Re: [Iot-onboarding] FW: New Version Notification for draft-friel-anima-brski-cloud-00.txt
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 11 September 2019 15:32 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6C01209BF for <iot-onboarding@ietfa.amsl.com>; Wed, 11 Sep 2019 08:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ejx3ol-D4-W for <iot-onboarding@ietfa.amsl.com>; Wed, 11 Sep 2019 08:32:20 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE7341209C6 for <iot-onboarding@ietf.org>; Wed, 11 Sep 2019 08:32:19 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [148.69.85.38]) by relay.sandelman.ca (Postfix) with ESMTPS id 296431F459; Wed, 11 Sep 2019 15:32:17 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id DE9F648C6; Wed, 11 Sep 2019 16:32:54 +0100 (WEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
In-reply-to: <CY4PR1101MB2278AB70B3F1E210663E3A46DBB60@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <156814578438.22642.14659802904628203855.idtracker@ietfa.amsl.com> <CY4PR1101MB2278AB70B3F1E210663E3A46DBB60@CY4PR1101MB2278.namprd11.prod.outlook.com>
Comments: In-reply-to "Owen Friel (ofriel)" <ofriel@cisco.com> message dated "Tue, 10 Sep 2019 20:09:05 -0000."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 11 Sep 2019 16:32:54 +0100
Message-ID: <7550.1568215974@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/FTG4qQSjKYeYt9MefvlRJ2Fiwn4>
Subject: Re: [Iot-onboarding] FW: New Version Notification for draft-friel-anima-brski-cloud-00.txt
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2019 15:32:23 -0000
Owen Friel (ofriel) <ofriel@cisco.com> wrote: > FYI, as discussed earlier on the thread, published first cut of the default BRSKI cloud registrar draft. Thanks for starting this document. I will send pull requests once I know where you put it... I think that there are a few high-level things that need to be clearer. 0) Why isn't is RFC8572 (SZTP) needs to be clearer. 1) what does it mean to onboard to the cloud only. While it is nice for the IETF to make a standard for a manufacturer to interoperate with itself, we should recognize that we don't need to. This is basically how every single home-IoT device that calls home works today. 2) we should clarify some reasons why the device can not find the local registrar. One reason is that it's not local. I.e. a device being bootstrapped at some other location. 3) the device already has network connectivity. Probably from a wire!!! (maybe from an open WiFi though) It's not core enterprise/ISP routing/switching equipment. 4) there is probably a significant difference between a 301 redirect before the voucher request and one that occurs after a voucher is issued. A redirect before request would be based upon the TLS Client Certificate identity. A redirect that occured during the voucher-request would be curious, and I'm not sure what purpose it would serve, so I want to ignore this. A redirect in the form a voucher, is a different thing, pointing the pledge to an EST server with which to continue. In fact, I would suggest that these are two MAJOR different modes, and might even be different documents/protocols. The argument for not being separate is that it might be on a per-device basis that it makes the decision. 5) I think that this mechanism can never work without some amount of supply-chain integration, otherwise the cloud MASA has no idea who the correct customer is. This is also implies that it doesn't work for the various "HomeDepot" retail situations. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Iot-onboarding] FW: New Version Notification for… Owen Friel (ofriel)
- Re: [Iot-onboarding] FW: New Version Notification… Michael Richardson
- Re: [Iot-onboarding] FW: New Version Notification… Owen Friel (ofriel)