Re: [Anima] comments about draft-richardson-anima-masa-considerations

Toerless Eckert <tte@cs.fau.de> Tue, 10 March 2020 21:29 UTC

Date: Tue, 10 Mar 2020 22:29:30 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr@sandelman.ca>
Cc: "anima@ietf.org" <anima@ietf.org>
Message-ID: <20200310212930.GA29966@faui48f.informatik.uni-erlangen.de>
References: <20200310052318.GA26481@faui48f.informatik.uni-erlangen.de> <1808.1583873086@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1808.1583873086@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/fpQQXezeP47b6tHOiDC_WV5ljjk>
Subject: Re: [Anima] comments about draft-richardson-anima-masa-considerations
Precedence: list

On Tue, Mar 10, 2020 at 04:44:46PM -0400, Michael Richardson wrote:
>     > 1. tooling: would be great if you had a makefile that automatically
>     > updates the .txt when you do a commit in github. .mkd is just 'ok',
>     > but not 'great' to read (like .txt is).
> 
> I do.  And I regularly commit the .txt file too.
> I just don't use the all-singing-all-dancing one, and I don't generate it via travis-ci.

I thought when i read it yesterday, the .txt file was quite behind..

>     > 2. "A three-tier PKI infrastructure is appropriate"
> 
>     > I was confused by that statement vs. the followig text. When i heard for
>     > example "intermedia CA" in other contexts (enterprise PKI
>     > architectures), it meant that there was another layer of CA below the
>     > intermediate CAs, namely the "assigning CA(s)". And they called that a
>     > three-tier PKI infrastructure too.
> 
> The point you are making is whether we count End-Entity certificates or not.
> I assumed one did, that the leaves were the third tier.
> You are making the point that if we count only CAs, then I have described a
> two-tier system.
> My understanding is that all CAs which are not the root CA are intermediate
> CAs, and that seems to be how they are described in most documentation I have
> used.
> 
> But, I don't operate a commercial CA, so I don't really know, which is why I
> want these parts reviewed....

Right. My information came from some enterprise that has a three tier "CA" system.
But of course we should ask actual PKI experts.

But beside the naming, i did like the organization reasons of
enterprises to actually have three tiers of CA as i explained, not only two.
Aka: as soon as you got two separate organizational entities (security
overlords and actual working parts of a company) AND you want the
offline root CA (which i think we agree, you MUST), you probably want
three instead of two tiers of CA.

>     > The reason for three tiers of CA is when you have multuple functions
>     > within an organization that need to run CAs. The root CA is the offline
>     > magic you described, so it not really for day to day work. The
>     > intermediate CA are run by the enterprise security department which sets
>     > policies which department can do what with their CAs. The departments
>     > (like manufacturing) run the assigning ("leaf") CA.
> 
> I think that, for the purposes of produces and IDevIDs, that the manufacturer
> should not mix their internal business CA (which has a "marketing" or
> "manufacturing" department) with their product CA.

Are you talking root-CA now ? I think to avoid having the overhead of
multiple root-CAs (and associated overhead) that's exactly why there
are three-tier CA ssytems.

> Except in the smallest of entities, they should not share the same root-CA,
> and even in a 30-person operation, I still think that would be a mistake.

Would be good to get opinions from folks with more experts for this than
i think we have in ANIMA. WHats a good IETF group to join and ask for this ?

> I can rewrite this to say it is a two-tier system, and clearly describe it
> (probably add a diagram) as having a root, and a minimum of one intermediate
> CA.  I have no objection if someone wants to have more levels :-)

Sure, i have no strong opinions about how much we want in this document,
but am curious about the subject matter. Ideal hallway talk for an
in-person IETF... and then i might have had a stronger opinion *sigh*

>     > Related: Whether or not you want a CA in the manufacturing plant also
>     > depends on the trust model to your likely outsourced manufacturing plant
>     > and the tracking/control you want to exercise on it. Your headqaurter
>     > based CA will not sign IDevIDs for the plant cousins grey market plant
>     > across the street ;-)
> 
> Exactly.  I have been trying to get Cullen to contribute to this document, as
> he has direct experience dealing with the "across the street" problem.
> Depending on the model of how/where the private key is generated, it could be
> that no signing ever needs to occur in the plant.  Or access to the signing
> system requires that some VPN be up to HQ.

Any big manufacturer with interest in security would be indeed an interesting
contributor to this, but i fear there is today little room between
"OMG, lets not document how bad we are" and "OMG, this is competitively a great differentiator"
At least in the perception of i think many players in the industry.

So, one of the good things this document could do is to educate
non-manufacturer readers about the details of the maufacturers process
that they need to inquire with the manufacturer so that they can vet the
trust they can have in the manufacturer, for example re. leakage or
government agency (ab)use of private keys.

A similar transparency which i think was forced upon manufacturers
by i think the government and security sensitive custsomers is how/what
parts of a product need to be destroyed in which manner to prohibit
later retrieval of customer proprietary data. 

>     > 3. Title etc..
> 
>     > Something like "IDevID, MASA and voucher considerations for BRSKI infrastructures"
>     > would be better matching the content.
> 
> I like that title, and I will use it.
> I am concerned that MASA needs to be expanded in the title, though.
> Doing so, makes it very long.

Look at the length of titles in research papers and feel better. ;-)
Even if you expand, pls. still expand the abbreviation, its important
for searches.

>     > The text also reads more like design and not operations, maybe consider
>     > if where you say "operations" (also in the text) it is really design.
> 
> I see your point.
> I am laying out considerations on how to design the system based upon
> operational concerns.

Sure.  Security concerns, Reliability concerns, Cost concerns could
be called part of operational concerns, but i think it would help
to also explicitly mentiong them in the beginning. You do discuss
them in the text.

>     > 4. "There are two fundamental ways to generate IDevID certificates ..."
> 
>     > But then you have 3 bullet points.
> 
> There are 10 kinds of people in the world... fixed.
> 
>     > 5.  Key generation process
> 
>     > I think the different mechanisms you describe also exist to support
>     > other systems than those that we have constrained BRSKI to so far, e.g.:
>     > also systems without certificates, but ... hmm, forgot name, the stuff
>     > we discussed with ACME ?
> 
> Section 2 is about provisioning of secrets into devices, and it is hardly
> unique to BRSKI.   The Intel SDO/ARM Pelion system, Rambus has a product that
> is apparently widely used... part of the point of this document is to make it
> clear that provisioning IDevID is a solved problem.

Hah!. Then you should say so explicitly. Because one of the takeaways i
took reading from the text was that there are many options and its not obvious
how to choose between them.

>     > Maybe just note that these systems have additional pro and cons when
>     > used outside of the realms of BRSKI with IDevID generation, but that
>     > those differences are out of scope of this document. Until they are not,
>     > because someone brings that stuff into BRSKI)
> 
> I'm not sure I understand what your objection :-)

Remember the side meeting we had with ACME, if i remember about some of
the ssytems where you are not using actual certificates but some other
form of credentials (forgot name). We discusssed those initially in
BRSKI, and i think there are still mentions of them in the voucher doc,
but so far they are out of scope of the current ANIMA solutions. But
they may not stay out of scope, and if this document wants to be
proactive include them, then maybe it could be split up more explicitly
between the options to provision any type of secure keying material into
devices and a second part that refines this for the case when that
material is an IDevID.

But it would be more work, so only useful if sufficienly beneficial.
Maybe for the larger IETF right now (ACME), but not ANIMA alone.

>     > 6.  why should i read this
> 
>     > The intro would be helped if it outlined example target readers and what
>     > they would get out of reading the document.
> 
> Agreed, opened an issue.
> 
>     > 7. From where we are to BRSKI
> 
>     > I think one mayor reason why to read this are manufacturers that may
>     > have have or plan to have one of the described IDevID designs and now
>     > want to understand what is needed to add support for MASA to their
>     > designs. That could be called out in the introduction, but i think
>     > the IDevID section itself could better distinguish between the
>     > description/judgement that is independent of MASA and then the
>     > new MASA considerations. Maybe structure, put MASA text always at end of
>     > options "When adding/using MASA in this option, the following
>     > applies...".
> 
> okay.

Thanks for the work. Might make sense to present to other WGs where you
might find more contributors/co-authors.

Cheers
    Toerless

[Anima] comments about draft-richardson-anima-mas… Toerless Eckert
Re: [Anima] comments about draft-richardson-anima… Michael Richardson
Re: [Anima] comments about draft-richardson-anima… Toerless Eckert