Re: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG

Mohit Sethi M <mohit.m.sethi@ericsson.com> Thu, 12 September 2019 11:05 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, Mohit Sethi M <mohit.m.sethi@ericsson.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "mud@ietf.org" <mud@ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG
Thread-Index: AQHVaNbcpd2ivcpAw0yCVRFO+FMgJ6cm7cUAgAD0aoA=
Date: Thu, 12 Sep 2019 11:05:06 +0000
Message-ID: <7143e57b-d3bd-8cd6-3fce-aba6dee56cfd@ericsson.com>
References: <19176.1567583108@dooku.sandelman.ca> <0100016cfc877287-c2198aee-ffe6-4c28-94a1-cb141b92741f-000000@email.amazonses.com> <bb757b7b-dffc-9494-4ae0-a709d30445df@ericsson.com> <0100016d2205079e-f7bb82bf-7e5b-4e61-a938-bc49ac1c5f44-000000@email.amazonses.com>
In-Reply-To: <0100016d2205079e-f7bb82bf-7e5b-4e61-a938-bc49ac1c5f44-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/Vb67Wq66IhrqIqvxp4zhexQGbNE>
Subject: Re: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG

Hi Kent,

Thanks for this. It is very helpful. I may still need some hand-holding to understand all the aspects. There is quite a lot to digest here.

You mention that SZTP can give a payload to the device that could be a script or more complex instructions. Can this payload be a certificate?

I understand that people will have different opinions about their own work and it can be hard to compare protocols. But are there use-cases that are addressed by BRSKI but not by SZTP? Is it the case that BRSKI addresses some scenarios more efficiently?

--Mohit

On 9/11/19 11:30 PM, Kent Watsen wrote:

Hi Mohit,


Could you explain the high-level differences between BRSKI and SZTP for those like me who are not extremely familiar.

I know there are probably many differences. For example, I see that the SZTP spec says that devices can receive initial bootstrap information over DNS or from a bootstrap server.

What I am trying to understand is what does a device start from (shared-secret/ephemeral key pair/manufacturer certificate), and what does it end with? Do we need both SZTP and BRSKI?

Top of mind.


Preconditions:
- SZTP: secure device identity certificate SHOULD (e.g., IDevID RECOMMENDED), alternate credentials possible.  Optional list of TA certs for validating SZTP servers.  Optional list of TA certs for validating vouchers.
- BRSKI: IDevID MUST.  List of TA certs for validating vouchers MUST.

Normal Operations:
- SZTP: many modes here, some don't require networking. Vouchers only needed when TLS can't be used or trusted. Vouchers, when used, are primarily long-lived, but MAY be ephemeral (e.g., nonced). Primarily with strong ownership verification, but weaker forms are possible.
- BRSKI: singular mode (pledge looks for a Registrar).  Vouchers are always used and are primarily conceived to be ephemeral (nonced) with a MASA that maintains a log; long-lived Vouchers and strong ownership-verification are possible.

Postconditions:
- SZTP: a "payload" that could be as small as a script or as large as instructions for updating the OS image + setting an initial configuration.
- BRSKI: a domain certificate. Additional mechanisms needed to get the device into a managed state (this is what some of the other ANIMA drafts are for).


I think I got the BRSKI parts right, but hope folks will chime in if anything is misrepresented or underrepresented.

Kent
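The "Normal Operations" comparison above turns on what a pledge actually checks when it receives a voucher: an ephemeral (nonced) voucher is bound to the nonce the pledge generated for this bootstrap run, while a long-lived voucher carries an expiry that the pledge can only judge with trusted time. The following is an added example, not code from this thread, from BRSKI or from SZTP. It models that pledge-side decision in Python; the trust-anchor names, keys, serial number, nonce and certificate strings are all constructed, and the signature check is a stand-in (an HMAC over the canonical JSON body keyed by a constructed trust anchor) for the CMS signature that a real RFC 8366 voucher carries and that the pledge verifies against its shipped MASA trust-anchor certificates.

```python
"""Pledge-side voucher acceptance for nonced vs long-lived vouchers.

Added example: not code from the thread, BRSKI or SZTP. Signature checking is a
stand-in (HMAC over canonical JSON under a constructed anchor key) for the CMS
signature a real RFC 8366 voucher carries.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the pledge's configured list of voucher trust anchors.
TRUST_ANCHORS = {"masa.example": b"constructed-masa-signing-key"}


def canonical(body):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_voucher(body, signer, key):
    """Issuer side (stand-in for the MASA): MAC the voucher body under the anchor key."""
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"voucher": dict(body), "signer": signer, "mac": mac}


def accept_voucher(signed, *, serial_number, nonce=None, now=None, anchors=TRUST_ANCHORS):
    """Return (accepted, detail): detail is the pinned domain cert on success,
    otherwise the reason the pledge refused the voucher."""
    key = anchors.get(signed.get("signer"))
    if key is None:
        return False, "signer is not a configured voucher trust anchor"
    expected = hmac.new(key, canonical(signed["voucher"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("mac", "")):
        return False, "voucher signature does not verify"
    v = signed["voucher"]
    if v.get("serial-number") != serial_number:
        return False, "voucher was issued for a different device"
    if "nonce" in v:
        # Ephemeral voucher: bound to the nonce this pledge sent in this run,
        # so a voucher captured from an earlier run fails here.
        if nonce is None or not hmac.compare_digest(v["nonce"], nonce):
            return False, "nonce does not match this bootstrap run"
    elif "expires-on" in v:
        # Long-lived voucher: the pledge needs trusted time to judge expiry.
        if now is None:
            return False, "no trusted time; cannot evaluate expires-on"
        if datetime.fromisoformat(v["expires-on"]) <= now:
            return False, "voucher has expired"
    if "pinned-domain-cert" not in v:
        return False, "voucher pins no domain certificate"
    return True, v["pinned-domain-cert"]


# Constructed scenario values (labels, not real identifiers).
PLEDGE_SERIAL = "constructed-serial-0001"
RUN_NONCE = "constructed-nonce-for-this-run"
NOW = datetime(2019, 9, 12, 11, 5, tzinfo=timezone.utc)
DOMAIN_CERT = "constructed-base64-domain-ca-cert"


def nonced_voucher():
    body = {"assertion": "verified", "serial-number": PLEDGE_SERIAL,
            "nonce": RUN_NONCE, "pinned-domain-cert": DOMAIN_CERT}
    return sign_voucher(body, "masa.example", TRUST_ANCHORS["masa.example"])


def long_lived_voucher(days_valid):
    body = {"assertion": "verified", "serial-number": PLEDGE_SERIAL,
            "expires-on": (NOW + timedelta(days=days_valid)).isoformat(),
            "pinned-domain-cert": DOMAIN_CERT}
    return sign_voucher(body, "masa.example", TRUST_ANCHORS["masa.example"])


def run_scenarios():
    """Exercise the cases the thread distinguishes; returns name -> (accepted, detail)."""
    replayed = nonced_voucher()  # same voucher presented in a later run with a new nonce
    tampered = nonced_voucher()
    tampered["voucher"]["pinned-domain-cert"] = "constructed-rogue-cert"  # MAC no longer matches
    return {
        "nonced, fresh": accept_voucher(nonced_voucher(), serial_number=PLEDGE_SERIAL, nonce=RUN_NONCE),
        "nonced, replayed": accept_voucher(replayed, serial_number=PLEDGE_SERIAL, nonce="constructed-later-nonce"),
        "nonced, tampered": accept_voucher(tampered, serial_number=PLEDGE_SERIAL, nonce=RUN_NONCE),
        "long-lived, valid": accept_voucher(long_lived_voucher(30), serial_number=PLEDGE_SERIAL, now=NOW),
        "long-lived, expired": accept_voucher(long_lived_voucher(-1), serial_number=PLEDGE_SERIAL, now=NOW),
        "long-lived, no clock": accept_voucher(long_lived_voucher(30), serial_number=PLEDGE_SERIAL),
        "wrong device": accept_voucher(nonced_voucher(), serial_number="constructed-serial-9999", nonce=RUN_NONCE),
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:22} -> {'ACCEPT' if ok else 'REJECT'}: {detail}")
```

The two failure modes worth noting are the ones that do not depend on the signature at all: a replayed nonced voucher is rejected purely by the nonce comparison, and a long-lived voucher cannot be accepted by a pledge that has no trusted time, which is one reason a freshly unboxed device with no clock pairs naturally with nonced vouchers.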