Re: [Iot-onboarding] Some new stuff for

Michael Richardson <> Tue, 24 March 2020 21:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4D3003A0E90; Tue, 24 Mar 2020 14:45:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1N-7wOPlGxgh; Tue, 24 Mar 2020 14:45:09 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4B3B93A0E8D; Tue, 24 Mar 2020 14:45:09 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id 3980838982; Tue, 24 Mar 2020 17:43:44 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id D3D2516D; Tue, 24 Mar 2020 17:45:07 -0400 (EDT)
From: Michael Richardson <>
To: Eliot Lear <>
In-Reply-To: <>
References: <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Tue, 24 Mar 2020 17:45:07 -0400
Message-ID: <16935.1585086307@localhost>
Archived-At: <>
Subject: Re: [Iot-onboarding] Some new stuff for
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Mar 2020 21:45:13 -0000

Eliot Lear <> wrote:
    > As part of mudding, I’ve been talking to the SBOM people.  These are
    > the folk who are looking to produce a software bill of materials for
    > IOT devices.  The question: how to find it?  Well, MUD to the rescue.
    > I’ve added a very simple extension (no draft yet but working on it)
    > that would describe just how to get the SBOM.

Right. SBOM... I came across this at FOSDEM and LPC relating to documenting
what is going into containers, which often pick and choose at the file level.
That seems very apropo for IoT devices, which will often do the same thing.
(And ideally, will be upgraded with some container tech, maybe...)

So I see that you have Cloud URL, Local URL and "On Request"
This seems about right to me. just a URL with the rest of the info.

    > I also made some changes as to what happens when you click on the
    > “download” button.  Not only do you get a MUD file, but you also get a
    > DEMO CMS signature file as well.  If you trust this signature for
    > anything other than demonstration purposes, well…

Good, but my open question about whether or not mud-signature is permitted to
be relative still unresolved :-)

    > I also have now a demonstration QR code that contains the MUDURL alone.
    > This would be suitable for sticking on a box or otherwise providing
    > legacy equipment folk.  I have some issues with this.  The first is
    > that just scanning it on your iPhone gets you a JSON file.  From a
    > tooling perspective… that’s not slick.  Also, it’s sometimes
    > unnecessary, given what Michael is planning, and what is going into
    > DPP.  Also, I’m currently using a questionable Google API to generate
    > the QR code.  But as I am a questionable guy, and this is really for
    > demonstration purposes, I think this is ok.

Eliot, I think that we need to figure out how this can go forward.
I haven't received confirmation that opsawg will give me time yet.
Regardless, I think that we need to have a bigger discussion.

Maybe this fits into the NIST Wednesday calls.
(feel free to invite me)

Michael Richardson <>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-