Re: [Danish] Charter Text and the Problem Statement

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 17 June 2021 06:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/1K6Ht6C2KyrwRTj4Ii3rQE7ejCc>
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>

Thanks for your feedback, Ash.

It is interesting that you mention the network access authentication use case. Do you envision EAP-TLS in combination with Danish to work architecturally differently than the current EAP-TLS-based approach?

You write:
“Credential issuance very often requires the device and the person bootstrapping the identity to be in the same place”

Binding the user to his or her device typically takes some time. It often requires the user to log into some service and to “add” the new device, often by demonstrating physical possession. Of course, this is how it works for end-consumer products, where scalability is less of an issue because you are probably not going to buy thousands of smart coffee machines. For a commercial setup, the process often works differently, but it very much depends on the type of industry vertical you are in. There is often a non-irrelevant configuration step involved as well. For example, with commercial indoor lighting, professionals need to configure different lighting themes.

I don’t see any of this user-related interaction being covered as part of the chartered work.

Ciao
Hannes

From: Ash Wilson <ash.wilson@valimail.com>
Sent: Wednesday, June 16, 2021 11:28 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: danish@ietf.org
Subject: Re: [Danish] Charter Text and the Problem Statement

Hi Hannes,
Thanks for the questions, and apologies for keeping you waiting on answers/clarification.

On Wed, Jun 16, 2021 at 4:12 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
Hi all,

I have been reading through the charter text in an attempt to understand the problem statement.

Two problems are mentioned:

1) Challenges with naming collisions in the IoT space.
2) Credential issuance is time consuming.

Ad 1: Reading through the text it feels like naming collisions are a big thing in IoT. I have not heard about those problems. Could you elaborate?
Certainly. I'll use a hospital as an example environment.

Within a hospital, it is desirable to implement 802.1x authentication using EAP-TLS for access to protected networks. EAP-TLS enables the use of PKI-based identity to authenticate an entity for network access.

When implementing EAP-TLS for network access, RADIUS is a common protocol/server used for authentication behind the switch or wireless access point. Guidance for configuring RADIUS recommends the use of only one CA certificate for authenticating supplicant certificates. This guidance can be found in the wild in FreeRADIUS configuration files for EAP-TLS, related to the 'ca_file' configuration directive.

CAs guarantee the uniqueness of an entity's name within the scope of the CA, but have no method for enforcing name uniqueness across other CAs. For instance, CA1 and CA2 may both sign certificates for entities with the same name. If CA1 and CA2 are both trusted by the RADIUS server, and two entities named "medicaldevice123" exist, one per CA, then the resulting ambiguity makes it difficult to appropriately apply access controls. This ambiguity is mitigated by operating a single organizational PKI, and requiring identities issued by that single organizational PKI for EAP-TLS authentication.

Onboarding devices to organizational PKI requires time and effort. Oftentimes some sort of skilled labor and/or dedicated infrastructure for automating the onboarding process is involved. DANE allows us to bind a DNS name to a public key, and mitigates the ambiguities introduced by the use of multiple CAs. An organization can only issue working identities within its own namespace in DNS. Since naming ambiguity can be mitigated using DANE, we may now choose to use manufacturer-issued PKI, represented in DNS, for authenticating entities.

From the hospital's standpoint, the IT staff no longer needs to manage the process of onboarding devices to organizational PKI. The device arrives on-site with an identity which can be immediately used for network authentication.

You add that “In response to the challenges related to ambiguity between identities issued by different CAs, application owners frequently choose to onboard IoT devices to a single CA.” Is that a good or a bad development?
It is a good development if the organization really wants to directly manage all of the credentials for all of the application participants. The effort and rationale behind BRSKI (RFC 8995) suggests a desire to make onboarding to organizational PKI easier to automate.

If a supplier issues a trustworthy identity for a device, and DNS prevents another PKI from issuing working credentials under the same name, then issuing another identity via organizational PKI becomes superfluous. This is where we think that time and effort can be saved, because the skills required for onboarding do not need to include the management and issuance of identities under organizational PKI.

Ad 2: Is it really true that credential issuance is time consuming? Why is that? For whom is it time consuming?
Credential issuance very often requires the device and the person bootstrapping the identity to be in the same place. Some platforms and protocols exist to make that process easier (like BRSKI) or less human-involving. The time investment seems to be on the part of both the manufacturer (in issuing the IDevID) as well as the organizational IT staff, who manage the organizational PKI.

Ciao
Hannes

PS: You use the term “Certificate Authority (CA)”. It is actually called “Certification Authority”.


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Danish mailing list
Danish@ietf.org
https://www.ietf.org/mailman/listinfo/danish


--
Ash Wilson | Technical Director
e: ash.wilson@valimail.com

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.

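The core of Ash's argument in the quoted message is that a DANE TLSA record binds a DNS name to a specific key, so two certificates that both say "medicaldevice123" but come from different CAs are no longer ambiguous to the relying party. The following is an added example, not code from the thread, the DANISH working group or any IETF document: a minimal TLSA association checker with RFC 6698 semantics (usage, selector, matching type), run against two constructed identities that share a subject name. All key, SPKI and certificate bytes are constructed, the owner name is a placeholder, and PKIX chain validation (required for usages 0, 1 and 2) is deliberately out of scope.

```python
"""Added example: DANE TLSA association check (RFC 6698 semantics).

Constructed inputs only; no real device, CA or DNS zone is involved.
"""
import hashlib
import hmac

# RFC 6698 field values used below.
USAGE_PKIX_EE = 1       # EE cert must match AND pass PKIX validation (not done here)
USAGE_DANE_EE = 3       # EE cert is trusted on the strength of the DNS binding alone
SELECTOR_FULL_CERT = 0  # association data covers the whole DER certificate
SELECTOR_SPKI = 1       # association data covers the SubjectPublicKeyInfo only
MATCH_FULL = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# Placeholder owner name; the real client-identity naming scheme is not defined here.
DEVICE_TLSA_OWNER = "_device.medicaldevice123.example.invalid."

# Constructed SubjectPublicKeyInfo values: a DER prefix for an Ed25519 key
# (SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING }) followed by 32
# made-up key bytes. These are not real keys.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SPKI_A = _ED25519_SPKI_PREFIX + bytes(range(1, 33))
SPKI_B = _ED25519_SPKI_PREFIX + bytes(range(101, 133))

# Opaque stand-ins for the full DER certificates. X.509 is not parsed here;
# selector 0 simply hashes whatever bytes the certificate consists of.
# Both "certificates" carry the same subject name, issued by different CAs.
CERT_A = b"CONSTRUCTED CERT: CN=medicaldevice123, issuer=CA1; spki=" + SPKI_A
CERT_B = b"CONSTRUCTED CERT: CN=medicaldevice123, issuer=CA2; spki=" + SPKI_B


def _selected(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Pick the certificate bytes the selector refers to."""
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def _matched(mtype: int, selected: bytes) -> bytes:
    """Apply the matching type to the selected bytes."""
    if mtype == MATCH_FULL:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def make_tlsa_record(usage: int, selector: int, mtype: int,
                     cert_der: bytes, spki_der: bytes) -> tuple[int, int, int, bytes]:
    """Build the record an operator would publish for this certificate."""
    return usage, selector, mtype, _matched(mtype, _selected(selector, cert_der, spki_der))


def present_tlsa(record: tuple[int, int, int, bytes]) -> str:
    """RFC 6698 presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, data = record
    return f"{usage} {selector} {mtype} {data.hex()}"


def parse_tlsa(presentation: str) -> tuple[int, int, int, bytes]:
    """Parse presentation format; hex data may be split across whitespace."""
    usage, selector, mtype, *hexparts = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(record: tuple[int, int, int, bytes], cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the TLSA association.

    Only end-entity usages are handled. Usage 1 would additionally need PKIX
    validation, and usages 0/2 refer to a CA certificate in the chain.
    """
    usage, selector, mtype, data = record
    if usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
        raise NotImplementedError("CA-constraint usages need chain validation")
    computed = _matched(mtype, _selected(selector, cert_der, spki_der))
    return hmac.compare_digest(computed, data)


def collision_demo() -> dict[str, bool]:
    """Two 'medicaldevice123' certificates; only the one bound in DNS is accepted."""
    record = make_tlsa_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, CERT_A, SPKI_A)
    return {
        "device_a_accepted": tlsa_matches(record, CERT_A, SPKI_A),
        "device_b_accepted": tlsa_matches(record, CERT_B, SPKI_B),
        "round_trips": parse_tlsa(present_tlsa(record)) == record,
    }


if __name__ == "__main__":
    rec = make_tlsa_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, CERT_A, SPKI_A)
    print(DEVICE_TLSA_OWNER, "IN TLSA", present_tlsa(rec))
    print(collision_demo())
```

The point the demo makes is the one from the thread: a relying party that trusts CA1 and CA2 cannot tell the two "medicaldevice123" certificates apart by name, but a TLSA record under the device's own DNS name matches exactly one key. Usage 3 (DANE-EE) is what lets a manufacturer-issued certificate be accepted without onboarding the device to an organizational PKI, since the trust decision rests on the DNS binding (which in deployment must itself be protected by DNSSEC) rather than on a CA in the RADIUS server's `ca_file`.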