Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Brian E Carpenter <> Sun, 30 September 2018 19:58 UTC

To: Randy Bush <>, Christian Huitema <>
Cc: IETF Rinse Repeat <>, Security Directorate <>
From: Brian E Carpenter <>
Date: Mon, 1 Oct 2018 08:58:06 +1300

On 2018-10-01 07:52, Randy Bush wrote:
> christian,
> a stunning review as usual.  but i have two questions which you kind of
> finessed.  they are simple binary, i.e. yes/no, questions that the end
> user, to whom the IETF is ultimately responsible, really cares about.
> if the manufacturer's servers go down, either permanently or even for
> a day, does the device i have purchased still work?  i.e. is it fail
> soft? [0]

It still works if and only if the registrar already holds its voucher. 

There's a related question, which is: if the autonomic network is
air-gapped from the Internet, as is very likely in many sensitive
applications, does the whole mechanism work at all?

The answer is, as I understand it, yes, but with a variant. See option 3
in section 6.3, "Registrar security reductions", which explicitly covers
the case of obtaining vouchers in advance from the MASA.

The BRSKI authors regard this as less secure than relying on the MASA
in real time. You might have a different opinion, if you were operating
the air-gapped network. My personal opinion is that this will be a 
widely used solution, whatever its security issues, because it avoids
MASA dependency.

> if the manufacturer's servers go down, either permanently or even for
> a day, can i give/sell the device i have purchased to a third, well
> fourth i guess, party, at my whim and seamlessly unencumbered?

There are two conditions for it to work, as I understand it:
1) The device ID is added to the list of devices acceptable to the
registrar in its new network.
2) That registrar is able to contact the MASA.

Alternatively - see the previous point. If you had previously obtained
a voucher in advance, you could include it with the device. Just as
you might write the hard disk password on a yellow sticky when
selling a laptop in a garage sale.


> fwiw, i asked these same questions at the 2005 paris side meeting at
> l'ecole whatever hosted by mark.  the blank stares i received alarmed
> me.  the ietf is ultimately responsible to the users.
> thanks.
> randy
> --
> 0 - yes, i understand i may not be able to access it through the
>     manufacturer's cloud.  so you want to help look at tcpdumps of
>     the manufacturer installed thermostat that does not talk to that
>     mfgr on net that i am debugging this weekend?  :(