Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
Ash Wilson <ash.wilson@valimail.com> Thu, 03 December 2020 16:26 UTC
Return-Path: <ash.wilson@valimail.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B0F13A0F0C for <iot-onboarding@ietfa.amsl.com>; Thu, 3 Dec 2020 08:26:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dfs_vJMfC9ld for <iot-onboarding@ietfa.amsl.com>; Thu, 3 Dec 2020 08:26:15 -0800 (PST)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA7053A0F04 for <iot-onboarding@ietf.org>; Thu, 3 Dec 2020 08:26:15 -0800 (PST)
Received: by mail-qv1-xf2e.google.com with SMTP id n9so1216073qvp.5 for <iot-onboarding@ietf.org>; Thu, 03 Dec 2020 08:26:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/1+I/fEp9j1/LXxLTMyepiqQsGS8B6P1Gfvd72qjfL8=; b=fConyp1rEuAgqmrkLhJVJnJJEYWakTGcqM5YKp8A7yBtX1IBCUGaWPU+XQHPlBTSHN 0sgEflh6xoAj5UL2DJ7UzK1XuwmcQTC5iTX5t9f/SojGwS7Q/yTzqIO86P9qG6gpdEYC jI4u96wYE4d3ySmQJ7ck7E6CYHB0ccdxdwGiTCgAzT3Wl+Dyp+C2wP+6HUhlm/vaqlGG 8Ud6GlvR+hYab83xIwJe0THghlbOYbPwfobLskPhPVUJjg/fEu0LD4JJm692XCnA4m8Y nR5ieOmirN53NvSvlJB66VuE+KejGsgsPPP/uFWy4xaUBbOnWcqmgZWRmujKXH+LHi8k DnKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/1+I/fEp9j1/LXxLTMyepiqQsGS8B6P1Gfvd72qjfL8=; b=rU72/iRsZV/Ry2gSmbXE7+tJf1gN8t+5qfLcTvLCrYHQgHquCvt2IudQBkB6U4r8Ti l8FOCvLvSUv6xy+lcLc/sqiUUEwfjd+nOSWO4gsQcXZYUHY7GS5GOh0fSIqSjUeGWDm8 9Z1+h+AYewe8ChAhhsanPWAi8OO/LkgnGzH1aOmCiU6hOIFRDHXrSS0ACiWdo50Siwiv TikasGEQSQDyXwiMwnXJQlkZfXByDilOVoIyI+sp43XQIjjtAP1futtKZtfUrxHkWJQe ipnceBvSmUu+KQcu0DwZcuQvhgPc2UIg8fYpgm0nUW1EtsJlxoU0YyRme6uK3VAl5TIa VTYg==
X-Gm-Message-State: AOAM5315QtduGGu/+mDwTHAYdG0OnYJqcKF4sFWBsbrQVcN8hyByGUHa d2KapdqT7GUcdxT6gS66cQNTvIjVg9sj01TmCKQCKg==
X-Google-Smtp-Source: ABdhPJzpvCQ3QONQCVwgxCe/xsvivudIup9IlUOgJtEz//FKfZpKeWx6NfusidbqoMDtxp4tevlwyxWXLjR+nd0Hbgo=
X-Received: by 2002:ad4:5621:: with SMTP id cb1mr3976170qvb.12.1607012774388; Thu, 03 Dec 2020 08:26:14 -0800 (PST)
MIME-Version: 1.0
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com> <2FE1E13B-E313-43F9-932E-6682DF72E18D@cisco.com> <20201117074330.GP39343@faui48f.informatik.uni-erlangen.de> <CAEfM=vTDPi6fQXR+EQ7jW04RsyZQRQXHw3R-fH+QiC70JKSZaA@mail.gmail.com> <692795.1606948121@dooku>
In-Reply-To: <692795.1606948121@dooku>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Thu, 03 Dec 2020 11:26:03 -0500
Message-ID: <CAEfM=vTJOHbvomtZ0NSv2GRumycA+iOJaA2oeAMtFQWN4pabUw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, Shumon Huque <shuque@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000916a2705b591d111"
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/0bd5sRuo5S1dXAA7JFT2c6lswBg>
Subject: Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 16:26:18 -0000
On Wed, Dec 2, 2020 at 5:28 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > <#secure method=pgpmime mode=sign> > > Hi Ash, > I AM NOT A PKIX FAN. > I hate it, BUT: > > Ash Wilson <ash.wilson=40valimail.com@dmarc.ietf.org> wrote: > > application, hosted in the cloud. All sensors will use the city's > > municipal wifi to connect to edge nodes. I do not want to be bound > to > > selecting the same vendor for all sensors (I want best-of-breed), > and I > > do not want to operate my own CA. For my risk model, it's OK to use > > mfr-issued device certificates for all of my sensors. > > Could you explain a bit more about "operate my own CA". > What infrastructure are you willing to operate? > As an application owner, my priority is operating only what's required to securely and reliably deliver my application's functionality. If I can get broadly useful device identity from the device supplier, that represents a reduction in the footprint of the application I'm responsible for maintaining. If the supplier ships devices with certificates or raw public keys already in DNS, I may not need to re-key to my own PKI. This makes a handful of assumptions, including that keys are provisioned in an appropriately secure manner (which https://tools.ietf.org/html/draft-richardson-t2trg-idevid-considerations-01 can help with). This process could require the supplier to manage the DNS namespace for the devices they ship with this type of identity. Alternatively, I could give the supplier a list of names I would like to have assigned to devices, and then receive an archive of all the device certificates to bulk-upload into a DNS zone which I maintain. I can run my own CA if I need to... But the need to do so diminishes if DANE allows me to avoid name collisions and to perform mutual auth without having to distribute CA certificates. > > Network access use case: I use cert-based EAP-TLS to provide > network > > access control for the networks my sensors and edge nodes connect > > to. > > But, which certificates do you use? The IDevID ones? > If so, do you just have a database which each EE certificate pinned? > This depends on the configuration of the TLSA record. If the certificate usage is 3 (DANE-EE), then the certificate or public key is validated against the device's TLSA record(s) and PKIX validation is not required. In this use case, the RADIUS server just needs a list of permitted identities. If the supplicant can prove possession of a private key associated with a DANE identity on the RADIUS server's 'allow' list, the device is allowed onto the network. This can be an IDevID or LDevID certificate, as long as it has a name in DNS. The database which associates names to public keys is DNS, and the RADIUS server only needs a list of permitted DNS names. > > In order to prevent the possibility of naming collision across > > suppliers (which creates an opportunity for device impersonation, > > improper network access, and unreliable data) I need to onboard all > of > > my devices to a single CA. > > > If I use DANE for device identity, I don't > > need my own private CA, rather I only need to provide my RADIUS > server > > with a list of allowed device DNS names for the municipal sensor > > network, regardless of device mfr or identity provider. > > How is this different than providing a database of EE or public keys? > This actually is providing a database of public keys, but the database is DNS and identities can be maintained by whoever the application owner trusts to do so (mfr, implementer, etc...). The same database (DNS) can be used to support authenticating network access as well as message signature verification. > > Session security use case: My sensors connect to my edge nodes > using > > TLS. With traditional PKI, I need to make sure that the trust store > in > > every sensor has a CA cert for my edge nodes. My edge nodes need CA > > certs to accommodate all sensors which might need to connect to > > them. Without DANE for client identity, I need to either copy around > CA > > certs from all of my suppliers (name collision risk), or manage my > own > > CA and onboard all of those devices, which can be costly. With DANE > for > > TLS client identity, I can configure each sensor with the name of its > > upstream edge server (use DANE as it is now), and I can configure > each > > edge server with the names of its allowed clients (use DANE for > client > > ID). My sensors use mDNS to discover edge node IP addresses, and use > > DANE to authenticate the discovered edge nodes for establishing a TLS > > session. > > I dunno, it feels like you are willing to jump through a lot of hoops to > avoid running a CA. CAs are only hard if you are public and have CPS. > I agree that CAs don't have to be difficult to operate. There are a number of providers who have great user interfaces and provide useful APIs and integrations. As an application owner, I want to focus on the core functionality of my application, and if I can purchase/lease devices with immediately useful identities, then I don't need to maintain a CA component (as-a-service or otherwise) as a part of my application footprint. > > Message/object security use case: I want my edge nodes to forward > > This seems moot. Either way, you can use object security if you can track > the signature to an identity. > This is all about simplifying the process of discovering public keys. If the message bears the sending entity's DANE/DNS name, the recipient can use DNS to retrieve the public key. This improves: * Network bandwidth consumption: No need for the message sender to also transmit a certificate. * Removal of implied trust: No need to base trust for message integrity and attribution on middleware if the message can be independently verified. * Systems integration: You don't need to integrate with a proprietary API to retrieve certificates for message authentication. Rather, DNS can become the discovery API for every CA that wishes to participate. > -- > ] Never tell me the odds! | ipv6 mesh > networks [ > ] Michael Richardson, Sandelman Software Works | network > architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on > rails [ > > -- *Ash Wilson* | Technical Director *e:* ash.wilson@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Toerless Eckert
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Toerless Eckert
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- [Iot-onboarding] Confusing terminology was Re: [S… Mohit Sethi M
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Mohit Sethi M
- Re: [Iot-onboarding] Confusing terminology was Re… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Mohit Sethi M
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Phillip Hallam-Baker
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Dan Harkins
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Phillip Hallam-Baker
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Phillip Hallam-Baker
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson