Re: [saag] [solace] Slides posted for SAAG heads-up

Rene Struik <> Wed, 07 November 2012 20:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 23ECF21F8B6E; Wed, 7 Nov 2012 12:33:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lAqZgtOxW5uT; Wed, 7 Nov 2012 12:33:03 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 1F08D21F8A26; Wed, 7 Nov 2012 12:33:03 -0800 (PST)
Received: by with SMTP id 9so3422550iec.31 for <multiple recipients>; Wed, 07 Nov 2012 12:33:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=YqX6XnR1cvI7f0nfzmAI2RsUyy/ha6+o+ky8N7Cy1nk=; b=k00zT4TpyzyyfH7g5qE+7saNCzdydDwFf6D/AojzrR5L3MRxspQCHciaZO7SWMzLiF NOoBK8S56OBjvrgEK7VfrXzqEr7+7Y5NPslRQLe0/7KxJ53/d6C63KTFVOqao84Dcr9S 6tN0qMwLzw18laB1EdUKARgAMyoctofmd3EqewFzLZjA8GQA78M1+1yGsz8ys16ls0Jw 3JqazgewdfQjmeYt4h/V8z+pdhde7TVR7Gu6g+h8MPWD+FnKQz9rDcpKCKqeKoGluatt LphO8JtcxOjaR3hpiUgOEZXVaMytLNTIGlULiF/7/sjc3XmmJgAWkg7XYqIKY3h2cLBG OIuw==
Received: by with SMTP id m8mr5810439iga.48.1352320382644; Wed, 07 Nov 2012 12:33:02 -0800 (PST)
Received: from [] ( []) by with ESMTPS id gs6sm2902405igc.11.2012. (version=TLSv1/SSLv3 cipher=OTHER); Wed, 07 Nov 2012 12:33:01 -0800 (PST)
Message-ID: <>
Date: Wed, 07 Nov 2012 15:32:57 -0500
From: Rene Struik <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Carsten Bormann <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: "" <>, "" <>
Subject: Re: [saag] [solace] Slides posted for SAAG heads-up
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Nov 2012 20:33:04 -0000

Hi Carsten:

Great to discuss some of these topics with SAAG. I believe it would have 
merit to take this on a more fundamental ITRF level, so as to prevent 
people throwing a single protocol at the topic area: all context needs 
to be defined here in a unified way. More importantly, though, this 
should become an effort aimed at wide-scale usability (the 50billion 
devices everyone seems to point to in presentations from time to time)

Some brief comments:
a) Deployment scenarios.
I believe it would be a mistake to limit oneself to a single use case 
scenario. The proverbial light switch-lamp use case comes to mind, which 
would suffer from the often made assumption that one has a single, 
homogeneous trust domain (rather than a heterogeneous trust domain 
setting, where device roles etc are dynamic) and from small network size 
(after all, if internet of things will have 50 billion devices in 2020, 
then the avg network size *must* be large). This was the original 
approach within ZigBee all the way back in 2003, which - in my mind - 
set back the whole life-cycle management topic for years. By now (2012), 
there have been lots of studies into more realistic use cases with 
large-scale deployment by user groups, which do assume one can procure 
devices from mutually untrusted vendors, have many transitions in the 
supply-chain, may buy/sell/dispose of subsystems, etc. This all points 
towards heterogeneous trust models and very dynamic device behavior, 
without requiring centralized control flows involving a manufacturer 
(the latter is also undesirable from a survivability perspective).
b) Trust life-cycle management.
Please note that trust lifecycle management requires both crypto and 
security protocols (mechanical constructs) and constructs that take care 
of authorization decisions (initial authorization, changes to device 
role mapping, device replacement, etc.). The latter seems 
under-emphasized on the slides. This should include questions as to how 
to initialize 50 billion devices for virtually $0 apiece.
c) Security objectives.
An objective such as "not subject to a mass scale attack" would be hard 
to quantify in terms of required cryptographic assurances. Moreover, it 
seems to miss the point that some of these highly constrained networks 
are suppose to safeguard critical infrastructure (municipal water 
supply, hurricane prediction systems, etc.). In my mind, it would be a 
mistake to make this an exercise in toning down normal security 
requirements (under the pretext that this is only for "non-serious 
applications" (lamp-switch scenario again)). If one wants to get mass 
scale deployment of the 50 billion devices mark, one cannot aim for 
"crappy, but good enough" solutions, since no one in a position of 
accountability would sign off on these (lifes and jobs on the line if 
something goes wrong, so to speak).

The good news is that most high-quality crypto that is also efficient 
and does not leave a huge implementation footprint is fast becoming a 
commodity (or is getting there). The bad news is that integration of 
individual crypto and security constructs *and* security policies that 
allow these to be woven into a unified, standardizable framework 
architecture is still far off from sufficient understanding, let alone 
support via standards (and often simply ruled out of scope, since a 
"convenient" way to lock out product from other vendors).


Weblink to NIST Cryptography for Emerging Technologies and Applications 
Workshop, Gaithersburg, MD, November 7-8, 2011

A very old IETF draft of potential interest - with requirements, 
spelling out crypto + policy requirements, etc.
(true: 3yrs old draft [Nov 2009], but referring to needing a home with 
IETF in concluding section):

On 11/7/2012 12:45 PM, Carsten Bormann wrote:
> The slides for my short report at tomorrow's SAAG meeting are up:
> (Disclaimer: These are presentation slides, not a presentation by itself.
> So they make sense primarily in combination with what I'm going to say.)
> Grüße, Carsten
> _______________________________________________
> solace mailing list

email: | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363