IETF Logo Mail Archive

Re: [scim] I-D Action: draft-ietf-scim-device-model-03.txt

Monty Wiseman <monty.wiseman@beyondidentity.com> Mon, 18 March 2024 07:47 UTC

Return-Path: <monty.wiseman@beyondidentity.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F1B5C14CE30 for <scim@ietfa.amsl.com>; Mon, 18 Mar 2024 00:47:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=beyondidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BkBZVMGkuGYM for <scim@ietfa.amsl.com>; Mon, 18 Mar 2024 00:47:28 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A933C14CE2B for <scim@ietf.org>; Mon, 18 Mar 2024 00:47:28 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id d9443c01a7336-1dd10ae77d8so24305925ad.0 for <scim@ietf.org>; Mon, 18 Mar 2024 00:47:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beyondidentity.com; s=google-bid; t=1710748048; x=1711352848; darn=ietf.org; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=rQCsCg82w4fEqtufy/Ic4lwvH3uTLBZKV3NxqhIPDkc=; b=corGqlLgxvJzB0jMHEWrWL+YgejHLBful9yHS25nT9CtEQbdR+cpIX17U9lEeNSwmk jGL5FLBTUGZdUrA9N1T6I2LZuarxZg6ZeI29vCSPgbfkG0haQqdypx5uaiNSahC5h9Bi dPMfkPkJW36hYsd6IscwoKqsk+ZWJrMUc3Ok/ad/ThaRgzGi5rAwrkYkl3ktEx+M3Lrq M07QRcIfc6jc3men7hERNp4M24ejnpQOctJgyi3xAnPtaILtT3OYFgjwcTqt3Q1eeJIP xB7OezoGxAezB0MPZ7KvMIKr86raU00iULmbmIMCaQgcMwRNy2GSOIxGjh9We8FjPsWz f7kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710748048; x=1711352848; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=rQCsCg82w4fEqtufy/Ic4lwvH3uTLBZKV3NxqhIPDkc=; b=J+JeIQAwFNJczF4A9Gu44Q9a5TEorErGt+E8Gs5zQbJhUBvPUNd2pZ+ywGWgW31jsI JNWYL9LcoZrQ/YTxoAtu3+e9P4V/A2q14SjP98lJ7RJ9HXdLc+Ef6h7UAjbjPoWw1rUL 1p/EVbMdSpGfGOw4+VcLG+ElbcUvm0XMnXcJagQaUIZGPGIAyG0+kJMxhVClrdTyrnjY lDK2VBGXfhRTbVcpSfXtREVRNmY9jZ/u9V45eiq/998nshbNdwASyc6sEFgRKifFd+fj M/6HUxSRxKXvr82dJ+Jf1ylLqscFFyRHW+9TXKvI884zX1kCUc3zjVtl00F7t+aGzGRp 276g==
X-Gm-Message-State: AOJu0YyOG/dXRMSuQjJspDTxgMErS2WxZC9kQq8RuzVI5DGSSq+aRHrl OZigzDqGNjiB8Voz9FOkJ/QQ8j125eScc8cftgHc2weN5dMhNVGo0zvXSUSJ7N70LRRefs0uf1N NV8M=
X-Google-Smtp-Source: AGHT+IHEopKw1nl/H1urpSamqOjLJc+YW6ZLwsijedLQVzWZ0tD6WdK5IlcO5XNWrFnpZ0KuUxBlAA==
X-Received: by 2002:a17:902:e943:b0:1e0:319:a355 with SMTP id b3-20020a170902e94300b001e00319a355mr5036805pll.27.1710748047702; Mon, 18 Mar 2024 00:47:27 -0700 (PDT)
Received: from [10.2.0.2] ([144.48.39.228]) by smtp.gmail.com with ESMTPSA id n1-20020a170902d2c100b001e0310bb84fsm582782plc.289.2024.03.18.00.47.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 18 Mar 2024 00:47:27 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------7fMNDuFj0erNsl83Tn03I4yc"
Message-ID: <ce00b29a-b813-45b4-a2fb-1b53e792bee3@beyondidentity.com>
Date: Mon, 18 Mar 2024 17:47:21 +1000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Eliot Lear <lear@lear.ch>, "Andreas.Fuchs@infineon.com" <andreas.fuchs@infineon.com>
Cc: "scim@ietf.org" <scim@ietf.org>
References: <66298f3a-7d5d-4c1c-b09c-8a8aba49454b@beyondidentity.com> <a28e9b30-c94d-41f1-8222-4cca3828ba5d@lear.ch> <d57d463f-2103-49cb-b190-b8f79bdafbcb@beyondidentity.com> <0cdbcad6-c32d-4a80-9ce2-7afd95a73adf@lear.ch>
Content-Language: en-US
From: Monty Wiseman <monty.wiseman@beyondidentity.com>
In-Reply-To: <0cdbcad6-c32d-4a80-9ce2-7afd95a73adf@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/LUAPhkzTGpvgesz5aL5aU1eZokw>
Subject: Re: [scim] I-D Action: draft-ietf-scim-device-model-03.txt
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 07:47:32 -0000

Eliot,

Great to hear we are in agreement. As I'm proposing a very similar 
architecture to what we just finished in the csr-attestation. This 
method was discussed in LAMPS just before this session so we know this 
is a reasonable approach. I'll be willing to help with this change to 
the draft and I'll add the TCG method as another example.

Monty Wiseman
Security Architect, Beyond Identity
www.beyondidentity.com

On 24/03/18 16:18, Eliot Lear wrote:
>
> Hi Monty,
>
> Actaully I agree with what you write.  As you'll hear today, this is 
> work to be done, but I don't think it's a lot of work. The only *real* 
> issue is whether versioning should be internalized to the module name 
> or separated.
>
> Eliot
>
> On 18.03.2024 02:59, Monty Wiseman wrote:
>> I can include an approach for using TCG-defined device identity (as 
>> provided in the links below) but I have a broader concern. This draft 
>> includes a specific set of device Extensions for specific 
>> implementations but doesn't appear to to be extensible. What if a new 
>> method comes along (or a modification of an existing one. I recommend 
>> we take the approach we just did for the csr-attestion in LAMPS where 
>> there is a need to provide attestations from many types of components 
>> (TPM being just one example). There is a place specified in the spec 
>> where an OID is provided to identify the type of 
>> attestation_statement is being provided and we (LAMPS) will be 
>> requesting an IANA registry for those. This way the RFC is 
>> extensible. See: 
>> https://datatracker.ietf.org/doc/draft-ietf-lamps-csr-attestation/
>>
>> Monty Wiseman
>> Security Architect, Beyond Identity
>> www.beyondidentity.com
>>
>> On 24/03/05 18:58, Eliot Lear wrote:
>>> Hi Monty
>>>
>>> To get things in, I think the general approach should to indicate, 
>>> at least briefly, what the semantics of the server would be.  So for 
>>> instance, for DPP the semantics involve getting the QR code 
>>> components to the DPP controller so that when a device "chirps", it 
>>> can perform the authentication exchange.
>>>
>>> What would those semantics be here?  Would it simply be to insert a 
>>> certificate root and, say, Subject bound by that root, into an 
>>> EAP-TLS/TEAP process?  At which point, the two SCIM data objects 
>>> would be something like a trust anchor (or a URL to it) and then a 
>>> Subject or SAN or some such.
>>>
>>> Eliot
>>>
>>> On 05.03.2024 00:33, Monty Wiseman wrote:
>>>> There should be a Device Extension for TCG-defined TPM-based 
>>>> devices. There is a "Platform Certificate" and "TPM2 Key for device 
>>>> Identity" (802.1ar keys in TPM) x.509-based certificate defined by 
>>>> Trusted Computing Group (TCG) that defines a particular device and 
>>>> includes supply chain assurance back to the manufacturer. I'd be 
>>>> willing to contribute.
>>>>
>>>> https://trustedcomputinggroup.org/wp-content/uploads/IWG_Platform_Certificate_Profile_v1p1_r19_pub_fixed.pdf 
>>>>
>>>>
>>>> https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf 
>>>>
>>>>
>>

v2.23.0 | Report a Bug | By Email