Re: [Anima] RFC 8995, Voucher Signing, MASA Certificate Chain provisioning

"Fries, Steffen" <steffen.fries@siemens.com> Mon, 18 March 2024 07:24 UTC

From: "Fries, Steffen" <steffen.fries@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Esko Dijk <esko.dijk@iotconsultancy.nl>, "anima@ietf.org" <anima@ietf.org>
Date: Mon, 18 Mar 2024 07:23:59 +0000
Message-ID: <DB9PR10MB6354768E2C5FB66DBD584776F32D2@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
References: <DB9PR10MB6354C2A6F6C4D5B3E0CA5C8CF3212@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM> <DU0P190MB197821318310FEF4AAEA6633FD272@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <19897.1710549305@dyas>
In-Reply-To: <19897.1710549305@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/yk_xYY36aMg5C14rFUqbi5ohb9o>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>

Hi Michael, 

> -----Original Message-----
> From: Michael Richardson <mcr+ietf@sandelman.ca>
> Sent: Saturday, March 16, 2024 1:35 AM
> To: Esko Dijk <esko.dijk@iotconsultancy.nl>; Fries, Steffen (T CST)
> <steffen.fries@siemens.com>; anima@ietf.org
> Subject: Re: [Anima] RFC 8995, Voucher Signing, MASA Certificate Chain
> provisioning
> 
> 
> Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
>     > The requirement for the Pledge in RFC 8995 is (5.6.1): The pledge MUST
>     > verify the voucher signature using the manufacturer-installed trust
>     > anchor(s) associated with the manufacturer's MASA
> 
>     > This leaves quite some vendor flexibility I think on how exactly to
>     > verify: against 1 public key, against multiple public keys, against a
>     > chain baked into the device, against a single root CA cert, against a
>     > single root CA cert taken from the chain baked into the device, etc
>     > etc.
> 
> Thank you for expounding on the variations.
> We have the advantage that pledges are controlled by manufacturers and they
> can decide how simple or complex they want to make their process.
> 
> The gotcha is registrars that want to verify the resulting voucher.
> It's not entirely required by RFC8995, but maybe encouraged.
> So I'd love to collect more of this kind of consideration in the masa-considerations
> or the registrar-considerations.
[stf] In BRSKI-PRM, we also recommended (SHOULD) that the registrar verify the received voucher before signing it, see https://www.ietf.org/archive/id/draft-ietf-anima-brski-prm-12.html#section-7.3.4. This emphasizes the statement in RFC 8995.

Best regards
Steffen

> 
>     >> I would propose to also allow the submission of the certificate chain
>     >> of the MASA signing certificate in the SignedData part of the CMS
>     >> container of the voucher.
> 
>     > I expect this is already allowed by RFC 8995, given the text in 11.6:
> 
> Yes, it's not just allowed, but I would say, encouraged.
> The question is how do we do it on a constrained voucher.
> The cbrski document says some things already about this.
> 
>     > There are good cryptographic hygiene reasons why a manufacturer would
>     > not want to maintain access to a private key for many decades. A
>     > manufacturer in that situation can leverage a long-term CA anchor,
>     > built-in to the pledge, and then a certificate chain may be
>     > incorporated using the normal CMS certificate set. This may increase
>     > the size of the voucher artifacts, but that is not a significant issue
>     > in non-constrained environments.
>     > <https://datatracker.ietf.org/doc/html/rfc8995#section-11.6-3>
>     > So this effectively says a vendor may want to not use the "simplest
>     > solution" for security reasons, and include a cert chain of the signer.
> 
> I think that we have not done enough interoperability testing lately.
> Particularly between Registrar and MASA.
> I'd like to change this, and I'm thinking that the Paris hackathon might be a good
> target date.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>