Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Fri, 09 August 2019 19:32 UTC

Return-Path: <randy.armstrong@opcfoundation.org>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBC8C120019 for <iot-onboarding@ietfa.amsl.com>; Fri, 9 Aug 2019 12:32:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=opcfoundation.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EnM8vzAua1H8 for <iot-onboarding@ietfa.amsl.com>; Fri, 9 Aug 2019 12:31:59 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-eopbgr820040.outbound.protection.outlook.com [40.107.82.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3051E12002E for <iot-onboarding@ietf.org>; Fri, 9 Aug 2019 12:31:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UhhwL4UFqg/327DvQSkQRYI5L8VDPWnN7bcMwQJIcMDAKlvNE6Jd90E0tG6f4BLQS8guxMCKKgOpWIoxr/eUKNMK0hGjPivm77YEf1zwDx43FyTafcsbwNI18GBCTgX1pka3xTurX1mjCR10oi/4MlR1qlrL+y/07lPBc3J3603XG3wYysHqGl1NjSsxEb8AXap5qm9LycogbKxSEGcSYU7MrhNA8IKD1sTpqWMqtkQnjouX98PylCeoYc9hcNimZtKHi+2MW+I6cY+b0xC6fPjehRwYv0H4TZqP2pQpDqy3pUIbIs2L18XSxa+RZ+id2L2BW8d9VV5tqta0cu9nvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wGcCfuZbYvqBK6tWTCSo6a+or+tM/NlUaqG/A7e54ig=; b=oIGvfTTzZyBylBTU2VZDxq0WQWxFsfFtFUWD1cxGHKptBDXwJtuDdsEJKQ3K7PodYhMYX5Q5OExW5x14UD+AkN6CdIL2OV/YswCTgUFYdrrKGay5Ifn1P2OYEgfm0H1d+6ca1X3M+yoeGRykbzK61/On6qvN4s9t3Hfsot1qFiqX5AmqN199x7oFUi5RlvRP9H2LA7dKMgJYomuejOXL9HVMy5yUUTPVyJSPIV+rDCxoiGxPs4U3ZWHLW9Sx+PLVR0DoaV9za4fIhIWvsO/jPrJzPZ64HT+pm31xuYkyrnYUcxyPAG1td90ObN6ENf50jaPSugpyZOHRUkUJZkfBvA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=opcfoundation.org;dmarc=pass action=none header.from=opcfoundation.org;dkim=pass header.d=opcfoundation.org;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=opcfoundation.onmicrosoft.com; s=selector1-opcfoundation-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wGcCfuZbYvqBK6tWTCSo6a+or+tM/NlUaqG/A7e54ig=; b=ABWIRqvdWIr+kvecJP6nXDmKxTBVJUkxwqXyMZyhWAn4Zzvu9GK89+bFk1fqIkGYQYFXaruP42Zh8tmuE/T+0SChek/3NCUVTY1I1ub2CHRyMrtXplk7/LH3EJKQy1E6zpAeEdvtFzvX96xfexMDurMuspmzKQrgec3BdrxeKOM=
Received: from BYAPR08MB4903.namprd08.prod.outlook.com (20.176.255.96) by BYAPR08MB4357.namprd08.prod.outlook.com (52.135.211.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2136.20; Fri, 9 Aug 2019 19:31:57 +0000
Received: from BYAPR08MB4903.namprd08.prod.outlook.com ([fe80::149d:d834:7df3:fc53]) by BYAPR08MB4903.namprd08.prod.outlook.com ([fe80::149d:d834:7df3:fc53%4]) with mapi id 15.20.2157.020; Fri, 9 Aug 2019 19:31:57 +0000
From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Dan Harkins <dharkins@lounge.org>, Toerless Eckert <tte@cs.fau.de>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] OPC and BRSKI
Thread-Index: AdVMZzs5EDHMP+c/QWCVcWuK34MU/QAGrJ8AAADfarAABKcngAAAO+sQAANovwAAARHHUAAAmp+QABFFfIAAAX6+0AABMbGAABbM7wAAFOAnAAAWhKoAADNYBAAABWii4A==
Date: Fri, 9 Aug 2019 19:31:57 +0000
Message-ID: <BYAPR08MB49038D69A3ACD3AD815E9714FAD60@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com> <BYAPR08MB49037C509717B409DE7B570BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <20190806223052.md5lp6yeleuvuf5l@faui48f.informatik.uni-erlangen.de> <BYAPR08MB4903CED7FFDB7D11EFDB49FAFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <BYAPR08MB4903E91A2E9FC117755443C1FAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <F5504CAE-85B7-43AF-B743-1E234A4B320E@cisco.com> <BYAPR08MB4903C95973435BA06FC3C080FAD40@BYAPR08MB4903.namprd08.prod.outlook.com> <B5B28896-C211-41BF-AB51-0C6FDC72E44F@cisco.com> <0100016c6d9b4c92-77a6c841-c195-4323-b467-169c4bfabdee-000000@email.amazonses.com> <70a91551-dc40-966b-0f3d-f12fc41d58b7@lounge.org> <20190808162540.5jwwwxcubl6wp6u2@faui48f.informatik.uni-erlangen.de> <b7abeb43-f23f-6b04-6c9e-8b39ac3c25cf@lounge.org>
In-Reply-To: <b7abeb43-f23f-6b04-6c9e-8b39ac3c25cf@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=randy.armstrong@opcfoundation.org;
x-originating-ip: [24.80.80.10]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1cc33298-a24d-40f2-5725-08d71d003e41
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(5600148)(711020)(4605104)(1401327)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(2017052603328)(7193020); SRVR:BYAPR08MB4357;
x-ms-traffictypediagnostic: BYAPR08MB4357:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYAPR08MB43573E4189E868287E149579FAD60@BYAPR08MB4357.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 01244308DF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(346002)(366004)(396003)(39830400003)(376002)(189003)(199004)(13464003)(40224003)(66946007)(66556008)(186003)(66476007)(76116006)(11346002)(476003)(486006)(5660300002)(66446008)(4326008)(64756008)(53936002)(86362001)(25786009)(6116002)(8676002)(3846002)(6246003)(110136005)(229853002)(7696005)(2906002)(305945005)(74316002)(8936002)(9686003)(508600001)(71190400001)(14454004)(76176011)(81156014)(71200400001)(81166006)(966005)(99286004)(316002)(26005)(6436002)(66066001)(446003)(52536014)(256004)(14444005)(53546011)(7736002)(6306002)(6506007)(33656002)(55016002)(102836004); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR08MB4357; H:BYAPR08MB4903.namprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: opcfoundation.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: zt2AfPR2AlUPzFbfYQLZ2xxIexPoeDgU0ESothZ6puxcUsBcrtP/X1fLB3AS0Fs23CB1IzTi0bNeTu2PPyOXkWfb9J51WG6aGypSoeWTXIiQZzPatYEyq2k69VNX2qfsQ+H2MzzoCjZDnZqYHfL8bYtio4DkNKrpMYgWqwfsuPszMX96VQ4SYAKUXEwgNE0mrGRD0PiJY2DSoArUwsePW9SsK7tBsc2wZ2bbQFdTVdF6MCcsdzqT9TD8FLEDubyRMNy69WmmMmYBdHwz5GiD31A6Tjiyg+tPEqBUG5WYAUMyB9WgqehLxQJrDXV/JsaTt2ULsiwJfJS5ZXsIiltJ/x9nDbAlx22qFCDo78pLJA6XiZLCj97Y2DWfFx2a60P1B5nMkV5ERz8dgak0hKRLLJLx5l7p+SZyllpABFgldRs=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: opcfoundation.org
X-MS-Exchange-CrossTenant-Network-Message-Id: 1cc33298-a24d-40f2-5725-08d71d003e41
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2019 19:31:57.6550 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2d8ef4e4-d41c-489c-8004-bb99304b60fe
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xyVU1jBTJ6wEzq56c077u2TqOX1gYCAkwX8ufHohiFWkkSw4vYVtNFtG9Ri5AcHj7FS8kUvLy1UtMUlWIEjnkP5B/GI8OrM0DvFY4o65v/3ikDB5M/9cb6G5Xvn/CxX1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR08MB4357
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/QVhb7GgNu1ejpkEIwMvBLb3kndU>
Subject: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2019 19:32:03 -0000

>   Indeed! One of the by-products of this effort by Eliot to enumerate all these on-boarding techniques might be some common lingo so we can all talk to each other :-)

One of my objectives from this conversation to find out what common terminology should be used in the OPC specifications.

-----Original Message-----
From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Dan Harkins
Sent: August 9, 2019 9:56 AM
To: Toerless Eckert <tte@cs.fau.de>
Cc: iot-onboarding@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI


   Hi Toerless,

On 8/8/19 9:25 AM, Toerless Eckert wrote:
> On Wed, Aug 07, 2019 at 10:40:54PM -0700, Dan Harkins wrote:
>>    The problematic nature of voucher-less trust can be offset 
>> somewhat by limiting knowledge of the device's credential. DPP 
>> attempts to do this. The DPP device will only accept a provisioning agent that knows its public key.
> What is DPP ?

   The Device Provisioning Protocol. A quick google search discovers that Michael has graciously placed the spec on his server. Thanks Michael!

    http://www.sandelman.ca/tmp/ieee/dev-prov.pdf

It's a way to provision 802.11 devices before they get on the 802.11 network.
It doesn't require a backend like a MASA but such a thing could be used if need be. Check it out.

> Interesting scheme. I wonder how problematic security experts would 
> find this approach. But certainly novel to me to use a public key as a 
> shared secret with one "owner".

   The public key isn't really a secret. It's the identity of the device. And if you know it then you have the ability to provision it. You can talk to the device if you know who it is, if you don't know who it is it will ignore you. For small office or home/apartment situations this is trust-by-possession.
But, as I said, something like a MASA could be used to provide other forms of trust (e.g. trust through legitimate purchase).

>> But that is not the only way of  bootstrapping a device's public key. 
>> The device's public key could be bootstrapped from a cloud service-- 
>> give the serial number of the device (and/or proof-of-ownership) and 
>> get back the device's public key.
> How about resale of such a device. The second owner knows that the 
> first owner always has a key left (because it can always remember the public key).
> Or else it should be possible to erase/recreate this key-pair.

   This identity key, called a bootstrapping key, does not change when the thing is reset to to factory defaults. If the thing is not provisioned it will listen for DPP messages addressed to it (via this identity key) and when it is provisioned it will not listen to DPP messages anymore until it is reset to factory defaults. If you want to resell the device you just need to provide the new owner with the bootstrapping key (it may still be in the form of a QR code on its backside or you may have it in packing materials). The owner can then reset the thing to factory defaults and start sending it DPP messages.

>>    This allows the device to have a modicum of trust in "the network" 
>> based on the steps the network had to go through in order to 
>> bootstrap the device's public key.
>> This way printers (with a relatively low bar on trust of "the 
>> network") can get provisioned for a network that also includes 
>> something like a centrifuge (with a relatively higher bar on trust of "the network" that it will join).
> Not sure i understand that point.

   I'm trying to say that there are multiple ways to obtain a thing's identity key and they all impart different degrees of trust. It is up to a manufacturer to provide bootstrapping of identity keys of the things it produces in a manner that is suitable for those kinds of things-- televisions placed on home networks are different than light arrays placed in stadiums which are different than EKGs put in hospitals which are different than....

>>    I'm not sure how relevant this is to OPC (I have not found the 
>> relevant documents on the OPC website) but I just want to point out 
>> that voucher-less provisioning does  not have to rely solely on blind trust or TOFU.
> A voucher is just a secure digital artefact to pass on authorization 
> of ownership. If you want to give that authorization to some 
> enterprises server/registrar in the shared-secret public-key scheme, 
> you would also need to have some way to pass on that public key to 
> that enterprise server. Just a different type of voucher.
>
> Aka: there is always a voucher, even if you haven't called it that way 
> ;-))

   Indeed! One of the by-products of this effort by Eliot to enumerate all these on-boarding techniques might be some common lingo so we can all talk to each other :-)

   regards,

   Dan.



--
Iot-onboarding mailing list
Iot-onboarding@ietf.org
https://www.ietf.org/mailman/listinfo/iot-onboarding