Re: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 12 September 2019 12:39 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "iot-onboarding\@ietf.org" <iot-onboarding@ietf.org>, "mud\@ietf.org" <mud@ietf.org>
In-reply-to: <bb757b7b-dffc-9494-4ae0-a709d30445df@ericsson.com>
References: <19176.1567583108@dooku.sandelman.ca> <0100016cfc877287-c2198aee-ffe6-4c28-94a1-cb141b92741f-000000@email.amazonses.com> <bb757b7b-dffc-9494-4ae0-a709d30445df@ericsson.com>
Comments: In-reply-to Mohit Sethi M <mohit.m.sethi@ericsson.com> message dated "Wed, 11 Sep 2019 19:26:52 -0000."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 12 Sep 2019 13:33:20 +0100
Message-ID: <29152.1568291600@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/FhSK8RwpFfIFIg3lkGpxpf_0UXE>
Subject: Re: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG

Mohit Sethi M <mohit.m.sethi@ericsson.com> wrote:
    > I know there are probably many differences. For example, I see that the
    > SZTP spec says that devices can receive initial bootstrap information
    > over DNS or from a bootstrap server.

SZTP does not have voucher-requests.
Or at least, does not do them inband in a specific way detailed by a standard.
Both use RFC8366 vouchers to convey ownership.

    > What I am trying to understand is what does a device start from
    > (shared-secret/ephemeral key pair/manufacturer certificate), and what
    > does it end with? Do we need both SZTP and BRSKI?

They serve different parts of the ecosystem.
SZTP does not mandate an IDevID, but many ways of using it would seem to
benefit from having one.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
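The two points above, that both protocols convey ownership with an RFC 8366 voucher and that only BRSKI has an in-band voucher-request, can be made concrete with the pledge-side field checks on a voucher. The following is an added example, not code from this thread nor from the SZTP (RFC 8572) or BRSKI (RFC 8995) specifications or any implementation of them. It uses the JSON encoding of the `ietf-voucher` container (created-on, expires-on, assertion, serial-number, pinned-domain-cert, nonce, domain-cert-revocation-checks) and, for the BRSKI side, the `ietf-voucher-request` container. It assumes the CMS signature over the voucher has already been verified by the caller against the MASA trust anchor, assumes the pledge pins the registrar's leaf certificate (BRSKI also allows a certificate higher in the registrar's chain), uses a fixed clock, and all certificate bytes, serial numbers and nonces are constructed stand-ins.

```python
import base64
import hmac
import json
from datetime import datetime, timezone

# Constructed sample inputs: not real DER certificates, IDevID serials or nonces.
REGISTRAR_CERT_DER = b"\x30\x82\x01\x00 constructed registrar cert DER"
OTHER_CERT_DER = b"\x30\x82\x01\x00 constructed other cert DER"
PLEDGE_SERIAL = "JADA123456789"            # serialNumber from the pledge's IDevID subject
PLEDGE_NONCE = b"constructed-32-byte-pledge-nonce"
NOW = datetime(2019, 9, 12, 13, 0, tzinfo=timezone.utc)   # fixed clock for the demo

VALID_ASSERTIONS = ("verified", "logged", "proximity")     # RFC 8366 assertion enum


def make_voucher_request(serial, nonce, proximity_registrar_der):
    """BRSKI (RFC 8995) pledge voucher-request, JSON encoding.  SZTP has no
    equivalent in-band artifact; it is shown here because it is where the
    nonce that a nonced voucher must echo originates."""
    vr = {
        "created-on": "2019-09-12T12:38:00Z",
        "nonce": base64.b64encode(nonce).decode(),
        "serial-number": serial,
        "proximity-registrar-cert": base64.b64encode(proximity_registrar_der).decode(),
    }
    return json.dumps({"ietf-voucher-request:voucher-request": vr})


def make_voucher(serial, pinned_der, nonce=None, expires_on=None, assertion="verified"):
    """RFC 8366 voucher, JSON encoding, as a MASA would issue it (CMS signing omitted)."""
    v = {
        "created-on": "2019-09-12T12:39:00Z",
        "assertion": assertion,
        "serial-number": serial,
        "pinned-domain-cert": base64.b64encode(pinned_der).decode(),
        "domain-cert-revocation-checks": False,
    }
    if nonce is not None:
        v["nonce"] = base64.b64encode(nonce).decode()
    if expires_on is not None:
        v["expires-on"] = expires_on
    return json.dumps({"ietf-voucher:voucher": v})


def _parse_time(s):
    # yang:date-and-time is RFC 3339; fromisoformat wants +00:00 rather than Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_voucher(voucher_json, pledge_serial, registrar_der, pledge_nonce, now=NOW):
    """Pledge-side field checks.  Returns (accepted, reason).
    Assumption: the caller has already verified the CMS signature and that the
    signer chains to the MASA trust anchor the pledge was manufactured with."""
    v = json.loads(voucher_json).get("ietf-voucher:voucher")
    if not isinstance(v, dict):
        return False, "missing ietf-voucher:voucher container"
    if v.get("assertion") not in VALID_ASSERTIONS:
        return False, "unknown assertion"
    # The voucher must name this device, not merely any device from the vendor.
    if v.get("serial-number") != pledge_serial:
        return False, "serial-number does not match IDevID"
    # Nonce binds the voucher to this bootstrap (anti-replay); compare in constant time.
    if "nonce" in v:
        if not hmac.compare_digest(base64.b64decode(v["nonce"]), pledge_nonce):
            return False, "nonce mismatch (replayed or foreign voucher)"
    # Nonceless vouchers rely on expiry instead; this example's policy requires one or the other.
    if "expires-on" in v:
        if _parse_time(v["expires-on"]) <= now:
            return False, "voucher expired"
    elif "nonce" not in v:
        return False, "neither nonce nor expires-on present"
    # Ownership: the pinned cert must be the registrar the pledge is actually talking to.
    pinned = base64.b64decode(v["pinned-domain-cert"])
    if not hmac.compare_digest(pinned, registrar_der):
        return False, "pinned-domain-cert does not match registrar"
    return True, "ok"


def demo():
    """Run the checks over the constructed cases; returns {case: accepted}."""
    cases = {
        "nonced, correct": make_voucher(PLEDGE_SERIAL, REGISTRAR_CERT_DER, nonce=PLEDGE_NONCE),
        "replayed nonce": make_voucher(PLEDGE_SERIAL, REGISTRAR_CERT_DER, nonce=b"old-nonce"),
        "wrong serial": make_voucher("OTHER-SERIAL", REGISTRAR_CERT_DER, nonce=PLEDGE_NONCE),
        "wrong pinned cert": make_voucher(PLEDGE_SERIAL, OTHER_CERT_DER, nonce=PLEDGE_NONCE),
        "nonceless, unexpired": make_voucher(PLEDGE_SERIAL, REGISTRAR_CERT_DER,
                                             expires_on="2019-09-13T00:00:00Z"),
        "nonceless, expired": make_voucher(PLEDGE_SERIAL, REGISTRAR_CERT_DER,
                                           expires_on="2019-09-12T00:00:00Z"),
    }
    return {name: check_voucher(vj, PLEDGE_SERIAL, REGISTRAR_CERT_DER, PLEDGE_NONCE)[0]
            for name, vj in cases.items()}


if __name__ == "__main__":
    print(make_voucher_request(PLEDGE_SERIAL, PLEDGE_NONCE, REGISTRAR_CERT_DER))
    for name, ok in demo().items():
        print(f"{name:22s} -> {'accept' if ok else 'reject'}")
```

The serial-number and pinned-domain-cert checks are what turn a signed blob into an ownership statement for this device about this registrar; the nonce is the part SZTP has no in-band way to request, so a nonceless SZTP-style voucher has to carry expires-on and the pledge needs a trustworthy clock to evaluate it.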