Re: [Anima] I-D Action: draft-richardson-anima-masa-considerations-02.txt
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 21 January 2020 00:51 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B177D120832 for <anima@ietfa.amsl.com>; Mon, 20 Jan 2020 16:51:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5WEuWEGDwqN1 for <anima@ietfa.amsl.com>; Mon, 20 Jan 2020 16:51:56 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0016120801 for <anima@ietf.org>; Mon, 20 Jan 2020 16:51:55 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 7A3583897C; Mon, 20 Jan 2020 19:51:22 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8A44A39; Mon, 20 Jan 2020 19:51:53 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
cc: Anima WG <anima@ietf.org>
In-Reply-To: <27700b3a-8ef8-d716-e894-23ef785ce313@gmail.com>
References: <157558079151.16429.14274182498632037900@ietfa.amsl.com> <27700b3a-8ef8-d716-e894-23ef785ce313@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 20 Jan 2020 19:51:53 -0500
Message-ID: <1771.1579567913@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Zo40-a0SOkWvadsECt1T-doOXas>
Subject: Re: [Anima] I-D Action: draft-richardson-anima-masa-considerations-02.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 00:51:59 -0000
Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: >> There are a number of options of how to get the public key securely >> from the device to the certification authority. This transmission >> must be done in an integral manner, and must be securely associated >> with the assigned serial number. The serial number goes into the >> certificate, and the resulting certificate needs to be loaded into >> the manufacturer's asset database. This asset database needs to be >> shared with the MASA. > The first sentence made me stop and think. Normally, a "public" key > can and must be revealed in public, so doesn't need to be moved > securely. I *think* you are saying that the association of a given > public key with a given serial number must be kept secret. If so, > please say that explicitly. The association between the public key and the serial number must integral. This isn't about privacy, but about integrity. I'm not saying that the association with a serial number must be secret, but that it must be very difficult to be interferred with. >> One way to do the transmission is during a manufacturing during a Bed >> of Nails (see [BedOfNails]) or Boundary Scan. > I think that needs a bit more description. okay. I will ask a few friends in the electronics business what kind of reference they would make. Was https://en.wikipedia.org/wiki/In-circuit_test#Bed_of_nails_tester insufficient, or do you want something inline? >> There are other ways >> that could be used where a certificate signing request is sent over a >> special network channel after the system has been started the first >> time. > What's special? Couldn't it just be a TLS session? It depends a lot about the environment. It neededn't be TLS at all: it could be just a special network cable that is plugged in. What matters is that the system be secure against interloppers. >> There are risks with these methods, as an attacker with >> physical access may be able to put device back into this mode >> afterwards. > You could recommend that the device sets a hard flag that > makes this impossible. Maybe it should simply *delete* its > public key after uploading it once. Yes. I mean to read some of the documentation for TPM chips. I believe that they blow a fuse. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- Re: [Anima] I-D Action: draft-richardson-anima-ma… Brian E Carpenter
- Re: [Anima] I-D Action: draft-richardson-anima-ma… Michael Richardson