IETF Logo Mail Archive

Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009

"Mendelson, Tsippy" <tsippy.mendelson@intel.com> Wed, 31 July 2019 11:12 UTC

Return-Path: <tsippy.mendelson@intel.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5510C120114 for <anima@ietfa.amsl.com>; Wed, 31 Jul 2019 04:12:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YRbz6gmoTBP for <anima@ietfa.amsl.com>; Wed, 31 Jul 2019 04:12:02 -0700 (PDT)
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859641200F6 for <anima@ietf.org>; Wed, 31 Jul 2019 04:12:02 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jul 2019 04:12:00 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,330,1559545200"; d="scan'208";a="256111785"
Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by orsmga001.jf.intel.com with ESMTP; 31 Jul 2019 04:12:00 -0700
Received: from fmsmsx609.amr.corp.intel.com (10.18.126.89) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 31 Jul 2019 04:12:00 -0700
Received: from fmsmsx609.amr.corp.intel.com (10.18.126.89) by fmsmsx609.amr.corp.intel.com (10.18.126.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Wed, 31 Jul 2019 04:11:59 -0700
Received: from lcsmsx153.ger.corp.intel.com (10.186.165.228) by fmsmsx609.amr.corp.intel.com (10.18.126.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Wed, 31 Jul 2019 04:11:59 -0700
Received: from HASMSX109.ger.corp.intel.com ([169.254.3.134]) by LCSMSX153.ger.corp.intel.com ([169.254.8.138]) with mapi id 14.03.0439.000; Wed, 31 Jul 2019 14:11:55 +0300
From: "Mendelson, Tsippy" <tsippy.mendelson@intel.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "Jayanna, Prabhu" <prabhu.jayanna@intel.com>, "anima@ietf.org" <anima@ietf.org>, "Ruan, Xiaoyu" <xiaoyu.ruan@intel.com>, "Smith, Ned" <ned.smith@intel.com>, "Bhargav-Spantzel, Abhilasha" <abhilasha.bhargav-spantzel@intel.com>
Thread-Topic: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
Thread-Index: AdUvGpUo2g/H2b+cQWiZ9uaJTHYs9ASHR2sAAXKBXoAAAqQ3gAABrQEAAAaDvQAAGBeysA==
Date: Wed, 31 Jul 2019 11:11:54 +0000
Message-ID: <27D27ED4408AA64998F40FB212076767DC286696@hasmsx109.ger.corp.intel.com>
References: <27D27ED4408AA64998F40FB212076767DC26B25F@hasmsx109.ger.corp.intel.com> <27D27ED4408AA64998F40FB212076767DC282548@hasmsx109.ger.corp.intel.com> <20190730210759.yaubbw2pit73a6sh@faui48f.informatik.uni-erlangen.de> <31027.1564525417@localhost> <20190730231136.x6oehxkjokspgcxn@faui48f.informatik.uni-erlangen.de> <4fb6a7b6-4684-6b77-5ab5-db0387554e49@gmail.com>
In-Reply-To: <4fb6a7b6-4684-6b77-5ab5-db0387554e49@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiM2FjYTA0NzEtZGMwMi00MGVkLTlhZTYtZDZjYzI4Yzg5YTVkIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiYXVwMUloZGlhSE16U0JJY281ZzVWRDBQVkJoUUZSZWQ5aFVzTkxhUmkrUm5tR1QxN1RLOXd2STdYbGpMRWU2bSJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.600.7
dlp-reaction: no-action
x-originating-ip: [10.184.70.11]
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/VuBPwV3gHogLXGe-rnuCSeqtHZw>
Subject: Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 11:12:05 -0000

Hi,

My remark was about the inaccurate reference to IEEE 802.1AR requiring Serial Number as a MUST in the IDevID - this can be easily fixed by saying that IEEE 802.1AR recommends this but BRSKI enforces this - makes this a MUST.

But behind the scenes this question was coming from considerations related to complexity that this adds to the manufacturing flow when required to provision every device with a certificate that includes its Serial Number :-).
This creates usability and security issues on the manufacturing line.

We are devising a solution for this manufacturing problem by using an embedded CA in a RoT / Hardware TEE in the platform for this purpose - but there are concerns with this implementation as well. Therefore I wanted to clarify this requirement. (Although I agree that it makes perfect sense).

Regarding: 
" If you just let the device generate a public key pair and you simply capture the public key during manufacturing, maybe that is a significant simplification when you talk 10 million devices"

This is a very interesting remark as we are actually thinking of a solution where the Platform Identifier in the Ownership Voucher (that the OEM uploads to their inventory from the manufacturing line) would include 2 components:
1. The Serial Number assigned by the OEM to the platform - this could be a Service Tag or perhaps a hash of all serial numbers of devices included in the platform - or something else the OEM chooses - but as it can be a hash we allocate 32 bytes for it.

2. A hash of the Public Key of a key pair that is generated by the Platform RoT for identity / TEE - this would be the public key in the IDevID certificate. When using an embedded CA (in the RoT hardware) to issue IDevID certificates, this would be the Public Key in the certificate of the embedded CA that the IDevID Certificate is rooted to.

Altogether 64 bytes.

Using an embedded CA enables revoking and replacing the key and certificate used for identity attestation easily, after a FW update that increases the security version number. 

Regards,
Tsippy

-----Original Message-----
From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
Sent: Wednesday, July 31, 2019 05:18
To: Toerless Eckert <tte@cs.fau.de>; Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Jayanna, Prabhu <prabhu.jayanna@intel.com>; Mendelson, Tsippy <tsippy.mendelson@intel.com>; anima@ietf.org; Ruan, Xiaoyu <xiaoyu.ruan@intel.com>
Subject: Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009

Let's be clear in the BRSKI text that our standard makes this a MUST *even if* it is not mandatory in the IEEE standard. Of course we can do that (and not including the serial number seems very sloppy), but we should be explicit that our requirement is stronger than the IEEE.

Maybe it means that some light bulbs cannot be BRSKI pledges. I don't think we care, because our model is that nodes containing management smarts such as an ASA need to join the ACP, but managed nodes themselves do not.

Regards
   Brian

On 31-Jul-19 11:11, Toerless Eckert wrote:
> On Tue, Jul 30, 2019 at 06:23:37PM -0400, Michael Richardson wrote:
>>
>> Toerless Eckert <tte@cs.fau.de> wrote:
>>     > From what i understand (and please correct me if you are coming from a
>>     > different angle), you may be able to reduce cost in manufacturing of
>>     > low-cost and/or constrained device by not having to have IDevID
>>
>> I didn't get that all from the original poster.
>> I think you are jumping to a conclusion that is not supported by text here.
> 
> Yes, i was elaborating about why one would want an IDevID without the 
> serialNumber and what would need to happen to support that. But i also 
> said this should be out of scope for the current BRSKI document.
> 
>> They simply say that serialNumber is not a MUST in 802.1AR-2018, but rather a SHOULD.
>> And, that's not the point at all, really.
>> IF you want to do BRSKI, then you MUST include a serialNumber in the DN.
> 
> Agreed.
> 
>> 802.1AR-2009, has section 7.2.8:
>>
>> 7.2.8 subject
>>       The DevID subject field shall uniquely identify the device associated
>>       with the particular DevID credential within the issuer???s domain of
>>       significance. The formatting of this field shall contain a unique X.500
>>       Distinguished Name (DN). This may include the unique device serial
>>       number assigned by the manufacturer or any other suitable unique DN
>>       value that the issuer prefers. In the case of a third-party CA or a
>>       standards certification agency, this can contain the manufacturer???s
>>       identity information.
>>
>>       The subject field???s DN encoding should include
>>       the ???serialNumber??? attribute with the device???s unique serial number.
>>
>> Note lack of RFC2119 language (or a reference to it).
>>
>> So if the 2018 has "SHOULD" here, then that's a strengthing of the 
>> language, not a weaking.
>> The first paragraph does have weasel words "any other suitable unique 
>> DN", but
> 
> Ok, i currently can't access the IEEE standards, so i can not compare 
> myself. My reading of the OP was that it was a weakening.
> 
> 
>> I really think that a serialNumber DN attribute (as opposed to the 
>> serialNumber certificate attribute) is needed for BRSKI to 
>> interoperate well.
> 
> Agreed.
> 
>> If someone has a 10 million devices in the field which can be field 
>> upgraded to run BRSKI (while still in a not-yet enrolled state in a 
>> box), then let's talk about this.  Maybe it's actually 10,000,000 TPM 
>> devices with IDevIDs already generated, but no serialNumber in it.  
>> Getting the JRC code right to do other things can be a pain, but it can be done.
> 
> Right, this was my question to the OP as well. I was guessing its more 
> about minimizing cost for future built 10 million devices. Today you 
> would need to burn-in during manufacturing identity elements such as 
> specifically the serialNumber, so you need to devise a protected 
> burn-in process. If you just et the device generate a public key pair 
> and you simply capture the public key during manufacturing, maybe that 
> is a significant simplification when you talk 10 million devices. Just 
> guessing. In any case, serialNumber is a lot more useful when humans 
> are involved, but they may become less relevant when everything is 
> automated.
> 
> Cheers
>     Toerless
> 
>> -- 
>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
>> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>>
> 
> 
> 
>> _______________________________________________
>> Anima mailing list
>> Anima@ietf.org
>> https://www.ietf.org/mailman/listinfo/anima
> 
> 
---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

v2.23.0 | Report a Bug | By Email