IETF Logo Mail Archive

Re: [Danish] Charter Text and the Problem Statement

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sat, 19 June 2021 12:48 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418913A0CF8 for <danish@ietfa.amsl.com>; Sat, 19 Jun 2021 05:48:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=sr8j5+r7; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=sr8j5+r7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgich4G_Id8c for <danish@ietfa.amsl.com>; Sat, 19 Jun 2021 05:47:59 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2050.outbound.protection.outlook.com [40.107.20.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CE9D3A0CF4 for <danish@ietf.org>; Sat, 19 Jun 2021 05:47:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3k0qFs3cd4jHAg0nbrq03j6oWhwwsmN9pkL84HNcNS8=; b=sr8j5+r72v/BTbbEFNvEd63nTkiEb8LYOtelyrGcPHBKdE9nU/QN370Npo8i0ZRdsXesYcUiH2zXaIqcZGZAbrZ+H2fo2efVhGU8rCOvM3xuyNmBPRy2/UeNDfW/aEpld7nOx6mmJa05YrhAf0dftBDZErRr/rYmpFFP6/1y1zM=
Received: from AM6PR04CA0061.eurprd04.prod.outlook.com (2603:10a6:20b:f0::38) by VI1PR08MB3104.eurprd08.prod.outlook.com (2603:10a6:803:42::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.19; Sat, 19 Jun 2021 12:47:51 +0000
Received: from AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:f0:cafe::62) by AM6PR04CA0061.outlook.office365.com (2603:10a6:20b:f0::38) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.16 via Frontend Transport; Sat, 19 Jun 2021 12:47:51 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT056.mail.protection.outlook.com (10.152.17.224) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.16 via Frontend Transport; Sat, 19 Jun 2021 12:47:50 +0000
Received: ("Tessian outbound f88ae75fbd47:v96"); Sat, 19 Jun 2021 12:47:50 +0000
X-CR-MTA-TID: 64aa7808
Received: from dd7b76e47903.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id BE52D4F1-91C5-44AA-B44C-AD7E384A645B.1; Sat, 19 Jun 2021 12:47:43 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id dd7b76e47903.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sat, 19 Jun 2021 12:47:43 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Tvn2TMT9JBSt9sWpH07UMgXDNJuXooeU5161VfQbM9Dwu95GK8LGh3Q5sHDipfu1OBYDae6UFgZ2TSpyVmMqLdgIaZsgdHKEvYtQ2fFNHf2jC3wFLXaNZ8h7GIRhDIxQ9kBmjArPNg+w5+tYi3+ehS+cEAdzrGywbvwST0PyNvJ9FCAgfWjLIqUXkSdTGGTluoBEpqvuvyuT+K7xUSf7gHl35eikfp7jeOY8F6NVzmRlqrYfDpryai0f1Wy5zxLnQdiLO6v5aZdvqa9xQumM4XDcRj1QaeTi7GMLrLGWe+lHTHjy5+p97//Q8J73XzpUToDNmJ9JRRsgLoajQSIr/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3k0qFs3cd4jHAg0nbrq03j6oWhwwsmN9pkL84HNcNS8=; b=VUL3+CjcucHcV3cnROVzMadoQMr+wGIK8q4m1yJ81Qi+4tCHT3VX0S7eei5eCSAoUEdBL3fxbodRA400jezrC9lgFOgwn5SGGxlUIwMdGQYA2itOPKwA3ldbWG7TUg+VH4FXylWQRu482iXaVCOd2Peq9jsqWkD4btLhMQNCYY+H0BI1zpNoZA3X9/CxV5WQ2T68k4E82u6S75WIb3y2TlwKOdp7mFWY2ir6B/y1yeGoPe4acENT/Xvwb5ghvKyRLqPcuxAf8wDBh3tbJwyKGAzzuKyD8xVacTbdPxjPyrmPV9lNqPT4BUrbjWqAZqjfVpbqs/adtpMW1+bRGsvZWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3k0qFs3cd4jHAg0nbrq03j6oWhwwsmN9pkL84HNcNS8=; b=sr8j5+r72v/BTbbEFNvEd63nTkiEb8LYOtelyrGcPHBKdE9nU/QN370Npo8i0ZRdsXesYcUiH2zXaIqcZGZAbrZ+H2fo2efVhGU8rCOvM3xuyNmBPRy2/UeNDfW/aEpld7nOx6mmJa05YrhAf0dftBDZErRr/rYmpFFP6/1y1zM=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by DB8PR08MB5019.eurprd08.prod.outlook.com (2603:10a6:10:e0::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.21; Sat, 19 Jun 2021 12:47:39 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::69cf:4429:a804:7f41]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::69cf:4429:a804:7f41%3]) with mapi id 15.20.4242.023; Sat, 19 Jun 2021 12:47:39 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Ash Wilson <ash.wilson@valimail.com>
CC: "danish@ietf.org" <danish@ietf.org>
Thread-Topic: [Danish] Charter Text and the Problem Statement
Thread-Index: Addin8Z32g6ibl9RQiW6iIvXVU0WhwAVq2gAABL3x4AAGNNDAAAroAeQ
Date: Sat, 19 Jun 2021 12:47:39 +0000
Message-ID: <DBBPR08MB5915C107E3620968DFE34D97FA0C9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915066E1CE5BDB2D695A8DAFA0F9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAEfM=vQehhvSNeBNitJJjisEbimn_gizoo8VTtHWUJ1zSU+rQg@mail.gmail.com> <DBBPR08MB5915D8FC201DFEB31F7D8EA8FA0E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAEfM=vTHPmDcOimf9xOvkYgeObbHvpfG1uZUVjBJFhykrZNafg@mail.gmail.com>
In-Reply-To: <CAEfM=vTHPmDcOimf9xOvkYgeObbHvpfG1uZUVjBJFhykrZNafg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 18255F622DC5A84B869BC078048A2185.0
x-checkrecipientchecked: true
Authentication-Results-Original: valimail.com; dkim=none (message not signed) header.d=none; valimail.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.123.248]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 6439f534-daac-4bb5-e6f2-08d9332072d8
x-ms-traffictypediagnostic: DB8PR08MB5019:|VI1PR08MB3104:
X-Microsoft-Antispam-PRVS: <VI1PR08MB31046138A46198174F3E7344FA0C9@VI1PR08MB3104.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:6430;OLM:6430;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 1r60h/E05g7poXoEbboVu+xQsPvDffd0jBwkozVgvac3lOrK9GUoWVekyTKOXuBtlMYzw7XkqFjsXwver2mr5LpQX9iFOlBzhmvWDQN3AjlHe6aQcMUaMJxnwPXZlDHM/npxi4KN1nBVeZOrZZqja6IaVasSVlgylxx2tlZk6sMfGQgMpI5uunggzCsuD1sBY8nbFD7mca4anddmPXJb0BYM1W1DrIa8XFHbsYGqzBUGqKIdpMZ+X3j49qHk4l6jZe1aIyPPTnc9UIAnSYquatwDn+G/GDZp7L7QD5tXJlPMH4lJMF3kW7GsuiZmNiBubJKvTwC2rg733dHlFKczWdqnxfzkXB0Ncy84AE4TJo8hC++g8wW2YNFIAIHbBuxcZVmA50QKfMkKChquIEsQ5xVVFWdJuFS83X+K11lPytZKQ1im/wkF2szpRQthRvfgHluueaZJ1pDIq0si2bL/DWdDALErRrxfpnUMuz6t8BQRChAvR1LQ6oeG7J4L/w3i23ETenvRSK50vvLv4pc1OVaRfSJ8RUMxpC3YPYyXlRcxo4C5nQYWFkvlIvdffEjQTbrlMI7Cn9fBAfhniFHpobIt20A/FN3jPGpYACqFSnmxLfNfr+W5q62XHJZ81O5Z1dOFIwb+xa3/Y+oRjyoiJqDWPVonCHV+49DaIr+oI6p6RBB0moxsamukRns2T1N6OAbTC0us2KYmvTz584uGjy8tr/cdtXYCvf18+xZ9hnPduj5p9wSwscTad2nj9+QH
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(136003)(366004)(39850400004)(376002)(346002)(2906002)(478600001)(7696005)(316002)(6916009)(52536014)(966005)(66446008)(64756008)(66556008)(66476007)(76116006)(66946007)(33656002)(8676002)(5660300002)(26005)(122000001)(38100700002)(186003)(86362001)(6506007)(53546011)(71200400001)(4326008)(30864003)(8936002)(9686003)(9326002)(55016002)(166002)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DNvRjF1+CipHuAqPXK3ipTnkIB7LxU6+ZII3NIQHzvMduG6iKCUntCYDRBaYI93tmA8X7ko7lBHL+czTB//f/C/dym0u6rPjf/UpCDis33PHwpjI+D2qVYUbDWoMRmNy+0yzFChEXoujcROGeBhSjjEI5+k/2owg307Ukgw5866dgx/bGKShn650Oqo/Eyb1VtNvkbQbrfd6Z+e2RuTnAzXe1gAScoFFZxIFPE1AojVAAn9qLCTY/E4ZATxy7oFVD6wcxUB6hkI8LXFQCEjD4l1qMJHUKPxr97cWNmOe8wD04KMVryudA0yYLaogXpv0yNWzqdtCSJvt5WHIhbrCoBhYV0ZLXQFLn8R7wv09/nu+7f+R8+BOyDqJbYlPIr2URwaAB6GyzLIwL7m89ZIUxE+/Dyz89HlYPveEB8w6kQftd/lZ/BKBa+qbDYwScdYaryseNZf8bxbCL4eeaza1Be+xnomWp3RmGSZz2dKvcqi4ugDTPQ+BRFcB18fhfJNg22ubGooWulm48xueK8D5NJqVGh70tgbxUcpWkaLt3cwopJ15/qMnol9TqVuV4qvAV3CN6VqJZmfTdSslGTggDDaDepaP5c9UgMmbe31/RCDc49swfbKa5Zfb3Tjn8LTt8d3543RsPy9fDK698naGSjZc4Y4Dpn5F58KpnrASuOyjXBVkI+NlP4q53BB5FcOWbBlwroX+djNzTovLl0/3BpBqySfXXoe6TF1hH859rrBZq2LiegxGi2kDT+8hueBhT25WfwGRJxfVhDoqrxp27FsyhWtmXhcu3WaxruYtn0ItgGqrs0MaNCe2Np5eCKUBCp9vZv3tzSvl3eaE0Un8tZhS5/rBMEtbAAFskKpu4tkVIoUOWkbE2uADTCpxdAwoTc7wvTfvXskF3v5nGgBLYp+oF+aU9FkdeVz/o3BRDSflRfX0SrK7IerbstOsdDduNsyHAVEGs+w2YLKkRFGuLMQB8kAUlz89M/TH7LVP/GYOrIIK9f6qjHMovONlqVMmgI8KCKiG/SaYKLu4W6gmVV1wvFCzlL0ANCUENckpixLYxw0swK6nZjmPbF3nkLYtFnKGi/ddCw38Z6n3WGb8fAl4aUcId6J6+HsdmF/hyXzbMWgftpxRXdEJXTUnNmRv6bY0aZKzqr5sPmEOOAxCDOsBRRj+BJUT0Ir3k2JSl00Yn7Y4UX243NgMYS8BWdrdhn724C/JY/MFAEVqj8q2ePG82pChUj8rIKlxT3cwKr26r78dYOaUgaTf4yJWmsptohKiRK+os1KHPB1NR9qcglblvsoPcnWTYO/Iweeb9Es=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DBBPR08MB5915C107E3620968DFE34D97FA0C9DBBPR08MB5915eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB5019
Original-Authentication-Results: valimail.com; dkim=none (message not signed) header.d=none; valimail.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: fca033f0-7152-4aaf-d951-08d933206c10
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: MIOWwxOAZ/thBJhpxwBryjMkunBbjcShI9sY4gQsGS9NgsQi2WxnOrTuHL3Ud4dDDcdKDfsjF/j8F7A2HpR/4grSQFP1Kl1qP6hbKDDifLInF9sWKh15QOrZpxOky5FUwHCbDi89SZ9RATl/tzRivdtjXVbaomaZblIWngM5hl6Nb+YMrP1W+sVFafCT+C2x9VtbIcfYU0IAwGbggZ7n6baKzV98zGPJWusb/SEk5DF5o7v8xtfW/T8F36/hPbYGPMql8DPKFHm7zXSbelIAC2D92RmO1VMgcw62lC59rN0OIgMs/skcwafsUvaRfroTZLHyxKXEsGHPFG97f6ub2tqFadIKt7QF+VHF06L9DSdnLznXaU/ijIkl9CFB28cQqlfuTQnuqhxfb1FujhnoTT25mppba+dSzgIAtbzW3ZqZED0/gAgEf/3n54+BTHswUG9PwdLDlasUcqw5zVZrKQzbE/qUr8Y4vih52dFzfNB5OggRRDOBr6MwmcUs423nZfvSlZWeIbtbrjRk7v3CIfWza/bSmrW1/NB5/3k3uLk5Jj07x+hPMFiljiAqpryb2WkVdmDVTcFx+1feDGXHRGVT/RYV8NtDzqOjheGa85HElQ37dICrCBw6uCS8fi38d0SoDcpQ4iIPaApDgHRsSaiNNIYUzdIFCJ8sJdHqwCpqSBiK3eaIHKJKxBtYCYyApHrBP23JA9ENG4QssxqBFPXRcYZX4UL0qrKFEqwWYHDugOhAizqDV3XR0vGyGnEIJUVdaH8QrJIAaoJcsWa6bsXWVqnEB5x3RNYj30totjRnkQWe82fFLXYuFevINjIV
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(346002)(396003)(39850400004)(376002)(136003)(36840700001)(46966006)(70586007)(70206006)(53546011)(83380400001)(6862004)(81166007)(6506007)(5660300002)(7696005)(9686003)(55016002)(4326008)(33964004)(30864003)(2906002)(8936002)(8676002)(82310400003)(82740400003)(316002)(52536014)(47076005)(166002)(966005)(336012)(33656002)(9326002)(186003)(26005)(86362001)(36860700001)(356005)(478600001)(579004); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jun 2021 12:47:50.7673 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 6439f534-daac-4bb5-e6f2-08d9332072d8
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3104
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/L9jlJMsbXTgYBZO-Uf4NUOrJjEU>
Subject: Re: [Danish] Charter Text and the Problem Statement
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jun 2021 12:48:04 -0000

Hi Ash,

If the network access authentication use case with EAP-TLS is important to you then I believe it would be good to add it as a milestone on the charter. You cannot use an implementation of draft-ietf-emu-eap-tls13 and assume any of the DANE functionality to work. You would indeed have to rely on draft-ietf-tls-dnssec-chain-extension because not having network connectivity is the main reason why you would be running the EAP-TLS exchange in the first place.

Regarding “best practice to ensure that a device is patched before putting it into production, and updating roots of trust fits within the scope of that sort of activity”: I don’t think there is any expectation that the device will be updated before it is put in production (i.e. powered on for the first time). You can assume that the device, when it comes online for the first time and reaches out to the device management server, gets a firmware update. Having that firmware update happen before it is connected to the network is extremely unlikely.

EAP-TLS is also not an IoT device onboarding protocol. From the charter text I am also not assuming that you are attempting to define a new IoT onboarding protocol or do you?

Regarding the home IoT environment: I would not count on CHIP/Matter re-using your work. My understanding is that they are creating their own solutions. Since the home environment is very fragmented, it might not be the easiest place to start. Of course, your company may play and that field and so you might have a way to get the outcome of DANISH deployed there.

I am still trying to figure out how DANISH fits into the larger picture and hence I am looking forward to read an architecture document. Is the a pre-draft available already?

Ciao
Hannes

From: Ash Wilson <ash.wilson@valimail.com>
Sent: Thursday, June 17, 2021 8:22 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: danish@ietf.org
Subject: Re: [Danish] Charter Text and the Problem Statement

Hi Hannes,
Great questions, responses in-line below...

On Wed, Jun 16, 2021 at 11:43 PM Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Thanks for your feedback, Ash.

It is interesting that you mention the network access authentication use case. Do you envision EAP-TLS in combination with Danish to work architecturally differently than the current EAP-TLS-based approach?

We hope to minimize the amount of work required to enable DANE client ID for EAP-TLS. Some challenges remain with EAP-TLS in conjunction with TLS 1.3: https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-16. Supporting TLS 1.2 for EAP-TLS and DANE would likely be more straightforward, but I do not know whether there's much interest in updating TLS 1.2 to cover this use case.

DANE server authentication with EAP-TLS brings another challenge: the absence of IP connectivity prior to authentication. This could be remedied by https://datatracker.ietf.org/doc/html/draft-ietf-tls-dnssec-chain-extension-07, if the work on that draft were to continue. There are also challenges with validating the chain, tied to root key rotation. Devices which remain unplugged too long may not be able to authenticate. On the other hand, it is a best practice to ensure that a device is patched before putting it into production, and updating roots of trust fits within the scope of that sort of activity.

If only DANE for client authentication is supported in EAP-TLS, which is the likely initial outcome, the challenge of getting the authentication server's CA certificate onto the device still exists. This still represents a reduction in effort on the part of the IT staff, but not a perfect zero-touch onboarding unless the supplier also provisions the CA certs for the authentication server... and in the case of WiFi, the SSID to associate with. Still, we think this represents a substantial improvement in the onboarding experience for the implementer.


You write:
“Credential issuance very often requires the device and the person bootstrapping the identity to be in the same place”

Binding the user to his or her device typically takes some time. It often requires the user to log into some service and to “add” the new device often by demonstrating physical possession. Of course, this is the way how it works for end consumer products, where scalability is less of an issue because you are probably not going to buy thousands of smart coffee machines. For a commercial setup, the process often works different but it very much depends on the type of industry vertical you are in. There is often a non-irrelevant configuration step involved as well. For example, with commercial indoor lighting professionals need to configure different lighting themes.

I don’t see any of this user-related interaction being covered as part of the chartered work.

DANE can be useful for home IoT. I think that it could reduce the complexity of automation wherever private PKI is being managed in the consumer's environment, and accelerate and simplify the onboarding experience. IETF is accessible and wide-reaching, and seems like the right place to present and refine the design pattern that might be adopted later by other standards (like CHIP/Matter). I'm also operating under the assumption that enterprise IoT has a more recognized need for interoperability and simpler secure onboarding processes. That is a big assumption, and only based on my observations thus far. I'm open to including the home consumer's perspective in this effort, if you think it's worthwhile.


As far as describing the general onboarding experience for the implementer, I had hoped to include that in the architecture document along with examples of how DANE might interface with and support other standards in the broader ecosystem. In trying to keep the charter concise, I think we left out some important information.

You bring up an interesting point, with the configuration of lighting profiles during fixture installation. The expectation is that with DANE as the authentication protocol, the variety of suppliers producing devices for a given application might be able to agree on a format for representing configuration information, and devices can securely retrieve it from the system that manages the application's configuration. I think that it would be especially useful to show how DANE works with other discovery protocols (mDNS, for instance) in the process of retrieving the device's configuration. Where do you think this fits best? In the architecture document, or would another format be a better fit for this?


Ciao
Hannes

From: Ash Wilson <ash.wilson@valimail.com<mailto:ash.wilson@valimail.com>>
Sent: Wednesday, June 16, 2021 11:28 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Cc: danish@ietf.org<mailto:danish@ietf.org>
Subject: Re: [Danish] Charter Text and the Problem Statement

Hi Hannes,
Thanks for the questions, and apologies for keeping you waiting on answers/clarification.

On Wed, Jun 16, 2021 at 4:12 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Hi all,

I have been reading through the charter text in an attempt to understand the problem statement.

Two problems are mentioned:


1)  Challenges with naming collisions in the IoT space.



2)  Credential issuance is time consuming.


Ad 1: Reading through the text it feels like naming collisions are a big thing in IoT. I have not heard about those problems. Could you elaborate?
Certainly. I'll use a hospital as an example environment.

Within a hospital, it is desirable to implement 802.1x authentication using EAP-TLS for access to protected networks. EAP-TLS enables the use of PKI-based identity to authenticate an entity for network access.

When implementing EAP-TLS for network access, RADIUS is a common protocol/server used for authentication behind the switch or wireless access point. Guidance for configuring RADIUS recommends the use of only one CA certificate for authenticating supplicant certificates. This guidance can be found in the wild in Freeradius configuration files for EAP-TLS, related to the 'ca_file' configuration directive.

CAs guarantee the uniqueness of an entity's name within the scope of the CA, but have no method for enforcing name uniqueness across other CAs. For instance, CA1 and CA2 may both sign certificates for entities with the same name. If CA1 and CA2 are both trusted by the RADIUS server, and two entities named "medicaldevice123" exist, one per CA, then the resulting ambiguity makes it difficult to appropriately apply access controls. This ambiguity is mitigated by operating a single organizational PKI, and requiring identities issued by that single organizational PKI for EAP-TLS authentication.

Onboarding devices to organizational PKI requires time and effort. Oftentimes some sort of skilled labor and/or dedicated infrastructure for automating the onboarding process is involved. DANE allows us to bind a DNS name to a public key, and mitigates the ambiguities introduced by the use of multiple CAs. An organization can only issue working identities within its own namespace in DNS. Since naming ambiguity can be mitigated using DANE, we may now choose to use manufacturer-issued PKI, represented in DNS, for authenticating entities.

From the hospital's standpoint, the IT staff no longer needs to manage the process of onboarding devices to organizational PKI. The device arrives on-site with an identity which can be immediately used for network authentication.

You add that “In response to the challenges related to

ambiguity between identities issued by different CAs, application owners

frequently choose to onboard IoT devices to a single CA.”. Is that a good or a bad development?
It is a good development if the organization really wants to directly manage all of the credentials for all of the application participants. The effort and rationale behind BRSKI (RFC 8995) suggests a desire to make onboarding to organizational PKI easier to automate.

If a supplier issues a trustworthy identity for a device, and DNS prevents another PKI from issuing working credentials under the same name, then issuing another identity via organizational PKI becomes superfluous. This is where we think that time and effort can be saved, because the skills required for onboarding do not need to include the management and issuance of identities under organizational PKI.

Ad 2: Is it really true that credential issuance is time consuming? Why is that? For whom is it time consuming?
Credential issuance very often requires the device and the person bootstrapping the identity to be in the same place. Some platforms and protocols exist to make that process easier (like BRSKI) or less human-involving. The time investment seems to be on the part of both the manufacturer (in issuing the IDevID) as well as the organizational IT staff, who manage the organizational PKI.

Ciao
Hannes

PS: You use the term “Certificate Authority (CA)”. It is actually called “Certification Authority”.


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Danish mailing list
Danish@ietf.org<mailto:Danish@ietf.org>
https://www.ietf.org/mailman/listinfo/danish


--
Ash Wilson | Technical Director
e: ash.wilson@valimail.com<mailto:ash.wilson@valimail.com>
[https://hosted-packages.s3-us-west-1.amazonaws.com/Valimail+Logo.png]

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


--
Ash Wilson | Technical Director
e: ash.wilson@valimail.com<mailto:ash.wilson@valimail.com>
[https://hosted-packages.s3-us-west-1.amazonaws.com/Valimail+Logo.png]

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email