Re: [Iotops] maintain ownership

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 05 November 2020 19:43 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>, "Amyas Phillips, Ambotec" <amyas@ambotec.org>, "iotops@ietf.org" <iotops@ietf.org>
References: <B8F9A780D330094D99AF023C5877DABAADB1F8C6@dggeml511-mbs.china.huawei.com> <15665.1604430085@localhost> <20201103204823.GE48111@faui48f.informatik.uni-erlangen.de> <5254.1604514609@localhost> <EEF8A3ED-E57D-4F84-92DD-5C74123AFD91@ambotec.org> <20562.1604598209@localhost>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <45ed90d2-28ad-0726-2ce6-1b92a4fd9712@gmail.com>
Date: Fri, 06 Nov 2020 08:43:06 +1300
In-Reply-To: <20562.1604598209@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/5JteD9MJpVtTE7ukCOMlUIngQeU>
Subject: Re: [Iotops] maintain ownership

On 06-Nov-20 06:43, Michael Richardson wrote:
> 
> Amyas Phillips, Ambotec <amyas@ambotec.org> wrote:
>     > Most IoT devices are
>     > now sold with EULAs, constraining any remaining legal concept of
>     > ownership with contractual terms.
> 
>     > You can even find that a licence
>     > to use it is the only thing you get when you buy a device, legal title
>     > remaining with the vendor.
> 
> Yes.
> Many people have problems with this, but ideally, this state of things would be more explicit.
> I think that, if explained clearly, many entities would refuse to
> "license" the device.
> 
>     > I’d like to suggest that we set aside legal title and say “ownership”
>     > for the purpose of this discussion means “logical control of a
>     > device”. Transfer of logical control is an important and delicate event
>     > in an IoT device’s lifecycle so this seems to fit within the aims of
>     > the charter, even if it isn’t mentioned explicitly.
> 
>     > I’d like to further suggest that logical control ultimately means the
>     > right to control what software is installed on a device. That is to
>     > say, ownership == logical control == the right to set and (if transfer
>     > of control is supported) replace the firmware update trust anchor. That
>     > is what ownership means. Every other form of control is delegated from
>     > that and is called something other than “ownership".
> 
> This definition works for me.

It's attractive, but it leaves me with one concern. The concept of "ownership"
implies the concept of "theft". If ownership is defined in this new way,
what is the equivalent definition of theft? How do we know that the entity
with logical control really has the right to that control? How do we
know that control has been stolen?

I don't mean that this is a show-stopper, but it does mean that the new
definition chases its own tail to some extent.

   Brian

> 
>     > 1. What if an IC has an integrated secure element under logical control
>     > of a third party and it is impossible even for a person with legal
>     > title to seize control of that SE?
> 
>     > That’s fine, just acknowledge the SE as a separate domain of
>     > control. Someone has physical title, possibly constrained by license
>     > terms. Someone has logical control of the SE. Someone has logical
>     > control of the ‘insecure’ computing environment. It would be a similar
>     > situation in a device with a main application processor and a separate
>     > wireless module with its own firmware.
> 
>     > 2. Wouldn’t this mean that any device whose firmware has to be signed
>     > by its OEM is still under the logical control of and “owned” by that
>     > OEM?
> 
>     > Yes.
> 
> Agreed.
> 
>     > 3. But that’s not who I mean when I talk about the owner!
> 
>     > I get it, but this just means different and more specific terminology
>     > is required. You might mean the entity trusted by the device to issue
>     > application-layer commands (possibly including commands to set
>     > application-layer trust anchors).
> 
> Agreed.
> 
>     > 6. What if the device ships without trust anchors, who owns it then?
> 
>     > It is in a first-to-claim state. That assumes that once “claimed” it
>     > can’t be claimed by anyone else without the current claimant’s
>     > authorisation.
> 
> Or, maybe it can't be updated, and it's first-malware-to-claim :-)
> 
>     > 8. Isn’t it possible to dream up IoT devices that don’t have logical
>     > controllers?
> 
>     > I guess so - you could do without secure boot and expose
>     > unauthenticated interfaces, or you could make a device that is always
>     > claimable - but that doesn't invalidate the concept.
> 
> Are you, in "always claimable", including the case that the device
> manufacturer will delegate software signing to the legal physical owner?
> Apparently, many enterprises demand the right to control what and when
> updates are deployed, and thus this has become a thing in SUIT.
> 
>     > 9. What does transfer of ownership mean then?
> 
>     > Setting someone else’s TA in the initial bootloader.
> 
> !yup.
> 
>     > 10. What if a hacker obtains arbitrary code execution?
> 
>     > They 0wn the device but they don’t own it - not unless they can make
>     > their control permanent across reboots. They have application layer
>     > logical control until a reboot.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
>
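The ownership model discussed in this thread (ownership as the right to set and replace the firmware-update trust anchor, a first-to-claim state for devices shipped without anchors, transfer by setting someone else's TA, and runtime code execution that does not survive a reboot), worked through as an added Go example that is not part of this thread or of any IETF document. The Device type, the TransferRecord chain, the message prefixes and the key names are all constructed for illustration; Ed25519 stands in for whatever signature scheme a real bootloader uses; and the ProvenanceValid chain check is one possible answer to the theft question raised above, not something the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Device is a toy bootloader model constructed for this example: whoever can set its
// firmware-update trust anchor "owns" it in the sense used in the thread.
type Device struct {
	TrustAnchor ed25519.PublicKey // nil = unclaimed, the "first-to-claim" state
	Firmware    []byte            // persisted image, re-verified at every boot
	FirmwareSig []byte
	Runtime     string           // whatever is executing now; discarded on reboot
	History     []TransferRecord // every anchor change since the first claim
}

// TransferRecord is the new anchor signed under the previous one; From is nil for the first claim.
type TransferRecord struct{ From, To ed25519.PublicKey; Sig []byte }

var ErrBadSignature = errors.New("not signed under the current trust anchor (or device unclaimed)")

// Domain-separated messages, so a firmware signature can never be replayed as a transfer authorisation.
func transferMsg(anchor ed25519.PublicKey) []byte { return append([]byte("ta-transfer:"), anchor...) }
func firmwareMsg(image []byte) []byte            { return append([]byte("fw-image:"), image...) }

// verify never panics on a nil or malformed anchor: an unclaimed device accepts nothing.
func verify(anchor ed25519.PublicKey, msg, sig []byte) bool {
	return len(anchor) == ed25519.PublicKeySize && ed25519.Verify(anchor, msg, sig)
}

// InstallFirmware accepts an image only if it is signed under the current anchor.
func (d *Device) InstallFirmware(image, sig []byte) error {
	if !verify(d.TrustAnchor, firmwareMsg(image), sig) {
		return ErrBadSignature
	}
	d.Firmware, d.FirmwareSig = image, sig
	return nil
}

// TransferOwnership sets a new anchor. An unclaimed device accepts the first claim outright;
// a claimed one requires the new anchor to be signed by the current holder.
func (d *Device) TransferOwnership(newAnchor ed25519.PublicKey, authSig []byte) error {
	if d.TrustAnchor != nil && !verify(d.TrustAnchor, transferMsg(newAnchor), authSig) {
		return ErrBadSignature
	}
	d.History = append(d.History, TransferRecord{From: d.TrustAnchor, To: newAnchor, Sig: authSig})
	d.TrustAnchor = newAnchor
	return nil
}

// Reboot discards application-layer state and re-verifies the persisted image under the current anchor.
func (d *Device) Reboot() error {
	d.Runtime = ""
	if !verify(d.TrustAnchor, firmwareMsg(d.Firmware), d.FirmwareSig) {
		return ErrBadSignature // nothing installed, or an image signed under a previous anchor
	}
	d.Runtime = "firmware:" + string(d.Firmware)
	return nil
}

// ProvenanceValid is one possible answer to "how do we know control was not stolen":
// every anchor change since the first claim must carry the previous holder's signature.
func (d *Device) ProvenanceValid() bool {
	if len(d.History) == 0 || d.History[0].From != nil {
		return false
	}
	for _, r := range d.History[1:] {
		if !verify(r.From, transferMsg(r.To), r.Sig) {
			return false
		}
	}
	return d.TrustAnchor.Equal(d.History[len(d.History)-1].To)
}

// Scenario walks the thread's cases on a fresh device and reports each outcome by name.
// GenerateKey(nil) draws from crypto/rand; its error is ignored only because this is an example.
func Scenario() map[string]bool {
	ownerPK, ownerSK, _ := ed25519.GenerateKey(nil)
	buyerPK, buyerSK, _ := ed25519.GenerateKey(nil)
	strangerPK, strangerSK, _ := ed25519.GenerateKey(nil)
	img, d, r := []byte("firmware-v1"), &Device{}, map[string]bool{}
	r["unclaimed_rejects_firmware"] = errors.Is(d.InstallFirmware(img, ed25519.Sign(ownerSK, firmwareMsg(img))), ErrBadSignature)
	r["first_claim_ok"] = d.TransferOwnership(ownerPK, nil) == nil
	r["second_claim_rejected"] = errors.Is(d.TransferOwnership(buyerPK, nil), ErrBadSignature)
	r["owner_update_ok"] = d.InstallFirmware(img, ed25519.Sign(ownerSK, firmwareMsg(img))) == nil
	r["stranger_update_rejected"] = errors.Is(d.InstallFirmware(img, ed25519.Sign(strangerSK, firmwareMsg(img))), ErrBadSignature)
	d.Runtime = "unsigned-runtime-code" // application-layer control only; the anchor is untouched
	r["transfer_ok"] = d.TransferOwnership(buyerPK, ed25519.Sign(ownerSK, transferMsg(buyerPK))) == nil
	r["old_owner_rejected_after_transfer"] = errors.Is(d.InstallFirmware(img, ed25519.Sign(ownerSK, firmwareMsg(img))), ErrBadSignature)
	r["boot_fails_until_resigned"] = errors.Is(d.Reboot(), ErrBadSignature) // image is still under the old anchor
	r["runtime_lost_on_reboot"] = d.InstallFirmware(img, ed25519.Sign(buyerSK, firmwareMsg(img))) == nil && d.Reboot() == nil && d.Runtime == "firmware:firmware-v1"
	r["provenance_valid"] = d.ProvenanceValid()
	// An anchor change that the previous holder never signed fails the chain check.
	forged := &Device{TrustAnchor: strangerPK, History: append(append([]TransferRecord{}, d.History...),
		TransferRecord{From: buyerPK, To: strangerPK, Sig: ed25519.Sign(strangerSK, transferMsg(strangerPK))})}
	r["forged_transfer_detected"] = !forged.ProvenanceValid()
	return r
}

func main() { fmt.Println(Scenario()) }
```

Running it prints one boolean per case, all true. Two outcomes go slightly beyond what the thread says explicitly: after the transfer, the persisted image still carries the old owner's signature, so the next boot fails until the new owner installs a re-signed image, which is one concrete reason transfer of logical control is a delicate lifecycle event; and a device whose anchor was changed without the previous holder's signature cannot produce a valid transfer chain, which is this toy's working definition of theft.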