[OPSAWG] changes to draft-ietf-opsawg-mud-acceptable-urls-02.txt
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 21 February 2021 19:08 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 745B23A0EEA; Sun, 21 Feb 2021 11:08:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id psBW0DQUvBR2; Sun, 21 Feb 2021 11:08:00 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B6353A0EE8; Sun, 21 Feb 2021 11:07:59 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id AC5DF389EB; Sun, 21 Feb 2021 14:11:58 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id h18fUT2u9t0g; Sun, 21 Feb 2021 14:11:57 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 36664389E9; Sun, 21 Feb 2021 14:11:57 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id B534FB2; Sun, 21 Feb 2021 14:07:56 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: opsawg@ietf.org
cc: iotops@ietf.org
In-Reply-To: <161375882679.28794.17399834722460314435@ietfa.amsl.com>
References: <161375882679.28794.17399834722460314435@ietfa.amsl.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 21 Feb 2021 14:07:56 -0500
Message-ID: <5608.1613934476@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/zkJQfsYb3kiGWty_54qvXBqBZn0>
Subject: [OPSAWG] changes to draft-ietf-opsawg-mud-acceptable-urls-02.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2021 19:08:03 -0000
> Title : Authorized update to MUD URLs > Authors : Michael Richardson > Wei Pan > Eliot Lear >A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-mud-acceptable-urls-02 The text of the document has been revised for better flow. Some content in the introduction has moved to section 3. Section 4, which is the core of the proposal has been slightly tweaked, but essentially remains the same: when signaling a changae to the MUD URL via insecure mechanisms that malware may control (DHCP, LLDP), only changes to the last component of the MUD URL are permitted. The new mud file may contain a new MUD-URL, which is substantially different from the original one, and this allows the manufacturer to re-organize their site (or even change sites entirely). But this is controlled because the new file must be signed by the same signer as the original file. This document makes some statements in section 3.3 about pinning of the signing entity. This language is not at this point normative. This document has marked itself as a BCP in the header, although it has grown some BCP14 language. It seems that it an error, that it should be standards in order track to Update RFC8520, and should include BCP14 language. How does the WG feel about that? The adoption call did not say anything about intended status. There is an option issue at the end of section 4: XXX: how should the trust anchor for the signature be updated when there is Merger&Acquisition) There are a number of different ways in which this could be handled. Getting it right, and making it interoperable would require that we make some more substantive normative statements about how the MUD controller pins the signing entity from the Manufacturer. While this seems slightly esoteric to worry about M&A actitivy, establishing the long-term identity of the manufacturer seems pretty important. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [OPSAWG] I-D Action: draft-ietf-opsawg-mud-accept… internet-drafts
- [OPSAWG] changes to draft-ietf-opsawg-mud-accepta… Michael Richardson