Re: [Iot-onboarding] [Mud] Some new stuff for

Eliot Lear <> Mon, 23 March 2020 15:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E761D3A0878; Mon, 23 Mar 2020 08:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aEyHnAEIBZrl; Mon, 23 Mar 2020 08:20:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 540D83A0802; Mon, 23 Mar 2020 08:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=6275; q=dns/txt; s=iport; t=1584976834; x=1586186434; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=GW7S9PUTrUQ07ljIewsXp8DCwTrteQljpdHmFMAca+0=; b=gtP3DhuN3w4rQJFk0utf5UfugC/sajIjWNiVTfvhLExJbyq7fPj1otVU EZpBf1xXrKI+jG4phxTN3ICSKtiiCEbIKeThwg3Y0lC4txCJfyBDDLq6E XsiTLpG5iJwE7S226FgQbNBdJ4bREerpb7usI7WUGGIYWIaAttGuuOODX M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BgAAA603he/xbLJq1mGgEBAQEBAQE?= =?us-ascii?q?BAQMBAQEBEQEBAQICAQEBAYF7gXiBHVQBIBIqhBiJAogViWqJUIgLCQEBAQw?= =?us-ascii?q?BARgBCgwEAQGBUYJ0AoJLOBMCAwEBCwEBBQEBAQIBBQRthSoBBiUMhWMBAQE?= =?us-ascii?q?BAgEBASFLCwULCxgnAwICIQYfEQYTgyYBgksDDiAPrAZ1gTKFS4JjDYIggTi?= =?us-ascii?q?MSYIAgREnIIIfLj6CG0kBAYR2MoIsBI4ukluOTjJEgkaCVoUIimyEPR2DTot?= =?us-ascii?q?XjDSEXpVzjHmDNAIEBgUCFYFpIoFYMxoIGxU7KgGCQQk1EhgNgRqGdIZfiDe?= =?us-ascii?q?FQkADMI8WAQE?=
X-IronPort-AV: E=Sophos; i="5.72,296,1580774400"; d="scan'208,217"; a="24679082"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Mar 2020 15:20:32 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 02NFKVh2027354 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 23 Mar 2020 15:20:32 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E251391B-2609-4C5B-92D2-ACED997F42F8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.\))
Date: Mon, 23 Mar 2020 16:20:31 +0100
In-Reply-To: <>
To: "M. Ranganathan" <>
References: <> <>
X-Mailer: Apple Mail (2.3608.
X-Outbound-SMTP-Client:, []
Archived-At: <>
Subject: Re: [Iot-onboarding] [Mud] Some new stuff for
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Mar 2020 15:20:51 -0000

Hi Ranga,

> On 23 Mar 2020, at 16:09, M. Ranganathan <> wrote:
> I have a very basic question about the whole notion of mixing SBOM with MUD. MUD was intended for network access control whereas SBOM is more for ensuring software integrity. Should this be part of the MUD file or included (for example) as a pointer in the device certificate so it can be independent of MUD? Why include this as part of the MUD file?  I'd just like to understand the motivation.

There are several.  
First, they need some sort of a schema to describe how to get the SBOM in the first place, and if they’re going to go that far they will end up reproducing much of the MUD mechanism.  
Second, access control is just one use of MUD.  There are others, and this is one of them.  Another use that we are contemplating is a list of pointers to certification statements that organizations such as UL might make.  One could even envision a MUD file without ACLs, not that I would recommend it.  
Third, if you are going to produce an SBOM, it seems to me you OUGHT to describe what sort of access you expect the device to have so that if an adversary picks off the SBOM for that particular device or device type, you have some protection.
Fourth, if everyone does their own thing with device certificates they are going to bloat, and become operationally unmanageable. I’m not saying there isn’t room for more, but people should think of MUD more as a means to access various statements the vendor wants to make, and less about just ACLs.

> Stay healthy.
> Thanks,
> Ranga
> -- 
> Mud mailing list
> <>
> <>
> -- 
> M. Ranganathan