Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Thu, 08 August 2019 06:04 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Dan Harkins <dharkins@lounge.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Date: Thu, 08 Aug 2019 06:04:35 +0000
Message-ID: <BYAPR08MB49034BA15C283F5248B42017FAD70@BYAPR08MB4903.namprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/ALfD6SnGTx_OcRUENv03boDWWis>

> I'm not sure how relevant this is to OPC (I have not found the relevant documents
> the OPC website) but I just want to point out that voucher-less provisioning does
> not have to rely solely on blind trust or TOFU.

What we are looking for from the MASA is a framework that will provide the Operator with a "whitelist" of Device Certificates before any Device is plugged into the Network.
The OPC UA enabled Registrar would know what Devices are allowed when they attempt to register.
(IOW - the registrar does not simply rely on the Manufacturer CA).

From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Dan Harkins
Sent: August 7, 2019 10:41 PM
To: iot-onboarding@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI


  Hi Kent,
On 8/7/19 12:43 PM, Kent Watsen wrote:
On Aug 7, 2019, at 4:50 AM, Eliot Lear <lear@cisco.com> wrote:

The purpose, as I see it, of the voucher, is simply to provide zero-touch network provisioning.  I was asking a slightly different question: for purposes of network connectivity will operators want to know that only devices they authorized are connecting (e.g., 802.1X and the like)?  This is a natural assumption in the wireless world, but less so in wired.

More specifically, the voucher enables the device to trust the network, i.e., the entity claiming to be the device's owner.  Without the voucher, there is the TOFU (trust on first use), a.k.a. "resurrecting duckling" problem.

  The problematic nature of voucher-less trust can be offset somewhat by limiting
knowledge of the device's credential. DPP attempts to do this. The DPP device will
only accept a provisioning agent that knows its public key.

  The idea is that the degree of gratuitousness of the device's bootstrapping directly
determines how much it can trust "the network" that has bootstrapped its public key.
A QR code on the device's backside means that the device will trust anyone who has
physical possession of it (and can scan its backside). This does not prevent the
"device fell off the truck" threat. But that is not the only way of bootstrapping a
device's public key. The device's public key could be bootstrapped from a cloud
service-- give the serial number of the device (and/or proof-of-ownership) and get
back the device's public key.

  This allows the device to have a modicum of trust in "the network" based on the
steps the network had to go through in order to bootstrap the device's public key.
This way printers (with a relatively low bar on trust of "the network") can get
provisioned for a network that also includes something like a centrifuge (with a
relatively higher bar on trust of "the network" that it will join).

  I'm not sure how relevant this is to OPC (I have not found the relevant documents
on the OPC website) but I just want to point out that voucher-less provisioning does
not have to rely solely on blind trust or TOFU.

  regards,

  Dan.
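As an added example that is not part of any message in this thread, the following Python sketch shows the registrar-side check Randy asks for above: chaining to a trusted manufacturer CA is necessary but not sufficient, and the device's IDevID must also match an operator allow-list obtained before the device is ever plugged in. All CA names, serial numbers and certificate bytes are constructed stand-ins; the SHA-256 fingerprint over the stand-in bytes replaces real X.509 parsing and chain validation.

```python
"""Registrar admission: manufacturer-CA trust AND an operator allow-list."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class IDevID:
    serial: str   # device serial number asserted in the certificate
    issuer: str   # manufacturer CA that signed it
    der: bytes    # certificate bytes (constructed stand-in for real DER)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as an allow-list key."""
    return hashlib.sha256(der).hexdigest()


class Registrar:
    def __init__(self, manufacturer_cas: Set[str], allow_list: Dict[str, str]):
        # allow_list maps serial -> expected certificate fingerprint; the operator
        # loads it out of band before any device attempts to register.
        self.manufacturer_cas = manufacturer_cas
        self.allow_list = allow_list
        self.audit: List[Tuple[str, str, str, str]] = []

    def admit(self, cert: IDevID) -> str:
        if cert.issuer not in self.manufacturer_cas:
            return self._log(cert, "reject: untrusted manufacturer CA")
        expected = self.allow_list.get(cert.serial)
        if expected is None:
            return self._log(cert, "reject: serial not pre-authorized by operator")
        if expected != fingerprint(cert.der):
            # Same serial, different certificate: alert on this, not just reject.
            return self._log(cert, "reject: certificate does not match allow-list")
        return self._log(cert, "admit")

    def _log(self, cert: IDevID, verdict: str) -> str:
        self.audit.append((cert.serial, cert.issuer, fingerprint(cert.der)[:16], verdict))
        return verdict


# Constructed certificates: one genuine, one reusing a listed serial, one unlisted,
# one from a CA the registrar does not trust.
ACME_CA = "CN=ACME Manufacturing CA (constructed)"
GOOD = IDevID("SN-1001", ACME_CA, b"constructed-der-SN-1001")
CLONE = IDevID("SN-1001", ACME_CA, b"constructed-other-der-claiming-SN-1001")
UNLISTED = IDevID("SN-2002", ACME_CA, b"constructed-der-SN-2002")
OTHER_CA = IDevID("SN-1001", "CN=Unknown CA (constructed)", b"constructed-der-SN-1001")


def demo() -> List[str]:
    reg = Registrar({ACME_CA}, {GOOD.serial: fingerprint(GOOD.der)})
    return [reg.admit(c) for c in (GOOD, CLONE, UNLISTED, OTHER_CA)]
```

The audit list records every decision, so a second certificate presenting an already-listed serial shows up as a distinct event rather than disappearing into a generic rejection.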