Re: [Iot-onboarding] what can pinned-domain-cert actually pin?

Eliot Lear <> Wed, 28 August 2019 09:39 UTC

From: Eliot Lear <>
Date: Wed, 28 Aug 2019 11:39:21 +0200
Cc: Kent Watsen <>, Michael Richardson <>, "" <>
To: "Owen Friel (ofriel)" <>

> On 28 Aug 2019, at 11:08, Owen Friel (ofriel) <> wrote:
>> -----Original Message-----
>> From: Iot-onboarding < <>> On Behalf Of Kent
>> Watsen
>> Sent: 27 August 2019 19:43
>> To: Michael Richardson < <>>
>> Cc: <>
>> Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
>> In SZTP, pinned-domain-cert is the long-lived TA to a potentially short-lived
>> "Owner Certificate".  In theory, the root of the pinned-domain-cert PKI could
>> be a public CA but, in practice (because public CAs don't issue long-lived
>> certs), it means that a private PKI needs to be used.  Due to the nature of
>> these PKIs NOT being used to secure TLS-based services, the need for
>> a public root TA isn't there, so no big deal.
> What do you mean by long-lived? Public CAs can issue EE certs with expiration times up to 825 days as per <>.

I don’t think it’s long enough.  A manufacturer at least needs the option to issue a voucher that doesn’t expire for a cert that doesn’t expire.  We just don’t know how long a device might sit in a drawer, nor whether the manufacturer would continue to exist or support a particular device.

One issue we might want to take into account: time may be quite a fluid concept as far as end device clocks are concerned.  That is, how does the client know whether a cert actually is expired?  Now I don’t think we can count on them NOT knowing, but it could also be the case that cert expiry in these cases should just be ignored in favor of the voucher expiry.
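As an added illustration of the trust decision this message argues for (example code, not from the thread and not SZTP's own implementation): the owner certificate must chain to pinned-domain-cert, while expiry is governed by the voucher rather than the certificate's notAfter. The clock-trust handling, the certificate and voucher model, and the sample dates (an 825-day owner cert, a device left in a drawer for three years) are assumptions; signature verification is left out so that only name linkage and the expiry policy are modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str
    issuer: str
    not_after: Optional[datetime]      # None models a certificate with no expiry

@dataclass
class Voucher:
    pinned_domain_cert: str            # subject of the trust anchor the voucher pins
    expires_on: Optional[datetime]     # None models a voucher that never expires

def chains_to_pin(leaf: Cert, pool: List[Cert], pin: str) -> bool:
    """Walk issuer links from the owner cert up to the pinned trust anchor.
    Signature checks are omitted here; only name linkage is modelled."""
    by_subject = {c.subject: c for c in pool}
    cur, seen = leaf, set()
    while cur.subject not in seen:         # stop on self-signed roots and loops
        if cur.subject == pin:
            return True
        seen.add(cur.subject)
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return False
        cur = nxt
    return False

def accept_owner(voucher: Voucher, owner: Cert, pool: List[Cert], device_now: datetime,
                 clock_trusted: bool, ignore_cert_expiry: bool) -> Tuple[bool, str]:
    """Decide whether the device should trust `owner` under `voucher`.
    With ignore_cert_expiry=True, only the voucher's expires-on is enforced (the
    policy the message proposes); an untrusted clock cannot evaluate any expiry."""
    if not chains_to_pin(owner, pool, voucher.pinned_domain_cert):
        return False, "owner cert does not chain to pinned-domain-cert"
    if not ignore_cert_expiry and owner.not_after is not None:
        if not clock_trusted:
            return False, "cert expiry unverifiable: untrusted device clock"
        if device_now > owner.not_after:
            return False, "owner cert expired"
    if voucher.expires_on is not None:
        if not clock_trusted:
            return False, "voucher expiry unverifiable: untrusted device clock"
        if device_now > voucher.expires_on:
            return False, "voucher expired"
    return True, "accepted"

# Constructed sample data (assumed names and dates, not taken from any real deployment).
T_ISSUED = datetime(2019, 8, 28, tzinfo=timezone.utc)
T_DRAWER = T_ISSUED + timedelta(days=3 * 365)          # device unboxed three years later
EXAMPLE_TA = Cert("owner-domain-ta", "owner-domain-ta", None)
EXAMPLE_OWNER = Cert("owner", "owner-domain-ta", T_ISSUED + timedelta(days=825))
EXAMPLE_VOUCHER = Voucher("owner-domain-ta", None)      # non-expiring voucher
```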