Re: [Iot-onboarding] BRSKI : proximity registrar cert and MITM question

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 19 February 2020 09:15 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D091200E9 for <iot-onboarding@ietfa.amsl.com>; Wed, 19 Feb 2020 01:15:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKc7MuhW8M_g for <iot-onboarding@ietfa.amsl.com>; Wed, 19 Feb 2020 01:15:04 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E78B120024 for <iot-onboarding@ietf.org>; Wed, 19 Feb 2020 01:15:04 -0800 (PST)
Received: from dooku.sandelman.ca (client-141-23-163-163.wlan.tu-berlin.de [141.23.163.163]) by relay.sandelman.ca (Postfix) with ESMTPS id BFF8F1F458; Wed, 19 Feb 2020 09:15:02 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 5BE3A1A2BAC; Wed, 19 Feb 2020 10:15:02 +0100 (CET)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "M. Ranganathan" <mranga@gmail.com>
cc: iot-onboarding@ietf.org
In-reply-to: <CAHiu4JPRyNT=DmykHw6KaU+Q6X_o70Zc_+i0NosM-zU_iiRSZg@mail.gmail.com>
References: <CAHiu4JPRyNT=DmykHw6KaU+Q6X_o70Zc_+i0NosM-zU_iiRSZg@mail.gmail.com>
Comments: In-reply-to "M. Ranganathan" <mranga@gmail.com> message dated "Tue, 18 Feb 2020 17:23:51 -0500."
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Date: Wed, 19 Feb 2020 10:15:02 +0100
Message-ID: <25486.1582103702@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/gFK-n29gPCPFyBsEJhoYKeC-cw4>
Subject: Re: [Iot-onboarding] BRSKI : proximity registrar cert and MITM question
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 09:15:07 -0000

M. Ranganathan <mranga@gmail.com> wrote:
    > The BRSKI spec says that the pledge needs to send the proximity
    > registrar certificate when it requests a voucher. This establishes to
    > the registrar that it is the same pledge with whom it established a TLS
    > association. Can the server certificate be re-used if a different
    > pledge connects?

The registrar uses the same certificate for all pledges.
The pledge puts that certificate into the voucher request, which is a kind of
witness to the connection.

    > I don't understand the MITM scenario. An example would be helpful.

Which specific scenario are you talking about?
A lot of situations turn out to be difficult to construct in a convincing way
because the device is authenticated by it's IDevID, and so a MITM would have
to have an acceptable IDevID as well.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [