IETF Logo Mail Archive

Re: [Danish] Charter Text and the Problem Statement

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 21 June 2021 14:40 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188FD3A08FC for <danish@ietfa.amsl.com>; Mon, 21 Jun 2021 07:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qMRLGMOJi4Ou for <danish@ietfa.amsl.com>; Mon, 21 Jun 2021 07:40:44 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADA1C3A08FE for <danish@ietf.org>; Mon, 21 Jun 2021 07:40:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id C90AD38ADE; Mon, 21 Jun 2021 10:42:13 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id oMf5sWqouh-r; Mon, 21 Jun 2021 10:42:11 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id AF6D738ADC; Mon, 21 Jun 2021 10:42:11 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 16F0A9E; Mon, 21 Jun 2021 10:40:39 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "danish@ietf.org" <danish@ietf.org>
In-Reply-To: <DBBPR08MB5915DB801CD6D3FFD8D69E96FA0A9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915066E1CE5BDB2D695A8DAFA0F9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAEfM=vQehhvSNeBNitJJjisEbimn_gizoo8VTtHWUJ1zSU+rQg@mail.gmail.com> <DBBPR08MB5915D8FC201DFEB31F7D8EA8FA0E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAEfM=vTHPmDcOimf9xOvkYgeObbHvpfG1uZUVjBJFhykrZNafg@mail.gmail.com> <DBBPR08MB5915C107E3620968DFE34D97FA0C9@DBBPR08MB5915.eurprd08.prod.outlook.com> <23295.1624134481@localhost> <DBBPR08MB591546610B09B3606721EF2CFA0B9@DBBPR08MB5915.eurprd08.prod.outlook.com> <5631.1624225291@localhost> <DBBPR08MB5915DB801CD6D3FFD8D69E96FA0A9@DBBPR08MB5915.eurprd08.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 21 Jun 2021 10:40:39 -0400
Message-ID: <11057.1624286439@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/KIOf0yrlssto5Z0oLHCAxcK2nnQ>
Subject: Re: [Danish] Charter Text and the Problem Statement
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2021 14:40:53 -0000

Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
    >> If you use DANISH, then you don't need to onboard the device
    >> (i.e. enroll it with a new certificate), because you already have secure
    >> access to the correct certificate via DNS(SEC).

    > In the past we used different keys for different purposes. A
    > manufacturer provided key was used for a relatively small number of
    > tasks (typically for obtaining operational keys). For use with
    > application services we used a different key. We used yet another key
    > for firmware updates and again another for attestation.

    > What has changed?

As you know I'm a big proponent of using an IDevID with an onboarding
protocol to obtain an LDevID.
I think that this is still an important path.  But, it's not the only path!

While I think your next comment might be about divergent paths causing market
confusion,  I think that we are already there.   There are presently a number
of incompatible systems out there that deliver keys from the factory to be
used in production.

I think that the DANISH might be an interesting way to publish *LDevID*s.
While I might onboard a device into my network, in the future, imagine that
different operational networks might need to interact without having an
ownership relationship.  For instance, any personal wearables you might have
interacting with a variety of building or vehicle systems that you are in.
How will I give you permission to turn on the lights in my house?
I'd surely prefer to list that authorization by DNS name, rather than hash,
right?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [




--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email