IETF Logo Mail Archive

Re: [Anima] Ownership Concept

"Max Pritikin (pritikin)" <pritikin@cisco.com> Fri, 27 March 2015 01:14 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB76D1A039F for <anima@ietfa.amsl.com>; Thu, 26 Mar 2015 18:14:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvEPdoHnhbkv for <anima@ietfa.amsl.com>; Thu, 26 Mar 2015 18:14:15 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 860341A1A62 for <anima@ietf.org>; Thu, 26 Mar 2015 18:14:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2611; q=dns/txt; s=iport; t=1427418855; x=1428628455; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Z0MzwYhBmxN+axuG/9G7DePZHZPKRm1N6Tm7M2BWW+E=; b=Mq/TPo1oPi7M/oAY2zDND+TZjpJElq/LMyOY6oCYrp4z+qPqtLdPKawb EyMpyBRQ+zMg7Y39fiL7Pchbwd+M3mP4EoEG/lHmdzz5EfPEl0poqlZwk hZYl44sefR2TBtTSKz/+vqVp+4QCvivEXxM/9xHeL4q1JpyDoIevC8/e+ U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AYBQCHrRRV/40NJK1SCoMGUlrFKgqFdQKBRUwBAQEBAQF9hBQBAQEDAQEBAWsLBQsCAQgYLicLJQIEDgWIJwgNzA0BAQEBAQEBAQEBAQEBAQEBAQEBAQEXiyiEHCkzB4MXgRYFkFCDb4YAi2SISSKDbm+BBCSBGwEBAQ
X-IronPort-AV: E=Sophos;i="5.11,476,1422921600"; d="scan'208";a="135829598"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-7.cisco.com with ESMTP; 27 Mar 2015 01:14:14 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id t2R1ECE3005480 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 27 Mar 2015 01:14:12 GMT
Received: from xmb-rcd-x03.cisco.com ([169.254.7.184]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.03.0195.001; Thu, 26 Mar 2015 20:14:12 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: [Anima] Ownership Concept
Thread-Index: AQHQZn+Wm4eAxWuLS02QOiRijuPZe50siH6AgAErG4CAAORAgIAAqhaAgAAKs4CAAAlUAIAARe8A///txpI=
Date: Fri, 27 Mar 2015 01:14:11 +0000
Message-ID: <5AD9C83C-2BA8-40AA-9801-01AF8C3550B1@cisco.com>
References: <5511E12E.9050002@gmx.net> <5511E359.10600@gmail.com> <5512DE41.6030209@gmail.com> <77FA386512F0D748BC7C02C36EB1106D956D45@szxeml557-mbs.china.huawei.com> <7912.1427385447@sandelman.ca> <77FA386512F0D748BC7C02C36EB1106D95700F@szxeml557-mbs.china.huawei.com> <1F85BE1D-44A3-420A-8852-A4BA0DE213AC@cisco.com>, <9929.1427404766@sandelman.ca>
In-Reply-To: <9929.1427404766@sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima/R4Ixh1ZNeSu22kuAB4tjeRPQjPo>
Cc: "anima@ietf.org" <anima@ietf.org>
Subject: Re: [Anima] Ownership Concept
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 01:14:16 -0000

Inline,

> On Mar 26, 2015, at 3:19 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Max Pritikin (pritikin) <pritikin@cisco.com> wrote:
>> I don’t think its possible to track and identify the correct owner via
>> sales channel security, which is my primary concern about the
>> “ownership validation” approach taken in the netconf draft. The MASA
>> approach cares strongly about providing logs about entities that have
>> “owned” the device without requiring that any central source actually
>> know who those entities are. Meaning that I think it is sufficient to
>> know that somebody “pwned” it but I don’t think it is necessary to know
>> the authenticated name of the pwner.
> 
> Which document are you talking about?

The two bootstrapping docs being discussed: Pritikin-anima-bootstrapping-keyinfrastructures (MASA concepts) and the netconf alternative (owner validation). 

> Can you comment on whether the MASA would be selected by the device, by the
> vendor, or by the operator?  Is there a competitive market for providing the
> MASA service?

The drafts assume vendor provides the cloud service for their devices. Because the MASA concept doesn't require sales channel integration it could be provided by a third party more easily. 

I think there would be a market for 3rd party MASA servers that provide the service for multiple manufacturers. I have not explored that as a business case though. 

> I had previously assumed that the MASA would be operated by some entity in
> the supply chain of the device.  Probably the vendor, but as has been
> discussed, it could also be delegated to VARs, and even into parts of the
> customer (I imagine some piece of .mil might run one for all of the US
> military.  I was looking for the name of that entity, found:
> http://en.wikipedia.org/wiki/Military_acquisition and gave up)
> 
> But, if there are more than one place to find this log, how do I know that
> I've looked in all the right places?

If consensus were to support more than just the vendor we'd have to signal the NE behavior (eg MASA servers it trusts) in a secure manor. Off the cuff this could be embedded in the IDevID certificate similar to an AIA etc. 

- max 


> 
> 
> -- 
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima

v2.23.0 | Report a Bug | By Email