Re: [Rats] name of identity key

Guy Fedorkow <gfedorkow@juniper.net> Wed, 27 November 2019 15:46 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "pritikin@cisco.com" <pritikin@cisco.com>
CC: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, Henk Berkholz <henk.birkholz@sit.fraunhofer.de>, "Smith, Ned" <ned.smith@intel.com>, William Bellingrath <wbellingrath@juniper.net>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: name of identity key
Date: Wed, 27 Nov 2019 15:45:56 +0000
Message-ID: <BYAPR05MB42489D88D5BF1EEB12DB16BBBA440@BYAPR05MB4248.namprd05.prod.outlook.com>
References: <BYAPR05MB4248D3AE10BAA7E74D588E76BA490@BYAPR05MB4248.namprd05.prod.outlook.com> <32083.1574668598@dooku.sandelman.ca>
In-Reply-To: <32083.1574668598@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/_D_ZtcRq43Zq__Ubmrsk1SI60m0>
Subject: Re: [Rats] name of identity key
List-Id: Remote Attestation Procedures <rats.ietf.org>

Hi Michael,
  I'm not sure I'm seeing the problem...
  The identity key used for ZTP and the identity key used to prove that you're attesting the right box are most likely the same, as they have the same role, that of authenticating a secure connection to a device.  And it's up to the device manufacturer and the system administrator as to whether they want to use an IDevID provided by the manufacturer or an LDevID provided by the sysadmin.  Obviously, if you want drop-ship sZTP to work, it has to be the manufacturer's identity key, since the sysadmin won't get to touch the box before it's plugged in.  But there's nothing to say they couldn't pre-stage it and install a Local Device Identity key (and Local Attestation Key).
  In RIV, it's the Attestation key (Initial or Local) that must be unique, and that one has no purpose other than to sign the evidence collected in the TPM.

  Is there something I'm missing in your question below?

  Thanks
/guy


-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Monday, November 25, 2019 2:57 AM
To: Guy Fedorkow <gfedorkow@juniper.net>; pritikin@cisco.com
Cc: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; Henk Berkholz <henk.birkholz@sit.fraunhofer.de>; Smith, Ned <ned.smith@intel.com>; William Bellingrath <wbellingrath@juniper.net>
Subject: Re: name of identity key


Guy Fedorkow <gfedorkow@juniper.net> wrote:
    > Hi Michael, I don't want to lose your question on the name of the
    > identity credential in RIV (or RATS)...  I think you were saying that
    > from a RATS point of view, you'd want to make the spec more generic
    > than a strict requirement for IEEE DevID.  Can you help me see why?  Is
    > there a more generic way of specifying the certificate that goes with
    > the identity key?  Thanks /guy

I (draft-ietf-anima-bootstrapping-keyinfra) am the user of an IDevID deployed in devices.  This is often located in a TPM.

If the TPM has to have a different IDevID key for signing Evidence, then I foresee a number of problems if the key has the same DN (serial-number, etc.) as the IDevID used for onboarding.

Is it signed by the same manufacturer CA as the onboarding IDevID?
(what names do I even use to distinguish these two keys?)

I can see manufacturers pushing back on having two identities.

One answer might be:
  MANUCA -> RIV_IDEVID(w/CA:TRUE) -> Onboarding_IDEVID

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
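The chain Michael sketches, MANUCA -> RIV_IDEVID(w/CA:TRUE) -> Onboarding_IDEVID, built and verified with Go's standard library as an added example (not code from either poster or from any RATS/ANIMA draft). It gives both device certificates the same DN serial number, so what distinguishes the attestation identity from the onboarding identity is its position in the chain and its distinct key, which is the situation Michael's DN question is about. The device serial, common names, key type and validity period are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Constructed device serial; both device certs carry it in their DN, so chain position and key, not the DN, tell them apart.
const deviceSerial = "DEV-SN-0001"
// issue signs a cert for cn under parent (self-signed when parent is nil); CertSign in ku marks it CA:TRUE. Hypothetical helper.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, SerialNumber: deviceSerial},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(8760 * time.Hour),
		KeyUsage:     ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pkey = t, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain realises MANUCA -> RIV_IDEVID (CA:TRUE, also signs Evidence) -> Onboarding_IDEVID.
func BuildChain() (manuca, riv, onboarding *x509.Certificate) {
	manuca, caKey := issue("MANUCA", 1, x509.KeyUsageCertSign, nil, nil)
	riv, rivKey := issue("RIV_IDEVID", 2, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, manuca, caKey)
	onboarding, _ = issue("Onboarding_IDEVID", 3, x509.KeyUsageDigitalSignature, riv, rivKey)
	return
}

// VerifyOnboarding is true when the onboarding cert chains to MANUCA through the RIV cert and the two device keys differ.
func VerifyOnboarding(manuca, riv, onboarding *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(manuca)
	inters.AddCert(riv)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	chains, err := onboarding.Verify(opts)
	return err == nil && len(chains[0]) == 3 && !riv.PublicKey.(*ecdsa.PublicKey).Equal(onboarding.PublicKey)
}
```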