Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 15 June 2021 20:36 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/QrAgC-0YL-xSpLZ-4BdeQ8Ht6cg>

On Tue, Jun 15, 2021 at 01:06:12PM -0700, Ash Wilson wrote:

> FWIW, I'm a fan of immutable DNS names and rotating certs. If the device
> can rotate its own certificate with the CA, then an automation component
> between the CA and DNS server can manage the rotation for DANE via TLSA
> records.

This sounds reasonable, of course there needs to be some way to prevent
the previous owner from also being able to rotate the device key based
on knowledge of the previous key. Which means, that key rollover locks
the previous key out of future device metadata updates.

--
    Viktor.