Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 02 October 2018 19:05 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ted Lemon <mellon@fugue.com>
cc: Eliot Lear <lear@cisco.com>, draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org, Security Directorate <secdir@ietf.org>, Randy Bush <randy@psg.com>, Christian Huitema <huitema@huitema.net>, anima@ietf.org
In-Reply-To: <B9A85C1F-3299-4EB5-8716-05CC14CDC1F5@fugue.com>
References: <153826253306.18743.9250084704876465818@ietfa.amsl.com> <m2sh1qkebi.wl-randy@psg.com> <057bd957-06b4-824e-a7c8-214383819621@huitema.net> <m2murxi8ws.wl-randy@psg.com> <b4a32733-c2df-6bea-17d2-4d45ee4d5136@cisco.com> <m2wor0h9vu.wl-randy@psg.com> <1fd9c9d5-508f-901e-818c-3cc87725c331@cisco.com> <B9A85C1F-3299-4EB5-8716-05CC14CDC1F5@fugue.com>
Date: Tue, 02 Oct 2018 15:05:34 -0400
Message-ID: <3590.1538507134@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5HMItkpHexahe4e4MDdHUTJbAcM>
Subject: Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Ted Lemon <mellon@fugue.com> wrote:
    > The manufacturer-going-out-of-business use case argues for there being
    > a way that a person with physical access to the unit can re-key it
    > without contacting the manufacturer. It also argues for open source,
    > but that's out of scope. :)

The authors think that having the box rekeyed is a feature that some
manufacturers will provide, and some buyers will **insist** upon.

It has to be difficult, and in some cases, physical access may be too
insecure!

It's not much different than handing a (sometimes encrypted) QIC-tape/CD/DVD
containing source code over to an escrow lawyer, something I've regularly
done when I've worked on products with proprietary stacks.
We will see such things being discussed when we do the security review for
SUIT as well.

Being able to replace the manufacturer trust anchors for firmware, and the
trust anchor for validating ownership vouchers will become a checkmark
feature.  Any company can become Nortel.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-