[Rum] RUE client credentials

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 12 August 2019 22:37 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE949121441 for <rum@ietfa.amsl.com>; Mon, 12 Aug 2019 15:37:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2cWWQb-FkeUO for <rum@ietfa.amsl.com>; Mon, 12 Aug 2019 15:37:00 -0700 (PDT)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81F68122433 for <rum@ietf.org>; Mon, 12 Aug 2019 12:40:57 -0700 (PDT)
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x7CJetrJ017374 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for <rum@ietf.org>; Mon, 12 Aug 2019 15:40:56 -0400
To: rum@ietf.org
References: <8FB5F5A0-E3FE-40F8-A6D0-35D9002C6770@brianrosen.net> <85828597-D024-4E7E-8876-F1C4753E6B7D@edvina.net> <64B406DC-4171-41EB-9171-A2AF7B78B409@brianrosen.net>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <054dde2a-7fa1-9941-986c-f3b3d8c0f76e@alum.mit.edu>
Date: Mon, 12 Aug 2019 15:40:55 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <64B406DC-4171-41EB-9171-A2AF7B78B409@brianrosen.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/EHgVXiOZ8peMHqGuzwFbZgYRPmM>
Subject: [Rum] RUE client credentials
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2019 22:37:03 -0000

On 8/7/19 5:14 PM, Brian Rosen wrote:
> Working on these comments.  I submitted a new version (-01)
> 
> I edited the doc to say the client cert is provisioned.  Given that it’s 
> provisioned by the entity that the provides the server, do I need to say 
> anything else about validating the cert?

I think we need to examine what the goal is here, and whether it is 
being achieved. I don't think enough is said to decide.

This client cert mechanism was first added way back when (2015 I think). 
IIRC, the motivation was because the providers wanted to restrict access 
to RUE *implementations* that have passed interoperability testing, in 
order to reduce the problems of dealing with buggy implementations or 
attackers.

The idea was that certs would only be made available to 
*implementations* (e.g. images) that have been tested. There was no 
expectation that each user who obtains a rue would need to have it tested.

But the exact mechanism for binding a cert to a tested implementation 
was never worked out. I've asked around from time to time and I haven't 
learned of any way to achieve this.

Brian's new text pushes this off one level but doesn't solve the 
problem. The provider's *sip* server can perhaps trust that the rue got 
the cert from the provider's provisioning server. But the provisioning 
server still has to decide if this is a trustworthy implementation.

The Apple store and the Google Play Store solve this problem by being 
the distributor of apps. The developer has to submit the app, which is 
then tested/verified by the store and then being assigned credentials. 
Potentially we could have something list that by having a RUE Store 
operated by a RUE testing authority. But I don't think anybody is 
prepared to operate such a thing and it would require the devices 
receiving these apps to bypass the normal vendor restrictions on 
installations.

I don't have a good answer here.

	Thanks,
	Paul