Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sat, 19 June 2021 14:02 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Jacques Latour <Jacques.Latour@cira.ca>, "danish@ietf.org" <danish@ietf.org>
Thread-Topic: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish
Thread-Index: AQHXYeq1j4nc9HqrjUCxOrwF4awGj6sVZ2qAgAX7NOA=
Date: Sat, 19 Jun 2021 14:01:49 +0000
Message-ID: <DBBPR08MB59157CFAD3D10DF22248741EFA0C9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <02cb8931e16c4ccaa6eed1b89c0a20b6@cira.ca> <YMd3Na0Fu+Z+eqzc@straasha.imrryr.org> <90e0d38f1a394b79987b5f1517cc157e@cira.ca> <32259.1623782305@localhost>
In-Reply-To: <32259.1623782305@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/PIEFZiOEzBgLnuqIi37LJtMu0AY>
Subject: Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>

Hi Michael, Hi Jacques,

I found this email thread and was wondering about one aspect in the context of authorization lists.

Where are these authorization lists stored and who creates them?
In what use cases do you need to configure these authorization lists?

Ciao
Hannes

PS: I would avoid using the term "identity" because here we are only talking about an identifier. Identity has so much baggage, which is probably not useful in this context.

-----Original Message-----
From: Danish <danish-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Tuesday, June 15, 2021 8:38 PM
To: Jacques Latour <Jacques.Latour@cira.ca>; danish@ietf.org
Subject: Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish


Jacques Latour <Jacques.Latour@cira.ca> wrote:
    > Top post: I think in the context of IoT Device Client Identity, the
    > identity of an individual device can be revoked for other reasons than
    > a compromise, for example if an IoT device is repurposed for a new use,
    > then a new identity would be provisioned for the new purpose (new
    > customer, new network), I think having a method of knowing that the old
    > identity is revoked (say for 3 months) would be useful.  We would know
    > for sure that the reprovisioning of a new identity to the IoT device
    > didn't work.

A premise of DANISH is that the device comes with an identity, supplied by a manufacturer.
This is the part where the device does not need to go through an onboarding process (to a private CA), but rather it's enough to configure the name of the device into an authorization list.

If the device is repurposed, then it won't get a new name. (that would require that it be onboarded with a new name, right?) So, in order to repurpose a device, it needs to be removed from whatever authorization list it was on, and then added to the new authorization list.
Revoking the certificate would keep the device from being able to be used in the new purpose.

{I personally think that this is a negative of DANISH.
Maybe it's not a core aspect of it, but it seems like it to me.}

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
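As an added illustration of the split Michael describes above (a manufacturer-supplied identity verified through a TLSA record, and authorization handled by a per-purpose name list), not code from this thread or from any DANISH draft: the check below implements RFC 6698 certificate-association matching for a presented client certificate, then consults the authorization list, and shows that repurposing only moves the name between lists while revocation (removing the TLSA record) blocks the device for every purpose. The device name, the DER byte strings and the DANE-EE-only policy are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 certificate usage (3 = DANE-EE)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def tlsa_matches(rec, cert_der, spki_der):
    """RFC 6698 section 2.1: select cert or SPKI, apply the matching type, compare."""
    if rec.usage != 3:            # assumed policy: only DANE-EE identifies a device
        return False
    chosen = {0: cert_der, 1: spki_der}.get(rec.selector)
    if chosen is None:
        return False              # unknown selector: no match
    if rec.matching == 0:
        digest = chosen
    elif rec.matching == 1:
        digest = hashlib.sha256(chosen).digest()
    elif rec.matching == 2:
        digest = hashlib.sha512(chosen).digest()
    else:
        return False              # unknown matching type: no match
    return hmac.compare_digest(digest, rec.data)

def decide(name, cert_der, spki_der, tlsa_rrset, auth_lists, purpose):
    """Authentication: a TLSA record under the device name matches the presented cert.
    Authorization: the name appears on the list configured for this purpose."""
    if not any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset.get(name, ())):
        return "deny: identity not verified"
    if name not in auth_lists.get(purpose, set()):
        return "deny: not authorized for " + purpose
    return "allow"

def repurpose(auth_lists, name, old_purpose, new_purpose):
    """Repurposing changes no name or certificate: remove from one list, add to another."""
    auth_lists.setdefault(old_purpose, set()).discard(name)
    auth_lists.setdefault(new_purpose, set()).add(name)

def revoke(tlsa_rrset, name):
    """Revocation removes the TLSA record, so the device fails authentication everywhere."""
    tlsa_rrset.pop(name, None)

# Constructed sample data (not real certificates): a device name and stand-in DER blobs.
NAME = "device-0001.vendor.example"
CERT_DER = b"constructed-cert-der"
SPKI_DER = b"constructed-spki-der"
TLSA_RRSET = {NAME: [TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())]}
AUTH_LISTS = {"factory": {NAME}, "office": set()}
```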
