Re: [Mud] how to increase trust in MUD URL
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 22 January 2020 19:07 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33CAD120802 for <mud@ietfa.amsl.com>; Wed, 22 Jan 2020 11:07:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcslPgOTL9Cc for <mud@ietfa.amsl.com>; Wed, 22 Jan 2020 11:07:39 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E571312080F for <mud@ietf.org>; Wed, 22 Jan 2020 11:07:37 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 00MJ7XET007105 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 22 Jan 2020 20:07:34 +0100
Received: from [192.168.16.50] (79.234.120.240) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 22 Jan 2020 20:07:28 +0100
To: "M. Ranganathan" <mranga@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: mud@ietf.org
References: <157918044299.26236.8163535356477976451.idtracker@ietfa.amsl.com> <CAFpG3gehp98VB2RpL6LenRJsV=RRQ=1jCTX7mcrmd27pzkYqfg@mail.gmail.com> <CAFpG3gek8qrHjN5LNQUrRrS9+zFuVQQ4y+XorRrr5xySs2fP1g@mail.gmail.com> <20570.1579314460@localhost> <30267.1579654985@localhost> <9b50e4ca-d516-3f3b-5992-1695f8147d18@sit.fraunhofer.de> <30626.1579713687@localhost> <CAHiu4JOXOAt2U5soxrHB2D8EMxwkQ-tKv62F2vxAVPdvqAgfzg@mail.gmail.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <d4ec644d-f9f8-b3c7-e2a7-eb08baeae4fe@sit.fraunhofer.de>
Date: Wed, 22 Jan 2020 20:07:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <CAHiu4JOXOAt2U5soxrHB2D8EMxwkQ-tKv62F2vxAVPdvqAgfzg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.234.120.240]
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/yYSFDVQPebPhBA3JuT8e16_Izz8>
Subject: Re: [Mud] how to increase trust in MUD URL
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 19:07:42 -0000
On 22.01.20 19:31, M. Ranganathan wrote: > Am I missing something obvious. No, not at all. I am not aware of potential procedural caveats and in principle this sounds fine. Alas, now the "trust in the MUD URL" relies on the protection of the private key. If that key is not shielded/isolated properly and the integrity of the devices is compromised, the trustworthiness of the MUD URL is gone without any indications, consecutively. Please mind, maybe I am the one missing something now. The burden of providing evidence about the "trust in the MUD URL" lies with the device in this scenario. If you embed it in the device's DevID, this burden is with the trust anchor, I think. Although a complementary entity is required to remediate loss of device integrity, still (as in most cases). A compromised device alone can and will use any MUD URL it wants. Maybe I am over-simplifying my point, but I think that is one main difference. Analogously, I am still not convinced that changing the MUD URL is not dangerous in principle. If you do not allow for a MUD URL to change, you avoid a lot of complexity. The simplicity of MUD is one of its main selling points. Viele Grüße, Henk On 22.01.20 19:31, M. Ranganathan wrote: > On Wed, Jan 22, 2020 at 12:21 PM Michael Richardson > <mcr+ietf@sandelman.ca> wrote: >> >> >> Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote: >> > On 22.01.20 02:03, Michael Richardson wrote: >> >> But, updating the URL in IDevID is difficult to do. Quite reasonably it might >> >> be impossible without a device recall. The IDevID version is much easier to >> >> invest trust into. And it clearly links back to the manufacturer. >> >> > This is one of the biggest issues that came to my mind ad-hoc. Is changing >> > the URI really an option? I would assume this type of encapsulation is >> > trustworthy, I think. >> >> Changing the URI in an IDevID is not, in my opinion, feasible. >> While I can imagine ways for an IDevID to be renewed online, I would prefer >> that it be buried so deep into the TPM that it can't be changed in the field. > > I see some words to the contrary in > https://tools.ietf.org/html/draft-richardson-opsawg-mud-acceptable-urls-00 > > i.e. I see the following: > > "The DHCP and LLDP mechanisms are not signed, but are asserted by the device." > > Why can't the MUD URL emitted by the device using DHCP be signed with > the device private key? > > If the IDevID for the device can be sent to the MUD Controller using a > trusted agent then the > Device can just send a signed MUD URL in the DHCP request (or LLDP),. > > With this mechanism, it may not be necessary to imbed the MUD URL in > the device certificate > and the device can freely change the MUD URL with firmware updates. > > Onboarding mechanisms (e.g. DPP) can be used to authenticate the > device against the certificate. > > With this setup, it is not necessary to include the MUD URL as part of > the device certificate. > > Am I missing something obvious. > > >> >> -- >> Mud mailing list >> Mud@ietf.org >> https://www.ietf.org/mailman/listinfo/mud > > >
- [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Henk Birkholz
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL M. Ranganathan
- Re: [Mud] how to increase trust in MUD URL Henk Birkholz
- Re: [Mud] how to increase trust in MUD URL Eliot Lear
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Ted Lemon
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Eliot Lear
- Re: [Mud] how to increase trust in MUD URL Michael Richardson