[Iotops] comments on draft-sweet-iot-acme-00.txt

Michael Sweet <msweet=40msweet.org@dmarc.ietf.org> wrote:
    > A proposed solution for locally-managed (and trusted) X.509
    > certificates, to solve the "this web site will eat your child" errors.
    > I'm working on coding up a sample implementation...

    > Comments/feedback is appreciated!

As I understand it,

1) I need to teach all the browsers which I will use at my home include this new
   trust anchor, and ideally, to trust it only for .local.
   If I don't do a path restriction for .local, then the new anchor could
   impersonate any web property.   That comes with significant liability,
   since they could intercept my bank cookies, steal the end users' money, etc.

   And, even when I do that path restriction, if there are multiple places
   that do this, then I might need to trust multiple anchors to speak for .local.
   (The one at my home, my parents' home, the small nursury school, the
   church office, ....)

   I'm unaware of protocols to discover local trust anchors on a
   per-provisioning domain basis.  But actually, it's something we probably
   need.
   Perhaps that's something you'd be interested in working on?

2) The innovation here is using RFC8555 to enroll rather than, say, RFC7030,
   or CSA/MATTER, or OPC UA, or...

   * We still need to setup a local certification authority someplace.
   * We need to teach IoT devices to do RFC8555.

So for this proposal to fly, three things need to happen:

a) updates to browser.
b) updates to IoT devices
c) updates to local network to have ACME server

Please see our SUIB talks at IETF112 and IETF113.

I can't see how this is different than the requirements to deploy RFC8995 in
he home.  It also seems to include no authorized transfer of ownership, nor
does it seem to deal with how to get (unique, per-device, because RCM) WiFI
credentials to the device.

    >> Begin forwarded message:
    >>
    >> From: internet-drafts@ietf.org Subject: New Version Notification for
    >> draft-sweet-iot-acme-00.txt Date: April 6, 2022 at 12:12:43 PM EDT To:
    >> "Michael Sweet" <msweet@msweet.org>
    >>
    >>
    >> A new version of I-D, draft-sweet-iot-acme-00.txt has been
    >> successfully submitted by Michael Sweet and posted to the IETF
    >> repository.
    >>
    >> Name: draft-sweet-iot-acme Revision: 00 Title: ACME-Based Provisioning
    >> of IoT Devices Document date: 2022-04-06 Group: Individual Submission
    >> Pages: 10 URL:
    >> https://www.ietf.org/archive/id/draft-sweet-iot-acme-00.txt Status:
    >> https://datatracker.ietf.org/doc/draft-sweet-iot-acme/ Html:
    >> https://www.ietf.org/archive/id/draft-sweet-iot-acme-00.html Htmlized:
    >> https://datatracker.ietf.org/doc/html/draft-sweet-iot-acme
    >>
    >>
    >> Abstract: This document extends the Automatic Certificate Management
    >> Environment (ACME) [RFC8555] to provision X.509 certificates for local
    >> Internet of Things (IoT) devices that are accepted by existing web
    >> browsers and other software running on End User client devices.
    >>
    >>
    >>
    >>
    >> The IETF Secretariat
    >>
    >>

    > ________________________ Michael Sweet

    > ----------------------------------------------------
    > Alternatives:

    > ----------------------------------------------------
    > --
    > Iotops mailing list Iotops@ietf.org
    > https://www.ietf.org/mailman/listinfo/iotops

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

[Iotops] comments on draft-sweet-iot-acme-00.txt

Attachment: signature.asc