Re: [homenet] Ted's security talk at IETF99: DNCP Security

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 01 August 2017 20:48 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E78129ACD for <homenet@ietfa.amsl.com>; Tue, 1 Aug 2017 13:48:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WmEeLxzU8M5Q for <homenet@ietfa.amsl.com>; Tue, 1 Aug 2017 13:48:23 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66486124B0A for <homenet@ietf.org>; Tue, 1 Aug 2017 13:48:23 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 3A6582009E; Tue, 1 Aug 2017 16:50:11 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1CA2A8076D; Tue, 1 Aug 2017 16:48:22 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ted Lemon <mellon@fugue.com>
cc: homenet@ietf.org
In-Reply-To: <6C42A593-3EBC-49BE-9A9F-0CF701FF68BF@fugue.com>
References: <3725.1501514462@obiwan.sandelman.ca> <52E1C5A0-FC0E-46A5-9016-AA95FB3DC1CB@fugue.com> <3184.1501522914@obiwan.sandelman.ca> <5A407EA3-AC8B-44A7-8EC2-8242480027FE@fugue.com> <27345.1501546823@obiwan.sandelman.ca> <AA5A4081-02A3-4A80-BF8B-10C003DE71D5@fugue.com> <10182.1501601902@obiwan.sandelman.ca> <6C42A593-3EBC-49BE-9A9F-0CF701FF68BF@fugue.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Tue, 01 Aug 2017 16:48:22 -0400
Message-ID: <20840.1501620502@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/F8lOI9d80Z8CLm-Mxn8xK6Vc2XE>
Subject: Re: [homenet] Ted's security talk at IETF99: DNCP Security
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 20:48:25 -0000

Ted Lemon <mellon@fugue.com>; wrote:
    > You agree that it's a different problem right?

    mcr> The common part is that one might have a similar set of external
    mcr> (physical) signals.

    mcr> Should Dave bring his printer to the IETF network, and they happen to
    mcr> discovery each other via privacy-enhanced dnssd magic (cf: Arthur Clark's
    mcr> definition of magic), then it would be good that they can prove that it's
    mcr> really them.

    > To be honest, I probably missed the point you were making—I just went back
    > and reviewed this exchange, and I don't actually understand what the
    > distinction is that you are making between ephemeral and long-lived
    > relationships.

This thread started by being about the problem of getting devices in the home
to securely join the homenet.  One sees a list of possible routers in the
home, and identifies one that should belong, and tells your homenet that it
should be allowed to join.  (And the router also is told to join your
network).

The short-term exchange is where you discover the new router and do the
out-of-band secured exchange to establish initial trust.  Within that initial
trust, longer-term credentials (asymmetric keys) are exchanged.


--
Michael Richardson <mcr+IETF@sandelman.ca>;, Sandelman Software Works
 -= IPv6 IoT consulting =-