Re: [Anima] teap-brski
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 04 June 2019 15:09 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FEC312007C for <anima@ietfa.amsl.com>; Tue, 4 Jun 2019 08:09:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.441
X-Spam-Level:
X-Spam-Status: No, score=-0.441 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IhDKK9I64JQt for <anima@ietfa.amsl.com>; Tue, 4 Jun 2019 08:09:45 -0700 (PDT)
Received: from tuna.sandelman.ca (unknown [209.87.249.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4700E120025 for <anima@ietf.org>; Tue, 4 Jun 2019 08:09:44 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id DD5A138184 for <anima@ietf.org>; Tue, 4 Jun 2019 11:08:30 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 404AD1056; Tue, 4 Jun 2019 11:09:43 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 3DD6FDC9 for <anima@ietf.org>; Tue, 4 Jun 2019 11:09:43 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
Reply-to: anima@ietf.org
In-Reply-To: <EF010659-7F19-4B70-A572-E01464C0FED1@cisco.com>
References: <8432c42a-6c4d-6597-accf-4ba13a4bc821@lounge.org> <EF010659-7F19-4B70-A572-E01464C0FED1@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 04 Jun 2019 11:09:43 -0400
Message-ID: <26245.1559660983@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/dW9JeMV9dVibGt1R6OTVT25RvXI>
Subject: Re: [Anima] teap-brski
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2019 15:09:48 -0000
In a private thread on teap-BRSKI, it was asked how the BRSKI Registrar
("server", aka "authentication server" in 1X terminology) validates the
provisional TLS connection with the pledge (aka "supplicant").
While there are a number of possible operational modes for BRSKI, but in all of
them, the authentication of the pledge IDevID comes back to RFC7030,
https://tools.ietf.org/html/rfc7030#section-3.3.2
The server validates the TLS client certificate using the EST server
Explicit and, if enabled, Implicit TA database(s). The server MUST
maintain a distinction between the use of Explicit and Implicit TA
databases during authentication in order to support proper
authorization.
i.e. the Registrar has a list of trust anchors for the manufacturers that it
expects to have join.
This clearly is a difficulty for most residential applications and an
operational headache for industrial uses. So the question then becomes, how
does the Explicit TA database get easily extended?
My suggestion, and this is entirely an implementation detail, is that a
Registrar accept, but fail, connections from devices with unknown
manufacturers, and then ask a human. I've never liked the "TOFU" term,
because many use it to mean "SSH-client" like, and but SSH clients do
not trust on first use. They ask human on first use, and then pin
(AHFUTP is way less pronounceable than TOFU).
And it's AHFUTP is what we want.
A registrar could go further, contacting the MASA and attempting to obtain
a voucher. A registrar could assign some higher value to a MASA that can be
validating via public WebPKI when asking a human.
There is an extension point here that we could consider: a Registrar could
ask the MASA for a list of trust anchors used to sign IDevID. This could be
the /.well-known/est/cacerts end point; it's certainly correct from the MASA
point of view, but maybe it's an abuse. I don't feel strongly either way.
This would validate the Manufacturer's IDevID CA using the TLS connection
validated by the WebPKI. Many would find this acceptable, but perhaps some
would not.
-- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- Re: [Anima] teap-brski Michael Richardson