Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-acceptable-urls-04.txt
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 06 October 2021 21:35 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 098D53A0913 for <opsawg@ietfa.amsl.com>; Wed, 6 Oct 2021 14:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BpLkmZFRaUp5 for <opsawg@ietfa.amsl.com>; Wed, 6 Oct 2021 14:35:44 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E997D3A08FD for <opsawg@ietf.org>; Wed, 6 Oct 2021 14:35:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id DE9F8180B4 for <opsawg@ietf.org>; Wed, 6 Oct 2021 17:43:50 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Mr4k-yYcwJp5 for <opsawg@ietf.org>; Wed, 6 Oct 2021 17:43:42 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 030CF18050 for <opsawg@ietf.org>; Wed, 6 Oct 2021 17:43:42 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id F23512C1 for <opsawg@ietf.org>; Wed, 6 Oct 2021 17:35:31 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: opsawg@ietf.org
In-Reply-To: <163354435338.28730.5021816488439192703@ietfa.amsl.com>
References: <163354435338.28730.5021816488439192703@ietfa.amsl.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 06 Oct 2021 17:35:31 -0400
Message-ID: <3509.1633556131@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/pvLLHZRYUIdLNdTwpuF7LEHAOK0>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-acceptable-urls-04.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 21:35:49 -0000
> Title : Authorized update to MUD URLs > Authors : Michael Richardson > Wei Pan > Eliot Lear > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-mud-acceptable-urls-04 I started with a review of text, and proceeded with a few edits. I then got to (XXX: how should the trust anchor for the signature be updated when there is Merger&Acquisition) and I decided to add a new section 4.1 on mergers/acquisitions and changes to file structure: https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-acceptable-urls-04.html#name-merger-acquisitions-and-key Section 4.1.3 suggests that we can change the signing CA if we get the old CA to sign the new CA. That won't let us change the Subject Name of the EE. I did add in section 4.0: When pinning the signature, the MUD controller SHOULD pin the lowest Certification Authority (CA) that was used in the validation of the CMS structure, along with the chain of Subject Names leading to the signature. The MUD controller may need additional trust anchors (including previously pinned ones) in order to verify that CA certificate. and perhaps this belongs in an entirely new section, with more details. The section 4.1.3 exploits this part to change signing authorities. I'd really like some careful review of this. I also added a section 5, https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-acceptable-urls-04.html#name-polling-for-changes-in-mud- on how the MUD controller really has to poll, and therefore ETag and Max-Age headers are probably required. I welcome feedback as to whether or not I've strayed too far from the original document goals. ==== 4.1. Merger, Acquisitions and Key Changes The above process allows for a manufacturer to rework its file structure. They can change web server host names, so long as they retain the old structure long enough for all devices to upgrade at least once. The process also allows a manufacturer to change the EE certificate and Certification Authority used for signing. 4.1.1. Changing file structure A manufacturer has been hosting a MUD file at https://example.com/household/products/mudfiles/toaster.json and wishes to move it to https://example.com/mudfiles/toasters/model1945/mud.json The manufacturer simply changes the MUD-URL contained with the files at the old location to have a value of https://example.com/mudfiles/toasters/model1945/mud.json. The manufacturer must continue to serve the files from the old location for some time, or to return an HTTP 301 (Moved Permanently) redirecting to the new location. 4.1.2. Changing hosting URLs A manufacturer has been hosting a MUD file at https://example.com/household/products/mudfiles/toaster.json and wishes to move it to https://mud.example/example.com/toasters/model1945/mud.json The manufacturer simply changes the MUD-URL contained with the files at the old location to have a value of https://example.com/mudfiles/toasters/model1945/mud.json. The manufacturer has to continue to host at the old location until such time as it is sure that all MUD controllers have loaded the new data, and that all devices in the field have upgraded their URL. A 301 Redirect that changed the hostname SHOULD NOT be accepted by MUD controllers. 4.1.3. Changing Signing Authority A manufacturer has been signing MUD files using an EE Certificate with subjectAltName foo.example, issued by an internal Certification Authority BAZ. The manufacturer wishes to begin signing with an EE Certificate with subjectAltname foo.example, but now signed by a public CA (call it: Fluffy). The manufacturer first creates a new MUD file with a new detached signature file. Within this signature file, the manufacturer places a certificate chain: Internal-CA BAZ->Fluffy, and then the Fluffy Certificate, and then the foo.example certificate issued from Fluffy. This supports changing certification authorities, but it does not support changing the Subject Name of the signing entity. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [OPSAWG] I-D Action: draft-ietf-opsawg-mud-accept… internet-drafts
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-ac… Michael Richardson