Re: [Iotops] maintain ownership (was: can we create protocols that securely transfer ownership?)

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 05 November 2020 17:43 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Amyas Phillips, Ambotec" <amyas@ambotec.org>, "iotops@ietf.org" <iotops@ietf.org>
In-Reply-To: <EEF8A3ED-E57D-4F84-92DD-5C74123AFD91@ambotec.org>
References: <B8F9A780D330094D99AF023C5877DABAADB1F8C6@dggeml511-mbs.china.huawei.com> <15665.1604430085@localhost> <20201103204823.GE48111@faui48f.informatik.uni-erlangen.de> <5254.1604514609@localhost> <EEF8A3ED-E57D-4F84-92DD-5C74123AFD91@ambotec.org>
Date: Thu, 05 Nov 2020 12:43:29 -0500
Message-ID: <20562.1604598209@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/IFMrNfK59sP0FfDorz1eck4Fk8g>
Subject: Re: [Iotops] maintain ownership (was: can we create protocols that securely transfer ownership?)

Amyas Phillips, Ambotec <amyas@ambotec.org> wrote:
    > Most IoT devices are
    > now sold with EULAs, constraining any remaining legal concept of
    > ownership with contractual terms.

    > You can even find that a licence
    > to use it is the only thing you get when you buy a device, legal title
    > remaining with the vendor.

Yes.
Many people have problems with this, but ideally, this state of things would be more explicit.
I think that, if explained clearly, many entities would refuse to
"license" the device.

    > I’d like to suggest that we set aside legal title and say “ownership”
    > for the purpose of this discussion means “logical control of a
    > device”. Transfer of logical control is an important and delicate event
    > in an IoT device’s lifecycle so this seems to fit within the aims of
    > the charter, even if it isn’t mentioned explicitly.

    > I’d like to further suggest that logical control ultimately means the
    > right to control what software is installed on a device. That is to
    > say, ownership == logical control == the right to set and (if transfer
    > of control is supported) replace the firmware update trust anchor. That
    > is what ownership means. Every other form of control is delegated from
    > that and is called something other than “ownership".

This definition works for me.

    > 1. What if an IC has an integrated secure element under logical control
    > of a third party and it is impossible even for a person with legal
    > title to seize control of that SE?

    > That’s fine, just acknowledge the SE as a separate domain of
    > control. Someone has physical title, possibly constrained by license
    > terms. Someone has logical control of the SE. Someone has logical
    > control of the ‘insecure’ computing environment. It would be a similar
    > situation in a device with a main application processor and a separate
    > wireless module with its own firmware.

    > 2. Wouldn’t this mean that any device whose firmware has to be signed
    > by its OEM is still under the logical control of and “owned” by that
    > OEM?

    > Yes.

Agreed.

    > 3. But that’s not who I mean when I talk about the owner!

    > I get it, but this just means different and more specific terminology
    > is required. You might mean the entity trusted by the device to issue
    > application-layer commands (possibly including commands to set
    > application-layer trust anchors).

Agreed.

    > 6. What if the device ships without trust anchors, who owns it then?

    > It is in a first-to-claim state. That assumes that once “claimed” it
    > can’t be claimed by anyone else without the current claimant’s
    > authorisation.

Or, maybe it can't be updated, and it's first-malware-to-claim :-)

    > 8. Isn’t it possible to dream up IoT devices that don’t have logical
    > controllers?

    > I guess so - you could do without secure boot and expose
    > unauthenticated interfaces, or you could make a device that is always
    > claimable - but that doesn't invalidate the concept.

Are you, in "always claimable", including the case that the device
manufacturer will delegate software signing to the legal physical owner?
Apparently, many enterprises demand the right to control what and when
updates are deployed, and thus this has become a thing in SUIT.

    > 9. What does transfer of ownership mean then?

    > Setting someone else’s TA in the initial bootloader.

!yup.

    > 10. What if a hacker obtains arbitrary code execution?

    > They 0wn the device but they don’t own it - not unless they can make
    > their control permanent across reboots. They have application layer
    > logical control until a reboot.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
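The following Go model is an added illustration of the ownership definition discussed in the thread; it is not code from the thread, from SUIT, or from any IETF draft. It shows the four pieces the exchange relies on: the owner is whoever holds the key matching the bootloader's firmware-update trust anchor; an unset anchor is the "first-to-claim" state (and the window in which "first-malware-to-claim" applies); transfer of ownership means the current anchor holder signs the replacement anchor; and firmware from anyone else, including an attacker who had code execution before the reboot, is rejected when the device boots. The `Device` type, the `Claim`/`Transfer`/`Boot` method names and the signed transfer-message format are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models only the part of a bootloader that matters for the thread's
// definition: the firmware-update trust anchor. A nil anchor is the
// "first-to-claim" state; whoever holds the matching private key is the owner.
type Device struct {
	TrustAnchor ed25519.PublicKey
}

// Claim sets the anchor on an unclaimed device. Once set, the only way to
// change it is Transfer, so a later claim by anyone else is refused.
func (d *Device) Claim(owner ed25519.PublicKey) error {
	if d.TrustAnchor != nil {
		return errors.New("device already claimed; current owner must authorise a transfer")
	}
	d.TrustAnchor = owner
	return nil
}

// transferMsg is the statement the current owner signs. Binding both the
// current and the next anchor (plus a constructed domain-separation label)
// keeps one signed transfer from being replayed onto a device with a
// different anchor or redirected to a different new owner. The format is
// an assumption of this example, not a protocol from the thread.
func transferMsg(current, next ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("example-ownership-transfer-v1"))
	h.Write(current)
	h.Write(next)
	return h.Sum(nil)
}

// SignTransfer is what the current owner runs to hand the device over.
func SignTransfer(currentPriv ed25519.PrivateKey, next ed25519.PublicKey) []byte {
	current := currentPriv.Public().(ed25519.PublicKey)
	return ed25519.Sign(currentPriv, transferMsg(current, next))
}

// Transfer replaces the anchor only on proof that the current owner agreed.
func (d *Device) Transfer(next ed25519.PublicKey, authorisation []byte) error {
	if d.TrustAnchor == nil {
		return errors.New("device is unclaimed; use Claim")
	}
	if !ed25519.Verify(d.TrustAnchor, transferMsg(d.TrustAnchor, next), authorisation) {
		return errors.New("transfer not authorised by current owner")
	}
	d.TrustAnchor = next
	return nil
}

// Boot is the reboot check: firmware runs only if signed under the current
// anchor. Whatever an attacker ran before the reboot has no say here, which
// is why arbitrary code execution alone is not ownership in the thread's sense.
func (d *Device) Boot(firmware, signature []byte) (bool, error) {
	if d.TrustAnchor == nil {
		return false, errors.New("no trust anchor: device is unclaimed")
	}
	return ed25519.Verify(d.TrustAnchor, firmware, signature), nil
}

func main() {
	// Constructed keys standing in for an OEM and a buyer.
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	buyerPub, buyerPriv, _ := ed25519.GenerateKey(rand.Reader)
	d := &Device{}

	fmt.Println("claim by OEM:", d.Claim(oemPub))
	fmt.Println("second claim by buyer:", d.Claim(buyerPub))
	fmt.Println("transfer OEM -> buyer:", d.Transfer(buyerPub, SignTransfer(oemPriv, buyerPub)))

	fw := []byte("constructed firmware image v2")
	okOld, _ := d.Boot(fw, ed25519.Sign(oemPriv, fw))
	okNew, _ := d.Boot(fw, ed25519.Sign(buyerPriv, fw))
	fmt.Println("boots firmware signed by previous owner:", okOld)
	fmt.Println("boots firmware signed by new owner:", okNew)
}
```

The model deliberately has a single anchor: the application-layer controller the thread distinguishes from the owner would be a second, delegated key whose holder can issue commands but cannot call `Transfer`. Note also what the model does not cover: a device that cannot be updated at all never leaves the unclaimed state, which is exactly the case the reply jokes about.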