Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BRSKI ?
Toerless Eckert <tte@cs.fau.de> Fri, 28 May 2021 23:04 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46F133A3929 for <opsawg@ietfa.amsl.com>; Fri, 28 May 2021 16:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sffiahEY9nz9 for <opsawg@ietfa.amsl.com>; Fri, 28 May 2021 16:04:31 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 827B63A3927 for <opsawg@ietf.org>; Fri, 28 May 2021 16:04:31 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id B815E54804B; Sat, 29 May 2021 01:04:19 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id AA6AE4E75DB; Sat, 29 May 2021 01:04:19 +0200 (CEST)
Date: Sat, 29 May 2021 01:04:19 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>
Message-ID: <20210528230419.GU3909@faui48e.informatik.uni-erlangen.de>
References: <20210527233844.GE3909@faui48e.informatik.uni-erlangen.de> <11274.1622211801@localhost> <20210528151624.GL3909@faui48e.informatik.uni-erlangen.de> <30292.1622239707@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <30292.1622239707@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/_U0htIOhUZGV-xbX79eE8wROkpQ>
Subject: Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BRSKI ?
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2021 23:04:36 -0000
On Fri, May 28, 2021 at 06:08:27PM -0400, Michael Richardson wrote: > > Can not quite parse this. Rephrase pls. I was just thinking about known > > exploits for specific software versions as the reason for not making > > the SBOM available to anyone who asks. > > The need for all entities in all sorts of supply chains to know exactly what > possible issues there are. > This will lead to many audits, mandated by national security concerns. > Manufacturers who feel shy about revealing what they used, will find themselves > with multiple month delays at borders. > I also think that we are going towards mandatory disclosure of all breaches. Thanks. Interesting. And agreed. But i think this is mostly orthogonal to the problem at hand unless the manufactur could really track software changes performed by users. And i would guess at least in th IETF there seem to be enough participants trying to minimize tracing by vendors. > > I ran into that problem i think > > more than a decade ago when customers asked to not have software > > version be included in LLDP information freely available to anyone on > > the same LAN. Such as the virus infested employee PC whereas that virus > > would hen easily find attackable network equipment. Not much different > > when there is a well-known URL that such attacking systems could probe. > > Right, "Think about the children". I think it is "think of the children" (https://www.youtube.com/watch?v=RybNI0KB1bg) > So, now IT can't find the vulnerable PC either. There are enough other mechanisms. And of course, if all this information was broadcasted into a trusted domain like ACP, the story would be different. > The malware never needed or cared about the LLDP version. > What's the proof? The presence of virus infected PCs. Well, the more info an attacker has, the less probing it needs to do, and the less probing it does the less its catched by heuristic, oops, artificially intelligent, IPS. > >> We also already know how to integrate MUD with BRSKI, and this > >> connects MUD with SBOM, so really, I don't think we need more. > > > So tell me, how do you think a registrar would be able to include SBOM > > information in its decision whether to, or what certificate to give to > > a pledge during the EST enrollment. I don't see a solution for that > > without a solution like he one i proposed. I may of course be missing > > something. > > Because SBOM is just an attribute that is part of remote attestation. Thats fine. I agree that we should look into an optional remote attestation step after upgrading the TLS connection and before handing out keying materials. I guess i need to read up more. Rats ?! ;-) Cheers Toerless > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > > -- --- tte@cs.fau.de
- [OPSAWG] draft-ietf-opsawg-sbom-access and BRSKI ? Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Michael Richardson
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Michael Richardson
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Michael Richardson
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Toerless Eckert
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Michael Richardson
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Michael Richardson
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-sbom-access and BR… Michael Richardson