[Anima] cBRSKI
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 30 April 2023 18:41 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736A0C14CEFF for <anima@ietfa.amsl.com>; Sun, 30 Apr 2023 11:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cD2CDmoRxaFm for <anima@ietfa.amsl.com>; Sun, 30 Apr 2023 11:41:36 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7149C14CEFA for <anima@ietf.org>; Sun, 30 Apr 2023 11:41:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 2572A3898F; Sun, 30 Apr 2023 14:59:45 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 8dMM3gUd7eKL; Sun, 30 Apr 2023 14:59:42 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id CA1E13898E; Sun, 30 Apr 2023 14:59:42 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1682881182; bh=ati6iM213ntSLYh/tTr7ktroodwAcYbjiDZ9M3NgnKk=; h=From:To:Subject:Date:From; b=SJpQm2adAY2phnJ4l99M+T1q+k96YjpQOf2ohkkFkABt1tP7M9TtrI7BuGEOlkuEY q2U8LfpmkDi6FXBhZnoGPFOPbBzK2VhhWmiBBj609N+ghlLK/MYb+Q3BXW5vzm1WN9 bpiQaSfot+PH7T2G20B/8YwzkLBjGGycQfkt65cEAB1wdIOYngJClkRImlFmp+dFZo iriTHxn+dygNX3SZJU5s20Y17wgD09moVRc42DbkQWrJj4ipIaC3rlSC9M8QGCEZGU UTx1u8xWLJgtBRBs1iHMckLLuqINno88esHik6DOnMjZwWF5/HcNDC1AQxv8xyFk9k MBFRHht1MeFhQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8B746449; Sun, 30 Apr 2023 14:41:32 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christian Amsüss <christian@amsuess.com>, anima@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 30 Apr 2023 14:41:32 -0400
Message-ID: <15797.1682880092@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/paVetYZvWeAWiHhwO1MSmGwYfLg>
Subject: [Anima] cBRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Apr 2023 18:41:42 -0000
> * What's the assumption of voucher-artifacts on the the IDevID's private > key's secrecy once BRSKI has completed? The private key is private. Nothing needs to be revealed. It can be stored in a TPM/fTPM or SecureElement. Whether the LDevID certificate(s), have the same private key or a newly minted one is a topic that 802.1AR section 6. > Will the now-owner be able to read it? If so, once you see a logged > assertion you can already not trust that device again. Non-owners would have no access to the secret. In many devices, owners would also have no access, but it depends upon the device. > Or the owner still can't? Then why the logging in the first place, the > IDevID will only be used in BRSKI if the device is pristine (or has been > factory-reset). The logging is about witnessing that the device became owned. Subsequent owners can review this information to determine if they device is still useable. While we think about malware and root kits and the like, other users might also think about wear and tear, such as for a braking system. > Or is this a matter of security-in-depth, where the owner has better > chances of exploiting weaknesses, so we better make as-sure-as-we-can that > there was never an owner who could have done so? Yes, that's certainly a concern. An owner might be permitted to load whatever code they want, and depending upon many concerns, that might include getting access to the IDevID private key, if it is stored on an fTPM or not secured at all. To my mind, the smallest of IoT microcontrollers likely will be without secred storage for private keys for a few generations, but many have secure boot mechanisms, so in theory, the entire device is secured, and will not run arbitrary code. > Is delegated-voucher The (only) Way to oboard a resold device (or a device > from a domain that suffered critical infrastructure collapse) without > taking a programmer to it? No. A device could go through a controlled factory reset so that it no longer knows it's LDevID, or network credentials, at which point, it would start over. The only evidence of the previous owner would be in the MASA audit log. This could be via button push, via software command. delegated-voucher has two purposes: 1) to enable resale without talking to the original MASA (infrastructure collapse), 2) to enable aggregation of devices into sub-systems. I think, and I think that there will be regulatory processes that go with this, that in the event of infrastructure collapse one of two things will occur: a) a new MASA will be operated, and a new set of code will be produced from escrowed sources. (Back when software was expensive, in the hundreds of thousands of dollars/copy, source code escrow was a normal thing to do) If done in an orderly fashion, the old supplier would produce a new firmware image with new anchors and would deploy that before going out of business. b) the devices would be marked a regulator as no longer safe, since they have no one to patch them, and would be forced out of service. > If an owner can take complete control over a device (like, switch over the > firmware, as you can do with a PC or a device that contains GPL-3 > software), would the issuer of such a new firmware also need to provision > the device with a new IDevID? Maybe. Probably be a good idea. The MASA URL would be wrong in the existing IDevID. RFC8995 provides for the Registrar to have the ability to override that URL under operator control. That would apply to all devices from that manufacturer, probably, so it's a big hammer. Replacing the IDevID would be simpler. There are many different ways in which one can switch over the firmware. On a PC, one does not typically replace the BIOS, so it might be that one is just using a secure boot shim, or a replacing trust anchors. For a PC, my notion is that BRSKI would not be used for the main CPU, but rather for the BMC. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] cBRSKI Michael Richardson
- Re: [Anima] cBRSKI Christian Amsüss
- Re: [Anima] cBRSKI Michael Richardson
- [Anima] ANIMA and ACE, IDevID terminology (was: R… Christian Amsüss
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Benjamin Kaduk
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Christian Amsüss
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Russ Housley
- Re: [Anima] [Ace] ANIMA and ACE, IDevID terminolo… Michael Richardson