Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 15 June 2021 20:36 UTC

Date: Tue, 15 Jun 2021 16:36:20 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: danish@ietf.org
Message-ID: <YMkPRB334UACZH26@straasha.imrryr.org>
Reply-To: danish@ietf.org
References: <02cb8931e16c4ccaa6eed1b89c0a20b6@cira.ca> <YMd3Na0Fu+Z+eqzc@straasha.imrryr.org> <90e0d38f1a394b79987b5f1517cc157e@cira.ca> <32259.1623782305@localhost> <YMj2TBzoiYDohJ99@straasha.imrryr.org> <24225.1623787020@localhost> <CAEfM=vR_9kOr0bLhk89ZWmqtxavcGjRHDgKCspX9xjGBOS5dXw@mail.gmail.com>
In-Reply-To: <CAEfM=vR_9kOr0bLhk89ZWmqtxavcGjRHDgKCspX9xjGBOS5dXw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/QrAgC-0YL-xSpLZ-4BdeQ8Ht6cg>

On Tue, Jun 15, 2021 at 01:06:12PM -0700, Ash Wilson wrote:

> FWIW, I'm a fan of immutable DNS names and rotating certs. If the device
> can rotate its own certificate with the CA, then an automation component
> between the CA and DNS server can manage the rotation for DANE via TLSA
> records.

This sounds reasonable; of course, there needs to be some way to prevent
the previous owner from also being able to rotate the device key based
on knowledge of the previous key.

Which means that key rollover locks the previous key out of future
device metadata updates.

-- 
    Viktor.
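The rollover rule discussed above (the key currently published in DNS authorizes the next key, and the superseded key can no longer drive updates) can be written as a small DNS-side policy check. The following is an added example, not code from this thread or from any DANISH draft; it models a hypothetical TLSA registry with a DANE-EE (usage 3, selector 1, matching type 1) record per device name, and it uses hash-based one-time (Lamport) signatures as a stand-in for the device's TLS key so that it runs with only the Python standard library. The device name, the key material and the registry API are all constructed for the example.

```python
"""Simulated TLSA publication policy with key rollover (constructed example).

Lamport one-time signatures stand in for the device's real TLS key; a
real deployment would verify a signature made with the certificate key
whose SPKI digest is currently in the TLSA record.
"""
import hashlib
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of 32-byte secrets; public key = their hashes."""
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in secret]
    return secret, public


def lamport_sign(secret, message: bytes):
    """Reveal one secret per bit of SHA-256(message), MSB first."""
    bits = int.from_bytes(sha256(message), "big")
    return [secret[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(public, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare with the published pair entry."""
    if len(signature) != 256:
        return False
    bits = int.from_bytes(sha256(message), "big")
    return all(sha256(signature[i]) == public[i][(bits >> (255 - i)) & 1]
               for i in range(256))


def tlsa_rdata(public) -> str:
    """TLSA '3 1 1': DANE-EE, SPKI selector, SHA-256 of the serialized key.

    The serialized Lamport public key stands in for the SPKI DER.
    """
    spki = b"".join(a + b for a, b in public)
    return "3 1 1 " + sha256(spki).hex()


def rollover_message(name: str, new_public) -> bytes:
    """What the device signs: the owner name bound to the new TLSA rdata."""
    return (name + "|" + tlsa_rdata(new_public)).encode()


class TlsaRegistry:
    """DNS-side automation: only the key currently in DNS may authorize a change."""

    def __init__(self):
        self.records = {}  # owner name -> current TLSA rdata (digest only)

    def enroll(self, name: str, public) -> None:
        self.records[name] = tlsa_rdata(public)

    def rollover(self, name: str, new_public, signer_public, signature) -> bool:
        if name not in self.records:
            return False
        # The signer must hash to the rdata that is published right now;
        # a previous key (e.g. held by a prior owner) fails this check.
        if tlsa_rdata(signer_public) != self.records[name]:
            return False
        if not lamport_verify(signer_public, rollover_message(name, new_public), signature):
            return False
        self.records[name] = tlsa_rdata(new_public)
        return True


def demo():
    """Enroll k1, roll to k2, then show k1 is locked out while k2 can continue."""
    reg = TlsaRegistry()
    s1, p1 = lamport_keygen()
    s2, p2 = lamport_keygen()
    s3, p3 = lamport_keygen()
    name = "_443._tcp.device1.example."  # constructed owner name
    reg.enroll(name, p1)
    ok_first = reg.rollover(name, p2, p1, lamport_sign(s1, rollover_message(name, p2)))
    # A party still holding k1 tries to install k3: k1 is no longer published.
    stale = reg.rollover(name, p3, p1, lamport_sign(s1, rollover_message(name, p3)))
    # The current key k2 may continue the chain.
    ok_next = reg.rollover(name, p3, p2, lamport_sign(s2, rollover_message(name, p3)))
    return ok_first, stale, ok_next, reg.records[name] == tlsa_rdata(p3)


if __name__ == "__main__":
    print(demo())
```

The registry stores only the published rdata, as DNS would, and recomputes the digest of whatever key the requester presents; the decision therefore depends on what is currently in the zone, not on any memory of earlier keys. Because Lamport keys are one-time, each key here authorizes exactly one rollover, which is a property of the stand-in, not of the policy.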