IETF Logo Mail Archive

Re: [scim] I-D Action: draft-ietf-scim-device-model-03.txt

Eliot Lear <lear@lear.ch> Mon, 18 March 2024 06:19 UTC

Return-Path: <lear@lear.ch>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2ED7C14F70B for <scim@ietfa.amsl.com>; Sun, 17 Mar 2024 23:19:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNkkwwry5y_f for <scim@ietfa.amsl.com>; Sun, 17 Mar 2024 23:19:06 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7F1BC14F702 for <scim@ietf.org>; Sun, 17 Mar 2024 23:19:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1710742739; bh=xUOKm8HSTb0Grgv1y0iQWI5NZf0YKAA3hplFvfl2Jdc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=SZj6mvaxFCHaNLJaTMHSUx4LDHS5roZ3B0WsQHyly3Ae42QQJQB9pZ2huCrVhVa6U K1WRjBztbMkDu7y5j+x8wqknWMeYBvfxx8aX0Ok7VcGPB8v1vxVjQlCL8oOONrfX8c h1vwTQLMPUJ0IEkrSQiZDxORZB9HbMJiS0FJctzw=
Received: from [192.168.0.99] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 42I6IxnX3764349 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Mon, 18 Mar 2024 07:18:59 +0100
Message-ID: <0cdbcad6-c32d-4a80-9ce2-7afd95a73adf@lear.ch>
Date: Mon, 18 Mar 2024 07:18:58 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Monty Wiseman <monty.wiseman@beyondidentity.com>
Cc: "scim@ietf.org" <scim@ietf.org>
References: <66298f3a-7d5d-4c1c-b09c-8a8aba49454b@beyondidentity.com> <a28e9b30-c94d-41f1-8222-4cca3828ba5d@lear.ch> <d57d463f-2103-49cb-b190-b8f79bdafbcb@beyondidentity.com>
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <d57d463f-2103-49cb-b190-b8f79bdafbcb@beyondidentity.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------a0ivpa0B6051sniOY0l0OblU"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/r_zidZuG9IBzavBIO-LFsU8uYW4>
Subject: Re: [scim] I-D Action: draft-ietf-scim-device-model-03.txt
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 06:19:10 -0000

Hi Monty,

Actaully I agree with what you write.  As you'll hear today, this is 
work to be done, but I don't think it's a lot of work.  The only *real* 
issue is whether versioning should be internalized to the module name or 
separated.

Eliot

On 18.03.2024 02:59, Monty Wiseman wrote:
> I can include an approach for using TCG-defined device identity (as 
> provided in the links below) but I have a broader concern. This draft 
> includes a specific set of device Extensions for specific 
> implementations but doesn't appear to to be extensible. What if a new 
> method comes along (or a modification of an existing one. I recommend 
> we take the approach we just did for the csr-attestion in LAMPS where 
> there is a need to provide attestations from many types of components 
> (TPM being just one example). There is a place specified in the spec 
> where an OID is provided to identify the type of attestation_statement 
> is being provided and we (LAMPS) will be requesting an IANA registry 
> for those. This way the RFC is extensible. See: 
> https://datatracker.ietf.org/doc/draft-ietf-lamps-csr-attestation/
>
> Monty Wiseman
> Security Architect, Beyond Identity
> www.beyondidentity.com
>
> On 24/03/05 18:58, Eliot Lear wrote:
>> Hi Monty
>>
>> To get things in, I think the general approach should to indicate, at 
>> least briefly, what the semantics of the server would be.  So for 
>> instance, for DPP the semantics involve getting the QR code 
>> components to the DPP controller so that when a device "chirps", it 
>> can perform the authentication exchange.
>>
>> What would those semantics be here?  Would it simply be to insert a 
>> certificate root and, say, Subject bound by that root, into an 
>> EAP-TLS/TEAP process?  At which point, the two SCIM data objects 
>> would be something like a trust anchor (or a URL to it) and then a 
>> Subject or SAN or some such.
>>
>> Eliot
>>
>> On 05.03.2024 00:33, Monty Wiseman wrote:
>>> There should be a Device Extension for TCG-defined TPM-based 
>>> devices. There is a "Platform Certificate" and "TPM2 Key for device 
>>> Identity" (802.1ar keys in TPM) x.509-based certificate defined by 
>>> Trusted Computing Group (TCG) that defines a particular device and 
>>> includes supply chain assurance back to the manufacturer. I'd be 
>>> willing to contribute.
>>>
>>> https://trustedcomputinggroup.org/wp-content/uploads/IWG_Platform_Certificate_Profile_v1p1_r19_pub_fixed.pdf 
>>>
>>>
>>> https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf 
>>>
>>>
>

v2.23.0 | Report a Bug | By Email