Re: [saag] BOFs about IoT firmware update and TEE configuration
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 22 February 2017 08:16 UTC
Hi Eliot,

(I put the TEEP mailing list on CC since they may be interested in this conversation as well.)

The use case for TEEP is a bit different. The idea is to configure software running on a trusted execution environment. While the currently proposed solution assumes a PKI and the use of asymmetric key cryptography, it does not use 802.1AR certificates. There is no notion of a local network since it does not matter. The document also does not talk about how the messages are conveyed, but HTTP is more likely for the smart phone/tablet use cases.

I created a slide deck for presentation at the T2TRG meeting at the Berlin IETF but unfortunately there was no time. Nevertheless, here is the slide deck:
https://github.com/t2trg/2016-ietf96/blob/master/slides/70_OTrP-IETF93.pdf

Does this provide enough information about the intention?

Ciao
Hannes

On 02/20/2017 03:58 PM, Eliot Lear wrote:
> Hi Hannes,
>
> First, Max, Michael, Michael, and Kent are far more the experts than I am on this, but here is a brief summary:
>
> The purpose of draft-ietf-anima-bootstrap-keyinfra is to provide a trusted introduction between devices and the network such that you start in the following state:
>
> Device has a manufacturer certificate (802.1AR iDevID) and a manufacturer trust root, and the local network can in some way authenticate the manufacturer, and perhaps vice versa. The end state is that the device has a local (802.1 LDevID) and a local trust anchor. To accomplish this, a flow is defined to get to the point where the device will register with a local registrar using EST (either EST or EST/CoAP).
>
> Now perhaps you could explain a little about the TEE draft you're doing?
>
> If there's some overlap perhaps there's a chance to consolidate the work.
>
> Eliot
>
> On 2/18/17 5:17 PM, Hannes Tschofenig wrote:
>> Hi Eliot,
>>
>> I actually don't know since I never understood the ANIMA work all that well due to its fuzzy scope. I suspect that you can answer the question better than I do.
>>
>> Ciao
>> Hannes
>>
>> On 02/13/2017 02:29 PM, Eliot Lear wrote:
>>> Hannes,
>>>
>>> Can you say a few words about how TEE compares to draft-ietf-anima-bootstrap-keyinfra (et al) which has been in development in a WG for quite some time?
>>>
>>> Eliot
>>>
>>> On 2/13/17 12:51 PM, Hannes Tschofenig wrote:
>>>> Hi all,
>>>>
>>>> we have proposed two security-relevant BOFs for the upcoming meeting. They are listed on the BOF Wiki page at https://trac.tools.ietf.org/bof/trac/wiki but I still wanted to briefly introduce them to you.
>>>>
>>>> ** “Firmware Update Description (FUD)”
>>>>
>>>> Last year we had a workshop organized by the IAB on firmware updates for IoT devices (see https://www.iab.org/activities/workshops/iotsu/) where we talked about various challenges and gaps.
>>>>
>>>> As a follow-up to the workshop we would like to initiate some standardization activity in this area.
>>>>
>>>> The mailing list can be found at https://www.ietf.org/mailman/listinfo/fud
>>>>
>>>> ** “A Protocol for Dynamic Trusted Execution Environment Enablement (TEEP)”
>>>>
>>>> This BOF is about an application layer security protocol that allows configuring security credentials and software running on a Trusted Execution Environment (TEE). Today, TEEs are, for example, found in home routers, set-top boxes, smart phones, tablets, wearables, etc. Unfortunately, there have been mostly proprietary protocols used in this environment.
>>>>
>>>> With this BOF we are making an attempt to standardize such a protocol. A strawman proposal of such a protocol has been published with https://tools.ietf.org/html/draft-pei-opentrustprotocol-03.
>>>>
>>>> The mailing list can be found at: https://www.ietf.org/mailman/listinfo/teep
>>>>
>>>> Ciao
>>>> Hannes