IETF Logo Mail Archive

Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome

Eliot Lear <lear@cisco.com> Tue, 17 November 2020 06:41 UTC

Return-Path: <lear@cisco.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8926B3A1073 for <iot-onboarding@ietfa.amsl.com>; Mon, 16 Nov 2020 22:41:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMpMuqCF1CjU for <iot-onboarding@ietfa.amsl.com>; Mon, 16 Nov 2020 22:41:14 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF0E93A1051 for <iot-onboarding@ietf.org>; Mon, 16 Nov 2020 22:41:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10063; q=dns/txt; s=iport; t=1605595274; x=1606804874; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=rupxYA3rcQvSurwT/3zYWKiynfqt1n07QV8kz7x4rwI=; b=VwJVe6hkPMActph/BQQTEXQyi8Z5MvqkPpNSxN+0PudFX7i3BNvi0yEU dBD9Rp9vxRdFaaWd6+BBPFGyp8oQg+dBa1aXHa7dIkaiw+YsM5CBrqUQy ul7pXcr4AF5wHXkxfFyiweTYq0eH9L4p3NRSwPfEofw7Acv4p2db2D+ME Y=;
X-Files: signature.asc : 488
X-IPAS-Result: A0ATAwDCb7Nf/xbLJq1ZCRwBAQEBAQEHAQESAQEEBAEBgg+BdTVJK1UBIBIuhDyJBYghgQWTD4gZBAcBAQEKAwEBIwwEAQGESgKCISY4EwIDAQEBAwIDAQEBAQUBAQECAQYEcYVhDIVyAQEBAwEjVgULCxgqAgJXBhODJgGCZiAPrT92gTKFV4RgCgaBOIFTjAiCAIERJxyCGgcuPoJdAgIBgTCDQzOCLASQWIJQiAOBGptugneDG4E3hD6SCAMfoXmeUZFzg2QCBAYFAhWBayOBVzMaCBsVZQGCPj4SGQ2XJIVFQAMwAgE0AgYBCQEBAwmOSAEB
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.77,484,1596499200"; d="asc'?scan'208,217";a="31177054"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 17 Nov 2020 06:41:09 +0000
Received: from dhcp-10-61-99-159.cisco.com (dhcp-10-61-99-159.cisco.com [10.61.99.159]) by aer-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 0AH6f7lp009901 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 17 Nov 2020 06:41:07 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <2FE1E13B-E313-43F9-932E-6682DF72E18D@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_0FF6334B-9B0F-4D27-B7F3-5FA353124050"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Tue, 17 Nov 2020 07:41:06 +0100
In-Reply-To: <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com>
Cc: Shumon Huque <shuque@gmail.com>, "Panwei (William)" <william.panwei@huawei.com>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
To: Ash Wilson <ash.wilson=40valimail.com@dmarc.ietf.org>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Outbound-SMTP-Client: 10.61.99.159, dhcp-10-61-99-159.cisco.com
X-Outbound-Node: aer-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/oCH3E1Ras2buiQENcExPlM5NUv8>
Subject: Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 06:41:22 -0000

Hi Ash,

This all sounds fine.  I have a few thoughts, but nothing that invalidates the idea, I don’t think.  More about applicability.

> On 16 Nov 2020, at 20:13, Ash Wilson <ash.wilson=40valimail.com@dmarc.ietf.org> wrote:
> 
> Hi Wei Pan,
> The process of bootstrapping the device's identity is outside the scope of our drafts, but I completely agree that getting the bootstrapping process right is important. We think that using DANE like this doesn't conflict with other bootstrapping processes; it just adds a DNS-discoverable public key to the identity of the device when it is provisioned.
> 
> One of the processes we are seeking to simplify is that of establishing trust directly between devices in the field, both of which may have only a keypair, and not the benefit of PKI that chains to a publicly trusted CA.

Yes.  I think this is a great use of DANE.

> Supporting x.509 certificates is in the interest of providing broad protocol compatibility (including the support of other adjacent standards like MUD: https://tools.ietf.org/id/draft-ietf-opsawg-mud-22.html#mudx509 <https://tools.ietf.org/id/draft-ietf-opsawg-mud-22.html#mudx509>). By using TLSA for client auth, we allow devices with only a raw public key in DNS, as well as devices with metadata-rich x.509 certificates, to mutually authenticate without requiring the distribution of CA certificates, just based on knowledge of the communicating peer's DNS name.

What is configured at build time, what is configured at provisioning time, and what is accessed real time can mean trading off complexity against dependencies.  Absent OCSP there may be no external dependencies.  With OCSP (even with stapling) the situation might prove a little different.  This is worth discussion.



> 
> SIM/UICC identity providers may provision public keys in DNS, and leave a record of the device's DNS name in the SIM card (likely to be found in the certificate). This gives the device that receives the SIM card the ability to do all the things that the PKI ecosystem supports now, with the additional benefit of being able to mutually authenticate without the other side of the handshake needing to possess and trust the CA certificate used to sign the certificate that ships with the SIM card. Naming collisions are prevented by binding the public key to the DNS name- only the possessor of the private key corresponding to the TLSA record is the 'real' identity holder.

One thing we should look at is privacy considerations.  Who gets to query for this information?  What happens when they have it?  What is their authorization to have it?

> 
> In a similar fashion, device manufacturers may provision a DANE identity for devices before they ship. These device identities may reside in a DNS zone under the manufacturer's control, or the implementer may present the device certificates in a DNS zone under the implementer's control. This allows the identity to more naturally indicate the party responsible for the device's behavior, and can make the mitigation of some types of network abuse a little more straightforward.
> 

This is very close to the MASA function in BRSKI.  Worth discussing.

I wonder if we should have “side meeting”, either this week or in one of the following weeks, to discuss all of this.  Would people be interested?

Eliot

v2.23.0 | Report a Bug | By Email