Re: [Iot-onboarding] what can pinned-domain-cert actually pin?

"Owen Friel (ofriel)" <ofriel@cisco.com> Wed, 28 August 2019 10:55 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B46BD1200FD for <iot-onboarding@ietfa.amsl.com>; Wed, 28 Aug 2019 03:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=A+l6C7WV; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=AFK0KVE0
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EipBV3RimINN for <iot-onboarding@ietfa.amsl.com>; Wed, 28 Aug 2019 03:55:15 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0FCC120025 for <iot-onboarding@ietf.org>; Wed, 28 Aug 2019 03:55:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3244; q=dns/txt; s=iport; t=1566989714; x=1568199314; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=7FxzNwKrSPYaWp4DK152dTrMF7Rj4K1OFLrJs8Jp4Ec=; b=A+l6C7WVQC4+0vo7umssrA/OPnjzfQqTKLiFLHpY4060ptW60VfMVDnM gaM9bU1q48W0ER6e1UeOsnJ+0thWUJwnf4/04jVihLrJMU9BeAUEEEv6W cHwjIuX09pefzidfYgxp5fGJZ7XT7mOMxOGCuyugKaJG1aHomnLdT4VeB E=;
IronPort-PHdr: =?us-ascii?q?9a23=3Aaw6Gxx2h5EMVA5kKsmDT+zVfbzU7u7jyIg8e44?= =?us-ascii?q?YmjLQLaKm44pD+JxGOt+51ggrPWoPWo7JfhuzavrqoeFRI4I3J8RVgOIdJSw?= =?us-ascii?q?dDjMwXmwI6B8vQDkPhLfPuRyc7B89FElRi+iLzPA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ANAAAtXGZd/4MNJK1lGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBVAQBAQEBCwGBRFADbVYgBAsWFIQhg0cDinOCXJdqgS4UgRA?= =?us-ascii?q?DVAkBAQEMAQElCAIBAYQ/AheCNyM1CA4CAwgBAQQBAQECAQYEbYUuDIVKAQE?= =?us-ascii?q?BAQIBEhERDAEBNwELBAIBCBEEAQEBAgIREgMCAgIwFAEICAIEDgUIGoMBgWo?= =?us-ascii?q?DDg8BDqARAoE4iGFzgTKCfAEBBYUNGIIWAwaBDCgBi3YYgUA/gRFGgkw+gmE?= =?us-ascii?q?BAQIBgRkRNj2CTDKCJow7IoJFh0iVFwkCgh6GbY1+mFmKM4o+aoYdiiUCBAI?= =?us-ascii?q?EBQIOAQEFgVIBNYFYcBWDJ4JCg3KFFIU/cgEBgSeNcgEB?=
X-IronPort-AV: E=Sophos;i="5.64,440,1559520000"; d="scan'208";a="620397651"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Aug 2019 10:55:13 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id x7SAtDhH017915 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 28 Aug 2019 10:55:13 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 28 Aug 2019 05:55:13 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 28 Aug 2019 06:55:12 -0400
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 28 Aug 2019 06:55:12 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aQtvSRw1KnwlqXf6I04omRB01yJfnJFc0q+gBYNWxJkoERXi2eiQe9didy2Gu7m6pXHMfoGicCyC4Zn8SBMorT83BGoSJc1pHBheCECO56H8wrTtxZZwaotYAdaPp78Zf5KX++nNcULJqXLq2xYKihsq1LA7GLfKsmyPAK3Vxi7K/X6IImCLgYA6S6DyzOyAjNpmlMvyPyHW0W6bEByCumQttL5/ADys8s94bnH53mhfdtwESIK/D8HNV6IvRS3mM/aLWE2416RKiYQvBxCuFuQ8+1MiJvPIYsQxIVhGybJ0edE2ssFKRTyB7kvxeDuFzynpjbrJ2Qxff7tSJKMYAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7FxzNwKrSPYaWp4DK152dTrMF7Rj4K1OFLrJs8Jp4Ec=; b=g0UfPAGNLHmam32ClNcKd3eQZ7wrtvdRsofw1jKl/IFuPqgR+sAfLLpZ+xVuT0cEB1bRhGvVabb3wk4f50qiCrnMKAHH6Y375Gw7/V0r/g/mfpr3T88qniuMKuwVfQC5kiALETeeWNbqplSF7tgaSkKhvP1EDiHqN8mSkUgDeekrrohiZjVgpPd3jgzzWT2xHyZAb7E2AqbfKFgBjxzG2Bwt9xccY4V9KQGZMVmQ4PE+xe11qhmkyK5qTRFNkiAhseu/cj5Q9lzmQtdP1mgJ2kZiglzaY2ym8qh1aMdvrhO5YwZiEKrJyW4Vab366tfbbiEST7aWqcX9A07LF5wC+A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7FxzNwKrSPYaWp4DK152dTrMF7Rj4K1OFLrJs8Jp4Ec=; b=AFK0KVE0wa97/JmI7arxjegvHuTOROTo5C72StCY0KzN/tfpBrx1vqoICQVMVww12wyHIG7u9+JIsrsEVHegyVoNVw5TzUnpZXfNjjlgyiDLEZOgdWUv1wq/G8OcXm6sbPW4g0vh2dfk75UlFtsJ0joLNUb5dtNmkYKWWZTTmAk=
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com (10.172.76.13) by CY4PR1101MB2183.namprd11.prod.outlook.com (10.172.76.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2199.21; Wed, 28 Aug 2019 10:55:11 +0000
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::9098:374:9205:d0c4]) by CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::9098:374:9205:d0c4%5]) with mapi id 15.20.2199.021; Wed, 28 Aug 2019 10:55:11 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Eliot Lear <lear@cisco.com>
CC: Kent Watsen <kent+ietf@watsen.net>, Michael Richardson <mcr+ietf@sandelman.ca>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] what can pinned-domain-cert actually pin?
Thread-Index: AQHVXPTdRdfIG1V6k0+L04J9EcMpEqcPVJEAgADrXPCAAA8ZgIAAFHbw
Date: Wed, 28 Aug 2019 10:55:10 +0000
Message-ID: <CY4PR1101MB22780086300306D6D43C3080DBA30@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <2693.1566923418@localhost> <0100016cd46359e7-8c844438-dc7a-45df-9868-ba0957bcc89f-000000@email.amazonses.com> <CY4PR1101MB22782817AA5A55C3812A3EEFDBA30@CY4PR1101MB2278.namprd11.prod.outlook.com> <BB115A81-530D-4F48-BED3-1E18ACBDDF82@cisco.com>
In-Reply-To: <BB115A81-530D-4F48-BED3-1E18ACBDDF82@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [2001:420:4041:1250:997c:8517:b410:fbfc]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 47ec5541-7bbe-479d-7870-08d72ba6329f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:CY4PR1101MB2183;
x-ms-traffictypediagnostic: CY4PR1101MB2183:
x-ms-exchange-purlcount: 2
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <CY4PR1101MB21835C54CCED7810F8177088DBA30@CY4PR1101MB2183.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 014304E855
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(396003)(366004)(136003)(39860400002)(189003)(199004)(13464003)(6636002)(76116006)(66476007)(66556008)(64756008)(66446008)(186003)(486006)(46003)(966005)(8676002)(86362001)(478600001)(229853002)(81156014)(54906003)(81166006)(53546011)(8936002)(66946007)(102836004)(305945005)(55016002)(14454004)(74316002)(7736002)(6116002)(25786009)(6246003)(71200400001)(6306002)(6862004)(5660300002)(52536014)(4326008)(11346002)(76176011)(256004)(14444005)(9686003)(71190400001)(53936002)(2906002)(476003)(66574012)(7696005)(19627235002)(6436002)(316002)(6506007)(33656002)(99286004)(446003); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2183; H:CY4PR1101MB2278.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: bj2TMQaRhtOHSgYNrLatQubO3EFcWSW6ZkSKvUycKXQ7vxWvFfHDJnr+ot3odKKARurr9qkamUW4bJoLv/Sb5jSVYG/peJ8mCW7MFLllXxn3fyY+p9UVVxnTDnYyoFaZGomh6zGhJmdLWafjDRu40dugHKNhvqkAnteuh8jU/OkGxVktaRHa8oPJ+C0fYt6IvF4GnRd6dMcMsyEfbJhCb15M0lYeoUcj5P2UAydeK3wyuJ69BM3bfashgO6iJ6q0haIe8EoKGcoMNrRTe4pIQ6Qks8zxdWNgRs2ElO4P5WId+N5qRms5o1DoubSwYv/vwsqyqdqNQHYZhdjD23IlLc5dp4oCvoI2sC0dIHs6F+hYHhQQ4Y2ptqCLanpiMraFD++BEdwas7l/s6UDLoHUJJvIHENSvKgM2JHgpuCcxh4=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 47ec5541-7bbe-479d-7870-08d72ba6329f
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Aug 2019 10:55:10.9292 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bgIDsfXzqtfjm0l6wmf5J05mT1aMkJrK2I63alqehHYUcpsWmCA/W3DtZiMATpYqEMo+vBcqgyKvQLAWmqHEBQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2183
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/UThTFQxOfbiob_HoFkza_MP3BsA>
Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 10:55:18 -0000


> -----Original Message-----
> From: Eliot Lear <lear@cisco.com>;
> Sent: 28 August 2019 10:39
> To: Owen Friel (ofriel) <ofriel@cisco.com>;
> Cc: Kent Watsen <kent+ietf@watsen.net>;; Michael Richardson
> <mcr+ietf@sandelman.ca>;; iot-onboarding@ietf.org
> Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
> 
> 
> 
> 
> 
> On 28 Aug 2019, at 11:08, Owen Friel (ofriel) <mailto:ofriel@cisco.com>
> wrote:
> 
> 
> 
> 
> -----Original Message-----
> From: Iot-onboarding <mailto:iot-onboarding-bounces@ietf.org> On Behalf
> Of Kent
> Watsen
> Sent: 27 August 2019 19:43
> To: Michael Richardson <mailto:mcr+ietf@sandelman.ca>
> Cc: mailto:iot-onboarding@ietf.org
> Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
> 
> 
> In SZTP, pinned-domain-cert is the long-lived TA to a potentially short-lived
> "Owner Certificate".  In theory, the root of the pinned-domain-cert PKI could
> be a public CA but, in practice (because public CAs don't issue long-lived
> certs), it means that a private PKI needs to be used.  Due to the nature of
> these PKIs NOT being used to secure TLS-based services, the need for
> a public root TA isn't there, so no big deal.
> 
> What do you mean by long-lived? Public CAs can issue EE certs with
> expiration times up to 825 days as per https://cabforum.org/wp-
> content/uploads/CA-Browser-Forum-BR-1.6.5.pdf.
> 
> 
> I don’t think it’s long enough.  A manufacturer at least needs the option to
> issue a voucher that doesn’t expire for a cert that doesn’t expire.  We just
> don’t know how long a device might sit in a drawer, nor whether the
> manufacturer would continue to exist or support a particular device.

That’s why pinning of the public root CA (and DNS-ID) may be desirable.

> 
> One issue we might want to take into account: time may be quite a fluid
> concept as far as end device clocks are concerned.  That is- how does the
> client know whether a cert actually is expired?  Now I don’t think we can
> count on them NOT knowing, but it could also be the case that cert expiry in
> these cases should just be ignored in favor of the voucher expiry.
> 
> Eliot


This is what BRSKI says about that time issue: https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-26#section-2.6.1