > COSE key identifiers ('kid') are not exactly what you would typically > call a "key identifier" in unconstrained spaces. In particular, they > are just for optimizing lookup over trial decryption, and you have to > associate your authorization data with the full key entry, not with the > 'kid'. COSE 'kid' are not globally unique, and you might run into a > lot of places using kid of '0' and relying on context to infer which > one is meant. pinned-domain-pubk pins a specific public key, in the case of "pubk", but *value* the COSE kid is not really involved *at all* pinned-domain-pubk-sha256 pins by SHA256 hash, but for 256-bit ECDSA keys, that might not be much of an actual savings. >> * Some ACE profiles (eg. ACE-OSCORE, RFC9203) are typically used with >> a symmetric key shared between AS and RS (and that may be the only key >> material). Is it fine from an ANIMA PoV to only have such key >> material? (When such a key is used, it obviously needs to be >> encrypted; at least some methods of ANIMA, eg. EST, can do that). > It makes me nervous, but just because of the normal shared-key threat > model. (It is the group-shared threat model since you may have more > than one instance of AS for ANIMA purposes, but it's probably okay to > have "AS1 attacks AS2" as out of scope since the AS is assumed to be > trusted.) symmetric keys could be used with constrained vouchers, from the MASA to the Pledge. They couldn't be used in the other direction, where the Registrar, having no relationship with the Pledge, needs to validate the IDevID. I wouldn't want to do this though, and I see no advantage, only extreme risk. >> * (At least) When AS is used with asymmetric tokens, the RS needs to >> be told its audience identifier; I'd guess that'd be a new leaf. * >> Once onboarding onto ACE has completed, all the device's identity >> would be ACE (except for the IDevID that's left in place for a factory >> reset). Is that fine with an ANIMA setup? > Without the full context of the preceding thread, it's hard to be sure > I understand properly, but I think yes, ANIMA expects LDevID for > onboarded devices, so if you're building ACP using ACE crypto it should > be fine. I see no reason the (provisional)[D}TLS connection between Pledge and Registrar can't be used to initialize a symmetric key for OSCORE. Apply a suitable key exporter. The Registrar becomes (or communicates with) the AS. If you are using EDHOC, then a suitable key was already created by EDHOC. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] cBRSKI Michael Richardson
- Re: [Anima] cBRSKI Christian Amsüss
- Re: [Anima] cBRSKI Michael Richardson
- [Anima] ANIMA and ACE, IDevID terminology (was: R… Christian Amsüss
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Benjamin Kaduk
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Christian Amsüss
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Russ Housley
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson