Re: [Rats] [Iotops] 802.1AR device identity

Guy Fedorkow <gfedorkow@juniper.net> Mon, 15 March 2021 13:30 UTC

Return-Path: <gfedorkow@juniper.net>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A7463A1195; Mon, 15 Mar 2021 06:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.356
X-Spam-Level:
X-Spam-Status: No, score=-3.356 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=bcI57Mq4; dkim=pass (1024-bit key) header.d=juniper.net header.b=Am4JL01V
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id naexMtsya8KN; Mon, 15 Mar 2021 06:30:41 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 646743A1188; Mon, 15 Mar 2021 06:30:41 -0700 (PDT)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 12FDPV9D010097; Mon, 15 Mar 2021 06:30:39 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS1017; bh=faUQlFR9CYkjlB5NNv+scH0GT/Rd4Zdk/chQdZV8BFc=; b=bcI57Mq4/H5BzEI6DGK9s9X68ayCY0fnMIJzh2HMyJyumhyK4yxhMommQnikvPfKMdjJ 12gBt0CYATG3LS1pYsHVIdwsGF0KxB4JECVTfMcnlHe9TQslHzPu+Y4BanBR7WpCNzd6 xcqxd9yZLWLczoQMph7tnGVTPUwjm3vCJ4RUE4MZAauPYho/8ociY/cGSVImuGQX9WXz ojduBTbMoRFbt73CoE+09lUA2rNIhgSLo9XbSB2vXYY7YOQHGx1Um4dKXsrqFP/NiRiD TcOYNAq6nPyzLVvpovYJV5SP9InNpvcPFpgpWiJscpAOgfXuVK+La9kw3LIoKilStGHE lg==
Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2174.outbound.protection.outlook.com [104.47.55.174]) by mx0b-00273201.pphosted.com with ESMTP id 378vheb2qv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 15 Mar 2021 06:30:39 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KglPb4SJGxojLEkLJPYMts1MTXb17xzmad7OibLIcS5kiOOEBIRfD3GhA37msjNnXmln2ZFNhMGXqnNPZLruYh4336KJsUkVxgyKkWWfW6gPsi0yADPLEHMHtktfNAb1vyPJJVrHIADPXX2SZeCZ6mqvwrSZ288KP1NFJ8eqvruV4Zs6IaCAKw9Z+EMEio6jw2SbtUJI2Gnn6rKchChty1KDB6bthMngJn6i/Gf6kmpWQ0+wrG3cggRKaF3dOtGe0cEMDbirBTjL4ef0Fu/7Mfwor2M54Hes3XlRU3h1TlnZrINAq9Zi8EAp8rAK/v7vBvYCCVJMzVMsbHTl+7sQ1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=faUQlFR9CYkjlB5NNv+scH0GT/Rd4Zdk/chQdZV8BFc=; b=PyeK0pcqILdaH6GIjCGGoJOc2fBE/7pwB1kol3DyoAaStCb7Xl83JyYpKeW0V3tnEtVEt8AQ16BglFxNVydot6cloIRFTz43P79wYOf9ihQIuzgT+T0rbjLHJCg1CoSZCoFB/6Hk3XJ4euzfE1hDrZ2Ag/dWG5FSvIyD3Ng7pVW0kcHtrAP7aA6TDf9GIV24E+dOZ3axGQ1b1Si3ArB+nvQowaedRakLMYOSWUYiWuDeWmPwEfBCSgOLJ84IPOxvhZITT1BThJD28OxT3lNu+LIDaemles9qVsHtQW7yCAjGG9vbFwk3j0L8lqwDGGBOm0Szsv+zT/szMHAT9qB1ug==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=faUQlFR9CYkjlB5NNv+scH0GT/Rd4Zdk/chQdZV8BFc=; b=Am4JL01VXBGFpOL7egEMLXvlci1ochLClGvEXlBCV71rXNXv5lb4SXv/9JO4LrEheJFSzZDvLxtZxjGp61WLemf+3aAY8lL0qa3I/vPRZPr/mwfKPePOG9zSrypPSJ7YyYr9P7NBJDKH8MOXIZCgLERD3EupW+XbaZC4BEx3Ww0=
Received: from BLAPR05MB7378.namprd05.prod.outlook.com (2603:10b6:208:298::10) by BL0PR05MB5169.namprd05.prod.outlook.com (2603:10b6:208:8b::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.13; Mon, 15 Mar 2021 13:30:36 +0000
Received: from BLAPR05MB7378.namprd05.prod.outlook.com ([fe80::6c50:5962:d313:b6c3]) by BLAPR05MB7378.namprd05.prod.outlook.com ([fe80::6c50:5962:d313:b6c3%8]) with mapi id 15.20.3955.011; Mon, 15 Mar 2021 13:30:34 +0000
From: Guy Fedorkow <gfedorkow@juniper.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
Thread-Topic: [Rats] [Iotops] 802.1AR device identity
Thread-Index: AQHXGHI+lWZ/qcXa8kmN7GVHqvFoYKqFDEQw
Date: Mon, 15 Mar 2021 13:30:34 +0000
Message-ID: <BLAPR05MB737820F60EB1379958A79D5DBA6C9@BLAPR05MB7378.namprd05.prod.outlook.com>
References: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com> <E0971364-E3AD-40C6-A08A-A0BA7E64D18F@cisco.com> <22167.1615685681@localhost>
In-Reply-To: <22167.1615685681@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=true; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2021-03-15T13:30:32Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Method=Standard; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=0633b888-ae0d-4341-a75f-06e04137d755; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=0ab3000d-4c5f-4b47-b99d-ec173ef24062; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ContentBits=2
authentication-results: sandelman.ca; dkim=none (message not signed) header.d=none;sandelman.ca; dmarc=none action=none header.from=juniper.net;
x-originating-ip: [24.62.29.247]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 4bf9642e-d105-4a37-b1c7-08d8e7b68368
x-ms-traffictypediagnostic: BL0PR05MB5169:
x-microsoft-antispam-prvs: <BL0PR05MB5169C5254B814913DB5CCDF6BA6C9@BL0PR05MB5169.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wp3GyeU4v4/wwuAFa16jiu0U/kaWBMLbfPWzHAdyCtrqYrqkvzQuwdLfJsm0+qbjmQ+pd74FNDCdWVXArxkjvKTOJUyz5RTHI85KfxA9xPog/zCCJeS0JLlbPR9K36mlDfRqZGi9yATXQY49yQicAQ39JWLZncJK44Gnk3G9QlrLJLl4+/Olvr9/aC6RS1AuJnP1uRkwFqhy7ekiRj8mDmfkZISyeDKm5VPCRsMg+OdBNllcY9riJYRhA/FADIDWJBFV5hTb/WNYyLVskXMVL8jqAfxOPZqT60smbxxsOtLvCOl8zfqtgEGtcBSnPsKXcQjzm7sTL9R/UVE512rqx06A3iT1uqo/gLA/s6SWQztcQtnw1yWDXaX7uNGPsemsDJTG/EaHCyq12kBxJZt+bzUMaRoR5rmARTxuVn7QFhTBup/HxhxTCZy97QUyFgbMdGEGMEkEB5WEJx6Tzo3DhmJXb/oaXc8LL4G58Ee/1hlmlAj11ObH9Bj4e/Qv8UjxUiVr7x5OpNM6Lp51nmEzlmbRvhF59aBHRzt6Y2INep9W68Ref5X4l+iSCPu77SBh
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR05MB7378.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(376002)(366004)(136003)(39860400002)(2906002)(76116006)(55016002)(66476007)(86362001)(52536014)(83380400001)(33656002)(9686003)(66574015)(478600001)(316002)(186003)(7696005)(6506007)(8676002)(110136005)(53546011)(8936002)(66946007)(71200400001)(66446008)(64756008)(66556008)(26005)(5660300002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?utf-8?B?dm5hS2wrQklmQitUcG5JcTFOTlZhMXNyWWVsZVhoTklDMmQxMmtodzROQ2FR?= =?utf-8?B?TWMyWEFFZnJqbFNKZVkyWlNkRm1WNHRHU1pYcnBmS0Rxd3g4dGdCdlhTclRZ?= =?utf-8?B?NzNRYU9oUHFTK0lGQjNMSVNxZmVNUmU5QVc3RncwMjZLNVpBKzBEd29WaTk0?= =?utf-8?B?ZkE0NCtpOWNVd2FDZElMNjFNYStWQXhjc3JDKzVsdWVCOW0zK3hxRjlQRXVw?= =?utf-8?B?cjlYWjNvNm91bEJsZWg1dEtDZ05VTktBd09VdUlFVWN2NU5CZWhHT3F5RDVv?= =?utf-8?B?amNVMlZ5UGhXTmtaNEIvdDI3dFBVRWlJUFZhcWl2UHdFcWdveHdYb08raVE1?= =?utf-8?B?clFPaERqWkY5T0pVMlUvV0NjSlR2ZW9NK1dBZkdSdjRtZFVRcGUwM1l6ZFlX?= =?utf-8?B?a0JuR2NHdFFHOTU1djFOTUxBOWx5bDB1LzRKM0dIWGZsRlpuK0xHbUxzVVVt?= =?utf-8?B?NWdnaHR4TzRZaDJRNDU1NGN2a0J2c2lXK2pJOW1lZjFTdUtUZ1J3UklVMCty?= =?utf-8?B?QUxGK1FKMzN4azVtdDdGNEQxTDR1ZlcxS285WDFsNVAvQUJwbjJOSTQvN0w4?= =?utf-8?B?WW8zZ3pZTzgyRDNjYmppWE4vVWwyZ29iZFl1YXNCMnovUm5oai91OFFHNjlk?= =?utf-8?B?NFFUbVBrRnFhL2M3bzQ0ZzZSZ2w3T09IMHU2QUtsazliaEZuRk8xaUUrb1BO?= =?utf-8?B?VHV5TktkMEcwZWo4N2Rycm5JT1c4NkVqQlFxTkM3U0hkQTdyUlh0Y2l3SEp2?= =?utf-8?B?OHl2dlhRMFZIZkY2aGZMZHNzWGt1b3k2YkIwWnQydWREVlhLdnVzV29pREFO?= =?utf-8?B?RW53YXhyUEUrNVF1WkhmdUdmV2daOU9SV2Z4dVpiZTJlbHFLVUpSR2FlT3JM?= =?utf-8?B?ZWdubllpZEFqVVQvSFUxQlhRYUg3aVRDMTVWWFBMV2NzTzZmUjRZTjBFS0VS?= =?utf-8?B?RHV4MGJCdWNmenFOZStFYm0zRmtNT0JJdUprT2J0YkwzYjE0OUNRQVY5Wktz?= =?utf-8?B?TzljZ2x3SUZPRUQ4OFlyZUpMYzFlaTBNNWJ3enUzakl6b0swYUQ2R0JHZUdI?= =?utf-8?B?S0ZVZkphUDNBZE9IWVU0cWFTenlmTGhCZ2piWDZsQklkbWFUQXMycVBpT1lS?= =?utf-8?B?LzE1OVBDdktMMEZ4VlJqeUJXMHdyL2MrYVBqOUlQNktHcXhqNlorUjlwM2dz?= =?utf-8?B?aUhXRklza1dWSHBPVUpUNUxaN0lpdjVaQVZENC9NWEkwSE12WmdLSGtsa3JY?= =?utf-8?B?aVNPK3BxQXU4Vk50TU16L1EvdFdIWTdoVG9pck9nMTZLU0ZENDNNbDVSUGJI?= =?utf-8?B?eGQrRUtOUzFlbmVQUGY1cXNWM2pyelNMUmVpQVV1UDBjTElCUkNPeGVRMXlw?= =?utf-8?B?RlhyWW1DTjY5dzV5YTZHbHFPb1NuY3V2U3R2akx2VE1BQUZ2NTk1RXFBU3BW?= =?utf-8?B?cCtoTVRFM25Tazl3eTk0TDRzUWZ5MGNlNDBUdlNzYVB4S0tiOTN5bGkxNUpi?= =?utf-8?B?K2twM205TUFDcjkwRHJ3LzlWWWVHRHVRNWVQZ0NSdzhma3NoSFJaR0hSYzdL?= =?utf-8?B?eVhFY2JGWHhOQjJHYWpoK3FTVnBXZXRVWWs1UFJGWDdBT2VKYlVwOXBMK3Br?= =?utf-8?B?QS9UelQzd0tvTSsweDZadDlEaFlNN1ByUTBVbFdreVMwbkJWQ2tEZkRISzNU?= =?utf-8?B?Mm00aFRibU96TGk3UUhqdVJ6d2wxbTFJUWo1VTZ2Qkg0eXdFT3p5WWNZN1pt?= =?utf-8?Q?rsCZn97Hvig5t/agy8=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR05MB7378.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4bf9642e-d105-4a37-b1c7-08d8e7b68368
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Mar 2021 13:30:34.5575 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: va0AyF+G86unJ6dn9nPwAdLEMHwFQlW5zDEota+X3vyD1Olsm3IMoy/aVv+GMTwhufYRzY9EGXI0A7aBaPH+7g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR05MB5169
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-15_05:2021-03-15, 2021-03-15 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 bulkscore=0 adultscore=0 mlxlogscore=999 clxscore=1011 phishscore=0 impostorscore=0 malwarescore=0 priorityscore=1501 mlxscore=0 lowpriorityscore=0 spamscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103150095
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/YkkB1ZWZe6QCo1wE-U7xGUX5Wls>
Subject: Re: [Rats] [Iotops] 802.1AR device identity
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2021 13:30:43 -0000

I agree with Michael.  The IDevID in my point of view is as permanent as the serial number on the box or the VIN on your car.  
I think DevID could have privacy implications in some applications, so within TCG there have been proposals to download the IDevID at the customer's discretion, but in that case, it would have to be linked to TPM's EK (another immutable key), so there's still only one possible IDevID ever for a box.
  As noted, LDevIDs can be made and destroyed at will.
/guy



Juniper Business Use Only

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Saturday, March 13, 2021 8:35 PM
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>rg>; rats@ietf.org; iotops@ietf.org
Subject: Re: [Rats] [Iotops] 802.1AR device identity

[External Email. Be cautious of content]


Eliot Lear <lear=40cisco.com@dmarc.ietf.org> wrote:
    > Yeah, this is an issue that comes up from time to time.  How
    > “immutable” should that iDevID be?

I take the approach that the IDevID that was shipped from the factory can not be replaced without a device recall.

(It could be that there are modes where another IDevID can be installed, but the original would not be removed.  Whether this is an LDevID or IDevID is open to intepretation)

    > I’ve had this thought in two
    > different contexts: What if the signature algorithm, CA, or private key
    > used to protect the iDevID has been compromised?

Then, the device is broken.
I think you would certainly agree that this can be the only answer if the software signing key is compromised, right?

    > Can one recover with an update?
    > What if there are attributes in the cert that I want to
    > dink and share with the deployment?

Please define "dink" for me.  I know of only one definition from the school yard.
Does this mean remove? replace?

    > I’d like to take that latter case off the table, but then we need to
    > seriously think about RATS or SUIT providing a standard protected TLV
    > list that deployments could receive through a standard interface.
    > These are attestations of a form, but they’re not really measurements,
    > as has been previously discussed here.

Can you give me an example of one of these attributes?
This sounds like the FIDO situation, from section 6.3 of (my) the usecase
document:

   According to [fidotechnote] FIDO uses attestation to make claims
   about the kind of device which is be used to enroll.  Keypairs are
   generated on a per-device _model_ basis, with a certificate having a
   trust chain that leads back to a well-known root certificate.  It is
   expected that as many as 100,000 devices in a production run would
   have the same public and private key pair.  One assumes that this is
   stored in a tamper-proof TPM so it is relatively difficult to get
   this key out.  The use of this key attests to the the device type,
   and the kind of protections for keys that the relying party may
   assume, not to the identity of the end user.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide