Re: [Iot-onboarding] OPC and BRSKI

Kent Watsen <kent+ietf@watsen.net> Thu, 08 August 2019 14:51 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Date: Thu, 08 Aug 2019 14:51:40 +0000
Cc: Dan Harkins <dharkins@lounge.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
To: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/7IWEGvLHrjwUy-VhGu00cccUlFM>

Hi Randy,

> What we are looking for from the MASA is a framework that will provide the Operator with a “whitelist” of Device Certificates before any Device is plugged into the Network.
> The OPC UA enabled Registrar would know what Devices are allowed when they attempt to register.
> (IOW – the registrar does not simply rely on the Manufacturer CA).

Indeed.  Assuming a secure device identity certificate (e.g., IDevID), the network trusting the device is a two-step process:
  1) certificate-path validation to the manufacturer's CA
  2) device-identity (e.g., serial number) is expected.

The backend supporting what you're looking for is hinted at by RFC 8572, item #4 in C.1.   What the NMS does is out-of-scope to SZTP, but not doing both path-validation and identity-verification wouldn't make sense, given that a device-specific response is needed in most cases.

Kent
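The two-step check Kent describes, as an added illustration in Go that is not part of this thread nor of any BRSKI/SZTP implementation; it assumes the device identity is carried in the IDevID subject serialNumber attribute, that the operator's expected-device list is a simple in-memory set, and it constructs its own manufacturer CA and device certificate so it runs offline:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a minimal template; the device serial is carried in the subject serialNumber, as an IDevID does.
func certTemplate(cn, serial string, isCA bool) *x509.Certificate {
	n, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	return &x509.Certificate{
		SerialNumber: n, Subject: pkix.Name{CommonName: cn, SerialNumber: serial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}
// newCert issues tmpl under parent/signer; parent == nil yields a self-signed (manufacturer CA) cert.
func newCert(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // constructed demo material; errors ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// TrustDevice is the registrar-side check: (1) path-validate the IDevID to the manufacturer CA, then
// (2) require its subject serialNumber to be expected. Step 1 alone admits every device the vendor ever shipped.
func TrustDevice(idevid, manufacturerCA *x509.Certificate, expected map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(manufacturerCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := idevid.Verify(opts); err != nil {
		return fmt.Errorf("step 1 (path validation): %w", err)
	}
	if sn := idevid.Subject.SerialNumber; !expected[sn] {
		return fmt.Errorf("step 2 (identity): serial %q not expected on this network", sn)
	}
	return nil
}
func main() { // constructed manufacturer CA and one device; only SN-0001 is on the operator's expected list
	ca, caKey := newCert(certTemplate("Example Manufacturer CA", "", true), nil, nil)
	dev, _ := newCert(certTemplate("example-device", "SN-0001", false), ca, caKey)
	fmt.Println("listed:", TrustDevice(dev, ca, map[string]bool{"SN-0001": true}), "| unlisted:", TrustDevice(dev, ca, nil))
}
```

A device whose certificate chains correctly but whose serial is absent from the list fails step 2, which is the case a manufacturer-CA-only check would wrongly admit.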