IETF Logo Mail Archive

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 16 July 2019 19:58 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3841D1200C5; Tue, 16 Jul 2019 12:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9Zyvy-OV3PJ; Tue, 16 Jul 2019 12:58:54 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 936991200C4; Tue, 16 Jul 2019 12:58:54 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id CB8A23808A; Tue, 16 Jul 2019 15:58:49 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 914E0B52; Tue, 16 Jul 2019 15:58:52 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>
cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Adam Roach <adam@nostrum.com>, anima-chairs@ietf.org, The IESG <iesg@ietf.org>, Toerless Eckert <tte+ietf@cs.fau.de>, anima@ietf.org
In-Reply-To: <A85B0B81-842C-4826-BDEB-8A2124F33622@cisco.com>
References: <156282703648.15280.17739830959261983790.idtracker@ietfa.amsl.com> <17580.1562874933@localhost> <ACEB4033-707F-47AF-B58A-5227B444BEAB@cisco.com> <1692.1563030627@localhost> <A85B0B81-842C-4826-BDEB-8A2124F33622@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 16 Jul 2019 15:58:52 -0400
Message-ID: <8217.1563307132@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/mr1OryqAV-xTasGgUBg1duADK4A>
Subject: Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 19:58:57 -0000

Eliot Lear <lear@cisco.com> wrote:
    >> On 13 Jul 2019, at 17:10, Michael Richardson <mcr+ietf@sandelman.ca>
    >> wrote:
    >> 
    >> Signed PGP part
    >> 
    >> Eliot Lear <lear@cisco.com> wrote:
    >>> I think the simplest way to address the bulk of both Adam’s and
    >>> Warren’s concern is to require the device to emit via whatever
    >>> management interface exists, upon request, a voucher that it has
    >>> signed with its own iDevID.  It would have to be nonceless with
    >>> perhaps a long expiry, and that would cover a number of other use
    >>> cases as well.  That way if the manufacturer goes out of business, or
    >>> if the owner wants to transfer the device without manufacturer
    >>> consent, there is a way forward.
    >> 
    >> 1) would it have a pinned-domain-cert for the new owner, or would it
    >> be some kind of wildcard/bearer voucher?

    > Again, I think this is a matter for the seller, and also a matter for
    > the seller as to when the voucher is generated, so that it doesn’t need
    > to lie around.  I was also thinking that this would be the sort of
    > thing that could be printed out, either in a QR or OCR form, if
    > necessary.

But, the pledge has to be programmed to do the validation we describe.

    >> 2) what would the management interface be, specifically, how would it
    >> be secured?

    > The reason I mentioned CIP and Profinet in a previous message is that
    > once the device is bootstrapped, if it has a management interface, that
    > is what should be used.  Adding new services on a device is
    > undesirable. This covers the case when the manufacturer becomes
    > unavailable.  However, it should be viewed as a backstop.  See below.

I am completely unfamiliar with those protocols.
I would very much like to define a way to update voucher validation trust
anchors in that.

    > Another way to look at this would be to for the manufacturer to ping
    > the owner periodically to reconfirm ownership.  If the owner fails to
    > respond, allow another owner to transfer the device.  Or… simply ping
    > the owner when a transfer request is made.  But these require that the
    > MASA be present.

This is a good sales channel integration point, and might be a win-win for
many manufacturers and operators.
Why pay for support on devices that are no longer used?
Why generate security patches for devices no longer used?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email