Re: [Mud] Using an HSM to sign MUD files?

Michael Richardson <mcr@sandelman.ca> Mon, 10 February 2020 17:45 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2050112001B for <mud@ietfa.amsl.com>; Mon, 10 Feb 2020 09:45:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8JPefWzBxkD for <mud@ietfa.amsl.com>; Mon, 10 Feb 2020 09:45:41 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A48912001A for <mud@ietf.org>; Mon, 10 Feb 2020 09:45:40 -0800 (PST)
Received: from dooku.sandelman.ca (unknown [IPv6:2a02:8109:b6c0:52b8:584d:5a6f:7ed3:c298]) by relay.sandelman.ca (Postfix) with ESMTPS id 30A181F459; Mon, 10 Feb 2020 17:45:39 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id EAF8D1A29B4; Mon, 10 Feb 2020 18:45:37 +0100 (CET)
From: Michael Richardson <mcr@sandelman.ca>
To: Eliot Lear <lear@cisco.com>
cc: mud@ietf.org, Rich Salz <rsalz@akamai.com>
In-reply-to: <48EB1BF2-1163-42D2-9E24-8B1DC437203C@cisco.com>
References: <48EB1BF2-1163-42D2-9E24-8B1DC437203C@cisco.com>
Comments: In-reply-to Eliot Lear <lear@cisco.com> message dated "Sun, 09 Feb 2020 13:59:24 +0100."
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 10 Feb 2020 18:45:37 +0100
Message-ID: <734.1581356737@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/1zCQ-1RMemNR3gd4bVuBkDiG0Ek>
Subject: Re: [Mud] Using an HSM to sign MUD files?
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2020 17:45:43 -0000

Eliot Lear <lear@cisco.com> wrote:
    > I was asked by a partner how to modify the normal MUD signing
    > instructions when an HSM is in play.  Each HSM is a little different,
    > but the general concepts are the same.  OpenSSL does come equipped with
    > a means to invoke HSMs.  What has to happen, roughly speaking is the
    > following:

I think that the HSM is in the manufacturer infrastructure, not something
attached to the device being described!  I'm just saying this to be clear,
but some people aren't clear about who makes the signature.

Are there some operational things we could/should extract into a document.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [