[Iotops] assemblies and onboarding and 802.1AR device identity
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 14 March 2021 18:14 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27C723A0CE7 for <iotops@ietfa.amsl.com>; Sun, 14 Mar 2021 11:14:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GdbWSsnoniHh for <iotops@ietfa.amsl.com>; Sun, 14 Mar 2021 11:14:14 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 103833A0CE3 for <iotops@ietf.org>; Sun, 14 Mar 2021 11:14:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id C0EF1389C4; Sun, 14 Mar 2021 14:19:31 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wMX05GZUURpF; Sun, 14 Mar 2021 14:19:29 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id B1E13389C0; Sun, 14 Mar 2021 14:19:29 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 268B21C0; Sun, 14 Mar 2021 14:14:10 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>, iotops@ietf.org
In-Reply-To: <75F17573-ED6C-4A08-88A2-574BF06BD91B@cisco.com>
References: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com> <E0971364-E3AD-40C6-A08A-A0BA7E64D18F@cisco.com> <22167.1615685681@localhost> <75F17573-ED6C-4A08-88A2-574BF06BD91B@cisco.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 14 Mar 2021 14:14:10 -0400
Message-ID: <18406.1615745650@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/gtUp-rA_AL4DUAVck5Tg2UfusO0>
Subject: [Iotops] assemblies and onboarding and 802.1AR device identity
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Mar 2021 18:14:16 -0000
Eliot Lear <lear@cisco.com> wrote: >>> I’d like to take that latter case off the table, but then we need to >>> seriously think about RATS or SUIT providing a standard protected TLV >>> list that deployments could receive through a standard interface. >>> These are attestations of a form, but they’re not really >>> measurements, as has been previously discussed here. >> >> Can you give me an example of one of these attributes? > Soooo…. Here’s an example: > Suppose I am a system integrator who needs to assemble a device out of > constituent components that includes a particular software load. I > wish to claim to be the manufacturer of the device, as I am the one > producing the final product. I want to therefore provide the > onboarding service. That requires a change of URL for the MASA in > BRSKI terms. I may also wish to change the MUD-URL based on the > software load. > The core question I am asking is this: we have attributes about the > device I these certificates that really could be elsewhere. But where? It seems clear that the assembler needs to create a new IDevID, and they need to store it somewhere, and it needs to express itself rather than the individual components. It seems to me that if one can effect to load a particular software, then one ought to have control via that software load of the onboarding and which IDevID is expressed. Remembering that we invented multitasking because CPUs were very expensive, leading eventually to virtualization and containers, but that most of our security issues are the result of sharing of resources, I suggest that maybe the answer here is to stop sharing when doing an assembly. The "control plane" CPU for the assembly doesn't have to actually do any of the work other than coordination and onboarding. That having a $3 ATMEGA MCU hold all of the desired upward (for onboarding of the assembly) and downward (for keeping track of the onboard components) might make the most sense. I don't think that's a big cost for an assembler if the assembly is worth thousands to fractions of millons. (I come back to the bogie assembly for a railcar, which has got to be worth a fair bit. Also: airplanes and cars. However, we should think about smaller assemblies as well, including things like a desktop computer's CPUs, GPUs and MCUs in keyboards and hard disks. Component stereo/AV systems in homes and in theatres.) I'm not suggesting this MCU is an active Registrar, but rather, it's the like it's the TPM/CA for a Registrar component that the assembler brings into the do work stuff out. A tool if you like. So, it would store the credentials. It's a superset of the KDC. (insert storey about KDC that was drywalled in, but kept operating for years) I would propose we think about the commonalities among onboarding solutions (upward and downward), and probably we need to write a YANG module to explain it all. We should consider that one might use DPP to onboard the components of an assembly, which then uses BRSKI to join a superior assembly, and that superior assembly then uses FIDO-DO to be deployed. We need to take into account Kerberos, OAUTH2/GNAP and ACE operational keys. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- Re: [Iotops] [Rats] 802.1AR device identity Eliot Lear
- Re: [Iotops] [Rats] 802.1AR device identity Smith, Ned
- Re: [Iotops] [Rats] 802.1AR device identity Eliot Lear
- Re: [Iotops] [Rats] 802.1AR device identity Smith, Ned
- Re: [Iotops] [Rats] 802.1AR device identity Laurence Lundblade
- Re: [Iotops] [Rats] 802.1AR device identity Ira McDonald
- Re: [Iotops] [Rats] 802.1AR device identity Michael Richardson
- Re: [Iotops] [Rats] 802.1AR device identity Eliot Lear
- [Iotops] assemblies and onboarding and 802.1AR de… Michael Richardson
- Re: [Iotops] [Rats] 802.1AR device identity Guy Fedorkow
- Re: [Iotops] [Rats] 802.1AR device identity Michael Richardson
- Re: [Iotops] [Rats] 802.1AR device identity Laurence Lundblade
- Re: [Iotops] [Rats] 802.1AR device identity Guy Fedorkow
- Re: [Iotops] [Rats] 802.1AR device identity Laurence Lundblade
- Re: [Iotops] [Rats] 802.1AR device identity Smith, Ned
- Re: [Iotops] [Rats] 802.1AR device identity Toerless Eckert
- Re: [Iotops] [Rats] 802.1AR device identity Michael Richardson
- Re: [Iotops] [Rats] 802.1AR device identity Ash Wilson
- Re: [Iotops] [Rats] 802.1AR device identity Eliot Lear
- Re: [Iotops] [Rats] 802.1AR device identity Russ Housley
- Re: [Iotops] [Rats] 802.1AR device identity Guy Fedorkow
- Re: [Iotops] [Rats] 802.1AR device identity Smith, Ned
- Re: [Iotops] [Rats] 802.1AR device identity Laurence Lundblade
- [Iotops] SUIT device identifier (was Re: [Rats] 8… Laurence Lundblade