Re: [Rats] [Iotops] 802.1AR device identity

Eliot Lear <lear@cisco.com> Sun, 14 March 2021 08:22 UTC

Return-Path: <lear@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAE2A3A1F4B; Sun, 14 Mar 2021 00:22:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.9
X-Spam-Level:
X-Spam-Status: No, score=-11.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSrUAOp5_l0r; Sun, 14 Mar 2021 00:22:51 -0800 (PST)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84A3F3A1F4A; Sun, 14 Mar 2021 00:22:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7631; q=dns/txt; s=iport; t=1615710170; x=1616919770; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=HkNaz6c17umO9kQeh7rk3bNxfEvLob84xpyuBidgSXg=; b=YDvZTRgcVBxhvHHCRsEa8JOp4g4l0wmeFEmm9hIRzF7HwsIlNigRnFFz liIGOiwxM4HiuqM7wWZK+2xwCrpMUcenTK5mG3FelN0GG4uI78kkYJnXB wNoxNxRRz0ByVFedQBQvax7etlpzBrLHYuWolBhAuk08cuuRDCvXXdzdY o=;
X-Files: signature.asc : 488
X-IPAS-Result: =?us-ascii?q?A0AMAACNxk1gjBbLJq1RCRkBAQEBAQEBAQEBAQEBAQEBA?= =?us-ascii?q?QESAQEBAQEBAQEBAQEBgX0CAQEBAQELAYN2AScShHKJBIhAA5Q2hiMUgWgEB?= =?us-ascii?q?wEBAQoDAQE0BAEBgViCdQKBdSY2Bw4CAwEBAQMCAwEBAQEFAQEBAgEGBBQBA?= =?us-ascii?q?QEBhkeGRQECAgEjVhALQgICVwaDAwGCZiGrZHeBMoVYhHoQgTkBgVKFKgGFF?= =?us-ascii?q?oEvQoIMgREnHIFsbD6EFRKDMDWCKwSBZVsGCGIwgTIHOwEFBAoVCJE2Eow6n?= =?us-ascii?q?GiDDIMzgT+XTAMfgz6KXIVXkCSGQ5A+nE4Bg3gCBAYFAhaBWwIvgVkzGggbF?= =?us-ascii?q?TsqAYI/PRIZDY44jjBAA2cCBgEJAQEDCY5pAQE?=
IronPort-HdrOrdr: A9a23:fay7EKEtH5CN+3ZvpLqEaseALOonbusQ8zAX/mp6ICY0TuWzkc eykPMHkSLlkTp5YhsdsP2JJaXoexLh3LFv5415B9ifdSng/FClNYRzqbblqgePJwTb+vRG3a ltN4hyYeeAbmRSqcb/7E2GH807wN+BmZrEuc7kw31gTR5nZshbhm8TNi+hHkJ7XwVAD5Yifa DshPZvnSaqengcc62AakUtYu6rnayvqLvWJToPBxsq82C1/FeVwY+/NQSE1REDVD4K5rEu/Q H+4mrEz5Tmle2nwRnB0GKW1bBqoZ/Kz9tOA9HksLlzFgnR
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,245,1610409600"; d="asc'?scan'208,217";a="34169395"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Mar 2021 08:22:45 +0000
Received: from [10.61.144.24] ([10.61.144.24]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 12E8Mj9K011797 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 14 Mar 2021 08:22:45 GMT
Content-Type: multipart/signed; boundary="Apple-Mail=_0DE1A019-940F-4EBB-BF81-AFC0ED2D4535"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Eliot Lear <lear@cisco.com>
In-Reply-To: <22167.1615685681@localhost>
Date: Sun, 14 Mar 2021 09:22:44 +0100
Cc: iotops@ietf.org
Message-Id: <75F17573-ED6C-4A08-88A2-574BF06BD91B@cisco.com>
References: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com> <E0971364-E3AD-40C6-A08A-A0BA7E64D18F@cisco.com> <22167.1615685681@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
X-Outbound-SMTP-Client: 10.61.144.24, [10.61.144.24]
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8u1KnljKOnk7rALVbWpKHXDJDNA>
X-Mailman-Approved-At: Mon, 15 Mar 2021 00:11:33 -0700
Subject: Re: [Rats] [Iotops] 802.1AR device identity
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Mar 2021 08:22:53 -0000

[moving rats to bcc… continuing discussion on iotops]

Hi Michael,

> 
> 
> (It could be that there are modes where another IDevID can be installed, but
> the original would not be removed.  Whether this is an LDevID or IDevID is
> open to intepretation)

Yes.

> 
>> I’ve had this thought in two
>> different contexts: What if the signature algorithm, CA, or private key
>> used to protect the iDevID has been compromised?
> 
> Then, the device is broken.
> I think you would certainly agree that this can be the only answer if the
> software signing key is compromised, right?

The device is vulnerable.  The question is whether a repair can be effected.

> 
>> Can one recover with an update?
>> What if there are attributes in the cert that I want to
>> dink and share with the deployment?
> 
> Please define "dink" for me.  I know of only one definition from the school yard.
> Does this mean remove? replace?

Yes.

> 
>> I’d like to take that latter case off the table, but then we need to
>> seriously think about RATS or SUIT providing a standard protected TLV
>> list that deployments could receive through a standard interface.
>> These are attestations of a form, but they’re not really measurements,
>> as has been previously discussed here.
> 
> Can you give me an example of one of these attributes?

Soooo…. Here’s an example:

Suppose I am a system integrator who needs to assemble a device out of constituent components that includes a particular software load.  I wish to claim to be the manufacturer of the device, as I am the one producing the final product.  I want to therefore provide the onboarding service.  That requires a change of URL for the MASA in BRSKI terms.  I may also wish to change the MUD-URL based on the software load.

The core question I am asking is this: we have attributes about the device I these certificates that really could be elsewhere.  But where?

Eliot