Re: [Anima] gen art issue 7: serial-number in voucher issue #95

Kent Watsen <kwatsen@juniper.net> Fri, 30 November 2018 17:37 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Date: Fri, 30 Nov 2018 17:37:09 +0000
Message-ID: <E79F03FA-E4D7-4ED1-9552-F00300C6DD9D@juniper.net>
References: <153826253306.18743.9250084704876465818@ietfa.amsl.com> <153874289877.989.15433226866680411112@ietfa.amsl.com> <24358.1543530974@dooku.sandelman.ca> <480.1543543174@dooku.sandelman.ca>
In-Reply-To: <480.1543543174@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/UZJ3wDMlvwAnkzD_N2mxURnErBg>
Subject: Re: [Anima] gen art issue 7: serial-number in voucher issue #95

IEEE 802.1AR-2018 says:

  An IDevID certificate "subject" field shall be non-null and should
  include a unique device serial number encoded as the "serialNumber"
  attribute (RFC 5280, X520SerialNumber).

Maybe the voucher (RFC 8366) could've called it "unique-id", and then
bootstrapping protocols could likewise guide implementations to put
a "unique-id" into the DevID's serialNumber field.  Thus, from a
standards perspective, IETF is not requiring the use of the device's
serial number.  But to what end?

I believe that this is a privacy issue more so than a security issue.
That is, the security of a device should not hinge on knowledge of
its serial number, or any information that might be derived from 
the serial number (e.g., model number, manufacturing facility,  
manufacturing date, etc.).


Separately, as long as we're raising issues with RFC 8366, I strongly
believe that the pinned-domain-certificate should've been a list of
certificates.  Or, in crypto-types [1] terms, a trust-anchor-cert-cms,
not a trust-anchor-cert-x509, to enable the pinned-domain-certificate
for an intermediate CA to be a chain that includes the root self-signed
certificate, thus supporting tooling unable to validate partial chains.

[1] https://tools.ietf.org/html/draft-ietf-netconf-crypto-types

Kent


-----Original Message-----
From: Anima <anima-bounces@ietf.org> on behalf of Michael Richardson <mcr+ietf@sandelman.ca>
Date: Thursday, November 29, 2018 at 9:00 PM
To: "anima@ietf.org" <anima@ietf.org>
Subject: [Anima] gen art issue 7: serial-number in voucher issue #95


https://github.com/anima-wg/anima-bootstrap/issues/95

    Jari> Section 3.1:

    Jari> grouping voucher-request-grouping
    Jari> +---- voucher
    Jari> +---- created-on? yang:date-and-time
    Jari> +---- expires-on? yang:date-and-time
    Jari> +---- assertion enumeration
    Jari> +---- serial-number string

    Jari> I'm not sure it is necessary to base everything on a serial number.

I wrote this down, and then went back for context, and found little.
So, let's discuss this.  You have another idea?

The serial-number, as explained in section 2.3.1, is pretty critical.
It goes into the certificate and the MASA uses it as its primary key.

So I'm not really sure how to proceed with this comment.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
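The thread above turns on one relationship: the serial-number leaf in the RFC 8366 voucher has to match the "serialNumber" attribute (RFC 5280 X520SerialNumber, OID 2.5.4.5) in the pledge's IDevID subject, because that is the value the MASA keys on. The following is an added, self-contained illustration of that check, written for this page and not taken from the ANIMA thread, the anima-bootstrap repository or any IETF document. It DER-encodes an X.501 subject Name with a commonName and a serialNumber, parses it back with a minimal DER reader, and compares the serialNumber with the "serial-number" leaf of a voucher in the RFC 8366 JSON encoding. Assumptions are marked in the code: every RDN is single-valued, attribute values are PrintableString, and all sample values (subject, voucher contents, the pinned-domain-cert placeholder) are constructed for the example.

```python
"""Added example (not from the thread or any IETF document): match an IDevID
subject serialNumber (RFC 5280 X520SerialNumber, OID 2.5.4.5) against the
serial-number leaf of an RFC 8366 voucher. Standard library only."""
import json

OID_COMMON_NAME = "2.5.4.3"
OID_SERIAL_NUMBER = "2.5.4.5"   # X520SerialNumber
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLE = 0x30, 0x31, 0x06, 0x13


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def encode_name(attrs) -> bytes:
    """Encode [(oid, value), ...] as an X.501 Name: SEQUENCE OF SET OF SEQUENCE.
    Assumption: one attribute per RDN, every value a PrintableString."""
    rdns = b""
    for oid, value in attrs:
        atv = _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_PRINTABLE, value.encode("ascii")))
        rdns += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0   # fine for the 2.5.4.x arcs used here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der: bytes) -> dict:
    """Parse an X.501 Name into {dotted_oid: value} (single-valued RDNs assumed)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_body, vpos = _read_tlv(atv, 0)
        val_tag, val_body, _ = _read_tlv(atv, vpos)
        oid = _decode_oid(oid_body)
        if oid == OID_SERIAL_NUMBER and val_tag != TAG_PRINTABLE:
            raise ValueError("serialNumber must be a PrintableString (RFC 5280)")
        attrs[oid] = val_body.decode("ascii")
    return attrs


def voucher_matches_idevid(voucher_json: str, subject_der: bytes) -> bool:
    """True iff the voucher's serial-number equals the IDevID subject serialNumber."""
    voucher = json.loads(voucher_json)["ietf-voucher:voucher"]   # RFC 8366 JSON top-level
    subject = parse_name(subject_der)
    return subject.get(OID_SERIAL_NUMBER) == voucher["serial-number"]


# Constructed sample data for the example; not a real device, voucher or certificate.
SAMPLE_SUBJECT = encode_name([(OID_COMMON_NAME, "Example Pledge"), (OID_SERIAL_NUMBER, "SN-0001")])
SAMPLE_VOUCHER = json.dumps({"ietf-voucher:voucher": {
    "created-on": "2018-11-30T17:37:09Z",
    "assertion": "verified",
    "serial-number": "SN-0001",
    "pinned-domain-cert": "PLACEHOLDER-base64-domain-cert",
}})

if __name__ == "__main__":
    print(parse_name(SAMPLE_SUBJECT))
    print(voucher_matches_idevid(SAMPLE_VOUCHER, SAMPLE_SUBJECT))
```

A MASA or registrar doing this comparison should treat the serialNumber as an opaque string, as the example does: Kent's point that nothing security-relevant should be derived from its structure (model, plant, date) is exactly why the check is a byte-for-byte equality and nothing more.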