IETF Logo Mail Archive

Re: [Iotops] comments on draft-sweet-iot-acme-00.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 28 April 2022 03:06 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29D40C14F72F for <iotops@ietfa.amsl.com>; Wed, 27 Apr 2022 20:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.952
X-Spam-Level:
X-Spam-Status: No, score=-3.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CiI7m1StpSuM for <iotops@ietfa.amsl.com>; Wed, 27 Apr 2022 20:06:51 -0700 (PDT)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AE30C14F612 for <iotops@ietf.org>; Wed, 27 Apr 2022 20:06:48 -0700 (PDT)
Received: by mail-pj1-x102a.google.com with SMTP id e24so3105670pjt.2 for <iotops@ietf.org>; Wed, 27 Apr 2022 20:06:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=RSZZbixU8GVBG7HdRFVz+NAPX8Oi8GXPpKTLo8E9ung=; b=NpBFUy305+gsQsSKw5dM9pqpuWPQhEfNEB5bU9AFv1J8nve9I9xvNC0R7fP0x+4s+J mpFIH2zdiuSgfb8j/P9yDyRxiRVaxsFALiefJ/J5ad3Gdf3nNercIph7EjFpkRhAcZmP mZ9XD95pizsbniQ14zuDQyXvZ/P2zIGbM/CpOgBgx+NLEtu/9TTMsy1oCd9LySjshp7u Ud7ce55Sj4K2DInznmYNeXT9S34ResqgVQDaA5n1LaaiBeQ2AngTu//hZeTh0fn5U+Kk tW/2FowG7Vkhj2BTRmIRCRhcI67jnV17ymCnqa5QE2Cq+//BSlZuCwsUA/6ngWvKO4xb lZfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=RSZZbixU8GVBG7HdRFVz+NAPX8Oi8GXPpKTLo8E9ung=; b=XrCsNpR72hH8k0rTkU/uB/OPYKEPlFlwNgw28lGxPeWOaNwl/p4v4TCSmUSBKY16Td KpmEXev3Nhetj4NqVnDbos6iTyDAlQqUuWLZieHhYu+W31E6cR3K45hJgwimCz71rvnl N/WUkXNa3ZIj6Lt6ZT9be2Pbekk5le5yklK5yfT59bLclxanuViETjTDknRQsEEbhtiL edDVDSBcN6jlb16dRJ6+E4VsxiUOmqOkRETkRtqgc6eFo8lZ4qoqq4INZvn+BgG3RYU/ EaWY5xNmkpkfzbHmQiqW1GDH/ERj5h1cpImdNraNLjN33/LLWbnpjHF43/fd/8cRtZQz FXhQ==
X-Gm-Message-State: AOAM530poQanNpnEiWywo3sAH/6YhI5dP5ia1JdgvXgwGHjmIL1q4eei Tj0lYO8f8eW/2hg2gNFeW09CGgOGIjQdGQ==
X-Google-Smtp-Source: ABdhPJyTlIg9b3ISbZOS3mU0fc4Kwouxit5YUiXQ0ViCncF5oGbZ5hx332me+0LZiqbOsuVCH8M3MA==
X-Received: by 2002:a17:903:182:b0:158:d1d8:19b with SMTP id z2-20020a170903018200b00158d1d8019bmr24567370plg.108.1651115207298; Wed, 27 Apr 2022 20:06:47 -0700 (PDT)
Received: from ?IPv6:2406:e003:1005:b501:80b2:5c79:2266:e431? ([2406:e003:1005:b501:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id 35-20020a631063000000b003c14af50602sm752544pgq.26.2022.04.27.20.06.44 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 27 Apr 2022 20:06:46 -0700 (PDT)
To: Michael Sweet <msweet@msweet.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: iotops@ietf.org
References: <164926156380.8707.8732915494613186098@ietfa.amsl.com> <B83EA69B-24B5-4FD4-BAED-6C5B34EC75B2@msweet.org> <387994.1649869389@dooku> <B665331A-A8D4-4ACC-B886-E8413F22BEA7@msweet.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <c36eb82a-f7f3-cf1b-f83c-90f086cf2ca2@gmail.com>
Date: Thu, 28 Apr 2022 15:06:41 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <B665331A-A8D4-4ACC-B886-E8413F22BEA7@msweet.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/r5zJRxsgjL1Fr-6_yWXdGIDS5qQ>
Subject: Re: [Iotops] comments on draft-sweet-iot-acme-00.txt
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 03:06:55 -0000

Some comments near the end...

On 14-Apr-22 08:00, Michael Sweet wrote:
> Michael,
> 
>> On Apr 13, 2022, at 1:03 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>
>> Signed PGP part
>>
>> Michael Sweet <msweet=40msweet.org@dmarc.ietf.org> wrote:
>>> A proposed solution for locally-managed (and trusted) X.509
>>> certificates, to solve the "this web site will eat your child" errors.
>>> I'm working on coding up a sample implementation...
>>
>>> Comments/feedback is appreciated!
>>
>> As I understand it,
>>
>> 1) I need to teach all the browsers which I will use at my home include this new
>>    trust anchor, and ideally, to trust it only for .local.
>>    If I don't do a path restriction for .local, then the new anchor could
>>    impersonate any web property.   That comes with significant liability,
>>    since they could intercept my bank cookies, steal the end users' money, etc.
> 
> Correct.  Ideally this would be done at the OS level (Windows and macOS both have what is needed to support this, and I think there has been some recent work for Linux desktops as well) so that the browsers can just ask the OS whether to trust a certificate for an mDNS hostname, but it would be easy enough to implement in the browsers as well.
> 
>>    And, even when I do that path restriction, if there are multiple places
>>    that do this, then I might need to trust multiple anchors to speak for .local.
>>    (The one at my home, my parents' home, the small nursury school, the
>>    church office, ....)
> 
> Right, that is why you need to tie the trust anchor to the router's MAC address (or some other unique identifier).  Switch networks/routers and you need to update the current local trust anchor.
> 
>>    I'm unaware of protocols to discover local trust anchors on a
>>    per-provisioning domain basis.  But actually, it's something we probably
>>    need.
>>    Perhaps that's something you'd be interested in working on?
> 
> Yes, specifically because I've been dealing with this issue basically since CUPS got TLS support (20 years ago or so...)
> 
>> 2) The innovation here is using RFC8555 to enroll rather than, say, RFC7030,
>>    or CSA/MATTER, or OPC UA, or...
>>
>>    * We still need to setup a local certification authority someplace.
> 
> I'm hoping to end up with an implementation that can be embedded in wireless routers.
> 
>>    * We need to teach IoT devices to do RFC8555.
> 
> ... and have code that IoT devices can use to do so. :)
> 
>> So for this proposal to fly, three things need to happen:
>>
>> a) updates to browser.
> 
> and/or OS, which would make supporting local trust anchors easier/more reliable.
> 
>> b) updates to IoT devices
>> c) updates to local network to have ACME server
> 
> ... which should be pretty straight-forward on existing enterprise networks which often have CA servers for company subdomains.  For home networks we need to get the server running on the router.
> 
>> Please see our SUIB talks at IETF112 and IETF113.
> 
> I've seen both presentations; sadly, I spent most of my 13 years at Apple lobbying the security and browser folks to support self-signed certificates for .local and link-local/private IP addresses, and every year the warning/error messages got worse.  So my confidence that we can get browsers to support self-signed certificates with a TOFU policy is 0.
> 
> Client-driven PKI solutions still need a valid trust anchor, which in general means a locally-distributed self-signed root (for .local) and/or a CA-signed root (for example.com) that a (local/public) CA uses to generate the device certificate.  In my experience, managing per-device (not to mention web server) certificates by hand doesn't scale, thus ACME...
> 
> My ACME draft is basically a "Gateway Issued Certificate" solution, just without vendor lock-in/global oversight.  If you can trust your DHCP server/router to connect you to the Internet, you can trust it to manage the X.509 certificates for your network or tell you which server is doing the job...  If you can't (e.g., public Wi-Fi) then you *don't* use IoT-ACME and you *don't* use the local trust anchor.
> 
>> I can't see how this is different than the requirements to deploy RFC8995 in
>> he home.  It also seems to include no authorized transfer of ownership, nor
>> does it seem to deal with how to get (unique, per-device, because RCM) WiFI
>> credentials to the device.
> 
> One problem with RFC8995 is the notion that a manufacturer should have any control over provisioning/transfer of ownership.  Too many manufacturers have either gone out of business, stopped supporting "legacy" products, and/or added lock-in restrictions to their products (ink/toner cartridges with chips, etc.), leaving the customer with a paperweight in the end.

Of course this issue was debated at some length in the WG, along with the converse issue (when the original customer sells the device on to a third party). See section 10.7. "Death of a Manufacturer" in RFC8995 (and the earlier sections on used, stolen and grey market equipment).

> 
> Another problem is that you need Internet access to use your device, and there are enough situations where you don't have access (intentionally or not).  We shouldn't create more reasons why you need to be online 100% of the time just for your device to work *locally*.

Indeed, but BRSKI is for bootstrapping, so there isn't a 100% requirement. Also, I've always maintained that some site operators, who require air-gap security, will run their own MASAs. I'd do that if I was either an army or a nuclear power plant, for example.

> Finally, you need to get manufacturers on board to provide an always-available cloud service with the corresponding liability of being a CA, (necessarily) tracking every user's device, and protecting that data from disclosure forever (on penalty of serious fines from the EU, etc.) If there is a data breach, that likely will mean revoking ALL of the device certificates that have been issued and somehow getting them to re-register once the service is back up.

Yes. Nothing comes free, and a genuine zero-touch secure bootstrap is no exception.

> WRT getting an IoT device on a network, there are already standards for that for Ethernet and Wi-Fi, plus plenty of vendor solutions that offer different levels of security/confidentiality.  Adding more standards is always an interesting exercise [1] but it would be nice if everyone implemented the existing stuff first. :)

Also true, but the goal here is to work over any present and future L2 and not need a magic WPS button; and for a large network, not to require a truck roll when the magic WPS button fails.

  
> [1] https://xkcd.com/927/

Carpenter's law: As an online standards discussion grows longer (regardless of topic or scope), the probability of a citation of XCD 927 approaches 1.

    Brian

> 
> ________________________
> Michael Sweet
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email