Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Thu, 08 August 2019 16:54 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Iot-onboarding] OPC and BRSKI
Thread-Index: AdVMZzs5EDHMP+c/QWCVcWuK34MU/QAGrJ8AAADfarAABKcngAAmKcyAAAUDvQAADyfMUAAfy3oAAAGXgVA=
Date: Thu, 08 Aug 2019 16:54:11 +0000
Message-ID: <BYAPR08MB49034F3B36F6979D59561FC3FAD70@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com> <11781.1565189957@localhost> <20190807172252.4sadxaiprm6hhmdy@faui48f.informatik.uni-erlangen.de> <BYAPR08MB490385B1BED4C665C79B1937FAD70@BYAPR08MB4903.namprd08.prod.outlook.com> <4671.1565279232@localhost>
In-Reply-To: <4671.1565279232@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/gnP0s4oxs6MvQRAurTP3Zxw5YGA>
Subject: Re: [Iot-onboarding] OPC and BRSKI
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
X-List-Received-Date: Thu, 08 Aug 2019 16:54:21 -0000

Hi Michael,

OPC UA uses SecurityProfiles to specify the exact algorithms. The RSA-based profiles do not have PFS, but the ECC profiles do.
We expect the ECC profiles (not released yet) to be most interesting to low-end device makers.
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part7/6.6.164/

It is not clear which tls-unique attribute you are interested in.
Do you need a unique identifier for the negotiated keys?
If so, the SecureChannelId + TokenId would provide that.
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part6/6.7.2/#Table43

Regards,

Randy
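
The binding Michael asks for and the identifier Randy proposes fit together as follows, shown here as an added example that is not from either author or from the OPC Foundation: the pledge derives a tls-unique-style channel-binding value from the SecureChannelId and TokenId of the secure channel it opened, signs it into its certificate request, and the registrar recomputes the value from the channel it sees on its own end and rejects a request whose binding does not match. The derivation (SHA-256 over a labelled little-endian encoding of the two ids) is an assumption for illustration, not an OPC UA definition; the HMAC with a shared key stands in for the CSR proof-of-possession signature the registrar would verify against the pledge's IDevID certificate.

```python
import hashlib
import hmac
import json
import struct


def channel_binding(channel_id: int, token_id: int) -> bytes:
    """Derive a 32-byte channel-binding value from the ids of an OPC UA SecureChannel.

    Assumption (illustrative, not an OPC UA specification): SHA-256 over a
    domain-separation label plus the two unsigned 32-bit ids encoded
    little-endian. Both peers compute the same value for the same channel and
    token; any other channel or token yields a different value.
    """
    return hashlib.sha256(
        b"opcua-channel-binding" + struct.pack("<II", channel_id, token_id)
    ).digest()


def make_bound_request(pledge_key: bytes, subject: str,
                       channel_id: int, token_id: int) -> dict:
    """Pledge side: build a CSR-like request carrying the binding value.

    The HMAC tag stands in for the CSR's proof-of-possession signature; in a
    real deployment this would be a signature with the pledge's private key.
    """
    body = {
        "subject": subject,
        "channel_binding": channel_binding(channel_id, token_id).hex(),
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(pledge_key, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_bound_request(pledge_key: bytes, request: dict,
                         channel_id: int, token_id: int) -> bool:
    """Registrar side: verify the request and its binding to *this* channel.

    channel_id/token_id are the ids of the channel on which the registrar
    itself received the request, never values taken from the request body.
    """
    encoded = json.dumps(request["body"], sort_keys=True).encode()
    expected_tag = hmac.new(pledge_key, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, request["tag"]):
        return False  # request was altered or not signed by the pledge
    expected_cb = channel_binding(channel_id, token_id).hex()
    # Constant-time compare so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(expected_cb, request["body"]["channel_binding"])


def demo() -> tuple:
    """Constructed scenario: one direct channel, one request relayed elsewhere."""
    pledge_key = b"constructed-pledge-key-for-demo"  # constructed, not a real key
    # Pledge opened channel 1 / token 5 to the registrar and signed that binding.
    req = make_bound_request(pledge_key, "pledge-0001", channel_id=1, token_id=5)
    direct_ok = verify_bound_request(pledge_key, req, channel_id=1, token_id=5)
    # The same request arriving on a different channel (2 / 7) must be rejected:
    # the registrar's own channel ids do not reproduce the signed binding.
    relayed_ok = verify_bound_request(pledge_key, req, channel_id=2, token_id=7)
    return direct_ok, relayed_ok


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind when comparing this with tls-unique: tls-unique is derived from the TLS handshake transcript, which includes both peers' certificates, whereas SecureChannelId and TokenId are identifiers assigned by the server. The binding above therefore ties the request to a particular channel, but the registrar still has to check that the application certificate authenticated on that channel is the one that signed the request.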


-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: August 8, 2019 8:47 AM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>; iot-onboarding@ietf.org; anima@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI


Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:
    >> That's what I referred to in my prior email: We would need to understand how to most easily duplicate the mutual authentication with certificates during TLS connection setup with OPC TCP UA messages.

    > OPC UA CP requires mutual authentication with Certificates bound to the
    > application rather than the machine. It provides everything that you
    > get from TLS.

Based upon my reading of the diagram, it is not obvious that it provides PFS, but I don't think PFS is particularly important for BRSKI.  It seems to support client certificates and server certificates, and that's enough.
We need an equivalent to tls-unique in order to properly bind the EST channel to the UA CP SecureChannel, but that's all I think.

    > So when the Pledge Device connects to the Registrar or the Certificate
    > Manager using UA the Device proves it has possession of the Device
    > private key.

    > That said, the KeyPair used for communication does not need to be the
    > same as the KeyPair used to authenticate.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-