Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 02 December 2020 22:28 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 980B23A159C for <iot-onboarding@ietfa.amsl.com>; Wed, 2 Dec 2020 14:28:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.834
X-Spam-Level:
X-Spam-Status: No, score=-0.834 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3L1_3PRokXPg for <iot-onboarding@ietfa.amsl.com>; Wed, 2 Dec 2020 14:28:49 -0800 (PST)
Received: from relay.sandelman.ca (minerva.sandelman.ca [IPv6:2a01:7e00::3d:b000]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FBEA3A1510 for <iot-onboarding@ietf.org>; Wed, 2 Dec 2020 14:28:48 -0800 (PST)
Received: from dooku.sandelman.ca (cpe788a207f397a-cmbc4dfb96bb50.sdns.net.rogers.com [174.116.121.43]) by relay.sandelman.ca (Postfix) with ESMTPS id 537171F45D; Wed, 2 Dec 2020 22:28:44 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 76ECB1A02BA; Wed, 2 Dec 2020 17:28:41 -0500 (EST)
Received: from dooku (localhost [127.0.0.1]) by dooku.sandelman.ca (Postfix) with ESMTP id 757561A026C; Wed, 2 Dec 2020 17:28:41 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ash Wilson <ash.wilson@valimail.com>
cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, Shumon Huque <shuque@gmail.com>
In-reply-to: <CAEfM=vTDPi6fQXR+EQ7jW04RsyZQRQXHw3R-fH+QiC70JKSZaA@mail.gmail.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com> <2FE1E13B-E313-43F9-932E-6682DF72E18D@cisco.com> <20201117074330.GP39343@faui48f.informatik.uni-erlangen.de> <CAEfM=vTDPi6fQXR+EQ7jW04RsyZQRQXHw3R-fH+QiC70JKSZaA@mail.gmail.com>
Comments: In-reply-to Ash Wilson <ash.wilson=40valimail.com@dmarc.ietf.org> message dated "Tue, 17 Nov 2020 10:53:44 -0800."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: text/plain
Date: Wed, 02 Dec 2020 17:28:41 -0500
Message-ID: <692795.1606948121@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/vF4NOTqmx4pKaSZxd8GqFdFSQ_o>
Subject: Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 22:28:52 -0000
<#secure method=pgpmime mode=sign> Hi Ash, I AM NOT A PKIX FAN. I hate it, BUT: Ash Wilson <ash.wilson=40valimail.com@dmarc.ietf.org> wrote: > application, hosted in the cloud. All sensors will use the city's > municipal wifi to connect to edge nodes. I do not want to be bound to > selecting the same vendor for all sensors (I want best-of-breed), and I > do not want to operate my own CA. For my risk model, it's OK to use > mfr-issued device certificates for all of my sensors. Could you explain a bit more about "operate my own CA". What infrastructure are you willing to operate? > Network access use case: I use cert-based EAP-TLS to provide network > access control for the networks my sensors and edge nodes connect > to. But, which certificates do you use? The IDevID ones? If so, do you just have a database which each EE certificate pinned? > In order to prevent the possibility of naming collision across > suppliers (which creates an opportunity for device impersonation, > improper network access, and unreliable data) I need to onboard all of > my devices to a single CA. > If I use DANE for device identity, I don't > need my own private CA, rather I only need to provide my RADIUS server > with a list of allowed device DNS names for the municipal sensor > network, regardless of device mfr or identity provider. How is this different than providing a database of EE or public keys? > Session security use case: My sensors connect to my edge nodes using > TLS. With traditional PKI, I need to make sure that the trust store in > every sensor has a CA cert for my edge nodes. My edge nodes need CA > certs to accommodate all sensors which might need to connect to > them. Without DANE for client identity, I need to either copy around CA > certs from all of my suppliers (name collision risk), or manage my own > CA and onboard all of those devices, which can be costly. With DANE for > TLS client identity, I can configure each sensor with the name of its > upstream edge server (use DANE as it is now), and I can configure each > edge server with the names of its allowed clients (use DANE for client > ID). My sensors use mDNS to discover edge node IP addresses, and use > DANE to authenticate the discovered edge nodes for establishing a TLS > session. I dunno, it feels like you are willing to jump through a lot of hoops to avoid running a CA. CAs are only hard if you are public and have CPS. > Message/object security use case: I want my edge nodes to forward This seems moot. Either way, you can use object security if you can track the signature to an identity. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Toerless Eckert
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Toerless Eckert
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Panwei (William)
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Eliot Lear
- [Iot-onboarding] Confusing terminology was Re: [S… Mohit Sethi M
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Mohit Sethi M
- Re: [Iot-onboarding] Confusing terminology was Re… Eliot Lear
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Mohit Sethi M
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Shumon Huque
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Phillip Hallam-Baker
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Dan Harkins
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Phillip Hallam-Baker
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Phillip Hallam-Baker
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Michael Richardson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson
- Re: [Iot-onboarding] [Secdispatch] DANE IOT propo… Ash Wilson