IETF Logo Mail Archive

Re: [Danish] Charter Text and the Problem Statement

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 23 June 2021 00:38 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 920673A2147 for <danish@ietfa.amsl.com>; Tue, 22 Jun 2021 17:38:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VkC826MKMRfa for <danish@ietfa.amsl.com>; Tue, 22 Jun 2021 17:38:30 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA1523A2117 for <danish@ietf.org>; Tue, 22 Jun 2021 17:38:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id C23D738CC2; Tue, 22 Jun 2021 20:40:05 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id iF-HCCSQW-pg; Tue, 22 Jun 2021 20:40:03 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 27C8338CC1; Tue, 22 Jun 2021 20:40:03 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 4A9E4E32; Tue, 22 Jun 2021 20:38:25 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "danish@ietf.org" <danish@ietf.org>
In-Reply-To: <DBBPR08MB59157E1831783E7657D048A6FA0A9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915066E1CE5BDB2D695A8DAFA0F9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAEfM=vQehhvSNeBNitJJjisEbimn_gizoo8VTtHWUJ1zSU+rQg@mail.gmail.com> <DBBPR08MB5915D8FC201DFEB31F7D8EA8FA0E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAEfM=vTHPmDcOimf9xOvkYgeObbHvpfG1uZUVjBJFhykrZNafg@mail.gmail.com> <DBBPR08MB5915C107E3620968DFE34D97FA0C9@DBBPR08MB5915.eurprd08.prod.outlook.com> <23295.1624134481@localhost> <DBBPR08MB591546610B09B3606721EF2CFA0B9@DBBPR08MB5915.eurprd08.prod.outlook.com> <5631.1624225291@localhost> <DBBPR08MB5915DB801CD6D3FFD8D69E96FA0A9@DBBPR08MB5915.eurprd08.prod.outlook.com> <11057.1624286439@localhost> <DBBPR08MB59157E1831783E7657D048A6FA0A9@DBBPR08MB5915.eurprd08.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 22 Jun 2021 20:38:25 -0400
Message-ID: <18932.1624408705@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/zBu6yTXRPkEawE4nb7gtJfjT8w4>
Subject: Re: [Danish] Charter Text and the Problem Statement
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jun 2021 00:38:36 -0000

Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
    > I was not necessarily thinking about IEEE 802.1AR and the way BRSKI
    > uses it. BRSKI is kind of special in the way it is designed.

It's not that special, actually :-)

DeviceAuthority has a similar design in their proprietary protocol.
  (I don't know many details, just presentations, they have NDAs)
The Intel-SDO, now FIDO IoT, is also very similiar.
It looks like CHIP/MATTER also arranges for an LDevID equivalent, but without
a voucher.

    > In general, in security there is the idea to use different keys for
    > different purposes. If that has changed then I completed missed it.

It's clearly better to do that if you can.

But, _better sometimes is often the enemy of good enough_ is a proverb I've
heard attributed to many cultures.  Better the keypair you overuse
than the factory default password you can never change, right?

My hope that the TLS subcerts mechanism will allow us to operationally use
different keys, while from an identity and authorization point of view, it's
all one virtual key.  But, first that has to get deployed ubiquitously.

    > Regarding the management of access with wearables and smart home
    > deployments using standardized protocols I thought that this is why we
    > did all the work in ACE.

Yes, that's true.  We did that all that stuff in ACE to allow the protocols
and the authorizations, but the specification and onboarding of identities
was specifically out of scope for ACE.  You might recall that I insisted on
that.
I wanted to do that, because I didn't want ACE to attempt to boil the same
ocean that ANIMA and others were also boiling.

Here in DANISH, we can now look forward to the situation where we can use
what is essentially the well-protected (in some TEEP) factory provisioned
key, with the DANE based identity in the authorization list.  *OR* we could
have the private PKI of one operator vertical to export to DANE for
interoperation with another vectical.  Or some hybrid mix.

What's the bottom line Hannes should take home:
       _billions and billions of new mbedTLS users_ :-)


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email