[Iotops] BRSKI and IDevID (non-!)issues with draft-ietf-uta-use-san
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 14 May 2021 00:22 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BA933A1A41; Thu, 13 May 2021 17:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xbbqauy93p7u; Thu, 13 May 2021 17:22:49 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C5273A1A3F; Thu, 13 May 2021 17:22:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 509923913F; Thu, 13 May 2021 20:31:54 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id dKfuYomuPoCj; Thu, 13 May 2021 20:31:53 -0400 (EDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id DDE1B39132; Thu, 13 May 2021 20:31:52 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 63FE5688; Thu, 13 May 2021 20:22:46 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Salz, Rich" <rsalz@akamai.com>, "uta@ietf.org" <uta@ietf.org>, iotops@ietf.org, anima@ietf.org
In-Reply-To: <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com>
References: <F538FFD7-D172-4AEE-82DD-CF6F93936C3B@akamai.com> <D341C730-EBA1-4BF5-B200-0BE1A4B8A1D0@cisco.com> <413CBCFE-1FDF-458E-9F0E-E3D58F86E5D9@bluepopcorn.net> <A5B94C6E-419D-454E-92E8-FEEB5F8EDE17@cisco.com> <8A41ED29-2448-4633-AC45-33DE98A6BC81@akamai.com> <7B51BB81-1C9D-4B2F-AF83-1E528E620AE7@cisco.com> <CAFewVt4Pm6-T3XC65uEceuzpXjNubEYLWY9h1cmHdNBPcpOVXQ@mail.gmail.com> <42739D1C-004F-4DAD-8023-8E9731B46E05@cisco.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 13 May 2021 20:22:46 -0400
Message-ID: <15280.1620951766@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/5CgDE0AyEaBT6FN3O5QieywXTDc>
Subject: [Iotops] BRSKI and IDevID (non-!)issues with draft-ietf-uta-use-san
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 May 2021 00:22:54 -0000
I read the document before it was adopted (before SECDISPATCH), and I didn't see any problems with it. I have re-read it in the context of IoT or enterprise (routers) devices that might contain long-lived IDevID (sometimes called Manufacturer Installed Certificates, confusingly appreviated "MIC"). CISCO calls them Secure Unique Device Identifier (SUDI), and there are many other manufacturers with their own interesting names. I believe that the CHIP/MATTER effort also mandates such a thing for the purposes of identity and device attestation. In BRSKI (about to be RFC8995) TLS connections are initiated from a client (the pledge) to a Registrar. The TLS connections make use of ClientCertificates for identification. RFC6125 rules are not relevant to validation of the client certificate. If a CN=, emailAddress= or DC= was present in the ClientCertificate it would not be used as part of the validation in a compliant Registrar. The Registrar cares about the X520SerialNumber (aka "serialNumber=") only. In the other direction, the pledge does not initially validate the Registrar ServerCertificate at all. It is taken as given, provisionally, until such time as the pledge gets corroboration from an RFC8366 voucher. In general, the Registrar certificate is issued from a private (enterprise) PKI, and the corroboration depends upon a sales relationship with the vendor (the MASA). RFC6125 DNS-ID validations may occur in the MASA, depending upon policy. The new rules from use-san should apply without a problem, if any 6125 validation (vs explicit pinning) was used. The Registrar->MASA connection is already explicitely RFC6125 DNS-ID only. In summary, I don't see anything in use-san that will affect BRSKI. It may be that Cisco and other manufacturers use their certificates in other ways, and I can't speak for whether they might be affected. Some nits: > While not discussed in [RFC6125] this section also implicitly > prohibits the use of the Domain Component or emailAddress RDN's. 1) it seems like, since it's mentioned here, that it's not "implicit" at all. It seems rather explicit to me. 2) I think that the deprecation of a sequence of "DC=" probably warrants a sentence of its own. 3) I'm unclear how emailAddress was used when a DNS name was desired. Were there rules that allowed the client to say, "connect to example.com" and then validation was okay if the certificate says emailAddress=foo@example.com? If so, then I think that this situation should be more clearly deprecated. 4) I suggest that section 3 "The New Rules" should be in positive language only. Most of the language is what not to do. I think that this is important to list, but I suggest it be split up into a section "Do this" and a section "Do not do this" -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Brian Smith
- Re: [Iotops] [Uta] How should we change draft-iet… Eliot Lear
- Re: [Iotops] [Uta] How should we change draft-iet… Salz, Rich
- [Iotops] BRSKI and IDevID (non-!)issues with draf… Michael Richardson
- Re: [Iotops] [Uta] How should we change draft-iet… Michael Richardson
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Eliot Lear
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Eliot Lear
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Salz, Rich
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Michael Richardson
- Re: [Iotops] BRSKI and IDevID (non-!)issues with … Spencer Dawkins at IETF