IETF Logo Mail Archive

Re: [Anima] security review issue 11: what if MASA refuses to provide a voucher #88

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 02 December 2018 19:42 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D89581294D0 for <anima@ietfa.amsl.com>; Sun, 2 Dec 2018 11:42:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XVatsPZvpZwo for <anima@ietfa.amsl.com>; Sun, 2 Dec 2018 11:42:39 -0800 (PST)
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD748126CC7 for <anima@ietf.org>; Sun, 2 Dec 2018 11:42:39 -0800 (PST)
Received: by mail-pl1-x62d.google.com with SMTP id k8so5296057pls.11 for <anima@ietf.org>; Sun, 02 Dec 2018 11:42:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:organization:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=wlpgyJdfgFnbe8Q63YkdS7OUhhYlaXJa5eKsun3T1uM=; b=a31Ov+MMi3Usz9Y6aovihqHfsa/I2bBSBgRgDuoY5Ig4unER8+O4W+mSt3UPjjTLyx vKNZ2jgeKZ3js8Ts+bSO/xkgysXL+5Ao1g93vrgYGpPiHnXszclmQ18dcmzGszmMf9P/ 9dvbD2OtVDrSmGje0ip7xmIQ5b6eJ0kJz5w0A56FYD/Tu/bDAw5ybi7tTZyai1UBghw2 QiWYkrRQT5MumBOtp7y+kNELcnUIdckHjgSXMhbYDIuqZOWHKZZC9GkGZH9DRFm+/TCt xJYJ5NiOH3J6RYwNe6nL3bOLvXwE98BM/x0x8/BZhEiVn0DAN/jpFJFBks3QqiS+Wki1 SGmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=wlpgyJdfgFnbe8Q63YkdS7OUhhYlaXJa5eKsun3T1uM=; b=l4JZ8w013QfWErF6/Oz650iToa3/6G7G0PmvDGEZJZG08BTezVB5vYchIddC69UR9s razL63TaYf1LFf5h/tIm5X+sNqeNT7ekR4Fx1uzXy98IIt/4dr4+ip7UlLBw+Mdbhbd+ arzwR5qssMshs3mW9umVUJHCXFdzvvCOlBe2HbGIOP/H8UZYGKqui36KB4mO8SZRo6XU kk+LB7vvSoqzuB2n5DpytkZpOLtfcVrRVJpOgwq31j+cwX+Qb5Z8gSgEtkNtwpkfyxYY UqYILRIFTSV3BE5NmNgkOvR3CJFOKZ16QiX8h/i3slzmgHT4fH88UZCniG05hBoa6Zk7 y8aw==
X-Gm-Message-State: AA+aEWZZ+pa9cvFQ6Ilu8IrNkowvTmRjO6nonUEDL8eKLsy7J2jNrfyT dpXOjG5bJJCGLW2pEl6TZrKYBkfj
X-Google-Smtp-Source: AFSGD/VTCVtCuSua0UvzPj0qjp+3xQvEPJizViQZ8Ur8aQBO0i6G9A+v6MZJ86Xpjl2CU1nhpDICfw==
X-Received: by 2002:a17:902:7882:: with SMTP id q2mr13651382pll.305.1543779759139; Sun, 02 Dec 2018 11:42:39 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id z14sm18155756pgv.47.2018.12.02.11.42.37 for <anima@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Dec 2018 11:42:38 -0800 (PST)
To: anima@ietf.org
References: <153826253306.18743.9250084704876465818@ietfa.amsl.com> <153874289877.989.15433226866680411112@ietfa.amsl.com> <24358.1543530974@dooku.sandelman.ca> <7970.1543544813@dooku.sandelman.ca> <2e4d2c8f-67be-a78e-5930-b078e60f694b@gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <0f875bcf-9b99-977f-ce3b-11ed63ae4273@gmail.com>
Date: Mon, 03 Dec 2018 08:42:33 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.2
MIME-Version: 1.0
In-Reply-To: <2e4d2c8f-67be-a78e-5930-b078e60f694b@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/vjBKB-Uyi0tcfZLEp8VjslL9hVA>
Subject: Re: [Anima] security review issue 11: what if MASA refuses to provide a voucher #88
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Dec 2018 19:42:42 -0000

A small clarification below...

On 2018-11-30 16:45, Brian E Carpenter wrote:
> On 2018-11-30 15:26, Michael Richardson wrote:
>>
>> https://github.com/anima-wg/anima-bootstrap/issues/88
>>
>>> What happens if the MASA refuses to provide a voucher, or provides a wrong
>>> voucher? Can the MASA be used to restrain commerce with specific countries?
>>> Is that a feature or a bug?
>>
>> BRSKI does not eliminate other mechanisms of enrolling devices.
>> If the vendor eliminates all other ways of enrolling devices, then yes, it
>> could be used as a restraint.  But, many vendors already restrict which
>> firmware can be used in which countries, and by which customers.
>>
>> It's a feature that the MASA can be used to defer theft.
>> It's a bug that the MASA can be used to prevent resale.
>> I'd love to resolve the situation, but I don't know how.
> 
> The feature is good. The bug is a regulatory issue; IANAL
> but in any case (as with DRM) it's completely outside the IETF's
> control.
> 
> Imagine a military device in such a context. You pull the trigger
> and the gun pops up a window saying "Not authorised for use
> in Elbonia." From most viewpoints, that's a Good Thing.

To be clear, the gun won't shoot because it failed to enrol
when the Elbonian army deployed it. BRSKI happens, or doesn't
happen, at enrolment time, not later.

   Brian

v2.23.0 | Report a Bug | By Email