Re: [Danish] [EXT] RE: IoT Device Identification with TLSA via Danish
Jacques Latour <Jacques.Latour@cira.ca> Mon, 21 June 2021 14:50 UTC
Return-Path: <Jacques.Latour@cira.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7125F3A0959 for <danish@ietfa.amsl.com>; Mon, 21 Jun 2021 07:50:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NFBkK---r0Id for <danish@ietfa.amsl.com>; Mon, 21 Jun 2021 07:50:09 -0700 (PDT)
Received: from albina.zerospam.ca (albina.zerospam.ca [199.27.221.82]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF2013A0906 for <danish@ietf.org>; Mon, 21 Jun 2021 07:50:08 -0700 (PDT)
X-ZEROSPAM_FILTERED: true
Received: from albina.zerospam.ca (localhost [127.0.0.1]) by albina.zerospam.ca (Postfix) with ESMTP id 4G7srb4SwyzyN4; Mon, 21 Jun 2021 10:50:07 -0400 (EDT)
Authentication-Results: albina.zerospam.ca (ip=192.228.22.11); spf=none smtp.helo=mx1.cira.ca; spf=pass smtp.mailfrom=Jacques.Latour@cira.ca; dkim=none; dmarc=none (action=none) reason="No DMARC policy found" header.from=cira.ca
Received: from 127.0.0.1 (127.0.0.1:12000) (original ip: 192.228.22.11) by albina.zerospam.ca (Themis) with ESMTP id zZfXJj2AiKWdJkvubS1; Mon, 21 Jun 2021 10:50:06 -0400
Received: from mx1.cira.ca (nat.crp.cira.ca [192.228.22.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by albina.zerospam.ca (Postfix) with ESMTPS id 4G7srZ11zgzyN7; Mon, 21 Jun 2021 10:50:06 -0400 (EDT)
Received: from CRP-EX16-02.CORP.CIRA.CA (10.2.36.121) by CRP-EX16-02.CORP.CIRA.CA (10.2.36.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2242.10; Mon, 21 Jun 2021 10:50:05 -0400
Received: from CRP-EX16-02.CORP.CIRA.CA ([fe80::c50f:56f4:1f3c:b748]) by CRP-EX16-02.CORP.CIRA.CA ([fe80::c50f:56f4:1f3c:b748%14]) with mapi id 15.01.2242.010; Mon, 21 Jun 2021 10:50:05 -0400
From: Jacques Latour <Jacques.Latour@cira.ca>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "danish@ietf.org" <danish@ietf.org>
Thread-Topic: [EXT] RE: IoT Device Identification with TLSA via Danish
Thread-Index: AddhKvcSXHMYMAB6StqY1oKWkaM4dwD3nhkgAGhz3EA=
Date: Mon, 21 Jun 2021 14:50:05 +0000
Message-ID: <7847f2fef4474c2c8ab7ea1b06d2d39b@cira.ca>
References: <02cb8931e16c4ccaa6eed1b89c0a20b6@cira.ca> <DBBPR08MB5915F04A83054BBEB4F9FE7BFA0C9@DBBPR08MB5915.eurprd08.prod.outlook.com>
In-Reply-To: <DBBPR08MB5915F04A83054BBEB4F9FE7BFA0C9@DBBPR08MB5915.eurprd08.prod.outlook.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_Enabled=true; MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_SetDate=2021-06-21T14:50:04Z; MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_Method=Standard; MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_Name=Confidential; MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_SiteId=f349b30c-7550-4f17-88da-269417631f54; MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_ActionId=024940c3-c741-41ca-8799-fc26e14044a4; MSIP_Label_ee0e450f-d653-41c9-9b6c-2295bb19e3b2_ContentBits=2
x-originating-ip: [10.2.36.1]
Content-Type: multipart/alternative; boundary="_000_7847f2fef4474c2c8ab7ea1b06d2d39bciraca_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/gwXnL46A174qipGsovTKqK0-r7c>
Subject: Re: [Danish] [EXT] RE: IoT Device Identification with TLSA via Danish
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2021 14:50:21 -0000
Hi Hannes, Yes, in my presentation on very first slide I said "we presented the IoT Registry many times in the past at many venues", the IoT Registry for us is an identity management system for mobile GMSA IoT SAFE enabled IoT devices. It's the gateway between the mobile network operators and the cloud/ASPs. * See https://github.com/CIRALabs/CIRA-Secure-IoT-Registry/blob/38c3128651fbfcf8a0b5bd40523cd7dc12a5bc70/CIRA%20-%202020-01-22%20ICS%20Symposium.pdf In short, in the IoT Registry we track the identity of the IoT device (public key or certificate) to a unique eSIM ID via IoT SAFE. In this context, I'm a big fan of making available in the DNS w/DNSSEC the individual IoT device identity via the proposed DANISH mechanisms. Jacques CLASSIFICATION:CONFIDENTIAL From: Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sent: June 19, 2021 8:51 AM To: Jacques Latour <Jacques.Latour@cira.ca>; danish@ietf.org Subject: [EXT] RE: IoT Device Identification with TLSA via Danish Hi Jacques, Thanks for sharing your slides. Since the slides are not meant to be self-explanatory I have a question for you: What is an IoT registry for you? (You mention the term on slide 2 and it seems to be core to your presentation.) Ciao Hannes From: Danish <danish-bounces@ietf.org<mailto:danish-bounces@ietf.org>> On Behalf Of Jacques Latour Sent: Monday, June 14, 2021 4:41 PM To: danish@ietf.org<mailto:danish@ietf.org> Subject: [Danish] IoT Device Identification with TLSA via Danish Hi, Today I presented at the ICANN DNSSEC workshop the potential results of DANISH working group which I think should include the entire scope having a mutual TLSA validated TLS session from an IoT device to a server. https://github.com/CIRALabs/CIRA-Secure-IoT-Registry/blob/master/CIRA%20-%20Challenges%20in%20DNSSEC%20IoT%20Registry%20-%20ICANN%202021-6-14.pdf In addition, I was thinking there should be a 4th TLSA certificate usage, type 0 or 4, for TLSA to show cert that are revoked, if we know for sure the certificate is revoked then it should be presented and queried/answered as such, an authoritative answer signed with DNSSEC to say certificate is revoked, not to be trusted anymore. NSEC says it does not exists, this usage would be very clear. This works for client identity, not sure for other TLSA use cases. Jacques IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Danish] IoT Device Identification with TLSA via … Jacques Latour
- Re: [Danish] IoT Device Identification with TLSA … Viktor Dukhovni
- Re: [Danish] [EXT] Re: IoT Device Identification … Jacques Latour
- Re: [Danish] [EXT] Re: IoT Device Identification … Viktor Dukhovni
- Re: [Danish] [EXT] Re: IoT Device Identification … Michael Richardson
- Re: [Danish] [EXT] Re: IoT Device Identification … Michael Richardson
- Re: [Danish] [EXT] Re: IoT Device Identification … Viktor Dukhovni
- Re: [Danish] [EXT] Re: IoT Device Identification … Paul Wouters
- Re: [Danish] [EXT] Re: IoT Device Identification … Ash Wilson
- Re: [Danish] [EXT] Re: IoT Device Identification … Viktor Dukhovni
- Re: [Danish] [EXT] Re: IoT Device Identification … Michael Richardson
- Re: [Danish] [EXT] Re: IoT Device Identification … Jacques Latour
- Re: [Danish] [EXT] Re: IoT Device Identification … Viktor Dukhovni
- Re: [Danish] IoT Device Identification with TLSA … Hannes Tschofenig
- Re: [Danish] [EXT] Re: IoT Device Identification … Hannes Tschofenig
- Re: [Danish] [EXT] Re: IoT Device Identification … Michael Richardson
- Re: [Danish] [EXT] RE: IoT Device Identification … Jacques Latour