Re: [Iot-onboarding] OPC and BRSKI
Dan Harkins <dharkins@lounge.org> Fri, 09 August 2019 16:55 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 357471201A3 for <iot-onboarding@ietfa.amsl.com>; Fri, 9 Aug 2019 09:55:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3WUqiaV-wxqj for <iot-onboarding@ietfa.amsl.com>; Fri, 9 Aug 2019 09:55:51 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F6C51201A2 for <iot-onboarding@ietf.org>; Fri, 9 Aug 2019 09:55:51 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-93-158-174.san.res.rr.com [76.93.158.174]) by wwwlocal.goatley.com (PMDF V6.8-0 #1001) with ESMTP id <0PVZ0043IB12K3@wwwlocal.goatley.com> for iot-onboarding@ietf.org; Fri, 09 Aug 2019 11:55:50 -0500 (CDT)
Received: from thinny.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0PVZ00BGKB0I0W@trixy.bergandi.net> for iot-onboarding@ietf.org; Fri, 09 Aug 2019 09:55:30 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO thinny.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Fri, 09 Aug 2019 09:55:30 -0700
Date: Fri, 09 Aug 2019 09:55:48 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <20190808162540.5jwwwxcubl6wp6u2@faui48f.informatik.uni-erlangen.de>
To: Toerless Eckert <tte@cs.fau.de>
Cc: iot-onboarding@ietf.org
Message-id: <b7abeb43-f23f-6b04-6c9e-8b39ac3c25cf@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO thinny.local)
References: <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com> <BYAPR08MB49037C509717B409DE7B570BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <20190806223052.md5lp6yeleuvuf5l@faui48f.informatik.uni-erlangen.de> <BYAPR08MB4903CED7FFDB7D11EFDB49FAFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <BYAPR08MB4903E91A2E9FC117755443C1FAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <F5504CAE-85B7-43AF-B743-1E234A4B320E@cisco.com> <BYAPR08MB4903C95973435BA06FC3C080FAD40@BYAPR08MB4903.namprd08.prod.outlook.com> <B5B28896-C211-41BF-AB51-0C6FDC72E44F@cisco.com> <0100016c6d9b4c92-77a6c841-c195-4323-b467-169c4bfabdee-000000@email.amazonses.com> <70a91551-dc40-966b-0f3d-f12fc41d58b7@lounge.org> <20190808162540.5jwwwxcubl6wp6u2@faui48f.informatik.uni-erlangen.de>
X-PMAS-Software: PreciseMail V3.3 [190808a] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/0y4sRBFE0usPedLwFjHQ-SgbRqo>
Subject: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2019 16:55:53 -0000
Hi Toerless, On 8/8/19 9:25 AM, Toerless Eckert wrote: > On Wed, Aug 07, 2019 at 10:40:54PM -0700, Dan Harkins wrote: >> The problematic nature of voucher-less trust can be offset somewhat by >> limiting knowledge of the device's credential. DPP attempts to do this. The DPP >> device will only accept a provisioning agent that knows its public key. > What is DPP ? The Device Provisioning Protocol. A quick google search discovers that Michael has graciously placed the spec on his server. Thanks Michael! http://www.sandelman.ca/tmp/ieee/dev-prov.pdf It's a way to provision 802.11 devices before they get on the 802.11 network. It doesn't require a backend like a MASA but such a thing could be used if need be. Check it out. > Interesting scheme. I wonder how problematic security experts would find > this approach. But certainly novel to me to use a public key as a shared > secret with one "owner". The public key isn't really a secret. It's the identity of the device. And if you know it then you have the ability to provision it. You can talk to the device if you know who it is, if you don't know who it is it will ignore you. For small office or home/apartment situations this is trust-by-possession. But, as I said, something like a MASA could be used to provide other forms of trust (e.g. trust through legitimate purchase). >> But that is not the only way of bootstrapping a >> device's public key. The device's public key could be bootstrapped from a >> cloud service-- give the serial number of the device (and/or proof-of-ownership) >> and get back the device's public key. > How about resale of such a device. The second owner knows that the first > owner always has a key left (because it can always remember the public key). > Or else it should be possible to erase/recreate this key-pair. This identity key, called a bootstrapping key, does not change when the thing is reset to to factory defaults. If the thing is not provisioned it will listen for DPP messages addressed to it (via this identity key) and when it is provisioned it will not listen to DPP messages anymore until it is reset to factory defaults. If you want to resell the device you just need to provide the new owner with the bootstrapping key (it may still be in the form of a QR code on its backside or you may have it in packing materials). The owner can then reset the thing to factory defaults and start sending it DPP messages. >> This allows the device to have a modicum of trust in "the network" based >> on the steps the network had to go through in order to bootstrap the device's >> public key. >> This way printers (with a relatively low bar on trust of "the network") can >> get provisioned for a network that also includes something like a centrifuge >> (with a relatively higher bar on trust of "the network" that it will join). > Not sure i understand that point. I'm trying to say that there are multiple ways to obtain a thing's identity key and they all impart different degrees of trust. It is up to a manufacturer to provide bootstrapping of identity keys of the things it produces in a manner that is suitable for those kinds of things-- televisions placed on home networks are different than light arrays placed in stadiums which are different than EKGs put in hospitals which are different than.... >> I'm not sure how relevant this is to OPC (I have not found the relevant >> documents on the OPC website) but I just want to point out that voucher-less >> provisioning does not have to rely solely on blind trust or TOFU. > A voucher is just a secure digital artefact to pass on authorization of > ownership. If you want to give that authorization to some enterprises > server/registrar in the shared-secret public-key scheme, you would also > need to have some way to pass on that public key to that enterprise > server. Just a different type of voucher. > > Aka: there is always a voucher, even if you haven't called it that way ;-)) Indeed! One of the by-products of this effort by Eliot to enumerate all these on-boarding techniques might be some common lingo so we can all talk to each other :-) regards, Dan.
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] [Anima] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Kent Watsen
- Re: [Iot-onboarding] OPC and BRSKI Dan Harkins
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Kent Watsen
- Re: [Iot-onboarding] OPC and BRSKI Kent Watsen
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Dan Harkins
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Randy Armstrong (OPC)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Randy Armstrong (OPC)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC an… Toerless Eckert
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC an… Owen Friel (ofriel)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Jack Visoky
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Jack Visoky
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Jack Visoky
- Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC an… Jack Visoky