Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
Deb Cooley <debcooley1@gmail.com> Sat, 13 April 2024 21:33 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72405C14F5EA; Sat, 13 Apr 2024 14:33:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.844
X-Spam-Level:
X-Spam-Status: No, score=-1.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YLarw8svD6Y; Sat, 13 Apr 2024 14:33:53 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42F1CC14F5E7; Sat, 13 Apr 2024 14:33:53 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id e9e14a558f8ab-36a15df0f8cso9188515ab.1; Sat, 13 Apr 2024 14:33:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713044032; x=1713648832; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=v+ijLigVN1u/qCG3BQJGMdeO7ZRFkBn7dT5hkzzvVDw=; b=e7NfgC00x/0qjtrFxhEIaC8roxUPt9f6ocC7mYoYRm+UQnmXX5HOrX0UiOoRfxEp7X Jpgyshn9P1i9DpnFai1BBOo2wYPV83uLx7wAo3xbRGLbEueVkOG84Iem2n+/xMMV8vin r6dzP+Vd85sSDzfyqrWwwusMXkft1JaALif6wB/IH1TKz01QOZ63w4KdH6KofV0l0RWp gEICO4H4qgTdsq2WUpIFQ1oX5AmNo+X1Zv3EPROPAKmi149vdtZI+Gae94B+/NTJz51V 2fj0/90lw9ITieX2pQWJTkRH5C9WoQ+dTrLkapJ8vmOharKmKi074mcRlbU5WVoReuCt TtQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713044032; x=1713648832; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=v+ijLigVN1u/qCG3BQJGMdeO7ZRFkBn7dT5hkzzvVDw=; b=Gjh/tKrTsiHYMUJcEiXymxnUtwMcG5eMnysGloEAK8jLMq3eJV2pUkkKRT6Ym/LZvB sOwbN385m4DERUUBV2fAfCCIOrd9WroZuRxL2lX+zs5nYmBULfJwSduZFON1xm/VkoxH ELHccq5dHAQBMQvgKckdPQu0KJOMNalDMjIOFIlgpa0poFpXXFozsGw8Y5UkxhO+QkIx XMToKje7Q9iwNqP5v32Yn5dk5BbftOuiqCr7uhwthMy5sDr2XPALk5pjoklbHR/GCRGe IVdqCHWWhhnz9rxmJqAmiR0KJXeKJTJaMIFT4kRaU2fUVgbJoderN2sUoAI2DF6w+M+t P/dg==
X-Forwarded-Encrypted: i=1; AJvYcCXOwXJA1AcIPSwnfkasxSuCS5u4HkD+fw+frgmASo+naSWV53KdIqjD4GpXWXfFrS5+GiXBKJyrT/MCqo7h8vKMo/VDLVyIgZLiy3BbstPok0psbfyemq/BzezlsTLrYITcwWBCKx2TTlo/Vnzqr3VnEzK+73PhZTXjWpX148saoccow6eluXA=
X-Gm-Message-State: AOJu0YzIQ7C4EXxIqqSgvr7wYJphh2NUIJSKWpFvQZKQ1mKeCi+IiKrX nt2z0cnSkbKWX/nkHquryb4hU8CjUJJo/X0MlD3WMnJljHF7IZ3tbtfe2xvB57ci3IZyICPOOOl 2jztDpqHsj0qwu2TQaDJ4R8xxu34G
X-Google-Smtp-Source: AGHT+IFpWMEEDfvGa/YC/5NmWOKx7vMjCr9yBNuv6kcV9q3TgxAMUDrUthPOLpI4pYdBfl2ljJmxUv+c7ttBS0oUcPk=
X-Received: by 2002:a05:6e02:17cf:b0:36a:1eed:f105 with SMTP id z15-20020a056e0217cf00b0036a1eedf105mr8236601ilu.1.1713044032179; Sat, 13 Apr 2024 14:33:52 -0700 (PDT)
MIME-Version: 1.0
References: <171223113635.18757.2029607792392526207@ietfa.amsl.com> <8c09e877-dfc4-4fd9-9242-b55ee70ab5a8@lear.ch> <CAGgd1OcWTedxG_6kL-Jx_ugpruFqeA+Rg--bOKrqpmEMJ=OUAA@mail.gmail.com> <814a1e21-e61c-48d3-825b-57f4b2ae40b9@lear.ch>
In-Reply-To: <814a1e21-e61c-48d3-825b-57f4b2ae40b9@lear.ch>
From: Deb Cooley <debcooley1@gmail.com>
Date: Sat, 13 Apr 2024 17:33:27 -0400
Message-ID: <CAGgd1Of2P0kjJWNY+Mpnex62qvJ8h=TaMY+pd7hL8q0DeV-iKg@mail.gmail.com>
To: Eliot Lear <lear@lear.ch>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org, opsawg@ietf.org, opsawg-chairs@ietf.org
Content-Type: multipart/alternative; boundary="00000000000005d7420616012536"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/cRFiZh2EZ2CQ1oWpR84mqXnkdKc>
Subject: Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Apr 2024 21:33:57 -0000
Thanks for that. I look forward to reading the revision. RFC 8520, if only.... [I do get tired of people running up 'oh my, oh my, oh my, our certificates have been exposed!!'. My reply is usally 'so what?'] It is a common mistake, and probably pedantic on my part. But PKI is complicated, and hard to understand. LOL Deb On Sat, Apr 13, 2024 at 9:42 AM Eliot Lear <lear@lear.ch> wrote: > Hi Deb, > > Taking both your messages into account, I agree that we should retitle > Section 3 and make clear that we are discussing risks. I also agree that > we should clearly reference 802.1AR, and that we state it's limitations. > In brief, 802.1AR specifies the form of the Subject, the crypto to be used, > and which extensions are required. These sorts of profiles for IOT are > pretty common. I also agree that we should take care to separate certs and > keys in our language. I wish you had been available to do the 8520 review > ;-) > > Thanks, > > > > On 13.04.2024 15:26, Deb Cooley wrote: > > Thanks for the site config fix. > > 802.1AR you say? No mention of 802.1 in the draft at all. If the PKI > rules are different in 802, seems like that would be good to at least > mention. At least distinguish whether we are talking about L2 or L3 (or > app layer - wherever HTTPS lives) > > Deb > > On Thu, Apr 4, 2024 at 8:26 AM Eliot Lear <lear@lear.ch> wrote: > >> Hi Deb, >> >> On 04.04.2024 13:45, Deb Cooley via Datatracker wrote: >> > >> > Shepherd writeup: It would be nice to enumerate the manufacturers that >> have >> > implemented this concept. The link to 'https://mudmaker.org' causes >> my browser >> > to throw big flashy warning signs. When I click through them, it tells >> me to >> > 'GO AWAY'. fun... >> >> Hi Deb. There was a config error on a server. It's fixed. Thanks for >> pointing it out. >> >> >> > Section 3.1 upgrade causes vulnerabilities: One would think that this >> > situation should be avoided at all costs. There could be a way for the >> device >> > to signal which version of F/W it is running, allowing the MUD file to >> be >> > tailored. >> >> This may or may not be possible. It depends on how the MUD URL is >> communicated. If it's communicated in a certificate, then the cert >> would have to change, and as 802.1AR makes clear, that's not supposed to >> happen. I hold out hope that SUIT will provide a better path here, but >> these are still early days. >> >> I should point out that in the vast majority of cases, a MUD URL rarely >> has to change because you can have a superset of access that won't be at >> all harmful (a good example would be adding a new new endpoint that is >> used by new versions). The corner case is primarily about services >> being turned off. >> >> > >> > Section 3.2: The same applies for this section as well. False >> positives can >> > be just as dangerous (because they bury the real positives). >> > >> > Section 4: Updating IDevID URLs can't be updated with a F/W update? >> F/W >> > updates are signed by the manufacturer's signing key, correct? >> >> See above. Not permitted by 802.1AR. But there may be a more SUITable >> fix over time. >> >> I'll leave the the rest to Michael. >> >> Eliot >> >> > >> > Section 4.2: Just how hard would it be to specify the CA certificate >> paired >> > with a subject name (subject alt name, or CN)? Seems like this is more >> secure >> > than your proposed methods. Oddly enough, Section 5.1 proposes this. >> > >> > Section 5, last para: Instead of subject names, SKI should be used >> [RFC5280, >> > section 4.2.1.2]. This can be easily checked in a certificate validate >> that is >> > presented. >> > >> > Section 5.2: Can't this be used all the time? >> > >> > Section 5.3.3: Classically to change a 'root' one signs the new with >> the old >> > and signs the old with the new. If it is done this way, I suspect one >> could >> > change whatever names, CAs one needs to change. >> > >> > Section 7: One might argue that the use of server authenticated TLS >> might >> > mitigate a bunch of concerns. >> > >> > Section 9. This is confusing. Please seperate the before issues and >> the after >> > issues into seperate sections (at least). There are many potential >> > vulnerabilities listed earlier in the draft. Please consolidate those >> here >> > (possibly with draft section links to where the mitigation is >> suggested). >> > >> > >> > ---------------------------------------------------------------------- >> > COMMENT: >> > ---------------------------------------------------------------------- >> > >> > >> > Nits: >> > Section 1, para 6: change 'check the signatures, rejecting files whose >> > signatures do not match' to '... whose signatures do not validate'. >> Using >> > language like 'match' leads to bad behavior, when the entity should be >> taking a >> > positive action to validate the signature. >> > >> > Section 9, last sentence: jargon? I'm not sure I know what this >> means, and >> > English is my (only) language. >> > >> > >> > >> > _______________________________________________ >> > OPSAWG mailing list >> > OPSAWG@ietf.org >> > https://www.ietf.org/mailman/listinfo/opsawg >> > >> >
- [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsaw… Deb Cooley via Datatracker
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Eliot Lear
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Michael Richardson
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Eliot Lear
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley