Re: [Iotops] can we create protocols that securely transfer ownership?

Toerless Eckert <tte@cs.fau.de> Sun, 01 November 2020 16:51 UTC

Date: Sun, 01 Nov 2020 17:51:25 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: William_J_G Overington <wjgo_10009=40btinternet.com@dmarc.ietf.org>, Iotops@ietf.org
Message-ID: <20201101165125.GQ48111@faui48f.informatik.uni-erlangen.de>
References: <6e7fc2c3.ccb.1757e4c3e9e.Webtop.227@btinternet.com> <4838.1604246428@localhost>
In-Reply-To: <4838.1604246428@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/dX9U4Xt72T1HOrQP4lQb_UJRYlA>

On Sun, Nov 01, 2020 at 11:00:28AM -0500, Michael Richardson wrote:
> While there is an issue of how to maintain software beyond the lifetime of
> the (interest of the marketing department) of the manufacturer, the bigger
> picture is that the device is cryptographically locked to running on software
> approved (digitally signed) by the manufacturer.
> 
> We actually *need* this kind of lockdown in order to keep malware out.
> But, one person's weed is another person's wild-flower.

Many ways to cut the cake:

IMHO, devices MUST permit overriding the TA for secure boot/software with
an owner TA, so I can securely allow it to only run software that I, as the
owner, sign. And those TAs ultimately would be what identifies the owner,
more so than any certificate (because the TAs designate who can do something
with the device).

In addition, I would want vouchers that sign, with my own TA, the cert
of a vendor-signed piece of software, so I can install such software.

Most classical use case: do not permit arbitrary staff to install
random vendor software versions, but only those that have been verified
and approved by some testing department. And those vouchers might
be short-lived, so that installation can only happen in a time window
before a likely better, updated software version would be preferable.
Or a later downgrade without permission.

> Having the hexdump doesn't help us much.  We basically already have that.
> Often we have the entire source code, but we still can't load it into the
> device because we don't have the keys that are baked (literally: by laser
> blown fuses into the silicon) into the device.

Laser-blown fuses sound expensive. We have had OTP memory forever.

Cheers
    Toerless
-- 
---
tte@cs.fau.de
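The policy Toerless sketches above (an owner trust anchor replacing the manufacturer's as the device's boot TA, plus short-lived owner-signed vouchers that admit a vendor-signed image only inside an approval window), worked through as an added Go example; it is not part of this thread and not code from any IETF project. It uses Ed25519 from the Go standard library, and everything else is constructed for the example: the Image and Voucher layouts, the domain-separation labels, the 48-hour window and the generated keys. A voucher here names the vendor's public key directly rather than a certificate, and the example leaves aside how the TA override itself is authorised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

type Image struct { // software payload plus its builder's Ed25519 signature under Signer
	Payload []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

// Voucher is the owner's short-lived, TA-signed statement that images signed by VendorKey
// may boot between NotBefore and NotAfter (Unix seconds): "signing the vendor's cert with my TA".
type Voucher struct {
	VendorKey           ed25519.PublicKey
	NotBefore, NotAfter int64
	Sig                 []byte
}

var ErrBadKey = errors.New("public key has wrong length")
var ErrBadImageSig = errors.New("image signature does not verify under its signer key")
var ErrNoVoucher = errors.New("signer is not the boot TA and no valid owner voucher covers it")

// tbs builds a domain-separated digest, so an image signature can never pass as a voucher.
func tbs(label string, parts ...[]byte) []byte {
	buf := []byte(label)
	for _, p := range parts {
		buf = append(buf, p...)
	}
	h := sha256.Sum256(buf)
	return h[:]
}

func (v Voucher) tbs() []byte {
	return tbs("voucher-v1:", v.VendorKey, []byte(fmt.Sprintf("|%d|%d", v.NotBefore, v.NotAfter)))
}

func SignImage(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{payload, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, tbs("image-v1:", payload))}
}

func IssueVoucher(ownerPriv ed25519.PrivateKey, vendor ed25519.PublicKey, nb, na time.Time) Voucher {
	v := Voucher{VendorKey: vendor, NotBefore: nb.Unix(), NotAfter: na.Unix()}
	v.Sig = ed25519.Sign(ownerPriv, v.tbs())
	return v
}

// VerifyBoot is the device policy under boot trust anchor bootTA (manufacturer key as shipped,
// owner key once overridden): image signed by bootTA itself, or by a vendor key that a valid,
// bootTA-signed voucher names.
func VerifyBoot(bootTA ed25519.PublicKey, img Image, vouchers []Voucher, now time.Time) error {
	if len(img.Signer) != ed25519.PublicKeySize { // ed25519.Verify panics on other lengths
		return ErrBadKey
	}
	if !ed25519.Verify(img.Signer, tbs("image-v1:", img.Payload), img.Sig) {
		return ErrBadImageSig
	}
	if img.Signer.Equal(bootTA) {
		return nil // owner-built image, signed directly by the boot TA
	}
	t := now.Unix()
	for _, v := range vouchers {
		inWindow := t >= v.NotBefore && t <= v.NotAfter // outside it: no install, no later downgrade
		if len(v.VendorKey) == ed25519.PublicKeySize && v.VendorKey.Equal(img.Signer) && inWindow &&
			ed25519.Verify(bootTA, v.tbs(), v.Sig) {
			return nil
		}
	}
	return ErrNoVoucher
}

type Outcome struct{ OwnerBeforeOverride, OwnerDirect, VendorInWindow, VendorExpired, VendorUnvouched, Tampered error }

// Scenario: a device locked to the manufacturer key, then re-anchored to the owner key, who
// issues a 48-hour voucher for the vendor's signing key. All keys are generated on the spot.
func Scenario() Outcome {
	mfrPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2020, 11, 1, 17, 0, 0, 0, time.UTC)
	ownerImg := SignImage(ownerPriv, []byte("owner-built firmware"))
	vendorImg := SignImage(vendorPriv, []byte("vendor firmware 2.3"))
	tampered := Image{[]byte("vendor firmware 2.3, altered after signing"), vendorImg.Signer, vendorImg.Sig}
	vouchers := []Voucher{IssueVoucher(ownerPriv, vendorPub, t0, t0.Add(48*time.Hour))}
	return Outcome{
		OwnerBeforeOverride: VerifyBoot(mfrPub, ownerImg, nil, t0),
		OwnerDirect:         VerifyBoot(ownerPub, ownerImg, nil, t0),
		VendorInWindow:      VerifyBoot(ownerPub, vendorImg, vouchers, t0.Add(time.Hour)),
		VendorExpired:       VerifyBoot(ownerPub, vendorImg, vouchers, t0.Add(72*time.Hour)),
		VendorUnvouched:     VerifyBoot(ownerPub, vendorImg, nil, t0),
		Tampered:            VerifyBoot(ownerPub, tampered, vouchers, t0),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Run it with `go run`; Scenario reports one policy decision per step. The first case is the lockdown Michael describes: an owner-built image is refused while the device is still anchored to the manufacturer key. The expired case is what the time window buys: the same vendor image that booted an hour after the voucher was issued is refused three days later, so a stale version cannot be installed (or rolled back to) without a fresh voucher. ed25519.Verify panics on a public key of the wrong length, hence the explicit length checks before each call.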