IETF Logo Mail Archive

Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 31 July 2019 02:18 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1A6A1200A4 for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 19:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id duRaC3u0IqZe for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 19:18:10 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47F3312004E for <anima@ietf.org>; Tue, 30 Jul 2019 19:18:10 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id r1so30897435pfq.12 for <anima@ietf.org>; Tue, 30 Jul 2019 19:18:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=66pjT5Madz8DdmWMyw7EgqidntlWceBK+knaV6Xg2Rc=; b=HrBbIJUo4pXBklJZnmXQEhjhBG9iY0ukjzkSFOk3r2BQLIn8jEqKF3PRzBFHP0gbGH Cx2a7qw84fbmHYfyIWK0JmYaBkZvIGZnZURtNDmdOAiOcf4IiWj3wBVKJWWY5Cv6cCNA mx+j0qResVkhPVtM1aXjMGJeNQ19X46z+1/iw0+cMhA5dqM8Cv1OGHikl6Q/YLd3SJq8 HAJGQC46DSbmvQsxzwMuo1cXqtXzdVayP2g8KpJiNMr6mqdiPAT9d2PV24S1whRMRule HkqrVerULSWSGOrVsiBcQHJc6Np4k5ct0C0Slvm0KDasUG2bMoXAxLfK6BZgn30JB10t VWCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=66pjT5Madz8DdmWMyw7EgqidntlWceBK+knaV6Xg2Rc=; b=Ovyj1XUICCMPpLG0jxwz7uLk27NqX5EqGyeVHTIDFczGWkDeiqmFVdbDZsiX7q8YzY iVKUi/JKr2EU/s4d4P/aQkv5zBoMp1Ew5cxyuK4rSln4k+IsCpVor7biED0o/1dOp4Yh ap4YNnN2pKdtGSbeivdigl6kk1hJ0mJJNbGN9mqo4F79Ly0WvkQ/tFd6Y16PLoh/WfmW VvYjEe84Wdlhr8p4GEo1BXIEsfUi6J30p5eScteVdA+HLkoHm/1VcCdhksuGFFDBlQ5z e10fSG4rtsoUv+UkMRxWZcL5ScIoOB9Fa3xR9TdKjrGJswpPuB0TaAisF1NIFCgrLuJu ZNiQ==
X-Gm-Message-State: APjAAAUv1xzJ476h5DkuGU5Lh6KlWEvxJ4A/jH+NWxg6SgHAtYxUe0Sx X8EFW6COlWhWaghXYBa+j8Q=
X-Google-Smtp-Source: APXvYqzpnwc1HD3FJicCFJsc9LFgCRqrrKQygY5sYlVHBDEQbcGScTBQxizjnjriFxAWDQB8oJM3ig==
X-Received: by 2002:a17:90a:a410:: with SMTP id y16mr438108pjp.62.1564539489559; Tue, 30 Jul 2019 19:18:09 -0700 (PDT)
Received: from [192.168.178.30] ([118.148.73.254]) by smtp.gmail.com with ESMTPSA id q8sm160608pjq.20.2019.07.30.19.18.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Jul 2019 19:18:08 -0700 (PDT)
To: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Jayanna, Prabhu" <prabhu.jayanna@intel.com>, "Mendelson, Tsippy" <tsippy.mendelson@intel.com>, "anima@ietf.org" <anima@ietf.org>, "Ruan, Xiaoyu" <xiaoyu.ruan@intel.com>
References: <27D27ED4408AA64998F40FB212076767DC26B25F@hasmsx109.ger.corp.intel.com> <27D27ED4408AA64998F40FB212076767DC282548@hasmsx109.ger.corp.intel.com> <20190730210759.yaubbw2pit73a6sh@faui48f.informatik.uni-erlangen.de> <31027.1564525417@localhost> <20190730231136.x6oehxkjokspgcxn@faui48f.informatik.uni-erlangen.de>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <4fb6a7b6-4684-6b77-5ab5-db0387554e49@gmail.com>
Date: Wed, 31 Jul 2019 14:18:08 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <20190730231136.x6oehxkjokspgcxn@faui48f.informatik.uni-erlangen.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/yv_SBu_v0T8HMQ1CjS8W8CYpWdY>
Subject: Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 02:18:13 -0000

Let's be clear in the BRSKI text that our standard makes this a MUST
*even if* it is not mandatory in the IEEE standard. Of course we can do
that (and not including the serial number seems very sloppy), but we
should be explicit that our requirement is stronger than the IEEE.

Maybe it means that some light bulbs cannot be BRSKI pledges. I don't
think we care, because our model is that nodes containing management
smarts such as an ASA need to join the ACP, but managed nodes themselves
do not.

Regards
   Brian

On 31-Jul-19 11:11, Toerless Eckert wrote:
> On Tue, Jul 30, 2019 at 06:23:37PM -0400, Michael Richardson wrote:
>>
>> Toerless Eckert <tte@cs.fau.de> wrote:
>>     > From what i understand (and please correct me if you are coming from a
>>     > different angle), you may be able to reduce cost in manufacturing of
>>     > low-cost and/or constrained device by not having to have IDevID
>>
>> I didn't get that all from the original poster.
>> I think you are jumping to a conclusion that is not supported by text here.
> 
> Yes, i was elaborating about why one would want an IDevID without the
> serialNumber and what would need to happen to support that. But i also
> said this should be out of scope for the current BRSKI document.
> 
>> They simply say that serialNumber is not a MUST in 802.1AR-2018, but rather a SHOULD.
>> And, that's not the point at all, really.
>> IF you want to do BRSKI, then you MUST include a serialNumber in the DN.
> 
> Agreed.
> 
>> 802.1AR-2009, has section 7.2.8:
>>
>> 7.2.8 subject
>>       The DevID subject field shall uniquely identify the device associated
>>       with the particular DevID credential within the issuer???s domain of
>>       significance. The formatting of this field shall contain a unique X.500
>>       Distinguished Name (DN). This may include the unique device serial
>>       number assigned by the manufacturer or any other suitable unique DN
>>       value that the issuer prefers. In the case of a third-party CA or a
>>       standards certification agency, this can contain the manufacturer???s
>>       identity information.
>>
>>       The subject field???s DN encoding should include
>>       the ???serialNumber??? attribute with the device???s unique serial number.
>>
>> Note lack of RFC2119 language (or a reference to it).
>>
>> So if the 2018 has "SHOULD" here, then that's a strengthing of the language,
>> not a weaking.
>> The first paragraph does have weasel words "any other
>> suitable unique DN", but 
> 
> Ok, i currently can't access the IEEE standards, so i can not compare
> myself. My reading of the OP was that it was a weakening.
> 
> 
>> I really think that a serialNumber DN attribute
>> (as opposed to the serialNumber certificate attribute) is needed for BRSKI
>> to interoperate well.
> 
> Agreed.
> 
>> If someone has a 10 million devices in the field which can be field upgraded
>> to run BRSKI (while still in a not-yet enrolled state in a box), then let's
>> talk about this.  Maybe it's actually 10,000,000 TPM devices with IDevIDs
>> already generated, but no serialNumber in it.  Getting the JRC code right
>> to do other things can be a pain, but it can be done.
> 
> Right, this was my question to the OP as well. I was guessing its more
> about minimizing cost for future built 10 million devices. Today you
> would need to burn-in during manufacturing identity elements such as
> specifically the serialNumber, so you need to devise a protected burn-in
> process. If you just et the device generate a public key pair and you
> simply capture the public key during manufacturing, maybe that is a
> significant simplification when you talk 10 million devices. Just
> guessing. In any case, serialNumber is a lot more useful when humans are
> involved, but they may become less relevant when everything is
> automated.
> 
> Cheers
>     Toerless
> 
>> -- 
>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
>> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>>
> 
> 
> 
>> _______________________________________________
>> Anima mailing list
>> Anima@ietf.org
>> https://www.ietf.org/mailman/listinfo/anima
> 
>

v2.29.0 | Report a Bug | By Email | System Status