Re: [Iot-onboarding] OPC and BRSKI
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 06 August 2019 21:10 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91912120047 for <iot-onboarding@ietfa.amsl.com>; Tue, 6 Aug 2019 14:10:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z065Q3zopX-p for <iot-onboarding@ietfa.amsl.com>; Tue, 6 Aug 2019 14:10:56 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35667120033 for <iot-onboarding@ietf.org>; Tue, 6 Aug 2019 14:10:55 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 66BEE3818D; Tue, 6 Aug 2019 17:10:18 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id D0E65A01; Tue, 6 Aug 2019 17:10:53 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
In-Reply-To: <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 06 Aug 2019 17:10:53 -0400
Message-ID: <27052.1565125853@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/CG3_siFhijNnnhwLKCdkQ6N6bp4>
Subject: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 21:10:58 -0000
Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote: > I will start with the main trouble spots. Some of these may be already > covered by BRKSI but I missed the implications of some of the text: > 1) Low end devices that only support OPC; this means no TLS client > capabilities and no ability to initiate network communication > (i.e. server only mode); What is "OPC", from a transport and security point of view? When I looked through the web site, I'm afraid I came up empty. BRSKI can be made to work when the pledge is a responder, but there are details that need to be worked out for specific use cases. You may prefer https://datatracker.ietf.org/doc/rfc8572/ Secure Zero-Touch Provisioning, which uses the same format vouchers, but has different flows. > 2) Machine builders that combine devices into a machine that is sold as > a unit. These device still have a unique network identity but the > effective manufacturer has changed; How to deal with the DeviceID? What an appropriate answer is depends upon who will be responsible for the components. Is it the manufacturer of the aggregate or the manufacturer of the devices. One way to think of this as an initial sale to the aggregator, and then to replace the trust anchors for a second sale. Another way is to think of this is that the aggregator runs a mini-registrar, onboards the devices into the aggregate, and then takes care of the devices itself. > 3) Devices may be reset to factory defaults and sold/transferred to > another organization. This needs to be possible even if the MASA is no > longer available (i.e. the original manufacturer has gone out of > business). There are a number of different ways to do this; every single one of them requires some advance planning (coding) by the device manufacturer. > 4) Offline operation is the norm with pre-issued vouchers delivered out > of band. The pre-issued vouchers will need to have reasonably long > lifetime (i..e. years not hours). This has already been taken into account. The question is whether the end-owner is known at time of voucher issue or not. If not, then you either need a bearer voucher (which RFC8366 declined to define, as it's so powerful, we were afraid of the security considerations), or you need to pin to a temporary key which is turned over the operator. But, that is effectively a bearer voucher with multiple components. > The lifecycle of a device is shown in the following diagram. The > expectation is we would need to add links to the MASA at each step in > the lifetime. I don't think you need a connection to the MASA until provisioning box, nor after that either. I think that the hardest part is (1), and then it's just an applicability statement. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Eliot Lear
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] [Anima] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Kent Watsen
- Re: [Iot-onboarding] OPC and BRSKI Dan Harkins
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Kent Watsen
- Re: [Iot-onboarding] OPC and BRSKI Kent Watsen
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Michael Richardson
- Re: [Iot-onboarding] OPC and BRSKI Toerless Eckert
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] OPC and BRSKI Dan Harkins
- Re: [Iot-onboarding] OPC and BRSKI Randy Armstrong (OPC)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Randy Armstrong (OPC)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Randy Armstrong (OPC)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC an… Toerless Eckert
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Michael Richardson
- Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC an… Owen Friel (ofriel)
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Jack Visoky
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Jack Visoky
- Re: [Iot-onboarding] EXTERNAL: Re: [Anima] OPC an… Jack Visoky
- Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC an… Jack Visoky